New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add PodSecurityPolicy admission information to audit logs #58075
Conversation
@@ -37,12 +38,12 @@ var _ admission.MutationInterface = AlwaysAdmit{} | |||
var _ admission.ValidationInterface = AlwaysAdmit{} | |||
|
|||
// Admit makes an admission decision based on the request attributes | |||
func (AlwaysAdmit) Admit(a admission.Attributes) (err error) { | |||
func (AlwaysAdmit) Admit(_ request.Context, a admission.Attributes) (err error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can also insert audit
into admission.Attributes.
But audit
is not an attribute.
I hope I am in the right direction.
@@ -50,7 +51,7 @@ var _ admission.MutationInterface = &AlwaysPullImages{} | |||
var _ admission.ValidationInterface = &AlwaysPullImages{} | |||
|
|||
// Admit makes an admission decision based on the request attributes | |||
func (a *AlwaysPullImages) Admit(attributes admission.Attributes) (err error) { | |||
func (a *AlwaysPullImages) Admit(_ request.Context, attributes admission.Attributes) (err error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
that's a deep and big change. Can't we attach the information to the admission.Attributes?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure, we can attach ctx
or audit
to admission.Attributes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And also attach audit to authorizer attributes here?
authorized, reason, err := a.Authorize(attributes) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What exactly is audit
that you have in mind, which type?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What exactly is audit that you have in mind, which type?
Not very sure about this. But it seems to be something different from Verb, UserInfo.
But I am very happy to insert audit
to admission.Attribute and authorizer.Attribute. In fact I use such way in the beginning. This will make code much simpler.
:)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would expect that a webhook can return an annotation map to persist in audit events.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
add a map to Admit() and Validate()s' return value?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We also mutate the object "in" admission.Attributes
. We should also store the audit annotation in admission.Attributes
instead of complicating the function signatures.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We also mutate the object "in" admission.Attributes. We should also store the audit annotation in admission.Attributes instead of complicating the function signatures.
Does #58143 addressed this comment?
e36ae55
to
3df263a
Compare
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: CaoShuFeng Assign the PR to them by writing Associated issue: #56209 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
3df263a
to
35129a4
Compare
I think that #58143 is a better way (as do others), so this could be closed, right? |
Sure. |
Fix #56209
PS: I will add RBAC to support this too.
Release note:
/cc @sttts
/cc @tallclair