add dynamic audit policy controller #460

EmilyM1 · 2021-06-30T22:04:10Z

Removes static elements of audit policy and allows for dynamic creation with groups specified.

EmilyM1 · 2021-07-02T21:05:08Z

/test e2e-agnostic-upgrade

EmilyM1 · 2021-07-02T23:18:32Z

/retest

sttts · 2021-07-03T07:14:53Z

The pod still tries to access /var/run/configmaps/audit/default.yaml. This must be /var/run/configmaps/audit/policy.yaml instead (in bindata).

sttts · 2021-07-06T20:06:37Z

pkg/operator/workload/sync_openshift_oauth_apiserver_test.go

-				ObservedConfig: runtime.RawExtension{Raw: []byte(withDefaultsProvidedAPIServerArgsJSON)},
-			},
-			expectedAPIServerArguments: map[string][]string{
-				"api-audiences":     {"https://now.something.different"},


can we preserve this part of the test about api-audiences?

just leave the test, but remove the lines with audit policy. That should work, shouldn't it?

I can try it.

sttts · 2021-07-06T20:50:27Z

pkg/operator/workload/sync_openshift_oauth_apiserver_test.go

-				ObservedConfig: runtime.RawExtension{Raw: []byte(emptyAPIServerArgsJSON)},
-			},
-			expectedAPIServerArguments: map[string][]string{
-				"audit-policy-file": {"/var/run/configmaps/audit/default.yaml"},


just remove this line only

And line 180 too

sttts · 2021-07-06T22:28:08Z

pkg/operator/workload/testdata/sync_ds_scenario_2.yaml

-              --tls-min-version=VersionTLS12 \
-              --v=2
+                --cors-allowed-origins='//127\.0\.0\.1(:|$)' \
+                --cors-allowed-origins='//localhost(:|$)' \


move left every but the first green line

sttts · 2021-07-06T22:28:19Z

pkg/operator/workload/testdata/sync_ds_scenario_3.yaml

-              --tls-cipher-suites=TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 \
-              --tls-min-version=VersionTLS13 \
-              --v=2
+                --audit-policy-file=/var/run/configmaps/audit/policy.yaml \


remove this line

sttts · 2021-07-06T22:28:30Z

pkg/operator/workload/testdata/sync_ds_scenario_3.yaml

-              --v=2
+                --audit-policy-file=/var/run/configmaps/audit/policy.yaml \
+                --cors-allowed-origins='//127\.0\.0\.1(:|$)' \
+                --cors-allowed-origins='//localhost(:|$)' \


move left from here on

stlaz · 2021-07-07T10:47:12Z

/hold
needs better commit management (and the tests to pass)

EmilyM1 · 2021-07-07T19:44:20Z

@stlaz Put back in WIP till tests are passing and squashed.
Found in this PR we have quite a few previously existing yaml alignment problems, so flurry of commits from yesterday addresses those.
Will remove WIP and ping you when passes and resquashed if needed.

EmilyM1 · 2021-07-07T21:25:00Z

/test e2e-agnostic

stlaz · 2021-07-08T10:20:59Z

/hold cancel
this seems ready

EmilyM1 · 2021-07-08T17:02:54Z

/test e2e-agnostic-ipv6

EmilyM1 · 2021-07-08T19:42:19Z

/test e2e-agnostic

EmilyM1 · 2021-07-08T23:48:46Z

/test e2e-agnostic-ipv6

openshift-ci · 2021-07-09T02:03:49Z

@EmilyM1: The following test failed, say /retest to rerun all failed tests:

Test name	Commit	Details	Rerun command
ci/prow/e2e-agnostic-ipv6	`8047b34`	link	`/test e2e-agnostic-ipv6`

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

stlaz · 2021-07-09T06:40:55Z

/lgtm

openshift-ci · 2021-07-09T06:41:11Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: EmilyM1, stlaz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [stlaz]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 30, 2021

openshift-ci bot requested review from stlaz and sttts June 30, 2021 22:04

EmilyM1 changed the title ~~[WIP]add dynamic audit policy controller~~ add dynamic audit policy controller Jul 6, 2021

openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 6, 2021

sttts reviewed Jul 6, 2021

View reviewed changes

EmilyM1 force-pushed the init-audit-policy-controller branch from c33ffc8 to 7e95cc2 Compare July 6, 2021 20:08

bump(library-go): add audit controller

6f1fd7a

EmilyM1 force-pushed the init-audit-policy-controller branch from 012a273 to 126851e Compare July 6, 2021 20:43

sttts reviewed Jul 6, 2021

View reviewed changes

EmilyM1 force-pushed the init-audit-policy-controller branch from 126851e to 60a7a13 Compare July 6, 2021 20:50

sttts reviewed Jul 6, 2021

View reviewed changes

openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 7, 2021

oauth-apiserver: wire auditpolicy controller

8047b34

EmilyM1 force-pushed the init-audit-policy-controller branch from 4096ae0 to 8047b34 Compare July 7, 2021 19:39

EmilyM1 changed the title ~~add dynamic audit policy controller~~ [WIP] add dynamic audit policy controller Jul 7, 2021

openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 7, 2021

openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 8, 2021

EmilyM1 changed the title ~~[WIP] add dynamic audit policy controller~~ add dynamic audit policy controller Jul 8, 2021

openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 8, 2021

openshift-ci bot assigned stlaz Jul 9, 2021

openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jul 9, 2021

openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 9, 2021

openshift-merge-robot merged commit 4eda0f5 into openshift:master Jul 9, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

add dynamic audit policy controller #460

add dynamic audit policy controller #460

EmilyM1 commented Jun 30, 2021

EmilyM1 commented Jul 2, 2021

EmilyM1 commented Jul 2, 2021

sttts commented Jul 3, 2021

sttts Jul 6, 2021

sttts Jul 6, 2021

EmilyM1 Jul 6, 2021

sttts Jul 6, 2021

sttts Jul 6, 2021

sttts Jul 6, 2021

sttts Jul 6, 2021

sttts Jul 6, 2021

stlaz commented Jul 7, 2021

EmilyM1 commented Jul 7, 2021

EmilyM1 commented Jul 7, 2021

stlaz commented Jul 8, 2021

EmilyM1 commented Jul 8, 2021

EmilyM1 commented Jul 8, 2021

EmilyM1 commented Jul 8, 2021

openshift-ci bot commented Jul 9, 2021

stlaz commented Jul 9, 2021

openshift-ci bot commented Jul 9, 2021

add dynamic audit policy controller #460

add dynamic audit policy controller #460

Conversation

EmilyM1 commented Jun 30, 2021

EmilyM1 commented Jul 2, 2021

EmilyM1 commented Jul 2, 2021

sttts commented Jul 3, 2021

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

stlaz commented Jul 7, 2021

EmilyM1 commented Jul 7, 2021

EmilyM1 commented Jul 7, 2021

stlaz commented Jul 8, 2021

EmilyM1 commented Jul 8, 2021

EmilyM1 commented Jul 8, 2021

EmilyM1 commented Jul 8, 2021

openshift-ci bot commented Jul 9, 2021

stlaz commented Jul 9, 2021

openshift-ci bot commented Jul 9, 2021