Add an impersonation test case to the audit E2E test
This commit is contained in:
parent
7ba79c3183
commit
f9df691c72
@ -79,6 +79,16 @@ var _ = SIGDescribe("Advanced Audit", func() {
|
|||||||
anonymousClient, err := clientset.NewForConfig(config)
|
anonymousClient, err := clientset.NewForConfig(config)
|
||||||
framework.ExpectNoError(err)
|
framework.ExpectNoError(err)
|
||||||
|
|
||||||
|
By("Creating a kubernetes client that impersonates an authorized user")
|
||||||
|
config, err = framework.LoadConfig()
|
||||||
|
framework.ExpectNoError(err)
|
||||||
|
config.Impersonate = restclient.ImpersonationConfig{
|
||||||
|
UserName: "superman",
|
||||||
|
Groups: []string{"system:masters"},
|
||||||
|
}
|
||||||
|
impersonatedClient, err := clientset.NewForConfig(config)
|
||||||
|
framework.ExpectNoError(err)
|
||||||
|
|
||||||
testCases := []struct {
|
testCases := []struct {
|
||||||
action func()
|
action func()
|
||||||
events []utils.AuditEvent
|
events []utils.AuditEvent
|
||||||
@ -668,6 +678,30 @@ var _ = SIGDescribe("Advanced Audit", func() {
|
|||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
// List pods as impersonated user.
|
||||||
|
{
|
||||||
|
func() {
|
||||||
|
_, err = impersonatedClient.CoreV1().Pods(namespace).List(metav1.ListOptions{})
|
||||||
|
framework.ExpectNoError(err, "failed to list pods")
|
||||||
|
},
|
||||||
|
[]utils.AuditEvent{
|
||||||
|
{
|
||||||
|
Level: auditinternal.LevelRequest,
|
||||||
|
Stage: auditinternal.StageResponseComplete,
|
||||||
|
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/pods", namespace),
|
||||||
|
Verb: "list",
|
||||||
|
Code: 200,
|
||||||
|
User: auditTestUser,
|
||||||
|
ImpersonatedUser: "superman",
|
||||||
|
ImpersonatedGroups: "system:masters",
|
||||||
|
Resource: "pods",
|
||||||
|
Namespace: namespace,
|
||||||
|
RequestObject: false,
|
||||||
|
ResponseObject: false,
|
||||||
|
AuthorizeDecision: "allow",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
// test authorizer annotations, RBAC is required.
|
// test authorizer annotations, RBAC is required.
|
||||||
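Review bot: The comment `// List pods as impersonated user.` on the new case does not state what the case verifies, which is the attribution rule encoded in the expected event: `User: auditTestUser` must still name the real caller while `ImpersonatedUser` and `ImpersonatedGroups` record the identity acted as. I would extend it to `// List pods as impersonated user: the event must attribute the request to auditTestUser and record the impersonated user/groups separately.` Because `ImpersonatedGroups: "system:masters"` is matched as the exact sorted, comma-joined string, any additional group the apiserver attached to the impersonated identity would make this case fail; that looks intended, but a word about it in the comment would save the next person a debugging round. The anonymous case in the following hunk gains the same two fields and the same remark applies there.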
@ -684,17 +718,19 @@ var _ = SIGDescribe("Advanced Audit", func() {
|
|||||||
},
|
},
|
||||||
[]utils.AuditEvent{
|
[]utils.AuditEvent{
|
||||||
{
|
{
|
||||||
Level: auditinternal.LevelRequest,
|
Level: auditinternal.LevelRequest,
|
||||||
Stage: auditinternal.StageResponseComplete,
|
Stage: auditinternal.StageResponseComplete,
|
||||||
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/pods/another-audit-pod", namespace),
|
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/pods/another-audit-pod", namespace),
|
||||||
Verb: "get",
|
Verb: "get",
|
||||||
Code: 403,
|
Code: 403,
|
||||||
User: auditTestUser,
|
User: auditTestUser,
|
||||||
Resource: "pods",
|
ImpersonatedUser: "system:anonymous",
|
||||||
Namespace: namespace,
|
ImpersonatedGroups: "system:unauthenticated",
|
||||||
RequestObject: false,
|
Resource: "pods",
|
||||||
ResponseObject: false,
|
Namespace: namespace,
|
||||||
AuthorizeDecision: "forbid",
|
RequestObject: false,
|
||||||
|
ResponseObject: false,
|
||||||
|
AuthorizeDecision: "forbid",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -20,6 +20,8 @@ import (
|
|||||||
"bufio"
|
"bufio"
|
||||||
"fmt"
|
"fmt"
|
||||||
"io"
|
"io"
|
||||||
|
"sort"
|
||||||
|
"strings"
|
||||||
|
|
||||||
"k8s.io/apimachinery/pkg/runtime"
|
"k8s.io/apimachinery/pkg/runtime"
|
||||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||||
@ -28,17 +30,19 @@ import (
|
|||||||
)
|
)
|
||||||
|
|
||||||
type AuditEvent struct {
|
type AuditEvent struct {
|
||||||
Level auditinternal.Level
|
Level auditinternal.Level
|
||||||
Stage auditinternal.Stage
|
Stage auditinternal.Stage
|
||||||
RequestURI string
|
RequestURI string
|
||||||
Verb string
|
Verb string
|
||||||
Code int32
|
Code int32
|
||||||
User string
|
User string
|
||||||
Resource string
|
ImpersonatedUser string
|
||||||
Namespace string
|
ImpersonatedGroups string
|
||||||
RequestObject bool
|
Resource string
|
||||||
ResponseObject bool
|
Namespace string
|
||||||
AuthorizeDecision string
|
RequestObject bool
|
||||||
|
ResponseObject bool
|
||||||
|
AuthorizeDecision string
|
||||||
}
|
}
|
||||||
|
|
||||||
// Search the audit log for the expected audit lines.
|
// Search the audit log for the expected audit lines.
|
||||||
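Review bot: The new fields `ImpersonatedUser string` and `ImpersonatedGroups string` carry no comments, and the second is a flattened string rather than a `[]string`, which a reader of this struct alone cannot tell. I would document them as `ImpersonatedUser string // username from the event's impersonatedUser; empty when no impersonation was recorded` and `ImpersonatedGroups string // impersonated groups, sorted and joined with "," (see parseAuditLine)`. Since the groups are joined with a comma, a group name that itself contains a comma would be indistinguishable from two groups; that is fine for the fixed names the e2e test uses, but the comment should state the encoding so callers do not compare against an unsorted or differently joined value.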
@ -101,6 +105,11 @@ func parseAuditLine(line string, version schema.GroupVersion) (AuditEvent, error
|
|||||||
if e.RequestObject != nil {
|
if e.RequestObject != nil {
|
||||||
event.RequestObject = true
|
event.RequestObject = true
|
||||||
}
|
}
|
||||||
|
if e.ImpersonatedUser != nil {
|
||||||
|
event.ImpersonatedUser = e.ImpersonatedUser.Username
|
||||||
|
sort.Strings(e.ImpersonatedUser.Groups)
|
||||||
|
event.ImpersonatedGroups = strings.Join(e.ImpersonatedUser.Groups, ",")
|
||||||
|
}
|
||||||
event.AuthorizeDecision = e.Annotations["authorization.k8s.io/decision"]
|
event.AuthorizeDecision = e.Annotations["authorization.k8s.io/decision"]
|
||||||
return event, nil
|
return event, nil
|
||||||
}
|
}
|
||||||
|
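Review bot: The `sort.Strings(e.ImpersonatedUser.Groups)` call sorts the decoded slice in place with no comment saying why, and the reason matters for anyone comparing `ImpersonatedGroups` later: the joined string is only deterministic because group order from the log is normalized here. I would add `// Sort so the joined string is deterministic regardless of the order the groups were recorded in.` above the sort. The in-place sort mutates `e`, which appears to be the value decoded from `line` earlier in parseAuditLine and so is not shared with anything else, but that part of the function is outside the hunk. The `UID` and `Extra` parts of the impersonated user info appear to be dropped deliberately given the struct only has the two string fields; noting that in the same comment would make the omission clearly intentional.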