Advanced Auditing 1.12 umbrella bug #65266
Comments
Maybe add this: #64791 |
cc @destijl |
We already have that per-backend with |
/milestone v1.12 |
@CaoShuFeng I see Tim already added this.
|
I see, thanks for clarifying. Yeah, blocking should have been that (blocking-strict sgtm) |
Sorry, can you clarify which one do you think makes more sense? Adding third option (e.g. blocking-strict) or changing behavior of existing 'blocking' setting? |
@timstclair could you approve it for milestone? |
I don't think we can change |
[MILESTONENOTIFIER] Milestone Issue: Up-to-date for process Issue Labels
|
what would it mean for a mutating request to fail if the responsecomplete audit logging fails after the object is persisted? just a failure http status? |
Right, to clarify this would only work for the |
Yeah, this makes sense only for |
@CaoShuFeng I see that you performed the API graduation from alpha to beta last time. Do you want to take care of doing the same for stable, or should I take it? And do you think that there are any blockers for it? |
Would be good either way. I remember that we will delete some fields when upgrading the audit API.
Not very sure. Do we wait until issues here get solved? |
Thanks for pointing. Do we need any period for testing newly introduced/renamed fields?
user-agent field was added. @x13n could you update it? |
Agree. I think so.
Sounds good to me. I could start coding on Friday, if I am responsible for upgrading the API. What do you think? |
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

upgrade Audit api version to stable

Partial Fix: kubernetes/kubernetes#65266

TODO: use v1 version of advanced audit policy in [kubeadm](https://github.com/kubernetes/kubernetes/blob/86b9a53226b1c9f9dce3ffb0133482f14709418b/cmd/kubeadm/app/util/audit/utils.go#L29), [gce script](https://github.com/kubernetes/kubernetes/blob/86b9a53226b1c9f9dce3ffb0133482f14709418b/cluster/gce/gci/configure-helper.sh#L743), [kubemark](https://github.com/kubernetes/kubernetes/blob/86b9a53226b1c9f9dce3ffb0133482f14709418b/test/kubemark/resources/start-kubemark-master.sh#L349)

**What this PR does / why we need it**:

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #

**Special notes for your reviewer**:

**Release note**:
```release-note
audit.k8s.io api group is upgraded from v1beta1 to v1.
Deprecated element metav1.ObjectMeta and Timestamp are removed from audit Events in v1 version.
Default value of option --audit-webhook-version and --audit-log-version will be changed from `audit.k8s.io/v1beta1` to `audit.k8s.io/v1` in release 1.13
```

Kubernetes-commit: 28b2b2128723d382ce241e9b67c7e875b9dfba78
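For anyone consuming audit logs, the release note above means a parser that reads the deprecated `timestamp` or `metadata` elements stops working once events are written as `audit.k8s.io/v1`. The following is an added example, not code from this thread or from the Kubernetes project: a version-tolerant reader that takes the event time from `requestReceivedTimestamp` and flags lines that still carry the deprecated elements. The JSON key names are assumed to match the serialized audit Event types, and `EventTime` and both sample lines are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// auditEvent holds only the keys needed here. "metadata" and "timestamp" are
// the deprecated v1beta1 elements that v1 events no longer carry (assumed keys).
type auditEvent struct {
	APIVersion               string          `json:"apiVersion"`
	AuditID                  string          `json:"auditID"`
	Metadata                 json.RawMessage `json:"metadata"`
	Timestamp                string          `json:"timestamp"`
	RequestReceivedTimestamp string          `json:"requestReceivedTimestamp"`
}

// EventTime returns the request time of one JSON audit log line and whether
// the line still carries a deprecated element. It prefers
// requestReceivedTimestamp, so it works on v1beta1 and v1 events alike.
func EventTime(line string) (t time.Time, deprecated bool, err error) {
	var ev auditEvent
	if err = json.Unmarshal([]byte(line), &ev); err != nil {
		return t, false, err
	}
	deprecated = len(ev.Metadata) > 0 || ev.Timestamp != ""
	raw := ev.RequestReceivedTimestamp
	if raw == "" {
		raw = ev.Timestamp // fallback that only pre-v1 events can satisfy
	}
	if raw == "" {
		return t, deprecated, fmt.Errorf("event %s (%s): no usable timestamp", ev.AuditID, ev.APIVersion)
	}
	t, err = time.Parse(time.RFC3339, raw) // also accepts microsecond fractions
	return t, deprecated, err
}

// Constructed sample lines, not taken from a real cluster.
const sampleV1beta1 = `{"kind":"Event","apiVersion":"audit.k8s.io/v1beta1","metadata":{"creationTimestamp":"2018-08-01T10:00:00Z"},"level":"Metadata","timestamp":"2018-08-01T10:00:00Z","auditID":"00000000-0000-0000-0000-000000000001","stage":"ResponseComplete","verb":"get","requestReceivedTimestamp":"2018-08-01T10:00:00.123456Z","stageTimestamp":"2018-08-01T10:00:00.125000Z"}`
const sampleV1 = `{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"00000000-0000-0000-0000-000000000002","stage":"ResponseComplete","verb":"get","requestReceivedTimestamp":"2018-08-01T10:00:01.654321Z","stageTimestamp":"2018-08-01T10:00:01.660000Z"}`

func main() {
	for _, l := range []string{sampleV1beta1, sampleV1} {
		t, dep, err := EventTime(l)
		fmt.Println(t.UTC().Format(time.RFC3339Nano), dep, err)
	}
}
```

Running it over existing log files before changing `--audit-log-version` or `--audit-webhook-version` shows which stored events, and therefore which downstream parsers, still depend on the deprecated elements.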
/open |
/reopen |
@CaoShuFeng: you can't re-open an issue/PR unless you authored it or you are assigned to it. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/assign |
/reopen |
Stop putting "bla bla Fix: #65266" into PR descriptions :-) |
/reopen |
@x13n: Reopening this issue. In response to this:
Please continue this work in 1.13. |
/milestone v1.13 |
Actually, we'll tombstone this to track what was done in 1.12 and copy unfinished items to a new issue /milestone v1.12 |
@liggitt: Closing this issue. In response to this:
This is a continuation of #60392
API-related changes
@CaoShuFeng is working on this in support annotations for admission webhook #58679
Bugfixes and improvements
Policy changes
To discuss
I mostly carried over the unfinished work from the 1.11 issue. Two things added: the ability to reject apiserver requests when audit logging fails (configurable via audit policy) and - optionally - the recent proposal for dynamic audit configuration.
/kind feature
/sig auth
/area audit
cc @loburm @tallclair @soltysh