-
Notifications
You must be signed in to change notification settings - Fork 38.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement audit policy logic #46009
Implement audit policy logic #46009
Conversation
case audit.LevelNone, audit.LevelMetadata, audit.LevelRequest, audit.LevelRequestResponse: | ||
return nil | ||
default: | ||
return field.ErrorList{field.Required(fldPath, "")} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
add a "" case and a proper error message for non-empty, but invalid level.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
} | ||
} | ||
|
||
if len(r.Namespaces) > 0 || len(r.Resources) > 0 { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why the first clause? We have cluster-scope resources.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ruleMatchesResource
checks whether the request matches any Namespaces or Resources from the rule. If neither are set, there's nothing to check :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
misread the operator, it's ||
not &&
panic(fmt.Sprintf("failed to enable version %v", groupVersions)) | ||
} | ||
|
||
install.Install(groupFactoryRegistry, registry, scheme) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
don't like to depend on the registry here. Using the scheme with AddToScheme is enough. The registry should be for CRUD api groups.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ack. This is section is throwaway code.
return nil, fmt.Errorf("failed to read file path %s: %+v", filePath, err) | ||
} | ||
if len(policyDef) == 0 { | ||
return nil, fmt.Errorf("file was empty: %s", filePath) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
won't that fail the decoding?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually no, it will just create an empty policy.
|
||
decoder := codecs.UniversalDecoder(v1alpha1.SchemeGroupVersion) | ||
if err := runtime.DecodeInto(decoder, policyDef, policyVersioned); err != nil { | ||
return nil, fmt.Errorf("failed decoding file: %v", err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
file %q
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
doesn't matter where, but we need the file name in the error messages somewhere.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
|
||
// FIXME: Figure out a shared location for this vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv | ||
// Duplicated from @ericchiang's PR: | ||
// https://github.com/kubernetes/kubernetes/pull/45919 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ericchiang FYI
// AdvancedAuditing enables a much more general API auditing pipeline, which includes support for | ||
// pluggable output backends and an audit policy specifying how different requests should be | ||
// audited. | ||
AdvancedAuditing utilfeature.Feature = "AdvancedAuditing" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What do we want to switch here? By default auditing is off. If you use the --audit-log-*
flags, you will get the log plugin. What about the default level? It used to be meta data only, but not "none".
We could re-add the old WithAudit
filter as WithBasicAudit
and use that if the feature is disabled. Wdyt?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We could re-add the old WithAudit filter as WithBasicAudit and use that if the feature is disabled. Wdyt?
That's what I was suggesting in #45766 (comment). Since the pipeline is growing in complexity, I think we should do that.
Reasons for adding a feature flag:
- This code is coming in hot and it mitigates risk. Additionally, it would make a code freeze exception easier if we end up needing it...
- Default audit level (off = metadata, on = none)
- If users specify flags for the new features (e.g. set a policy, different backend) they should be aware that they are using an alpha feature. Requiring the feature gate to be set makes that more explicit
- Makes the support & completeness level of advanced auditing explicit
@@ -45,9 +50,30 @@ func (o *AuditLogOptions) AddFlags(fs *pflag.FlagSet) { | |||
"The maximum number of old audit log files to retain.") | |||
fs.IntVar(&o.MaxSize, "audit-log-maxsize", o.MaxSize, | |||
"The maximum size in megabytes of the audit log file before it gets rotated.") | |||
|
|||
fs.StringVar(&o.PolicyPath, "audit-policy", o.PolicyPath, | |||
"Path to the file that defines the audit policy configuration.") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
add something about the feature flag.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And about the default of "none".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
} | ||
|
||
func (o *AuditLogOptions) ApplyTo(c *server.Config) error { | ||
if utilfeature.DefaultFeatureGate.Enabled(features.AdvancedAuditing) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this answer my question from above.
Automatic merge from submit-queue (batch tested with PRs 45766, 46223) Audit: fill audit.Event in handler chain Related: - external API types #45315 - policy checker #46009 Decisions: - ~~[ ] decide whether we want to send an event before `WriteHeader` #45766 (review) Follow-up described in https://github.com/kubernetes/kubernetes/pull/46065/files#r117438531 - [ ] decide how to handle `AuditID`s and the IP chain #45766 (review). Is the variant in the proposal (kubernetes/community#625) final? Then we need the API type update. - ~~[ ] decide how to mark intermediate/incomplete events? set a special reason in `ResponseStatus.Reason` vs. having extra fields for that `Event.NonFinal` #45766 (comment) Follow-up of #46065 - [ ] decide whether and how to protect the `Audit-Level` header #45766 (review) TODOs: - ~~[ ] move `AuditIDHeader`, `AuditLevelHeader` to types #45766 (comment), @timstclair for the type PR~~ Follow-up of #46065 - [x] add SourceIP/ForwardedFor support #45766 (comment) - [x] adapt ObjectReference.Resource to API PR #45766 (review)
"k8s.io/apiserver/pkg/apis/audit/v1alpha1" | ||
) | ||
|
||
var Scheme = runtime.NewScheme() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ericchiang FYI
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we move this scheme into pkg/audit? This has nothing todo with the actual API, but the plumbing around it. In general we are trying to make schemes more local.
Rebased on #45766, and finished remaining work items. This PR is now complete. PTAL |
I would prefer to have the scheme locally in pkg/audit. Otherwise, lgtm. |
Moved scheme to |
/lgtm |
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sttts, thockin, timstclair
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
Trivial rebase, reapplying LGTM. |
@timstclair: The following test(s) failed:
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
@k8s-bot pull-kubernetes-unit test this |
Automatic merge from submit-queue (batch tested with PRs 45949, 46009, 46320, 46423, 46437) |
Automatic merge from submit-queue apiserver: add a webhook implementation of the audit backend This builds off of #45315 and is intended to implement an interfaced defined in #45766. TODO: - [x] Rebase on top of API types PR. - [x] Rebase on top of API types updates (#46065) - [x] Rebase on top of feature flag (#46009) - [x] Rebase on top of audit instrumentation. - [x] Hook up API server flag or register plugin (depending on #45766) Features issue kubernetes/enhancements#22 Design proposal https://github.com/kubernetes/community/blob/master/contributors/design-proposals/auditing.md ```release-notes Webhook added to the API server which omits structured audit log events. ``` /cc @soltysh @timstclair @soltysh @deads2k
Automatic merge from submit-queue (batch tested with PRs 45766, 46223) Audit: fill audit.Event in handler chain Related: - external API types kubernetes/kubernetes#45315 - policy checker kubernetes/kubernetes#46009 Decisions: - ~~[ ] decide whether we want to send an event before `WriteHeader` kubernetes/kubernetes#45766 (review) Follow-up described in https://github.com/kubernetes/kubernetes/pull/46065/files#r117438531 - [ ] decide how to handle `AuditID`s and the IP chain kubernetes/kubernetes#45766 (review). Is the variant in the proposal (kubernetes/community#625) final? Then we need the API type update. - ~~[ ] decide how to mark intermediate/incomplete events? set a special reason in `ResponseStatus.Reason` vs. having extra fields for that `Event.NonFinal` kubernetes/kubernetes#45766 (comment) Follow-up of #46065 - [ ] decide whether and how to protect the `Audit-Level` header kubernetes/kubernetes#45766 (review) TODOs: - ~~[ ] move `AuditIDHeader`, `AuditLevelHeader` to types kubernetes/kubernetes#45766 (comment), @timstclair for the type PR~~ Follow-up of kubernetes/kubernetes#46065 - [x] add SourceIP/ForwardedFor support kubernetes/kubernetes#45766 (comment) - [x] adapt ObjectReference.Resource to API PR kubernetes/kubernetes#45766 (review) Kubernetes-commit: 1f45c4846bafaa8f2f17deb53f4284cc78e83210
Includes #45315 (comment) (ignore the first commit)
Feature: kubernetes/enhancements#22
Remaining work:
server.Config
/cc @sttts @soltysh @ericchiang @ihmccreery @pweil- @deads2k