Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

audit policy: reject audit policy files without apiVersion and kind #54267

Merged
merged 2 commits into from Nov 9, 2017
Merged

audit policy: reject audit policy files without apiVersion and kind #54267

merged 2 commits into from Nov 9, 2017

Conversation

ericchiang
Copy link
Contributor

@ericchiang ericchiang commented Oct 20, 2017
edited

Closes #54254

/cc @sttts @CaoShuFeng @crassirostris @tallclair

/sig auth
/kind cleanup

Audit policy files without apiVersion and kind are treated as invalid.

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/auth Categorizes an issue or PR as relevant to SIG Auth. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Oct 20, 2017
@ericchiang ericchiang force-pushed the audit-policy-file-without-kind-or-version branch 2 times, most recently from 52c0e48 to b3baa03 Compare October 20, 2017 00:39
CaoShuFeng
CaoShuFeng reviewed Oct 20, 2017
View reviewed changes
staging/src/k8s.io/apiserver/pkg/audit/policy/reader_test.go Outdated
defer os.Remove(f)

_, err = LoadPolicyFromFile(f)
require.Error(t, err)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd like to replace this line with:

assert.Containsf(t,err.Error(), "policy file contained invalid apiVersion and kind field combination", "a policy without apiVersion or Kind should not be accepted.")

So that we are sure this err is not caused by other reason

@CaoShuFeng
Copy link
Contributor

Looks good to me and test OK in my environment.
Thanks.

sttts
sttts reviewed Oct 20, 2017
View reviewed changes
CHANGELOG-1.8.md Outdated
@@ -416,7 +416,7 @@ Consider the following changes, limitations, and guidelines before you upgrade:

* The `--audit-policy-file` option is required if the `AdvancedAudit` feature is not explicitly turned off (`--feature-gates=AdvancedAudit=false`) on the API server.
* The audit log file defaults to JSON encoding when using the advanced auditing feature gate.
* The `--audit-policy-file` option requires `kind` and `apiVersion` fields specifying what format version the `Policy` is using.
* An audit policy file without an `apiVersion` or `kind` field may be treated as invalid.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why not is treated as invalid?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#54254 (comment)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't understand @liggitt's comment or its context. This PR here treats those files as invalid. Why soft language in the changelog?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In 1.8.0 1.8.1, such policy files are not treated as invalid.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we cherry pick this to 1.8?
@sttts

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Got it. Do we actually reference this file instead of the 1.8 branch one?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we cherry pick this to 1.8?

We should IMO.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we actually reference this file instead of the 1.8 branch one?

I don't know.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we don't cherry pick CHANGELOG changes to release branches

sttts
sttts reviewed Oct 20, 2017
View reviewed changes
staging/src/k8s.io/apiserver/pkg/audit/policy/reader.go Outdated
return nil, fmt.Errorf("failed decoding file %q: %v", filePath, err)
}

// Ensure the policy file contained an apiVersion and kind.
found := false
for _, gv := range apiGroupVersions {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

make apiGroupVersions a set and the loop will turn into a oneliner check.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, what's a oneliner check?
Something like this?

var = (a > b) ? a : b

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if !apiGroupVersions.Has(schema.GroupVersion{gvk.Group, gvk.Version}.String()) {

sttts
sttts reviewed Oct 20, 2017
View reviewed changes
staging/src/k8s.io/apiserver/pkg/audit/policy/reader.go Outdated
}
}
if !found {
return nil, fmt.Errorf("policy file contained invalid apiVersion and kind field combination")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this "combination" wording sounds strange. "unknown group version %v in policy file %q"

@ericchiang ericchiang force-pushed the audit-policy-file-without-kind-or-version branch from b3baa03 to baf6be0 Compare October 20, 2017 17:29
@ericchiang
Copy link
Contributor Author

Thanks for the reviews. Updated.

crassirostris
crassirostris approved these changes Oct 20, 2017
View reviewed changes
Copy link

@crassirostris crassirostris left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks!

CHANGELOG-1.8.md Outdated
@@ -416,7 +416,7 @@ Consider the following changes, limitations, and guidelines before you upgrade:

* The `--audit-policy-file` option is required if the `AdvancedAudit` feature is not explicitly turned off (`--feature-gates=AdvancedAudit=false`) on the API server.
* The audit log file defaults to JSON encoding when using the advanced auditing feature gate.
* The `--audit-policy-file` option requires `kind` and `apiVersion` fields specifying what format version the `Policy` is using.
* An audit policy file without an `apiVersion` or `kind` field may be treated as invalid.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Small nit: ...without either an apiVersion or a kind field...

sttts
sttts reviewed Oct 23, 2017
View reviewed changes
staging/src/k8s.io/apiserver/pkg/audit/policy/reader_test.go Outdated

_, err = LoadPolicyFromFile(f)
assert.Contains(t, err.Error(), "unknown group version field")

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: no empty line

@sttts
Copy link
Contributor

sttts commented Oct 23, 2017

/approve

@sttts
Copy link
Contributor

sttts commented Oct 23, 2017
edited

Leaving lgtm to @crassirostris when the nits are addressed.

@ericchiang ericchiang force-pushed the audit-policy-file-without-kind-or-version branch from baf6be0 to 54f4983 Compare October 23, 2017 22:08
@ericchiang
Copy link
Contributor Author

/test pull-kubernetes-e2e-gce-gpu

@crassirostris
Copy link

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 24, 2017
ericchiang
ericchiang commented Oct 24, 2017
View reviewed changes
CHANGELOG-1.8.md
@@ -416,7 +416,7 @@ Consider the following changes, limitations, and guidelines before you upgrade:

* The `--audit-policy-file` option is required if the `AdvancedAudit` feature is not explicitly turned off (`--feature-gates=AdvancedAudit=false`) on the API server.
* The audit log file defaults to JSON encoding when using the advanced auditing feature gate.
* The `--audit-policy-file` option requires `kind` and `apiVersion` fields specifying what format version the `Policy` is using.
* An audit policy file without either an `apiVersion` or a `kind` field may be treated as invalid.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For reviewers. Release note change because the old one was inaccurate. See discussion in #54254

@ericchiang
Copy link
Contributor Author

cc @lavalamp @smarterclayton need a top level OWNER to approve because this PR tweaks the release notes.

@crassirostris crassirostris mentioned this pull request Oct 25, 2017
Closed
14 tasks
@ericchiang
Copy link
Contributor Author

/retest

@CaoShuFeng
Copy link
Contributor

/test pull-kubernetes-e2e-gce-gpu

2 similar comments
@CaoShuFeng
Copy link
Contributor

/test pull-kubernetes-e2e-gce-gpu

@CaoShuFeng
Copy link
Contributor

/test pull-kubernetes-e2e-gce-gpu

@crassirostris
Copy link

/assign @jpbetz
Are you OK with this PR?

@CaoShuFeng
Copy link
Contributor

/test pull-kubernetes-e2e-gce-gpu

@ericchiang ericchiang force-pushed the audit-policy-file-without-kind-or-version branch from 54f4983 to 393ac3c Compare November 6, 2017 16:47
@k8s-github-robot k8s-github-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 6, 2017
@ericchiang
Copy link
Contributor Author

(rebased, hope that will help the flaking test)

@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Nov 6, 2017
edited

@ericchiang: The following test failed, say /retest to rerun them all:

Test name Commit Details Rerun command
pull-kubernetes-e2e-gce-gpu 54f49838581399f616f250c98b66e4391b1b3bff link /test pull-kubernetes-e2e-gce-gpu

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@ericchiang
Copy link
Contributor Author

Flaking on #54095

/test pull-kubernetes-unit

@CaoShuFeng
Copy link
Contributor

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 7, 2017
@sttts
Copy link
Contributor

sttts commented Nov 7, 2017

/approve

@crassirostris
Copy link

/assign @thockin

Could you please approve?

@thockin
Copy link
Member

thockin commented Nov 9, 2017

/approve

@k8s-github-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: CaoShuFeng, crassirostris, ericchiang, sttts, thockin

Associated issue: 54254

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

@k8s-github-robot k8s-github-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 9, 2017
@k8s-github-robot
Copy link

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here.

@k8s-github-robot k8s-github-robot merged commit ab44ec9 into kubernetes:master Nov 9, 2017
@ericchiang ericchiang deleted the audit-policy-file-without-kind-or-version branch November 14, 2017 19:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sttts sttts sttts left review comments

@liggitt liggitt liggitt left review comments

@CaoShuFeng CaoShuFeng CaoShuFeng left review comments

@crassirostris crassirostris crassirostris approved these changes

@tallclair tallclair Awaiting requested review from tallclair

Assignees

@ncdc ncdc

@jpbetz jpbetz

@crassirostris crassirostris

@thockin thockin

@deads2k deads2k

@CaoShuFeng CaoShuFeng

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/auth Categorizes an issue or PR as relevant to SIG Auth. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet