github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #46009 from timstclair/audit-policy

Browse Source 
Automatic merge from submit-queue (batch tested with PRs 45949, 46009, 46320, 46423, 46437)

Implement audit policy logic

Includes https://github.com/kubernetes/kubernetes/pull/45315#discussion_r117115932 (ignore the first commit)

Feature: https://github.com/kubernetes/features/issues/22

Remaining work:

- [x] Load the policy into the `server.Config`
- [x] Rebase on https://github.com/kubernetes/kubernetes/pull/45315
- [x] Establish shared code for audit api scheme (with https://github.com/kubernetes/kubernetes/pull/45919)
- [x] Once https://github.com/kubernetes/kubernetes/pull/45766 is merged, call the policy checker in the audit path

/cc @sttts @soltysh @ericchiang @ihmccreery @pweil- @deads2k
This commit is contained in:
Kubernetes Submit Queue
2017-05-25 19:40:59 -07:00
committed by GitHub
parent 470a6a45d5 a5de309ee2
commit ae03f22c65
25 changed files with 828 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
pkg/features/kube_features.go
View File

@@ -117,5 +117,6 @@ var defaultKubernetesFeatureGates = map[utilfeature.Feature]utilfeature.FeatureS
// inherited features from generic apiserver, relisted here to get a conflict if it is changed
// unintentionally on either side:
StreamingProxyRedirects: {Default: true, PreRelease: utilfeature.Beta},
StreamingProxyRedirects: {Default: true, PreRelease: utilfeature.Beta},
genericfeatures.AdvancedAuditing: {Default: false, PreRelease: utilfeature.Alpha},
}

2
pkg/kubeapiserver/server/BUILD
View File

@@ -16,8 +16,10 @@ go_library(
"//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library",
"//vendor/k8s.io/apiserver/pkg/endpoints/filters:go_default_library",
"//vendor/k8s.io/apiserver/pkg/endpoints/request:go_default_library",
"//vendor/k8s.io/apiserver/pkg/features:go_default_library",
"//vendor/k8s.io/apiserver/pkg/server:go_default_library",
"//vendor/k8s.io/apiserver/pkg/server/filters:go_default_library",
"//vendor/k8s.io/apiserver/pkg/util/feature:go_default_library",
"//vendor/k8s.io/client-go/rest:go_default_library",
],
)

9
pkg/kubeapiserver/server/insecure_handler.go
View File

@@ -25,8 +25,10 @@ import (
"k8s.io/apiserver/pkg/authentication/user"
genericapifilters "k8s.io/apiserver/pkg/endpoints/filters"
apirequest "k8s.io/apiserver/pkg/endpoints/request"
"k8s.io/apiserver/pkg/features"
"k8s.io/apiserver/pkg/server"
genericfilters "k8s.io/apiserver/pkg/server/filters"
utilfeature "k8s.io/apiserver/pkg/util/feature"
"k8s.io/client-go/rest"
)
@@ -35,7 +37,12 @@ import (
// InsecureServingInfo *ServingInfo
func BuildInsecureHandlerChain(apiHandler http.Handler, c *server.Config) http.Handler {
handler := genericapifilters.WithAudit(apiHandler, c.RequestContextMapper, c.AuditBackend, c.AuditPolicy, c.LongRunningFunc)
handler := apiHandler
if utilfeature.DefaultFeatureGate.Enabled(features.AdvancedAuditing) {
handler = genericapifilters.WithAudit(handler, c.RequestContextMapper, c.AuditBackend, c.AuditPolicyChecker, c.LongRunningFunc)
} else {
handler = genericapifilters.WithLegacyAudit(handler, c.RequestContextMapper, c.LegacyAuditWriter)
}
handler = genericapifilters.WithAuthentication(handler, c.RequestContextMapper, insecureSuperuser{}, nil)
handler = genericfilters.WithCORS(handler, c.CorsAllowedOriginList, nil, nil, nil, "true")
handler = genericfilters.WithPanicRecovery(handler)