Implement audit policy logic #46009
Implement audit policy logic #46009
Conversation
k8s-ci-robot
requested review from
ikehz,
soltysh,
sttts,
ericchiang,
pweil- and
deads2k
k8s-ci-robot
added
the
cncf-cla: yes
k8s-github-robot
added
size/XXL
| case audit.LevelNone, audit.LevelMetadata, audit.LevelRequest, audit.LevelRequestResponse: | ||
| return nil | ||
| default: | ||
| return field.ErrorList{field.Required(fldPath, "")} |
There was a problem hiding this comment.
add a "" case and a proper error message for non-empty, but invalid level.
| } | ||
| } | ||
|
|
||
| if len(r.Namespaces) > 0 || len(r.Resources) > 0 { |
There was a problem hiding this comment.
why the first clause? We have cluster-scope resources.
There was a problem hiding this comment.
ruleMatchesResource checks whether the request matches any Namespaces or Resources from the rule. If neither are set, there's nothing to check :)
There was a problem hiding this comment.
misread the operator, it's || not &&
| panic(fmt.Sprintf("failed to enable version %v", groupVersions)) | ||
| } | ||
|
|
||
| install.Install(groupFactoryRegistry, registry, scheme) |
There was a problem hiding this comment.
don't like to depend on the registry here. Using the scheme with AddToScheme is enough. The registry should be for CRUD api groups.
There was a problem hiding this comment.
Ack. This is section is throwaway code.
| return nil, fmt.Errorf("failed to read file path %s: %+v", filePath, err) | ||
| } | ||
| if len(policyDef) == 0 { | ||
| return nil, fmt.Errorf("file was empty: %s", filePath) |
There was a problem hiding this comment.
won't that fail the decoding?
There was a problem hiding this comment.
Actually no, it will just create an empty policy.
|
|
||
| decoder := codecs.UniversalDecoder(v1alpha1.SchemeGroupVersion) | ||
| if err := runtime.DecodeInto(decoder, policyDef, policyVersioned); err != nil { | ||
| return nil, fmt.Errorf("failed decoding file: %v", err) |
There was a problem hiding this comment.
doesn't matter where, but we need the file name in the error messages somewhere.
k8s-github-robot
added
size/XL
|
|
||
| // FIXME: Figure out a shared location for this vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv | ||
| // Duplicated from @ericchiang's PR: | ||
| // https://github.com/kubernetes/kubernetes/pull/45919 |
| // AdvancedAuditing enables a much more general API auditing pipeline, which includes support for | ||
| // pluggable output backends and an audit policy specifying how different requests should be | ||
| // audited. | ||
| AdvancedAuditing utilfeature.Feature = "AdvancedAuditing" |
There was a problem hiding this comment.
What do we want to switch here? By default auditing is off. If you use the --audit-log-* flags, you will get the log plugin. What about the default level? It used to be meta data only, but not "none".
We could re-add the old WithAudit filter as WithBasicAudit and use that if the feature is disabled. Wdyt?
There was a problem hiding this comment.
We could re-add the old WithAudit filter as WithBasicAudit and use that if the feature is disabled. Wdyt?
That's what I was suggesting in #45766 (comment). Since the pipeline is growing in complexity, I think we should do that.
Reasons for adding a feature flag:
- This code is coming in hot and it mitigates risk. Additionally, it would make a code freeze exception easier if we end up needing it...
- Default audit level (off = metadata, on = none)
- If users specify flags for the new features (e.g. set a policy, different backend) they should be aware that they are using an alpha feature. Requiring the feature gate to be set makes that more explicit
- Makes the support & completeness level of advanced auditing explicit
| @@ -45,9 +50,30 @@ func (o *AuditLogOptions) AddFlags(fs *pflag.FlagSet) { | |||
| "The maximum number of old audit log files to retain.") | |||
| fs.IntVar(&o.MaxSize, "audit-log-maxsize", o.MaxSize, | |||
| "The maximum size in megabytes of the audit log file before it gets rotated.") | |||
|
|
|||
| fs.StringVar(&o.PolicyPath, "audit-policy", o.PolicyPath, | |||
| "Path to the file that defines the audit policy configuration.") | |||
There was a problem hiding this comment.
add something about the feature flag.
There was a problem hiding this comment.
And about the default of "none".
| } | ||
|
|
||
| func (o *AuditLogOptions) ApplyTo(c *server.Config) error { | ||
| if utilfeature.DefaultFeatureGate.Enabled(features.AdvancedAuditing) { |
There was a problem hiding this comment.
this answer my question from above.
Automatic merge from submit-queue (batch tested with PRs 45766, 46223) Audit: fill audit.Event in handler chain Related: - external API types #45315 - policy checker #46009 Decisions: - ~~[ ] decide whether we want to send an event before `WriteHeader` #45766 (review) Follow-up described in https://github.com/kubernetes/kubernetes/pull/46065/files#r117438531 - [ ] decide how to handle `AuditID`s and the IP chain #45766 (review). Is the variant in the proposal (kubernetes/community#625) final? Then we need the API type update. - ~~[ ] decide how to mark intermediate/incomplete events? set a special reason in `ResponseStatus.Reason` vs. having extra fields for that `Event.NonFinal` #45766 (comment) Follow-up of #46065 - [ ] decide whether and how to protect the `Audit-Level` header #45766 (review) TODOs: - ~~[ ] move `AuditIDHeader`, `AuditLevelHeader` to types #45766 (comment), @timstclair for the type PR~~ Follow-up of #46065 - [x] add SourceIP/ForwardedFor support #45766 (comment) - [x] adapt ObjectReference.Resource to API PR #45766 (review)
| "k8s.io/apiserver/pkg/apis/audit/v1alpha1" | ||
| ) | ||
|
|
||
| var Scheme = runtime.NewScheme() |
There was a problem hiding this comment.
Can we move this scheme into pkg/audit? This has nothing todo with the actual API, but the plumbing around it. In general we are trying to make schemes more local.
timstclair
changed the title
|
Rebased on #45766, and finished remaining work items. This PR is now complete. PTAL |
|
I would prefer to have the scheme locally in pkg/audit. Otherwise, lgtm. |
|
Moved scheme to |
timstclair
added
release-note-none
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sttts, thockin, timstclair
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
k8s-github-robot
added
approved
|
Trivial rebase, reapplying LGTM. |
timstclair
added
lgtm
k8s-github-robot
removed
the
needs-rebase
|
@timstclair: The following test(s) failed:
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
@k8s-bot pull-kubernetes-unit test this |
|
Automatic merge from submit-queue (batch tested with PRs 45949, 46009, 46320, 46423, 46437) |
Automatic merge from submit-queue apiserver: add a webhook implementation of the audit backend This builds off of #45315 and is intended to implement an interfaced defined in #45766. TODO: - [x] Rebase on top of API types PR. - [x] Rebase on top of API types updates (#46065) - [x] Rebase on top of feature flag (#46009) - [x] Rebase on top of audit instrumentation. - [x] Hook up API server flag or register plugin (depending on #45766) Features issue kubernetes/enhancements#22 Design proposal https://github.com/kubernetes/community/blob/master/contributors/design-proposals/auditing.md ```release-notes Webhook added to the API server which omits structured audit log events. ``` /cc @soltysh @timstclair @soltysh @deads2k
Automatic merge from submit-queue (batch tested with PRs 45766, 46223) Audit: fill audit.Event in handler chain Related: - external API types kubernetes/kubernetes#45315 - policy checker kubernetes/kubernetes#46009 Decisions: - ~~[ ] decide whether we want to send an event before `WriteHeader` kubernetes/kubernetes#45766 (review) Follow-up described in https://github.com/kubernetes/kubernetes/pull/46065/files#r117438531 - [ ] decide how to handle `AuditID`s and the IP chain kubernetes/kubernetes#45766 (review). Is the variant in the proposal (kubernetes/community#625) final? Then we need the API type update. - ~~[ ] decide how to mark intermediate/incomplete events? set a special reason in `ResponseStatus.Reason` vs. having extra fields for that `Event.NonFinal` kubernetes/kubernetes#45766 (comment) Follow-up of #46065 - [ ] decide whether and how to protect the `Audit-Level` header kubernetes/kubernetes#45766 (review) TODOs: - ~~[ ] move `AuditIDHeader`, `AuditLevelHeader` to types kubernetes/kubernetes#45766 (comment), @timstclair for the type PR~~ Follow-up of kubernetes/kubernetes#46065 - [x] add SourceIP/ForwardedFor support kubernetes/kubernetes#45766 (comment) - [x] adapt ObjectReference.Resource to API PR kubernetes/kubernetes#45766 (review) Kubernetes-commit: 1f45c4846bafaa8f2f17deb53f4284cc78e83210
Includes #45315 (comment) (ignore the first commit)
Feature: kubernetes/enhancements#22
Remaining work:
server.Config/cc @sttts @soltysh @ericchiang @ihmccreery @pweil- @deads2k