-
Notifications
You must be signed in to change notification settings - Fork 39k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
avoid duplicate status in audit events #62695
avoid duplicate status in audit events #62695
Conversation
@@ -171,7 +171,12 @@ func LogResponseObject(ae *auditinternal.Event, obj runtime.Object, gv schema.Gr | |||
return | |||
} | |||
if status, ok := obj.(*metav1.Status); ok { | |||
ae.ResponseStatus = status | |||
ae.ResponseStatus = &metav1.Status{ | |||
// Selectively copy the bounded fields to avoid duplicate status in audit events |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what do we lose in practice?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Before this change:
"responseStatus": {
"apiVersion": "v1",
"code": 403,
"details": {
"kind": "pods"
},
"kind": "Status",
"message": "pods is forbidden: User \"tom\" cannot list pods in the namespace \"default\"",
"metadata": {},
"reason": "Forbidden",
"status": "Failure"
},
After this change:
"responseStatus": {
"code": 403,
"metadata": {},
"reason": "Forbidden",
"status": "Failure"
},
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why do you want to lose the message?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As @tallclair said:
#60108 (comment)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And is this message duplicated as well? If yes, I can agree with the change.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I also think Message is necessay.
Add it back.
094304b
to
e9522ed
Compare
When is a status returned? I think maybe for delete requests, and errors? There are 2 concerns with copying the status:
The first could be dealt with simply by omitting the response object when it's a status, but this won't handle the case where the message can be really large. We could truncate the message when level == Metadata WDYT? What is the desired behavior here? |
e9522ed
to
13fe48d
Compare
Will fix the unit test tomorrow. |
Done.
Done. |
13fe48d
to
7a4e90d
Compare
/area audit |
Looking at how we use the status, I'm thinking something closer to your original PR might be the way to go. Don't copy the status, Just set the code, reason, and status. Long term, I think we should consider changing EDIT: The info from the fake status we generate can be added as annotations if it's really needed. For cases where you want the full response status from the response, just log at response level. |
7a4e90d
to
d19e96f
Compare
Can't follow this. Which part to add to annotations?
Message is deleted, and it should be only saved at response level. |
/test pull-kubernetes-e2e-kops-aws |
I was just reviewing the status objects we generate for auditing (as opposed to copy from the response): What I meant was that the messages we set in those 3 cases could be included elsewhere, if we got rid of the ResponseStatus field (replaced with ResponseCode). |
Reason: status.Reason, | ||
Code: status.Code, | ||
} | ||
} else { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should get rid of the else case. This just duplicates the status when it's already being returned in the Response field.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This just duplicates the status when it's already being returned in the Response field.
We have a return
in line 184, so it's not duplicated.
If we delete it, it will be diffacult for users to query the http response code from response level audit events. WDYT @tallclair
d19e96f
to
4d20c38
Compare
Hi, @tallclair @sttts With this version, users can still get detailed status info in response audit level. |
What about we leave other parts of ResponseStatus empty, and only set the Code? |
/lgtm I updated your release note to highlight that this is a potentially breaking change. |
Ping @sttts - would be great to get this in 1.11 |
/sig auth |
[MILESTONENOTIFIER] Milestone Pull Request Needs Approval @CaoShuFeng @sttts @tallclair @kubernetes/sig-auth-misc Action required: This pull request must have the Pull Request Labels
|
/test pull-kubernetes-e2e-gce |
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: CaoShuFeng, sttts, tallclair The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/test all [submit-queue is verifying that this PR is safe to merge] |
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here. |
Fixes: #60108
What this PR does / why we need it:
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)
format, will close the issue(s) when PR gets merged):Fixes #
Special notes for your reviewer:
/assign @sttts @tallclair
Release note: