github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-30 15:05:27 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #47457 from timstclair/audit-objref

Browse Source 
Automatic merge from submit-queue (batch tested with PRs 47073, 47457, 47479)

audit: Fill in full ObjectRef, include in LevelMetadata

The previous implementation was missing several ObjectReference fields, including `APIVersion`, `Resource`, and `Subresource`. This PR adds those fields, and also fills in the `ObjectRef` when the level is `Metadata` (previously it was only filled for level `Request`).

For kubernetes/features#22

/cc @ericchiang @ihmccreery
This commit is contained in:
Kubernetes Submit Queue 2017-06-14 01:52:14 -07:00 committed by GitHub
commit be0a5f75d5
2 changed files with 30 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
staging/src/k8s.io/apiserver/pkg/audit/request.go
View File

@ -28,7 +28,6 @@ import (
"reflect" "reflect"
"k8s.io/apimachinery/pkg/apis/meta/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/runtime/schema"
@ -107,17 +106,8 @@ func NewEventFromRequest(req *http.Request, level auditinternal.Level, attribs a
// LogRequestObject fills in the request object into an audit event. The passed runtime.Object // LogRequestObject fills in the request object into an audit event. The passed runtime.Object
// will be converted to the given gv. // will be converted to the given gv.
func LogRequestObject(ae *audit.Event, obj runtime.Object, gv schema.GroupVersion, s runtime.NegotiatedSerializer) { func LogRequestObject(ae *audit.Event, obj runtime.Object, gvr schema.GroupVersionResource, subresource string, s runtime.NegotiatedSerializer) {
if ae == nil || ae.Level.Less(audit.LevelRequest) { if ae == nil || ae.Level.Less(audit.LevelMetadata) {
return
}
// TODO(audit): hook into the serializer to avoid double conversion
var err error
ae.RequestObject, err = encodeObject(obj, gv, s)
if err != nil {
// TODO(audit): add error slice to audit event struct
glog.Warningf("Auditing failed of %v request: %v", reflect.TypeOf(obj).Name(), err)
return return
} }
@ -125,7 +115,7 @@ func LogRequestObject(ae *audit.Event, obj runtime.Object, gv schema.GroupVersio
if ae.ObjectRef == nil { if ae.ObjectRef == nil {
ae.ObjectRef = &audit.ObjectReference{} ae.ObjectRef = &audit.ObjectReference{}
} }
if acc, ok := obj.(v1.ObjectMetaAccessor); ok { if acc, ok := obj.(metav1.ObjectMetaAccessor); ok {
meta := acc.GetObjectMeta() meta := acc.GetObjectMeta()
if len(ae.ObjectRef.Namespace) == 0 { if len(ae.ObjectRef.Namespace) == 0 {
ae.ObjectRef.Namespace = meta.GetNamespace() ae.ObjectRef.Namespace = meta.GetNamespace()
@ -140,6 +130,29 @@ func LogRequestObject(ae *audit.Event, obj runtime.Object, gv schema.GroupVersio
ae.ObjectRef.ResourceVersion = meta.GetResourceVersion() ae.ObjectRef.ResourceVersion = meta.GetResourceVersion()
} }
} }
// TODO: ObjectRef should include the API group.
if len(ae.ObjectRef.APIVersion) == 0 {
ae.ObjectRef.APIVersion = gvr.Version
}
if len(ae.ObjectRef.Resource) == 0 {
ae.ObjectRef.Resource = gvr.Resource
}
if len(ae.ObjectRef.Subresource) == 0 {
ae.ObjectRef.Subresource = subresource
}
if ae.Level.Less(audit.LevelRequest) {
return
}
// TODO(audit): hook into the serializer to avoid double conversion
var err error
ae.RequestObject, err = encodeObject(obj, gvr.GroupVersion(), s)
if err != nil {
// TODO(audit): add error slice to audit event struct
glog.Warningf("Auditing failed of %v request: %v", reflect.TypeOf(obj).Name(), err)
return
}
} }
// LogRquestPatch fills in the given patch as the request object into an audit event. // LogRquestPatch fills in the given patch as the request object into an audit event.

8
staging/src/k8s.io/apiserver/pkg/endpoints/handlers/rest.go
View File

@ -442,7 +442,7 @@ func createHandler(r rest.NamedCreater, scope RequestScope, typer runtime.Object
trace.Step("Conversion done") trace.Step("Conversion done")
ae := request.AuditEventFrom(ctx) ae := request.AuditEventFrom(ctx)
audit.LogRequestObject(ae, obj, scope.Resource.GroupVersion(), scope.Serializer) audit.LogRequestObject(ae, obj, scope.Resource, scope.Subresource, scope.Serializer)
if admit != nil && admit.Handles(admission.Create) { if admit != nil && admit.Handles(admission.Create) {
userInfo, _ := request.UserFrom(ctx) userInfo, _ := request.UserFrom(ctx)
@ -876,7 +876,7 @@ func UpdateResource(r rest.Updater, scope RequestScope, typer runtime.ObjectType
trace.Step("Conversion done") trace.Step("Conversion done")
ae := request.AuditEventFrom(ctx) ae := request.AuditEventFrom(ctx)
audit.LogRequestObject(ae, obj, scope.Resource.GroupVersion(), scope.Serializer) audit.LogRequestObject(ae, obj, scope.Resource, scope.Subresource, scope.Serializer)
if err := checkName(obj, name, namespace, scope.Namer); err != nil { if err := checkName(obj, name, namespace, scope.Namer); err != nil {
scope.err(err, w, req) scope.err(err, w, req)
@ -969,7 +969,7 @@ func DeleteResource(r rest.GracefulDeleter, allowsOptions bool, scope RequestSco
} }
ae := request.AuditEventFrom(ctx) ae := request.AuditEventFrom(ctx)
audit.LogRequestObject(ae, obj, scope.Resource.GroupVersion(), scope.Serializer) audit.LogRequestObject(ae, obj, scope.Resource, scope.Subresource, scope.Serializer)
} else { } else {
if values := req.URL.Query(); len(values) > 0 { if values := req.URL.Query(); len(values) > 0 {
if err := metainternalversion.ParameterCodec.DecodeParameters(values, scope.MetaGroupVersion, options); err != nil { if err := metainternalversion.ParameterCodec.DecodeParameters(values, scope.MetaGroupVersion, options); err != nil {
@ -1115,7 +1115,7 @@ func DeleteCollection(r rest.CollectionDeleter, checkBody bool, scope RequestSco
} }
ae := request.AuditEventFrom(ctx) ae := request.AuditEventFrom(ctx)
audit.LogRequestObject(ae, obj, scope.Resource.GroupVersion(), scope.Serializer) audit.LogRequestObject(ae, obj, scope.Resource, scope.Subresource, scope.Serializer)
} }
} }