Add PodSecurityPolicy admission information to audit logs #58075
Conversation
k8s-ci-robot
added
release-note
| @@ -37,12 +38,12 @@ var _ admission.MutationInterface = AlwaysAdmit{} | |||
| var _ admission.ValidationInterface = AlwaysAdmit{} | |||
|
|
|||
| // Admit makes an admission decision based on the request attributes | |||
| func (AlwaysAdmit) Admit(a admission.Attributes) (err error) { | |||
| func (AlwaysAdmit) Admit(_ request.Context, a admission.Attributes) (err error) { | |||
There was a problem hiding this comment.
We can also insert audit into admission.Attributes.
But audit is not an attribute.
I hope I am in the right direction.
| @@ -50,7 +51,7 @@ var _ admission.MutationInterface = &AlwaysPullImages{} | |||
| var _ admission.ValidationInterface = &AlwaysPullImages{} | |||
|
|
|||
| // Admit makes an admission decision based on the request attributes | |||
| func (a *AlwaysPullImages) Admit(attributes admission.Attributes) (err error) { | |||
| func (a *AlwaysPullImages) Admit(_ request.Context, attributes admission.Attributes) (err error) { | |||
There was a problem hiding this comment.
that's a deep and big change. Can't we attach the information to the admission.Attributes?
There was a problem hiding this comment.
Sure, we can attach ctx or audit to admission.Attributes.
There was a problem hiding this comment.
And also attach audit to authorizer attributes here?
There was a problem hiding this comment.
What exactly is audit that you have in mind, which type?
There was a problem hiding this comment.
What exactly is audit that you have in mind, which type?
Not very sure about this. But it seems to be something different from Verb, UserInfo.
But I am very happy to insert audit to admission.Attribute and authorizer.Attribute. In fact I use such way in the beginning. This will make code much simpler.
:)
There was a problem hiding this comment.
I would expect that a webhook can return an annotation map to persist in audit events.
There was a problem hiding this comment.
add a map to Admit() and Validate()s' return value?
There was a problem hiding this comment.
We also mutate the object "in" admission.Attributes. We should also store the audit annotation in admission.Attributes instead of complicating the function signatures.
There was a problem hiding this comment.
We also mutate the object "in" admission.Attributes. We should also store the audit annotation in admission.Attributes instead of complicating the function signatures.
Does #58143 addressed this comment?
CaoShuFeng
changed the title
CaoShuFeng
force-pushed
the
audit_annotation
branch
from
e36ae55
to
3df263a
Compare
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: CaoShuFeng Assign the PR to them by writing Associated issue: #56209 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
CaoShuFeng
force-pushed
the
audit_annotation
branch
from
3df263a
to
35129a4
Compare
|
I think that #58143 is a better way (as do others), so this could be closed, right? |
Sure. |
Fix #56209
PS: I will add RBAC to support this too.
Release note:
/cc @sttts
/cc @tallclair