upgrade Audit api version to stable #65891

CaoShuFeng · 2018-07-06T07:37:48Z

Partial Fix: #65266

TODO:
use v1 version of advanced audit policy in kubeadm, gce script, kubemark

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:

Release note:

audit.k8s.io api group is upgraded from v1beta1 to v1.
Deprecated element metav1.ObjectMeta and Timestamp are removed from audit Events in v1 version.
Default value of option --audit-webhook-version and --audit-log-version will be changed from `audit.k8s.io/v1beta1` to `audit.k8s.io/v1` in release 1.13

soltysh

I left you some comments.

soltysh · 2018-07-06T12:53:57Z

staging/src/k8s.io/apiserver/pkg/apis/audit/v1/doc.go

@@ -0,0 +1,23 @@
+/*
+Copyright 2017 The Kubernetes Authors.


soltysh · 2018-07-06T12:54:03Z

staging/src/k8s.io/apiserver/pkg/apis/audit/v1/register.go

@@ -0,0 +1,58 @@
+/*
+Copyright 2017 The Kubernetes Authors.


soltysh · 2018-07-06T12:54:19Z

staging/src/k8s.io/apiserver/pkg/apis/audit/v1/types.go

@@ -0,0 +1,279 @@
+/*
+Copyright 2017 The Kubernetes Authors.


soltysh · 2018-07-06T12:56:09Z

staging/src/k8s.io/apiserver/pkg/audit/policy/reader_test.go

@@ -52,7 +52,7 @@ rules:
 `

 const policyDefV1beta1 = `
-apiVersion: audit.k8s.io/v1beta1
+apiVersion: audit.k8s.io/v1


Don't do this like that, we need to ensure we're reading previous versions. You need to add policyDefV1 and ensure that the new and old ones are properly readable.

soltysh · 2018-07-06T12:58:46Z

test/e2e/auth/audit.go

@@ -120,8 +120,8 @@ var _ = SIGDescribe("Advanced Audit", func() {
 				},
 				[]auditEvent{
 					{
-						v1beta1.LevelRequestResponse,
-						v1beta1.StageResponseComplete,
+						auditv1.LevelRequestResponse,


Honestly, I'd still like to see both v1 and v1beta1 being tested for a while, at least partially.

Now both v1 and v1beta1 are test in unit test.

But in e2e test we can test only one version. Other wise we need to reset the --audit-log-version option and restart kube-apiserver. Now the output version is audit.k8s.io/v1 by default.

Do we have integration tests using k8s.io/kubernetes/cmd/kube-apiserver/app/testing/testserver.go? That way we could test different flags. Very similar to e2e in fact, with a real kube-apiserver. We have some of those tests in test/integration/master.

We have some of those tests in test/integration/master.

Added an integration test.

Do I need to copy all testcases from e2e test into integration test?

The test you have now looks pretty good. @soltysh anything else you want to see for each version?

neolit123 · 2018-07-08T01:30:41Z

/cc @kubernetes/sig-api-machinery-pr-reviews

fedebongio · 2018-07-09T20:16:19Z

/assign @tallclair

tallclair · 2018-07-09T21:55:30Z

/assign @x13n

x13n · 2018-07-10T10:00:38Z

test/integration/master/audit_test.go

+		return false, err
+	}
+
+	noneMissing := true


s/noneMissing/allFound/? Double negation is harder to read.

x13n · 2018-07-10T10:03:58Z

test/integration/master/audit_test.go

+	}
+
+	expectedEvents := []auditEvent{}
+	for _, t := range testCases {


What's the point of iterating over 1 statically defined element? Especially since you're merging all expectedEvents together anyway?

x13n · 2018-07-11T08:34:09Z

/lgtm

sttts · 2018-07-17T09:01:19Z

staging/src/k8s.io/apiserver/pkg/audit/policy/reader_test.go

@@ -108,17 +89,20 @@ var expectedPolicy = &audit.Policy{
 	}},
 }

-func TestParserV1alpha1(t *testing.T) {


where did this go? Same for the beta variant.

I merged three versions into a loop.

looks good 👍

sttts · 2018-07-17T09:03:06Z

staging/src/k8s.io/apiserver/pkg/server/options/audit.go

@@ -139,7 +140,7 @@ func NewAuditOptions() *AuditOptions {
 				BatchConfig: pluginbuffered.NewDefaultBatchConfig(),
 			},
 			TruncateOptions:    NewAuditTruncateOptions(),
-			GroupVersionString: "audit.k8s.io/v1beta1",
+			GroupVersionString: "audit.k8s.io/v1",


Does this mean we call out using v1 objects by default after this? Do we have an upgrade policy for this kind of changes?

Does this mean we call out using v1 objects by default after this?

Yes.

Do we have an upgrade policy for this kind of changes?

I remembered that we don't support group version when upgrade from alpha to beta.
Or we still use v1beta1 here, and use v1 in the next release?

Or we still use v1beta1 here, and use v1 in the next release?

Yes, this is what I had in mind.

CaoShuFeng · 2018-07-31T03:28:33Z

/test pull-kubernetes-integration

CaoShuFeng · 2018-07-31T05:46:06Z

/test pull-kubernetes-e2e-gce

tallclair · 2018-07-31T23:39:37Z

/lgtm

tallclair · 2018-08-07T21:43:03Z

/assign @sttts
For approval. I'll track down another top-level approver for the remaining packages.

sttts · 2018-08-08T07:46:01Z

/approve

sttts · 2018-08-08T07:47:04Z

Overriding approval as only the openapi BUILD file is changed.

k8s-ci-robot · 2018-08-08T07:47:22Z

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: CaoShuFeng, sttts, tallclair, x13n

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~hack/OWNERS~~ [sttts]
pkg/OWNERS
~~staging/src/k8s.io/apiextensions-apiserver/Godeps/OWNERS~~ [sttts]
~~staging/src/k8s.io/apiserver/OWNERS~~ [sttts]
~~staging/src/k8s.io/kube-aggregator/Godeps/OWNERS~~ [sttts]
~~staging/src/k8s.io/sample-apiserver/Godeps/OWNERS~~ [sttts]
~~test/OWNERS~~ [sttts]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

k8s-github-robot · 2018-08-08T07:51:25Z

/test all [submit-queue is verifying that this PR is safe to merge]

k8s-github-robot · 2018-08-08T09:17:23Z

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here.

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. use v1 version of advanced audit policy in kubeadm audit api version has been updated to v1 #65891 **Release note**: ```release-note kubeadm uses audit policy v1 instead of v1beta1 ```

jimangel · 2018-08-17T02:09:10Z

@CaoShuFeng does this need docs for the 1.12 release? It looks like it's just a api version change in some of the configs, I'm not sure if v1beta1 / v1 is explicitly mentioned anywhere in related documentation.

CaoShuFeng · 2018-08-17T02:47:04Z

@jimangel

All necessary information is contained in release note.

…a1Tov1_kubemark Automatic merge from submit-queue (batch tested with PRs 67332, 66737, 67281, 67173). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. use v1 version of advanced audit policy in kubemark audit api version has been updated to v1 kubernetes#65891 **Release note**: ```release-note NONE ```

k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Jul 6, 2018

k8s-ci-robot requested review from jbeda and lavalamp July 6, 2018 07:37

CaoShuFeng changed the title ~~Audit v1 stable~~ upgrade Audit api version to stable Jul 6, 2018

CaoShuFeng force-pushed the audit_v1_stable branch 2 times, most recently from 9dcfe5a to 8418642 Compare July 6, 2018 10:12

soltysh requested changes Jul 6, 2018

View reviewed changes

CaoShuFeng force-pushed the audit_v1_stable branch from 8418642 to 69f7180 Compare July 7, 2018 06:51

k8s-ci-robot added the sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. label Jul 8, 2018

k8s-ci-robot assigned tallclair Jul 9, 2018

k8s-ci-robot assigned x13n Jul 9, 2018

CaoShuFeng force-pushed the audit_v1_stable branch from 69f7180 to 6ef0f6c Compare July 10, 2018 08:16

k8s-ci-robot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Jul 10, 2018

x13n reviewed Jul 10, 2018

View reviewed changes

CaoShuFeng force-pushed the audit_v1_stable branch 2 times, most recently from 8cbc252 to 11b2e75 Compare July 11, 2018 02:26

k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 11, 2018

sttts reviewed Jul 17, 2018

View reviewed changes

CaoShuFeng force-pushed the audit_v1_stable branch from 11b2e75 to a249b0c Compare July 17, 2018 10:27

k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed lgtm "Looks good to me", indicates that a PR is ready to be merged. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Jul 17, 2018

CaoShuFeng force-pushed the audit_v1_stable branch 3 times, most recently from db72587 to 858e450 Compare July 31, 2018 03:09

add an integration test for advanced audit feature

858e450

CaoShuFeng mentioned this pull request Jul 31, 2018

support annotations for admission webhook #58679

Merged

k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 31, 2018

tallclair mentioned this pull request Aug 7, 2018

Promote AdvancedAuditing to GA #65862

Merged

k8s-ci-robot assigned sttts Aug 7, 2018

sttts added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 8, 2018

k8s-github-robot merged commit 28b2b21 into kubernetes:master Aug 8, 2018

ChiuWang mentioned this pull request Oct 17, 2018

audit api version has been updated to v1 kubernetes/website#10647

Merged

vpnachev mentioned this pull request Jan 13, 2021

Deprecate and Remove audit.k8s.io/v1[alpha|beta]1 Versions #98035

Closed

carlory mentioned this pull request Feb 8, 2021

deprecate audit.k8s.io/v1[alpha|beta]1 versions #98858

Merged

upgrade Audit api version to stable #65891

upgrade Audit api version to stable #65891

Conversation

CaoShuFeng commented Jul 6, 2018 • edited

soltysh left a comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

neolit123 commented Jul 8, 2018

fedebongio commented Jul 9, 2018

tallclair commented Jul 9, 2018

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

x13n commented Jul 11, 2018

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

CaoShuFeng commented Jul 31, 2018

CaoShuFeng commented Jul 31, 2018

tallclair commented Jul 31, 2018

tallclair commented Aug 7, 2018

sttts commented Aug 8, 2018

sttts commented Aug 8, 2018

k8s-ci-robot commented Aug 8, 2018

k8s-github-robot commented Aug 8, 2018

k8s-github-robot commented Aug 8, 2018

jimangel commented Aug 17, 2018

CaoShuFeng commented Aug 17, 2018

CaoShuFeng commented Jul 6, 2018 •

edited