Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Authentication audit logging with authentication mechanism #84576

Closed
wants to merge 1 commit into from
Closed

Authentication audit logging with authentication mechanism #84576

wants to merge 1 commit into from

Conversation

tedyu
Copy link
Contributor

@tedyu tedyu commented Oct 30, 2019

What type of PR is this?
/kind cleanup

What this PR does / why we need it:
As #82295 requested, this PR adds audit logging with authentication mechanism.

Which issue(s) this PR fixes:
Fixes #82295

NONE

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Oct 30, 2019
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: tedyu
To complete the pull request process, please assign deads2k
You can assign the PR to them by writing /assign @deads2k in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added area/apiserver sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Oct 30, 2019
@tedyu
Copy link
Contributor Author

tedyu commented Oct 31, 2019

/assign @tallclair

tallclair
tallclair reviewed Oct 31, 2019
View reviewed changes
Copy link
Member

@tallclair tallclair left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Needs a unit test, which would highlight the incorrect use of getAuthMethods

staging/src/k8s.io/apiserver/pkg/endpoints/filters/authentication.go Outdated Show resolved Hide resolved
staging/src/k8s.io/apiserver/pkg/endpoints/filters/authentication.go Outdated Show resolved Hide resolved
staging/src/k8s.io/apiserver/pkg/endpoints/filters/authentication.go Outdated Show resolved Hide resolved
staging/src/k8s.io/apiserver/pkg/endpoints/filters/authentication.go Outdated
@@ -98,6 +101,9 @@ func WithAuthentication(handler http.Handler, auth authenticator.Request, failed
if len(apiAuds) > 0 {
req = req.WithContext(authenticator.WithAudiences(req.Context(), apiAuds))
}
ctx := req.Context()
ae := request.AuditEventFrom(ctx)
audit.LogAnnotation(ae, annotationKey, getAuthMethods(req))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This method is just for providing a failure message, it doesn't actually give the method used.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From getAuthMethods :

	if req.TLS != nil && len(req.TLS.PeerCertificates) > 0 {
		authMethods = append(authMethods, "x509")
	}

The "x509" would indicate certificate authentication.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am looking at

func (w *WebhookTokenAuthenticator) AuthenticateToken(ctx context.Context, token string) (*authenticator.Response, bool, error) {

to see if useful information for audit can be obtained.

@k8s-ci-robot
Copy link
Contributor

@tedyu: The following tests failed, say /retest to rerun them all:

Test name Commit Details Rerun command
pull-kubernetes-e2e-gce-device-plugin-gpu bf8acd5 link /test pull-kubernetes-e2e-gce-device-plugin-gpu
pull-kubernetes-e2e-gce bf8acd5 link /test pull-kubernetes-e2e-gce
pull-kubernetes-e2e-gce-100-performance bf8acd5 link /test pull-kubernetes-e2e-gce-100-performance

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@tedyu tedyu closed this Jan 8, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tallclair tallclair tallclair left review comments

@deads2k deads2k Awaiting requested review from deads2k

@soltysh soltysh Awaiting requested review from soltysh

Assignees

@tallclair tallclair

Labels
area/apiserver cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. release-note-none Denotes a PR that doesn't merit a release note. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Authentication audit logging - denote the authentication mechanism used.
4 participants
@tedyu @k8s-ci-robot @tallclair @yutedz