From eddf65849dfa1b3c351597d7018a2700371d8955 Mon Sep 17 00:00:00 2001
From: Tim Hockin
Date: Fri, 17 Nov 2023 11:46:28 -0800
Subject: [PATCH] Fix list_type_missing in k8s.io/apiserver

---
 api/api-rules/violation_exceptions.list | 12 ----
 pkg/generated/openapi/zz_generated.openapi.go | 60 +++++++++++++++++++
 .../pkg/apis/audit/v1/generated.proto | 12 ++++
 .../apiserver/pkg/apis/audit/v1/types.go | 12 ++++
 4 files changed, 84 insertions(+), 12 deletions(-)

diff --git a/api/api-rules/violation_exceptions.list b/api/api-rules/violation_exceptions.list
index 6e489015c7c..5c08ea21b49 100644
--- a/api/api-rules/violation_exceptions.list
+++ b/api/api-rules/violation_exceptions.list
@@ -1,15 +1,3 @@
-API rule violation: list_type_missing,k8s.io/apiserver/pkg/apis/audit/v1,Event,SourceIPs
-API rule violation: list_type_missing,k8s.io/apiserver/pkg/apis/audit/v1,GroupResources,ResourceNames
-API rule violation: list_type_missing,k8s.io/apiserver/pkg/apis/audit/v1,GroupResources,Resources
-API rule violation: list_type_missing,k8s.io/apiserver/pkg/apis/audit/v1,Policy,OmitStages
-API rule violation: list_type_missing,k8s.io/apiserver/pkg/apis/audit/v1,Policy,Rules
-API rule violation: list_type_missing,k8s.io/apiserver/pkg/apis/audit/v1,PolicyRule,Namespaces
-API rule violation: list_type_missing,k8s.io/apiserver/pkg/apis/audit/v1,PolicyRule,NonResourceURLs
-API rule violation: list_type_missing,k8s.io/apiserver/pkg/apis/audit/v1,PolicyRule,OmitStages
-API rule violation: list_type_missing,k8s.io/apiserver/pkg/apis/audit/v1,PolicyRule,Resources
-API rule violation: list_type_missing,k8s.io/apiserver/pkg/apis/audit/v1,PolicyRule,UserGroups
-API rule violation: list_type_missing,k8s.io/apiserver/pkg/apis/audit/v1,PolicyRule,Users
-API rule violation: list_type_missing,k8s.io/apiserver/pkg/apis/audit/v1,PolicyRule,Verbs
 API rule violation: list_type_missing,k8s.io/cloud-provider/config/v1alpha1,WebhookConfiguration,Webhooks
 API rule violation: list_type_missing,k8s.io/controller-manager/config/v1alpha1,GenericControllerManagerConfiguration,Controllers
 API rule violation: list_type_missing,k8s.io/controller-manager/config/v1alpha1,LeaderMigrationConfiguration,ControllerLeaders
diff --git a/pkg/generated/openapi/zz_generated.openapi.go b/pkg/generated/openapi/zz_generated.openapi.go
index 27590946a9f..d60f2a2b8be 100644
--- a/pkg/generated/openapi/zz_generated.openapi.go
+++ b/pkg/generated/openapi/zz_generated.openapi.go
@@ -52591,6 +52591,11 @@ func schema_pkg_apis_audit_v1_Event(ref common.ReferenceCallback) common.OpenAPI }, }, "sourceIPs": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "Source IPs, from where the request originated and intermediate proxies. The source IPs are listed from (in order): 1. X-Forwarded-For request header IPs 2. X-Real-Ip header, if not present in the X-Forwarded-For list 3. The remote address for the connection, if it doesn't match the last\n IP in the list up to here (X-Forwarded-For or X-Real-Ip).\nNote: All but the last IP can be arbitrarily set by the client.", Type: []string{"array"}, @@ -52737,6 +52742,11 @@ func schema_pkg_apis_audit_v1_GroupResources(ref common.ReferenceCallback) commo }, }, "resources": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "Resources is a list of resources this rule applies to.\n\nFor example: - `pods` matches pods. - `pods/log` matches the log subresource of pods. - `*` matches all resources and their subresources. - `pods/*` matches all subresources of pods. - `*/scale` matches all scale subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nAn empty list implies all resources and subresources in this API groups apply.", Type: []string{"array"}, 
@@ -52752,6 +52762,11 @@ func schema_pkg_apis_audit_v1_GroupResources(ref common.ReferenceCallback) commo }, }, "resourceNames": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "ResourceNames is a list of resource instance names that the policy matches. Using this field requires Resources to be specified. An empty list implies that every instance of the resource is matched.", Type: []string{"array"}, @@ -52864,6 +52879,11 @@ func schema_pkg_apis_audit_v1_Policy(ref common.ReferenceCallback) common.OpenAP }, }, "rules": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "Rules specify the audit Level a request should be recorded at. A request may match multiple rules, in which case the FIRST matching rule is used. The default audit level is None, but can be overridden by a catch-all rule at the end of the list. PolicyRules are strictly ordered.", Type: []string{"array"}, @@ -52878,6 +52898,11 @@ func schema_pkg_apis_audit_v1_Policy(ref common.ReferenceCallback) common.OpenAP }, }, "omitStages": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "OmitStages is a list of stages for which no events are created. Note that this can also be specified per rule in which case the union of both are omitted.", Type: []string{"array"}, 
@@ -52973,6 +52998,11 @@ func schema_pkg_apis_audit_v1_PolicyRule(ref common.ReferenceCallback) common.Op }, }, "users": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "The users (by authenticated user name) this rule applies to. An empty list implies every user.", Type: []string{"array"}, @@ -52988,6 +53018,11 @@ func schema_pkg_apis_audit_v1_PolicyRule(ref common.ReferenceCallback) common.Op }, }, "userGroups": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "The user groups this rule applies to. A user is considered matching if it is a member of any of the UserGroups. An empty list implies every user group.", Type: []string{"array"}, @@ -53003,6 +53038,11 @@ func schema_pkg_apis_audit_v1_PolicyRule(ref common.ReferenceCallback) common.Op }, }, "verbs": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "The verbs that match this rule. An empty list implies every verb.", Type: []string{"array"}, @@ -53018,6 +53058,11 @@ func schema_pkg_apis_audit_v1_PolicyRule(ref common.ReferenceCallback) common.Op }, }, "resources": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "Resources that this rule matches. An empty list implies all kinds in all API groups.", Type: []string{"array"}, 
@@ -53032,6 +53077,11 @@ func schema_pkg_apis_audit_v1_PolicyRule(ref common.ReferenceCallback) common.Op }, }, "namespaces": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "Namespaces that this rule matches. The empty string \"\" matches non-namespaced resources. An empty list implies every namespace.", Type: []string{"array"}, @@ -53047,6 +53097,11 @@ func schema_pkg_apis_audit_v1_PolicyRule(ref common.ReferenceCallback) common.Op }, }, "nonResourceURLs": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "NonResourceURLs is a set of URL paths that should be audited. `*`s are allowed, but only as the full, final step in the path. Examples: - `/metrics` - Log requests for apiserver metrics - `/healthz*` - Log all health checks", Type: []string{"array"}, @@ -53062,6 +53117,11 @@ func schema_pkg_apis_audit_v1_PolicyRule(ref common.ReferenceCallback) common.Op }, }, "omitStages": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "OmitStages is a list of stages for which no events are created. Note that this can also be specified policy wide in which case the union of both are omitted. An empty list means no restrictions will apply.", Type: []string{"array"}, diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/generated.proto b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/generated.proto index 13c41e54ce6..bda8c6953c7 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/generated.proto +++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/generated.proto 
@@ -62,6 +62,7 @@ message Event { // IP in the list up to here (X-Forwarded-For or X-Real-Ip). // Note: All but the last IP can be arbitrarily set by the client. // +optional + // +listType=atomic repeated string sourceIPs = 8; // UserAgent records the user agent string reported by the client. @@ -140,12 +141,14 @@ message GroupResources { // // An empty list implies all resources and subresources in this API groups apply. // +optional + // +listType=atomic repeated string resources = 2; // ResourceNames is a list of resource instance names that the policy matches. // Using this field requires Resources to be specified. // An empty list implies that every instance of the resource is matched. // +optional + // +listType=atomic repeated string resourceNames = 3; } @@ -190,11 +193,13 @@ message Policy { // A request may match multiple rules, in which case the FIRST matching rule is used. // The default audit level is None, but can be overridden by a catch-all rule at the end of the list. // PolicyRules are strictly ordered. + // +listType=atomic repeated PolicyRule rules = 2; // OmitStages is a list of stages for which no events are created. Note that this can also // be specified per rule in which case the union of both are omitted. // +optional + // +listType=atomic repeated string omitStages = 3; // OmitManagedFields indicates whether to omit the managed fields of the request 
@@ -224,27 +229,32 @@ message PolicyRule { // The users (by authenticated user name) this rule applies to. // An empty list implies every user. // +optional + // +listType=atomic repeated string users = 2; // The user groups this rule applies to. A user is considered matching // if it is a member of any of the UserGroups. // An empty list implies every user group. // +optional + // +listType=atomic repeated string userGroups = 3; // The verbs that match this rule. // An empty list implies every verb. // +optional + // +listType=atomic repeated string verbs = 4; // Resources that this rule matches. An empty list implies all kinds in all API groups. // +optional + // +listType=atomic repeated GroupResources resources = 5; // Namespaces that this rule matches. // The empty string "" matches non-namespaced resources. // An empty list implies every namespace. // +optional + // +listType=atomic repeated string namespaces = 6; // NonResourceURLs is a set of URL paths that should be audited. @@ -253,12 +263,14 @@ message PolicyRule { // - `/metrics` - Log requests for apiserver metrics // - `/healthz*` - Log all health checks // +optional + // +listType=atomic repeated string nonResourceURLs = 7; // OmitStages is a list of stages for which no events are created. Note that this can also // be specified policy wide in which case the union of both are omitted. // An empty list means no restrictions will apply. // +optional + // +listType=atomic repeated string omitStages = 8; // OmitManagedFields indicates whether to omit the managed fields of the request diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/types.go b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/types.go index 151c56c689b..ae122d6c4db 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/types.go +++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/types.go 
@@ -98,6 +98,7 @@ type Event struct {
 // IP in the list up to here (X-Forwarded-For or X-Real-Ip).
 // Note: All but the last IP can be arbitrarily set by the client.
 // +optional
+ // +listType=atomic
 SourceIPs []string `json:"sourceIPs,omitempty" protobuf:"bytes,8,rep,name=sourceIPs"`
 // UserAgent records the user agent string reported by the client.
 // Note that the UserAgent is provided by the client, and must not be trusted.
@@ -166,11 +167,13 @@ type Policy struct {
 // A request may match multiple rules, in which case the FIRST matching rule is used.
 // The default audit level is None, but can be overridden by a catch-all rule at the end of the list.
 // PolicyRules are strictly ordered.
+ // +listType=atomic
 Rules []PolicyRule `json:"rules" protobuf:"bytes,2,rep,name=rules"`
 
 // OmitStages is a list of stages for which no events are created. Note that this can also
 // be specified per rule in which case the union of both are omitted.
 // +optional
+ // +listType=atomic
 OmitStages []Stage `json:"omitStages,omitempty" protobuf:"bytes,3,rep,name=omitStages"`
 
 // OmitManagedFields indicates whether to omit the managed fields of the request
@@ -203,16 +206,19 @@ type PolicyRule struct {
 // The users (by authenticated user name) this rule applies to.
 // An empty list implies every user.
 // +optional
+ // +listType=atomic
 Users []string `json:"users,omitempty" protobuf:"bytes,2,rep,name=users"`
 
 // The user groups this rule applies to. A user is considered matching
 // if it is a member of any of the UserGroups.
 // An empty list implies every user group.
 // +optional
+ // +listType=atomic
 UserGroups []string `json:"userGroups,omitempty" protobuf:"bytes,3,rep,name=userGroups"`
 
 // The verbs that match this rule.
 // An empty list implies every verb.
 // +optional
+ // +listType=atomic
 Verbs []string `json:"verbs,omitempty" protobuf:"bytes,4,rep,name=verbs"`
 
 // Rules can apply to API resources (such as "pods" or "secrets"),
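Review bot: The `+listType=atomic` added to `Policy.Rules` in the -166 hunk records a merge strategy without saying why it was chosen, and for this field the choice is load-bearing: the existing comment states that rules are strictly ordered and the FIRST match wins, so a later switch to `set` or `map` would silently change which rule a request matches. Suggest extending the `Rules` comment with `// Merged atomically (+listType=atomic): rule order determines the result.`. The same marker on the string lists in the -203 hunk and in the PolicyRule and GroupResources hunks that follow (`Users`, `UserGroups`, `Verbs`, `Namespaces`, `NonResourceURLs`, `OmitStages`, `Resources`, `ResourceNames`) is presumably preferred over `set` so that no uniqueness constraint is imposed on policies that load today; a sentence to that effect in the commit message would keep the next maintainer from "correcting" them to `set`. The `Event`, `Policy` and `PolicyRule` struct bodies all start or end outside these hunks.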
@@ -221,11 +227,13 @@ type PolicyRule struct {
 // Resources that this rule matches. An empty list implies all kinds in all API groups.
 // +optional
+ // +listType=atomic
 Resources []GroupResources `json:"resources,omitempty" protobuf:"bytes,5,rep,name=resources"`
 
 // Namespaces that this rule matches.
 // The empty string "" matches non-namespaced resources.
 // An empty list implies every namespace.
 // +optional
+ // +listType=atomic
 Namespaces []string `json:"namespaces,omitempty" protobuf:"bytes,6,rep,name=namespaces"`
 
 // NonResourceURLs is a set of URL paths that should be audited.
@@ -234,12 +242,14 @@ type PolicyRule struct {
 // - `/metrics` - Log requests for apiserver metrics
 // - `/healthz*` - Log all health checks
 // +optional
+ // +listType=atomic
 NonResourceURLs []string `json:"nonResourceURLs,omitempty" protobuf:"bytes,7,rep,name=nonResourceURLs"`
 
 // OmitStages is a list of stages for which no events are created. Note that this can also
 // be specified policy wide in which case the union of both are omitted.
 // An empty list means no restrictions will apply.
 // +optional
+ // +listType=atomic
 OmitStages []Stage `json:"omitStages,omitempty" protobuf:"bytes,8,rep,name=omitStages"`
 
 // OmitManagedFields indicates whether to omit the managed fields of the request
@@ -274,11 +284,13 @@ type GroupResources struct {
 //
 // An empty list implies all resources and subresources in this API groups apply.
 // +optional
+ // +listType=atomic
 Resources []string `json:"resources,omitempty" protobuf:"bytes,2,rep,name=resources"`
 
 // ResourceNames is a list of resource instance names that the policy matches.
 // Using this field requires Resources to be specified.
 // An empty list implies that every instance of the resource is matched.
 // +optional
+ // +listType=atomic
 ResourceNames []string `json:"resourceNames,omitempty" protobuf:"bytes,3,rep,name=resourceNames"`
 }