New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
audit policy: reject audit policy files without apiVersion and kind #54267
audit policy: reject audit policy files without apiVersion and kind #54267
Conversation
52c0e48
to
b3baa03
Compare
defer os.Remove(f) | ||
|
||
_, err = LoadPolicyFromFile(f) | ||
require.Error(t, err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd like to replace this line with:
assert.Containsf(t,err.Error(), "policy file contained invalid apiVersion and kind field combination", "a policy without apiVersion or Kind should not be accepted.")
So that we are sure this err is not caused by other reason
Looks good to me and test OK in my environment. |
CHANGELOG-1.8.md
Outdated
@@ -416,7 +416,7 @@ Consider the following changes, limitations, and guidelines before you upgrade: | |||
|
|||
* The `--audit-policy-file` option is required if the `AdvancedAudit` feature is not explicitly turned off (`--feature-gates=AdvancedAudit=false`) on the API server. | |||
* The audit log file defaults to JSON encoding when using the advanced auditing feature gate. | |||
* The `--audit-policy-file` option requires `kind` and `apiVersion` fields specifying what format version the `Policy` is using. | |||
* An audit policy file without an `apiVersion` or `kind` field may be treated as invalid. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why not is treated as invalid
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't understand @liggitt's comment or its context. This PR here treats those files as invalid. Why soft language in the changelog?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In 1.8.0 1.8.1, such policy files are not treated as invalid.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we cherry pick this to 1.8?
@sttts
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Got it. Do we actually reference this file instead of the 1.8 branch one?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we cherry pick this to 1.8?
We should IMO.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we actually reference this file instead of the 1.8 branch one?
I don't know.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we don't cherry pick CHANGELOG changes to release branches
return nil, fmt.Errorf("failed decoding file %q: %v", filePath, err) | ||
} | ||
|
||
// Ensure the policy file contained an apiVersion and kind. | ||
found := false | ||
for _, gv := range apiGroupVersions { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
make apiGroupVersions a set and the loop will turn into a oneliner check.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, what's a oneliner check?
Something like this?
var = (a > b) ? a : b
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if !apiGroupVersions.Has(schema.GroupVersion{gvk.Group, gvk.Version}.String()) {
} | ||
} | ||
if !found { | ||
return nil, fmt.Errorf("policy file contained invalid apiVersion and kind field combination") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this "combination" wording sounds strange. "unknown group version %v in policy file %q"
b3baa03
to
baf6be0
Compare
Thanks for the reviews. Updated. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks!
CHANGELOG-1.8.md
Outdated
@@ -416,7 +416,7 @@ Consider the following changes, limitations, and guidelines before you upgrade: | |||
|
|||
* The `--audit-policy-file` option is required if the `AdvancedAudit` feature is not explicitly turned off (`--feature-gates=AdvancedAudit=false`) on the API server. | |||
* The audit log file defaults to JSON encoding when using the advanced auditing feature gate. | |||
* The `--audit-policy-file` option requires `kind` and `apiVersion` fields specifying what format version the `Policy` is using. | |||
* An audit policy file without an `apiVersion` or `kind` field may be treated as invalid. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Small nit: ...without either an apiVersion
or a kind
field...
|
||
_, err = LoadPolicyFromFile(f) | ||
assert.Contains(t, err.Error(), "unknown group version field") | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: no empty line
/approve |
Leaving lgtm to @crassirostris when the nits are addressed. |
baf6be0
to
54f4983
Compare
/test pull-kubernetes-e2e-gce-gpu |
/lgtm |
@@ -416,7 +416,7 @@ Consider the following changes, limitations, and guidelines before you upgrade: | |||
|
|||
* The `--audit-policy-file` option is required if the `AdvancedAudit` feature is not explicitly turned off (`--feature-gates=AdvancedAudit=false`) on the API server. | |||
* The audit log file defaults to JSON encoding when using the advanced auditing feature gate. | |||
* The `--audit-policy-file` option requires `kind` and `apiVersion` fields specifying what format version the `Policy` is using. | |||
* An audit policy file without either an `apiVersion` or a `kind` field may be treated as invalid. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For reviewers. Release note change because the old one was inaccurate. See discussion in #54254
cc @lavalamp @smarterclayton need a top level OWNER to approve because this PR tweaks the release notes. |
/retest |
/test pull-kubernetes-e2e-gce-gpu |
2 similar comments
/test pull-kubernetes-e2e-gce-gpu |
/test pull-kubernetes-e2e-gce-gpu |
/assign @jpbetz |
/test pull-kubernetes-e2e-gce-gpu |
54f4983
to
393ac3c
Compare
(rebased, hope that will help the flaking test) |
@ericchiang: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
Flaking on #54095 /test pull-kubernetes-unit |
/lgtm |
/approve |
/assign @thockin Could you please approve? |
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: CaoShuFeng, crassirostris, ericchiang, sttts, thockin Associated issue: 54254 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here. |
Closes #54254
/cc @sttts @CaoShuFeng @crassirostris @tallclair
/sig auth
/kind cleanup