diff --git a/staging/src/k8s.io/apiserver/pkg/audit/policy/BUILD b/staging/src/k8s.io/apiserver/pkg/audit/policy/BUILD
index 8efedfb44a4..17d5881b066 100644
--- a/staging/src/k8s.io/apiserver/pkg/audit/policy/BUILD
+++ b/staging/src/k8s.io/apiserver/pkg/audit/policy/BUILD
@@ -34,7 +34,7 @@ go_library(
     importpath = "k8s.io/apiserver/pkg/audit/policy",
     deps = [
         "//vendor/github.com/golang/glog:go_default_library",
-        "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
         "//vendor/k8s.io/apiserver/pkg/apis/audit:go_default_library",
         "//vendor/k8s.io/apiserver/pkg/apis/audit/v1alpha1:go_default_library",
         "//vendor/k8s.io/apiserver/pkg/apis/audit/v1beta1:go_default_library",
diff --git a/staging/src/k8s.io/apiserver/pkg/audit/policy/reader.go b/staging/src/k8s.io/apiserver/pkg/audit/policy/reader.go
index b748e8649cc..1d02e1a3fb9 100644
--- a/staging/src/k8s.io/apiserver/pkg/audit/policy/reader.go
+++ b/staging/src/k8s.io/apiserver/pkg/audit/policy/reader.go
@@ -20,7 +20,7 @@ import (
 	"fmt"
 	"io/ioutil"
 
-	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	auditinternal "k8s.io/apiserver/pkg/apis/audit"
 	auditv1alpha1 "k8s.io/apiserver/pkg/apis/audit/v1alpha1"
 	auditv1beta1 "k8s.io/apiserver/pkg/apis/audit/v1beta1"
@@ -30,6 +30,20 @@ import (
 	"github.com/golang/glog"
 )
 
+var (
+	apiGroupVersions = []schema.GroupVersion{
+		auditv1beta1.SchemeGroupVersion,
+		auditv1alpha1.SchemeGroupVersion,
+	}
+	apiGroupVersionSet = map[schema.GroupVersion]bool{}
+)
+
+func init() {
+	for _, gv := range apiGroupVersions {
+		apiGroupVersionSet[gv] = true
+	}
+}
+
 func LoadPolicyFromFile(filePath string) (*auditinternal.Policy, error) {
 	if filePath == "" {
 		return nil, fmt.Errorf("file path not specified")
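Review bot: The two new package-level vars in reader.go carry no comment, and `apiGroupVersionSet` is a derived copy that `init()` keeps in step with `apiGroupVersions` — mutable package state plus an init-time side effect for a two-element membership test. I would document the slice, e.g. `// apiGroupVersions lists the audit API versions a policy file may declare; LoadPolicyFromFile rejects any other apiVersion.`, and either write the set as a literal (`apiGroupVersionSet = map[schema.GroupVersion]bool{auditv1beta1.SchemeGroupVersion: true, auditv1alpha1.SchemeGroupVersion: true}`) or drop it in favour of a linear scan over the slice, so there is a single source of truth and no `init()`. The body of LoadPolicyFromFile continues past the end of this hunk.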
@@ -40,11 +54,18 @@ func LoadPolicyFromFile(filePath string) (*auditinternal.Policy, error) {
 	}
 
 	policy := &auditinternal.Policy{}
-	decoder := audit.Codecs.UniversalDecoder(auditv1beta1.SchemeGroupVersion, auditv1alpha1.SchemeGroupVersion)
-	if err := runtime.DecodeInto(decoder, policyDef, policy); err != nil {
+	decoder := audit.Codecs.UniversalDecoder(apiGroupVersions...)
+
+	_, gvk, err := decoder.Decode(policyDef, nil, policy)
+	if err != nil {
 		return nil, fmt.Errorf("failed decoding file %q: %v", filePath, err)
 	}
 
+	// Ensure the policy file contained an apiVersion and kind.
+	if !apiGroupVersionSet[schema.GroupVersion{Group: gvk.Group, Version: gvk.Version}] {
+		return nil, fmt.Errorf("unknown group version field %v in policy file %s", gvk, filePath)
+	}
+
 	if err := validation.ValidatePolicy(policy); err != nil {
 		return nil, err.ToAggregate()
 	}
diff --git a/staging/src/k8s.io/apiserver/pkg/audit/policy/reader_test.go b/staging/src/k8s.io/apiserver/pkg/audit/policy/reader_test.go
index f9bda28463c..b05297a983a 100644
--- a/staging/src/k8s.io/apiserver/pkg/audit/policy/reader_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/audit/policy/reader_test.go
@@ -71,6 +71,24 @@
   - level: Metadata
 `
 
+const policyWithNoVersionOrKind = `
+rules:
+  - level: None
+    nonResourceURLs:
+    - /healthz*
+    - /version
+  - level: RequestResponse
+    users: ["tim"]
+    userGroups: ["testers", "developers"]
+    verbs: ["patch", "delete", "create"]
+    resources:
+      - group: ""
+      - group: "rbac.authorization.k8s.io"
+        resources: ["clusterroles", "clusterrolebindings"]
+    namespaces: ["default", "kube-system"]
+  - level: Metadata
+`
+
 var expectedPolicy = &audit.Policy{
 	Rules: []audit.PolicyRule{{
 		Level: audit.LevelNone,
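Review bot: The guard added after `decoder.Decode` compares only `gvk.Group` and `gvk.Version` against `apiGroupVersionSet`, so it does not verify the `kind` that its comment promises; a file declaring a valid `apiVersion` but no `kind` would pass through unchanged if, as seems likely, the decoder fills the missing kind in from the `*auditinternal.Policy` target. Since the audit policy decides what the apiserver records, it is worth being strict: `if gvk.Kind != "Policy" || !apiGroupVersionSet[gvk.GroupVersion()] {` — `schema.GroupVersionKind` already has `GroupVersion()`, which also removes the hand-built struct literal. The new error should quote the path with `%q` like the decode error two lines above it. LoadPolicyFromFile starts before and ends after this hunk.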
@@ -104,6 +122,15 @@ func TestParserV1alpha1(t *testing.T) {
 	}
 }
 
+func TestParsePolicyWithNoVersionOrKind(t *testing.T) {
+	f, err := writePolicy(t, policyWithNoVersionOrKind)
+	require.NoError(t, err)
+	defer os.Remove(f)
+
+	_, err = LoadPolicyFromFile(f)
+	assert.Contains(t, err.Error(), "unknown group version field")
+}
+
 func TestParserV1beta1(t *testing.T) {
 	f, err := writePolicy(t, policyDefV1beta1)
 	require.NoError(t, err)
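Review bot: `assert.Contains(t, err.Error(), "unknown group version field")` dereferences `err` before anything has asserted it is non-nil, so if LoadPolicyFromFile ever starts accepting this fixture the test dies with a nil-pointer panic instead of a readable failure; add `require.Error(t, err)` on the line before it. The test also only exercises the file that omits both fields, while the check in reader.go keys on group/version alone, so a second fixture that sets `apiVersion` but omits `kind` would pin down whether that case is meant to be accepted or rejected.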