Add Validate() function for audit options

This commit is contained in:
Cao Shufeng 2017-06-06 19:31:29 +08:00
parent 0613ae5077
commit cf8e3ccf19
3 changed files with 50 additions and 12 deletions

View File

@ -63,6 +63,9 @@ func (options *ServerRunOptions) Validate() []error {
if errs := options.Authentication.Validate(); len(errs) > 0 {
errors = append(errors, errs...)
}
if errs := options.Audit.Validate(); len(errs) > 0 {
errors = append(errors, errs...)
}
if errs := options.InsecureServing.Validate("insecure-port"); len(errs) > 0 {
errors = append(errors, errs...)
}

View File

@ -46,6 +46,7 @@ audit-log-maxage
audit-log-maxbackup
audit-log-maxsize
audit-log-path
audit-policy-file
audit-webhook-config-file
audit-webhook-mode
authentication-kubeconfig

View File

@ -81,6 +81,33 @@ func NewAuditOptions() *AuditOptions {
}
}
// Validate checks invalid config combination
func (o *AuditOptions) Validate() []error {
allErrors := []error{}
if !advancedAuditingEnabled() {
if len(o.PolicyFile) > 0 {
allErrors = append(allErrors, fmt.Errorf("feature '%s' must be enabled to set option --audit-policy-file", features.AdvancedAuditing))
}
if len(o.WebhookOptions.ConfigFile) > 0 {
allErrors = append(allErrors, fmt.Errorf("feature '%s' must be enabled to set option --audit-webhook-config-file", features.AdvancedAuditing))
}
} else {
// check webhook mode
validMode := false
for _, m := range pluginwebhook.AllowedModes {
if m == o.WebhookOptions.Mode {
validMode = true
break
}
}
if !validMode {
allErrors = append(allErrors, fmt.Errorf("invalid audit webhook mode %s, allowed modes are %q", o.WebhookOptions.Mode, strings.Join(pluginwebhook.AllowedModes, ",")))
}
}
return allErrors
}
func (o *AuditOptions) AddFlags(fs *pflag.FlagSet) {
fs.StringVar(&o.PolicyFile, "audit-policy-file", o.PolicyFile,
"Path to the file that defines the audit policy configuration. Requires the 'AdvancedAuditing' feature gate."+
@ -91,13 +118,19 @@ func (o *AuditOptions) AddFlags(fs *pflag.FlagSet) {
}
func (o *AuditOptions) ApplyTo(c *server.Config) error {
// Apply generic options.
// Apply legacy audit options if advanced audit is not enabled.
if !advancedAuditingEnabled() {
return o.LogOptions.legacyApplyTo(c)
}
// Apply advanced options if advanced audit is enabled.
// 1. Apply generic options.
if err := o.applyTo(c); err != nil {
return err
}
// Apply plugin options.
if err := o.LogOptions.applyTo(c); err != nil {
// 2. Apply plugin options.
if err := o.LogOptions.advancedApplyTo(c); err != nil {
return err
}
if err := o.WebhookOptions.applyTo(c); err != nil {
@ -111,9 +144,6 @@ func (o *AuditOptions) applyTo(c *server.Config) error {
return nil
}
if !advancedAuditingEnabled() {
return fmt.Errorf("feature '%s' must be enabled to set an audit policy", features.AdvancedAuditing)
}
p, err := policy.LoadPolicyFromFile(o.PolicyFile)
if err != nil {
return fmt.Errorf("loading audit policy file: %v", err)
@ -133,7 +163,7 @@ func (o *AuditLogOptions) AddFlags(fs *pflag.FlagSet) {
"The maximum size in megabytes of the audit log file before it gets rotated.")
}
func (o *AuditLogOptions) applyTo(c *server.Config) error {
func (o *AuditLogOptions) getWriter() io.Writer {
if o.Path == "" {
return nil
}
@ -147,14 +177,21 @@ func (o *AuditLogOptions) applyTo(c *server.Config) error {
MaxSize: o.MaxSize,
}
}
c.LegacyAuditWriter = w
return w
}
if advancedAuditingEnabled() {
func (o *AuditLogOptions) advancedApplyTo(c *server.Config) error {
if w := o.getWriter(); w != nil {
c.AuditBackend = appendBackend(c.AuditBackend, pluginlog.NewBackend(w))
}
return nil
}
func (o *AuditLogOptions) legacyApplyTo(c *server.Config) error {
c.LegacyAuditWriter = o.getWriter()
return nil
}
func (o *AuditWebhookOptions) AddFlags(fs *pflag.FlagSet) {
fs.StringVar(&o.ConfigFile, "audit-webhook-config-file", o.ConfigFile,
"Path to a kubeconfig formatted file that defines the audit webhook configuration."+
@ -170,9 +207,6 @@ func (o *AuditWebhookOptions) applyTo(c *server.Config) error {
return nil
}
if !advancedAuditingEnabled() {
return fmt.Errorf("feature '%s' must be enabled to set an audit webhook", features.AdvancedAuditing)
}
webhook, err := pluginwebhook.NewBackend(o.ConfigFile, o.Mode)
if err != nil {
return fmt.Errorf("initializing audit webhook: %v", err)