apiserver: add a webhook implementation of the audit backend #45919
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
k8s-github-robot
added
size/XXL
|
/cc @ihmccreery |
|
@timothysc: GitHub didn't allow me to request PR reviews from the following users: kensimon. Note that only people with write access to kubernetes/kubernetes can review this PR. |
| // New returns an audit backend at sends events over HTTP to the. | ||
| func New(kubeConfigFile string) (*AuditBackend, error) { | ||
| // TODO(ericchiang): Figure out some way to allow protobuf encoding? Is there | ||
| // a kubeconfig extension to request this? |
There was a problem hiding this comment.
FYI - we were having trouble with the protobuf code generation, so that needs to happen first.
| // LogAuditEvent attempts to POST a serialized audit event to an external service. | ||
| func (a *AuditBackend) LogAuditEvent(ev *audit.Event) error { | ||
| // TODO(ericchiang): With retry and backoff? | ||
| return a.w.RestClient.Post().Body(ev).Do().Error() |
There was a problem hiding this comment.
Can we make this send an EventList instead? Even if we're sending single events now, it means we can add batching later without changing the endpoint api at all.
ericchiang
force-pushed
the
audit-webhook-backend
branch
2 times, most recently
from
e397f24
to
ca6f107
Compare
k8s-github-robot
added
size/L
ericchiang
force-pushed
the
audit-webhook-backend
branch
from
ca6f107
to
1d7f225
Compare
Nope. Haven't pulled in sttts' PR yet. Unit tests produce a nice, empty audit object though. EDIT: everything's broken. going to wait for the other PRs to merge before moving forward. |
k8s-github-robot
added
needs-rebase
|
This needs both a release note and full doc behind it. Is there an entry in the features repo? Almost every operator is going to need to hook into this. |
k8s-github-robot
added
release-note
|
@timstclair added release notes and linked the feature and design proposal. |
| // payload contains an audit.EventList with a single element. The audit webhook may batch | ||
| // multiple events in the future. | ||
| func (a *AuditBackend) LogAuditEvent(ev *audit.Event) error { | ||
| list := &audit.EventList{Items: []audit.Event{*ev}} |
There was a problem hiding this comment.
Does this need to be converted to the versioned API, or is that done automatically by the RestClient?
There was a problem hiding this comment.
done by the rest client, compare the internal client, e.g. pkg/client/clientset_generated/internalclientset/typed/batch/internalversion/job.go
There was a problem hiding this comment.
That's correct. Let me update the test to show that.
| // Since the audit API isn't registered with the client or apimachinery API, | ||
| // create a unique scheme to register this API group with here. | ||
| // | ||
| // TODO(ericchiang): Refactor this once the audit API group is moved to k8s.io/api. |
There was a problem hiding this comment.
I think the current plan is that it will move into a new repository, e.g. k8s.io/apiserverapi (needs a better name...)
| } | ||
|
|
||
| install.Install(groupFactoryRegistry, registry, scheme) | ||
| } |
There was a problem hiding this comment.
Can we move this to a common location? I'm not sure what the "right" way to do it is, but I need something similar to parse the Policy out of a file.
There was a problem hiding this comment.
This first bit, at least, is just copied from other webhooks.[1] The install call was because "k8s.io/apiserver/pkg/apis/audit/install" doesn't call this like other api groups.[2] Maybe we could have the audit/install package actually register the API group?
[1]
[2]
kubernetes/pkg/apis/imagepolicy/install/install.go
Lines 31 to 33 in e9b02c2
There was a problem hiding this comment.
It looks like most API groups are installed on k8s.io/kubernetes/pkg/api (see the second link above). If I'm not mistaken, we can't import that package here. The other k8s.io/apiserver/pkg/apis group doesn't do this import.
There was a problem hiding this comment.
We don't have a global scheme and registry in k8s.io/apiserver. All the new api servers (aggregation, apiextensions, ...) have their private one for the crud served resources. Having a private scheme is the way to go.
ericchiang
force-pushed
the
audit-webhook-backend
branch
from
11fad6e
to
e7235bf
Compare
|
|
||
| c := conversion.NewCloner() | ||
| for _, f := range metav1.GetGeneratedDeepCopyFuncs() { | ||
| if err := c.RegisterGeneratedDeepCopyFunc(f); err != nil { |
There was a problem hiding this comment.
also the audit deepcopy funcs. Feel free to re-apply lgtm after that.
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
@deads2k can you approve? |
ericchiang
force-pushed
the
audit-webhook-backend
branch
from
e7235bf
to
a88e018
Compare
k8s-github-robot
removed
the
lgtm
|
|
||
| // Copied from generated code in k8s.io/apiserver/pkg/apis/audit. | ||
| // | ||
| // TODO(ericchiang): Have the generated code expose these methods like metav1.GetGeneratedDeepCopyFuncs(). |
There was a problem hiding this comment.
Going to follow up with a change to not have this copied from the audit package. It's currently in a generated file that I don't want to mess with:
ericchiang
added
the
lgtm
|
Re-applying lgtm per #45919 (comment) |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, ericchiang, sttts, timstclair
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
k8s-github-robot
added
the
approved
|
@k8s-bot pull-kubernetes-e2e-gce-etcd3 test this |
|
Test failing due to #46713 |
|
@k8s-bot gce etcd3 e2e test this |
|
@k8s-bot gce etcd3 e2e test this |
|
:( would rebasing be a good idea? |
|
I think we just need to wait for #46713 to be resolved :( |
|
@k8s-bot pull-kubernetes-e2e-gce-etcd3 test this |
|
@ericchiang: The following test(s) failed:
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
@k8s-bot pull-kubernetes-federation-e2e-gce test this |
|
Automatic merge from submit-queue |
Automatic merge from submit-queue (batch tested with PRs 46620, 46732, 46773, 46772, 46725) Instrument advanced auditing Add prometheus metrics for audit logging, including: - A total count of audit events generated and sent to the output backend - A count of audit events that failed to be audited due to an error (per backend) - A count of request audit levels (1 per request) For kubernetes/enhancements#22 - [x] TODO: Call `HandlePluginError` from the webhook backend, once #45919 merges (in this or a separate PR, depending on timing of the merge) /cc @ihmccreery @sttts @soltysh @ericchiang
This builds off of #45315 and is intended to implement an interfaced defined in #45766.
TODO:
Features issue kubernetes/enhancements#22
Design proposal https://github.com/kubernetes/community/blob/master/contributors/design-proposals/auditing.md
/cc @soltysh @timstclair @soltysh @deads2k