Provide a way to omit Event stages in audit policy

[CaoShuFeng]

This provide a way to omit some stages for each audit policy rule.

For example:

```
  apiVersion: audit.k8s.io/v1beta1
  kind: Policy
  - level: Metadata
    resources:
       - group: "rbac.authorization.k8s.io"
         resources: ["roles"]
    omitStages:
      - "RequestReceived"
```

RequestReceived stage will not be emitted to audit backends with previous config.

Release note:

None

[k8s-ci-robot]

Hi @CaoShuFeng. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[CaoShuFeng]

We want to omit the RequestReceived stage in GKE. The policy may be the right place to specify that.

@sttts @tallclair
I will add unit test for this change soon if my idea is "right".

[tallclair]

@CaoShuFeng - What is your motivation for omitting stages? Would the solution proposed in #46592 (comment) work for you? I'd like to explore that option before expanding the audit profile API.

[CaoShuFeng]

@tallclair Thanks for your review.

I write this pr because of this expression:

We want to omit the RequestReceived stage in GKE. The policy may be the right place to specify that.

It looks like I got it wrong.
What's the meaning behind The policy may be the right place to specify that. ?

[tallclair]

This isn't wrong, per say. I just wanted to discuss alternatives before putting the burden on the user (i.e. adding it to the policy). If we can accomplish the same goals automatically (the batching proposal) then I think that would be preferable.

[CaoShuFeng]

. I just wanted to discuss alternatives before putting the burden on the user (i.e. adding it to the policy)

Agree.

Thanks for teaching me.
I will leave this pr open for a while. Maybe this is useful.

[caesarxuchao]

/assign @tallclair
/unassign @caesarxuchao

[CaoShuFeng]

Closed according to commants from @tallclair and @ericchiang .
Ref:
#48561 (comment)
#48561 (comment)

[CaoShuFeng]

Repopened according to @crassirostris 's commants.
Ref:
#48561 (comment)

This is still WIP, Unit tests will come soon.

[crassirostris]

@tallclair suggested earlier that it might be useful to have omitStages field in the Policy object that will be "ored" with the omitStages field in the PolicyRule. That's a syntax sugar for cases where a stage has to be excluded in every rule

@sttts @CaoShuFeng WDYT?

[crassirostris]

Btw, it should probably should be rebased once #49115 is merged and the changes should go to the beta API

[sttts]

no need for the if.

[sttts]

oops, that's generated proto :)

[sttts]

no need for the if

[sttts]

don't the level and stages overlap?

[CaoShuFeng]

Renamed to LevelAndStages

[sttts]

LevelAndOmitStaged

[sttts]

nit: An empty....

[CaoShuFeng]

Done.

[sttts]

nit: fullstop and spaces after ,

[sttts]

Is it common to relist the constants in those comments?

[crassirostris]

Is it common to relist the constants in those comments?

+1, I don't think it's a great idea

[CaoShuFeng]

Done.

[sttts]

please add a comment: omitStages are skipped, i.e. not sent to the backend. But their information is still recorded in the context Event for later stages.

[CaoShuFeng]

Done.

[sttts]

Some nit. Overall lgtm.

[sttts]

@tallclair suggested earlier that it might be useful to have omitStages field in the Policy object that will be "ored" with the omitStages

Sounds good.

[sttts]

Needs rebase.

[CaoShuFeng]

Needs rebase.

Partially done. This will need another rebase after #51797.
#51797 has gone into the submit queue.

[CaoShuFeng]

/test pull-kubernetes-e2e-gce-bazel

[sttts]

/retest

[sttts]

Can't we return omitStages from createAuditEventAndAttachToContext? Am not a fan of this code duplication.

[crassirostris]

I'm not sure why this function is removed at all. omitStages are later obtained from the policy and not used until the code that was previously outside of createAuditEventAndAttachToContext. @CaoShuFeng Could you please elaborate more?

[CaoShuFeng]

I have took createAuditEventAndAttachToContext back.
And the codes look cleaner for me, thanks.

[sttts]

much better now

[sttts]

lgtm. @crassirostris can you take another look and /lgtm if it is ok?

[crassirostris]

Some nits regarding the comments, otherwise LGTM

[crassirostris]

I think that might be confusing. What about An empty list means no restrictions will apply.?

[CaoShuFeng]

Done.

[crassirostris]

omitStages are skipped

Is this comment necessary? once and sink are not set to the backend also :) Basically, the only explanation why omitStages field is there is b/c it's used later and this description is not very informative. Maybe remove the comment altogether?

[CaoShuFeng]

Good for me.
Deleted.

[crassirostris]

LGTM

[crassirostris]

/lgtm

[k8s-github-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: CaoShuFeng, crassirostris, sttts

Associated issue requirement bypassed by: sttts

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

• staging/src/k8s.io/apiserver/OWNERS [sttts]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[k8s-github-robot]

Automatic merge from submit-queue

[k8s-ci-robot]

@CaoShuFeng: The following test failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
pull-kubernetes-e2e-kops-aws	b50acbd	link	/test pull-kubernetes-e2e-kops-aws

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[tengqm]

should we mark this as optional?

[CaoShuFeng]

Yes, we should.

[CaoShuFeng]

Added here together:
#54634