Add user-agent to audit-logging #64812
What this PR does / why we need it:
Add User-Agent to audit event.
Which issue(s) this PR fixes (optional, in
Special notes for your reviewer:
referenced this pull request
Jun 7, 2018
user-agent isn't an appropriate way to transmit this data. I agree with @tallclair's suggestion of client-side logging combined with an audit id. I also would not be in favor of including data in the user-agent that revealed local path names or source packages to the server, for arbitrary code-bases client-go would be used in.
I am trying to identify when an API call is being made from the same line of code / callstack without client side logging or logic (so it can be enabled for any application using client-go).
To limit exposing local path names and source, client-go could instead generate a hash of the data (generalized, so it's just the paths+linums under $GOPATH)?
This hash could be included in User-Agent, Audit-Id, or possibly a new Callstack-Hash, but only when configured to do so via a KUBE_CALLSTACK_HASH style env var.
@liggitt thanks for the alternate approach
I'd prefer if there were zero changes to applications using client-go, instead using an env var to enable callstack-hash-sending. Off by default, when on we reveal only a hash (of the go-paths only, local paths removed), via the appropriate aggregation method.
My personal preference is the hash somehow appear directly in the audit-logs, but if there are other options that allow anyone to easily contribute data, I'd love to hear them!
Also what's the best place to get wider feedback on something like this?
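One way the opt-in callstack hash proposed in this thread could be computed, as an added example (not code from this PR or from client-go). `HashFrames` and `CallstackHash` are hypothetical names, SHA-256 is an assumed choice, and `GOPATH` is assumed to hold a single directory.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
	"runtime"
	"strings"
)

// HashFrames hashes only frames under <gopath>/src/, as "import/path/file.go:line".
// Frames elsewhere are dropped, so no local directory name reaches the hash.
func HashFrames(frames []runtime.Frame, gopath string) string {
	prefix := strings.TrimSuffix(filepath.ToSlash(gopath), "/") + "/src/"
	h, kept := sha256.New(), 0
	for _, f := range frames {
		if gopath != "" && strings.HasPrefix(f.File, prefix) {
			fmt.Fprintf(h, "%s:%d\n", strings.TrimPrefix(f.File, prefix), f.Line)
			kept++
		}
	}
	if kept == 0 {
		return "" // nothing under GOPATH: send no hash at all
	}
	return hex.EncodeToString(h.Sum(nil))
}

// CallstackHash is opt-in: it returns "" unless KUBE_CALLSTACK_HASH is set.
func CallstackHash() string {
	if os.Getenv("KUBE_CALLSTACK_HASH") == "" {
		return ""
	}
	pcs := make([]uintptr, 32)
	n := runtime.Callers(2, pcs) // skip runtime.Callers and CallstackHash
	var frames []runtime.Frame
	for it := runtime.CallersFrames(pcs[:n]); ; {
		fr, more := it.Next()
		frames = append(frames, fr)
		if !more {
			break
		}
	}
	return HashFrames(frames, os.Getenv("GOPATH"))
}

func main() { fmt.Println(CallstackHash()) }
```

Because the input is import paths and line numbers of largely public code, anyone who can hash the same source tree can map a digest back to its call site. The hash hides local directory names, not which code is calling.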
[APPROVALNOTIFIER] This PR is APPROVED