Merge pull request #91502 from deads2k/dyn-audit-removal-00
remove --feature-gates=DynamicAuditing
		| @@ -33,8 +33,6 @@ API rule violation: list_type_missing,k8s.io/api/apps/v1beta2,DeploymentStatus,C | |||||||
| API rule violation: list_type_missing,k8s.io/api/apps/v1beta2,ReplicaSetStatus,Conditions | API rule violation: list_type_missing,k8s.io/api/apps/v1beta2,ReplicaSetStatus,Conditions | ||||||
| API rule violation: list_type_missing,k8s.io/api/apps/v1beta2,StatefulSetSpec,VolumeClaimTemplates | API rule violation: list_type_missing,k8s.io/api/apps/v1beta2,StatefulSetSpec,VolumeClaimTemplates | ||||||
| API rule violation: list_type_missing,k8s.io/api/apps/v1beta2,StatefulSetStatus,Conditions | API rule violation: list_type_missing,k8s.io/api/apps/v1beta2,StatefulSetStatus,Conditions | ||||||
| API rule violation: list_type_missing,k8s.io/api/auditregistration/v1alpha1,Policy,Stages |  | ||||||
| API rule violation: list_type_missing,k8s.io/api/auditregistration/v1alpha1,WebhookClientConfig,CABundle |  | ||||||
| API rule violation: list_type_missing,k8s.io/api/authentication/v1,TokenRequestSpec,Audiences | API rule violation: list_type_missing,k8s.io/api/authentication/v1,TokenRequestSpec,Audiences | ||||||
| API rule violation: list_type_missing,k8s.io/api/authentication/v1,TokenReviewSpec,Audiences | API rule violation: list_type_missing,k8s.io/api/authentication/v1,TokenReviewSpec,Audiences | ||||||
| API rule violation: list_type_missing,k8s.io/api/authentication/v1,TokenReviewStatus,Audiences | API rule violation: list_type_missing,k8s.io/api/authentication/v1,TokenReviewStatus,Audiences | ||||||
|   | |||||||
							
								
								
									
										1044
									
								
								api/openapi-spec/swagger.json
									
									
									
										generated
									
									
									
								
							
							
						
						
									
									
									
									
								
							
										
											
												File diff suppressed because it is too large
											
										
									
								
							| @@ -38,13 +38,11 @@ tags_values_pkgs = {"openapi-gen": { | |||||||
|         "cmd/cloud-controller-manager/app/apis/config/v1alpha1", |         "cmd/cloud-controller-manager/app/apis/config/v1alpha1", | ||||||
|         "pkg/apis/abac/v0", |         "pkg/apis/abac/v0", | ||||||
|         "pkg/apis/abac/v1beta1", |         "pkg/apis/abac/v1beta1", | ||||||
|         "pkg/apis/auditregistration", |  | ||||||
|         "staging/src/k8s.io/api/admissionregistration/v1", |         "staging/src/k8s.io/api/admissionregistration/v1", | ||||||
|         "staging/src/k8s.io/api/admissionregistration/v1beta1", |         "staging/src/k8s.io/api/admissionregistration/v1beta1", | ||||||
|         "staging/src/k8s.io/api/apps/v1", |         "staging/src/k8s.io/api/apps/v1", | ||||||
|         "staging/src/k8s.io/api/apps/v1beta1", |         "staging/src/k8s.io/api/apps/v1beta1", | ||||||
|         "staging/src/k8s.io/api/apps/v1beta2", |         "staging/src/k8s.io/api/apps/v1beta2", | ||||||
|         "staging/src/k8s.io/api/auditregistration/v1alpha1", |  | ||||||
|         "staging/src/k8s.io/api/authentication/v1", |         "staging/src/k8s.io/api/authentication/v1", | ||||||
|         "staging/src/k8s.io/api/authentication/v1beta1", |         "staging/src/k8s.io/api/authentication/v1beta1", | ||||||
|         "staging/src/k8s.io/api/authorization/v1", |         "staging/src/k8s.io/api/authorization/v1", | ||||||
| @@ -116,7 +114,6 @@ tags_pkgs_values = {"openapi-gen": { | |||||||
|     "cmd/cloud-controller-manager/app/apis/config/v1alpha1": ["true"], |     "cmd/cloud-controller-manager/app/apis/config/v1alpha1": ["true"], | ||||||
|     "pkg/apis/abac/v0": ["true"], |     "pkg/apis/abac/v0": ["true"], | ||||||
|     "pkg/apis/abac/v1beta1": ["true"], |     "pkg/apis/abac/v1beta1": ["true"], | ||||||
|     "pkg/apis/auditregistration": ["true"], |  | ||||||
|     "staging/src/k8s.io/api/admission/v1": ["false"], |     "staging/src/k8s.io/api/admission/v1": ["false"], | ||||||
|     "staging/src/k8s.io/api/admission/v1beta1": ["false"], |     "staging/src/k8s.io/api/admission/v1beta1": ["false"], | ||||||
|     "staging/src/k8s.io/api/admissionregistration/v1": ["true"], |     "staging/src/k8s.io/api/admissionregistration/v1": ["true"], | ||||||
| @@ -124,7 +121,6 @@ tags_pkgs_values = {"openapi-gen": { | |||||||
|     "staging/src/k8s.io/api/apps/v1": ["true"], |     "staging/src/k8s.io/api/apps/v1": ["true"], | ||||||
|     "staging/src/k8s.io/api/apps/v1beta1": ["true"], |     "staging/src/k8s.io/api/apps/v1beta1": ["true"], | ||||||
|     "staging/src/k8s.io/api/apps/v1beta2": ["true"], |     "staging/src/k8s.io/api/apps/v1beta2": ["true"], | ||||||
|     "staging/src/k8s.io/api/auditregistration/v1alpha1": ["true"], |  | ||||||
|     "staging/src/k8s.io/api/authentication/v1": ["true"], |     "staging/src/k8s.io/api/authentication/v1": ["true"], | ||||||
|     "staging/src/k8s.io/api/authentication/v1beta1": ["true"], |     "staging/src/k8s.io/api/authentication/v1beta1": ["true"], | ||||||
|     "staging/src/k8s.io/api/authorization/v1": ["true"], |     "staging/src/k8s.io/api/authorization/v1": ["true"], | ||||||
|   | |||||||
| @@ -283,7 +283,6 @@ var apiVersionPriorities = map[schema.GroupVersion]priority{ | |||||||
| 	{Group: "scheduling.k8s.io", Version: "v1alpha1"}:            {group: 16600, version: 9}, | 	{Group: "scheduling.k8s.io", Version: "v1alpha1"}:            {group: 16600, version: 9}, | ||||||
| 	{Group: "coordination.k8s.io", Version: "v1"}:                {group: 16500, version: 15}, | 	{Group: "coordination.k8s.io", Version: "v1"}:                {group: 16500, version: 15}, | ||||||
| 	{Group: "coordination.k8s.io", Version: "v1beta1"}:           {group: 16500, version: 9}, | 	{Group: "coordination.k8s.io", Version: "v1beta1"}:           {group: 16500, version: 9}, | ||||||
| 	{Group: "auditregistration.k8s.io", Version: "v1alpha1"}:     {group: 16400, version: 1}, |  | ||||||
| 	{Group: "node.k8s.io", Version: "v1alpha1"}:                  {group: 16300, version: 1}, | 	{Group: "node.k8s.io", Version: "v1alpha1"}:                  {group: 16300, version: 1}, | ||||||
| 	{Group: "node.k8s.io", Version: "v1beta1"}:                   {group: 16300, version: 9}, | 	{Group: "node.k8s.io", Version: "v1beta1"}:                   {group: 16300, version: 9}, | ||||||
| 	{Group: "discovery.k8s.io", Version: "v1beta1"}:              {group: 16200, version: 12}, | 	{Group: "discovery.k8s.io", Version: "v1beta1"}:              {group: 16200, version: 12}, | ||||||
|   | |||||||
| @@ -60,7 +60,6 @@ go_test( | |||||||
|         "//staging/src/k8s.io/apiserver/pkg/storage/storagebackend:go_default_library", |         "//staging/src/k8s.io/apiserver/pkg/storage/storagebackend:go_default_library", | ||||||
|         "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library", |         "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library", | ||||||
|         "//staging/src/k8s.io/apiserver/plugin/pkg/audit/buffered:go_default_library", |         "//staging/src/k8s.io/apiserver/plugin/pkg/audit/buffered:go_default_library", | ||||||
|         "//staging/src/k8s.io/apiserver/plugin/pkg/audit/dynamic:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apiserver/plugin/pkg/audit/truncate:go_default_library", |         "//staging/src/k8s.io/apiserver/plugin/pkg/audit/truncate:go_default_library", | ||||||
|         "//staging/src/k8s.io/client-go/rest:go_default_library", |         "//staging/src/k8s.io/client-go/rest:go_default_library", | ||||||
|         "//staging/src/k8s.io/component-base/cli/flag:go_default_library", |         "//staging/src/k8s.io/component-base/cli/flag:go_default_library", | ||||||
|   | |||||||
| @@ -30,7 +30,6 @@ import ( | |||||||
| 	apiserveroptions "k8s.io/apiserver/pkg/server/options" | 	apiserveroptions "k8s.io/apiserver/pkg/server/options" | ||||||
| 	"k8s.io/apiserver/pkg/storage/storagebackend" | 	"k8s.io/apiserver/pkg/storage/storagebackend" | ||||||
| 	auditbuffered "k8s.io/apiserver/plugin/pkg/audit/buffered" | 	auditbuffered "k8s.io/apiserver/plugin/pkg/audit/buffered" | ||||||
| 	auditdynamic "k8s.io/apiserver/plugin/pkg/audit/dynamic" |  | ||||||
| 	audittruncate "k8s.io/apiserver/plugin/pkg/audit/truncate" | 	audittruncate "k8s.io/apiserver/plugin/pkg/audit/truncate" | ||||||
| 	restclient "k8s.io/client-go/rest" | 	restclient "k8s.io/client-go/rest" | ||||||
| 	cliflag "k8s.io/component-base/cli/flag" | 	cliflag "k8s.io/component-base/cli/flag" | ||||||
| @@ -252,9 +251,6 @@ func TestAddFlags(t *testing.T) { | |||||||
| 				InitialBackoff:     2 * time.Second, | 				InitialBackoff:     2 * time.Second, | ||||||
| 				GroupVersionString: "audit.k8s.io/v1alpha1", | 				GroupVersionString: "audit.k8s.io/v1alpha1", | ||||||
| 			}, | 			}, | ||||||
| 			DynamicOptions: apiserveroptions.AuditDynamicOptions{ |  | ||||||
| 				BatchConfig: auditdynamic.NewDefaultWebhookBatchConfig(), |  | ||||||
| 			}, |  | ||||||
| 			PolicyFile: "/policy", | 			PolicyFile: "/policy", | ||||||
| 		}, | 		}, | ||||||
| 		Features: &apiserveroptions.FeatureOptions{ | 		Features: &apiserveroptions.FeatureOptions{ | ||||||
|   | |||||||
| @@ -505,29 +505,17 @@ func buildGenericConfig( | |||||||
| 		genericConfig.DisabledPostStartHooks.Insert(rbacrest.PostStartHookName) | 		genericConfig.DisabledPostStartHooks.Insert(rbacrest.PostStartHookName) | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
|  | 	lastErr = s.Audit.ApplyTo(genericConfig) | ||||||
|  | 	if lastErr != nil { | ||||||
|  | 		return | ||||||
|  | 	} | ||||||
|  |  | ||||||
| 	admissionConfig := &kubeapiserveradmission.Config{ | 	admissionConfig := &kubeapiserveradmission.Config{ | ||||||
| 		ExternalInformers:    versionedInformers, | 		ExternalInformers:    versionedInformers, | ||||||
| 		LoopbackClientConfig: genericConfig.LoopbackClientConfig, | 		LoopbackClientConfig: genericConfig.LoopbackClientConfig, | ||||||
| 		CloudConfigFile:      s.CloudProvider.CloudConfigFile, | 		CloudConfigFile:      s.CloudProvider.CloudConfigFile, | ||||||
| 	} | 	} | ||||||
| 	serviceResolver = buildServiceResolver(s.EnableAggregatorRouting, genericConfig.LoopbackClientConfig.Host, versionedInformers) | 	serviceResolver = buildServiceResolver(s.EnableAggregatorRouting, genericConfig.LoopbackClientConfig.Host, versionedInformers) | ||||||
|  |  | ||||||
| 	authInfoResolverWrapper := webhook.NewDefaultAuthenticationInfoResolverWrapper(proxyTransport, genericConfig.EgressSelector, genericConfig.LoopbackClientConfig) |  | ||||||
|  |  | ||||||
| 	lastErr = s.Audit.ApplyTo( |  | ||||||
| 		genericConfig, |  | ||||||
| 		genericConfig.LoopbackClientConfig, |  | ||||||
| 		versionedInformers, |  | ||||||
| 		serveroptions.NewProcessInfo("kube-apiserver", "kube-system"), |  | ||||||
| 		&serveroptions.WebhookOptions{ |  | ||||||
| 			AuthInfoResolverWrapper: authInfoResolverWrapper, |  | ||||||
| 			ServiceResolver:         serviceResolver, |  | ||||||
| 		}, |  | ||||||
| 	) |  | ||||||
| 	if lastErr != nil { |  | ||||||
| 		return |  | ||||||
| 	} |  | ||||||
|  |  | ||||||
| 	pluginInitializers, admissionPostStartHook, err = admissionConfig.New(proxyTransport, genericConfig.EgressSelector, serviceResolver) | 	pluginInitializers, admissionPostStartHook, err = admissionConfig.New(proxyTransport, genericConfig.EgressSelector, serviceResolver) | ||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		lastErr = fmt.Errorf("failed to create admission plugin initializer: %v", err) | 		lastErr = fmt.Errorf("failed to create admission plugin initializer: %v", err) | ||||||
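Review bot: The relocated `s.Audit.ApplyTo(genericConfig)` call passes its error back bare through `lastErr`, while the admission step a few lines below wraps its error with `fmt.Errorf("failed to create admission plugin initializer: %v", err)`. A misconfigured audit policy or webhook backend would be easier to triage from startup logs if this error were wrapped the same way, for example `lastErr = fmt.Errorf("failed to apply audit options: %v", err)` (this assumes `err` is already declared in the function, as the later `err =` assignment suggests). A short comment above the call would also help the next reader: `// Audit is applied before admission setup: it now takes only genericConfig and no longer needs the loopback client, informers or service resolver.` The early `return` on failure is worth keeping as is, since it presumably stops the server from being built without its configured audit backend. The body of `buildGenericConfig` starts and ends outside this hunk.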
|   | |||||||
| @@ -12,7 +12,6 @@ pkg/apis/admissionregistration/validation | |||||||
| pkg/apis/apps/v1 | pkg/apis/apps/v1 | ||||||
| pkg/apis/apps/v1beta1 | pkg/apis/apps/v1beta1 | ||||||
| pkg/apis/apps/v1beta2 | pkg/apis/apps/v1beta2 | ||||||
| pkg/apis/auditregistration/v1alpha1 |  | ||||||
| pkg/apis/authentication/v1 | pkg/apis/authentication/v1 | ||||||
| pkg/apis/autoscaling/v1 | pkg/apis/autoscaling/v1 | ||||||
| pkg/apis/autoscaling/v2beta1 | pkg/apis/autoscaling/v2beta1 | ||||||
| @@ -125,7 +124,6 @@ pkg/proxy/userspace | |||||||
| pkg/proxy/winkernel | pkg/proxy/winkernel | ||||||
| pkg/proxy/winuserspace | pkg/proxy/winuserspace | ||||||
| pkg/registry/admissionregistration/rest | pkg/registry/admissionregistration/rest | ||||||
| pkg/registry/auditregistration/rest |  | ||||||
| pkg/registry/authentication/rest | pkg/registry/authentication/rest | ||||||
| pkg/registry/authentication/tokenreview | pkg/registry/authentication/tokenreview | ||||||
| pkg/registry/authorization/localsubjectaccessreview | pkg/registry/authorization/localsubjectaccessreview | ||||||
| @@ -217,7 +215,6 @@ staging/src/k8s.io/api/admissionregistration/v1beta1 | |||||||
| staging/src/k8s.io/api/apps/v1 | staging/src/k8s.io/api/apps/v1 | ||||||
| staging/src/k8s.io/api/apps/v1beta1 | staging/src/k8s.io/api/apps/v1beta1 | ||||||
| staging/src/k8s.io/api/apps/v1beta2 | staging/src/k8s.io/api/apps/v1beta2 | ||||||
| staging/src/k8s.io/api/auditregistration/v1alpha1 |  | ||||||
| staging/src/k8s.io/api/authentication/v1 | staging/src/k8s.io/api/authentication/v1 | ||||||
| staging/src/k8s.io/api/authentication/v1beta1 | staging/src/k8s.io/api/authentication/v1beta1 | ||||||
| staging/src/k8s.io/api/authorization/v1 | staging/src/k8s.io/api/authorization/v1 | ||||||
|   | |||||||
| @@ -6,7 +6,6 @@ | |||||||
|   "k8s.io/api/apps/v1": "appsv1", |   "k8s.io/api/apps/v1": "appsv1", | ||||||
|   "k8s.io/api/apps/v1beta1": "appsv1beta1", |   "k8s.io/api/apps/v1beta1": "appsv1beta1", | ||||||
|   "k8s.io/api/apps/v1beta2": "appsv1beta2", |   "k8s.io/api/apps/v1beta2": "appsv1beta2", | ||||||
|   "k8s.io/api/auditregistration/v1alpha1": "auditregistrationv1alpha1", |  | ||||||
|   "k8s.io/api/authentication/v1": "authenticationv1", |   "k8s.io/api/authentication/v1": "authenticationv1", | ||||||
|   "k8s.io/api/authentication/v1beta1": "authenticationv1beta1", |   "k8s.io/api/authentication/v1beta1": "authenticationv1beta1", | ||||||
|   "k8s.io/api/authorization/v1": "authorizationv1", |   "k8s.io/api/authorization/v1": "authorizationv1", | ||||||
|   | |||||||
| @@ -70,7 +70,6 @@ admission.k8s.io/v1beta1 \ | |||||||
| apps/v1 \ | apps/v1 \ | ||||||
| apps/v1beta1 \ | apps/v1beta1 \ | ||||||
| apps/v1beta2 \ | apps/v1beta2 \ | ||||||
| auditregistration.k8s.io/v1alpha1 \ |  | ||||||
| authentication.k8s.io/v1 \ | authentication.k8s.io/v1 \ | ||||||
| authentication.k8s.io/v1beta1 \ | authentication.k8s.io/v1beta1 \ | ||||||
| authorization.k8s.io/v1 \ | authorization.k8s.io/v1 \ | ||||||
|   | |||||||
| @@ -28,7 +28,6 @@ filegroup( | |||||||
|         "//pkg/apis/admission:all-srcs", |         "//pkg/apis/admission:all-srcs", | ||||||
|         "//pkg/apis/admissionregistration:all-srcs", |         "//pkg/apis/admissionregistration:all-srcs", | ||||||
|         "//pkg/apis/apps:all-srcs", |         "//pkg/apis/apps:all-srcs", | ||||||
|         "//pkg/apis/auditregistration:all-srcs", |  | ||||||
|         "//pkg/apis/authentication:all-srcs", |         "//pkg/apis/authentication:all-srcs", | ||||||
|         "//pkg/apis/authorization:all-srcs", |         "//pkg/apis/authorization:all-srcs", | ||||||
|         "//pkg/apis/autoscaling:all-srcs", |         "//pkg/apis/autoscaling:all-srcs", | ||||||
|   | |||||||
| @@ -23,8 +23,6 @@ go_library( | |||||||
|         "//pkg/apis/apps:go_default_library", |         "//pkg/apis/apps:go_default_library", | ||||||
|         "//pkg/apis/apps/fuzzer:go_default_library", |         "//pkg/apis/apps/fuzzer:go_default_library", | ||||||
|         "//pkg/apis/apps/install:go_default_library", |         "//pkg/apis/apps/install:go_default_library", | ||||||
|         "//pkg/apis/auditregistration/fuzzer:go_default_library", |  | ||||||
|         "//pkg/apis/auditregistration/install:go_default_library", |  | ||||||
|         "//pkg/apis/authentication/install:go_default_library", |         "//pkg/apis/authentication/install:go_default_library", | ||||||
|         "//pkg/apis/authorization/install:go_default_library", |         "//pkg/apis/authorization/install:go_default_library", | ||||||
|         "//pkg/apis/autoscaling/fuzzer:go_default_library", |         "//pkg/apis/autoscaling/fuzzer:go_default_library", | ||||||
|   | |||||||
| @@ -145,8 +145,6 @@ func TestDefaulting(t *testing.T) { | |||||||
| 		{Group: "admissionregistration.k8s.io", Version: "v1", Kind: "ValidatingWebhookConfigurationList"}:      {}, | 		{Group: "admissionregistration.k8s.io", Version: "v1", Kind: "ValidatingWebhookConfigurationList"}:      {}, | ||||||
| 		{Group: "admissionregistration.k8s.io", Version: "v1", Kind: "MutatingWebhookConfiguration"}:            {}, | 		{Group: "admissionregistration.k8s.io", Version: "v1", Kind: "MutatingWebhookConfiguration"}:            {}, | ||||||
| 		{Group: "admissionregistration.k8s.io", Version: "v1", Kind: "MutatingWebhookConfigurationList"}:        {}, | 		{Group: "admissionregistration.k8s.io", Version: "v1", Kind: "MutatingWebhookConfigurationList"}:        {}, | ||||||
| 		{Group: "auditregistration.k8s.io", Version: "v1alpha1", Kind: "AuditSink"}:                             {}, |  | ||||||
| 		{Group: "auditregistration.k8s.io", Version: "v1alpha1", Kind: "AuditSinkList"}:                         {}, |  | ||||||
| 		{Group: "networking.k8s.io", Version: "v1", Kind: "NetworkPolicy"}:                                      {}, | 		{Group: "networking.k8s.io", Version: "v1", Kind: "NetworkPolicy"}:                                      {}, | ||||||
| 		{Group: "networking.k8s.io", Version: "v1", Kind: "NetworkPolicyList"}:                                  {}, | 		{Group: "networking.k8s.io", Version: "v1", Kind: "NetworkPolicyList"}:                                  {}, | ||||||
| 		{Group: "networking.k8s.io", Version: "v1beta1", Kind: "Ingress"}:                                       {}, | 		{Group: "networking.k8s.io", Version: "v1beta1", Kind: "Ingress"}:                                       {}, | ||||||
|   | |||||||
| @@ -31,7 +31,6 @@ import ( | |||||||
| 	admissionregistrationfuzzer "k8s.io/kubernetes/pkg/apis/admissionregistration/fuzzer" | 	admissionregistrationfuzzer "k8s.io/kubernetes/pkg/apis/admissionregistration/fuzzer" | ||||||
| 	"k8s.io/kubernetes/pkg/apis/apps" | 	"k8s.io/kubernetes/pkg/apis/apps" | ||||||
| 	appsfuzzer "k8s.io/kubernetes/pkg/apis/apps/fuzzer" | 	appsfuzzer "k8s.io/kubernetes/pkg/apis/apps/fuzzer" | ||||||
| 	auditregistrationfuzzer "k8s.io/kubernetes/pkg/apis/auditregistration/fuzzer" |  | ||||||
| 	autoscalingfuzzer "k8s.io/kubernetes/pkg/apis/autoscaling/fuzzer" | 	autoscalingfuzzer "k8s.io/kubernetes/pkg/apis/autoscaling/fuzzer" | ||||||
| 	batchfuzzer "k8s.io/kubernetes/pkg/apis/batch/fuzzer" | 	batchfuzzer "k8s.io/kubernetes/pkg/apis/batch/fuzzer" | ||||||
| 	certificatesfuzzer "k8s.io/kubernetes/pkg/apis/certificates/fuzzer" | 	certificatesfuzzer "k8s.io/kubernetes/pkg/apis/certificates/fuzzer" | ||||||
| @@ -103,7 +102,6 @@ var FuzzerFuncs = fuzzer.MergeFuzzerFuncs( | |||||||
| 	policyfuzzer.Funcs, | 	policyfuzzer.Funcs, | ||||||
| 	certificatesfuzzer.Funcs, | 	certificatesfuzzer.Funcs, | ||||||
| 	admissionregistrationfuzzer.Funcs, | 	admissionregistrationfuzzer.Funcs, | ||||||
| 	auditregistrationfuzzer.Funcs, |  | ||||||
| 	storagefuzzer.Funcs, | 	storagefuzzer.Funcs, | ||||||
| 	networkingfuzzer.Funcs, | 	networkingfuzzer.Funcs, | ||||||
| 	metafuzzer.Funcs, | 	metafuzzer.Funcs, | ||||||
|   | |||||||
| @@ -21,7 +21,6 @@ import ( | |||||||
| 	_ "k8s.io/kubernetes/pkg/apis/admission/install" | 	_ "k8s.io/kubernetes/pkg/apis/admission/install" | ||||||
| 	_ "k8s.io/kubernetes/pkg/apis/admissionregistration/install" | 	_ "k8s.io/kubernetes/pkg/apis/admissionregistration/install" | ||||||
| 	_ "k8s.io/kubernetes/pkg/apis/apps/install" | 	_ "k8s.io/kubernetes/pkg/apis/apps/install" | ||||||
| 	_ "k8s.io/kubernetes/pkg/apis/auditregistration/install" |  | ||||||
| 	_ "k8s.io/kubernetes/pkg/apis/authentication/install" | 	_ "k8s.io/kubernetes/pkg/apis/authentication/install" | ||||||
| 	_ "k8s.io/kubernetes/pkg/apis/authorization/install" | 	_ "k8s.io/kubernetes/pkg/apis/authorization/install" | ||||||
| 	_ "k8s.io/kubernetes/pkg/apis/autoscaling/install" | 	_ "k8s.io/kubernetes/pkg/apis/autoscaling/install" | ||||||
|   | |||||||
| @@ -1,38 +0,0 @@ | |||||||
| load("@io_bazel_rules_go//go:def.bzl", "go_library") |  | ||||||
|  |  | ||||||
| go_library( |  | ||||||
|     name = "go_default_library", |  | ||||||
|     srcs = [ |  | ||||||
|         "doc.go", |  | ||||||
|         "register.go", |  | ||||||
|         "types.go", |  | ||||||
|         "zz_generated.deepcopy.go", |  | ||||||
|     ], |  | ||||||
|     importpath = "k8s.io/kubernetes/pkg/apis/auditregistration", |  | ||||||
|     visibility = ["//visibility:public"], |  | ||||||
|     deps = [ |  | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library", |  | ||||||
|     ], |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| filegroup( |  | ||||||
|     name = "package-srcs", |  | ||||||
|     srcs = glob(["**"]), |  | ||||||
|     tags = ["automanaged"], |  | ||||||
|     visibility = ["//visibility:private"], |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| filegroup( |  | ||||||
|     name = "all-srcs", |  | ||||||
|     srcs = [ |  | ||||||
|         ":package-srcs", |  | ||||||
|         "//pkg/apis/auditregistration/fuzzer:all-srcs", |  | ||||||
|         "//pkg/apis/auditregistration/install:all-srcs", |  | ||||||
|         "//pkg/apis/auditregistration/v1alpha1:all-srcs", |  | ||||||
|         "//pkg/apis/auditregistration/validation:all-srcs", |  | ||||||
|     ], |  | ||||||
|     tags = ["automanaged"], |  | ||||||
|     visibility = ["//visibility:public"], |  | ||||||
| ) |  | ||||||
| @@ -1,20 +0,0 @@ | |||||||
| /* |  | ||||||
| Copyright 2018 The Kubernetes Authors. |  | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| you may not use this file except in compliance with the License. |  | ||||||
| You may obtain a copy of the License at |  | ||||||
|  |  | ||||||
|     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
|  |  | ||||||
| Unless required by applicable law or agreed to in writing, software |  | ||||||
| distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| See the License for the specific language governing permissions and |  | ||||||
| limitations under the License. |  | ||||||
| */ |  | ||||||
|  |  | ||||||
| // +k8s:deepcopy-gen=package |  | ||||||
| // +groupName=auditregistration.k8s.io |  | ||||||
|  |  | ||||||
| package auditregistration // import "k8s.io/kubernetes/pkg/apis/auditregistration" |  | ||||||
| @@ -1,27 +0,0 @@ | |||||||
| load("@io_bazel_rules_go//go:def.bzl", "go_library") |  | ||||||
|  |  | ||||||
| go_library( |  | ||||||
|     name = "go_default_library", |  | ||||||
|     srcs = ["fuzzer.go"], |  | ||||||
|     importpath = "k8s.io/kubernetes/pkg/apis/auditregistration/fuzzer", |  | ||||||
|     visibility = ["//visibility:public"], |  | ||||||
|     deps = [ |  | ||||||
|         "//pkg/apis/auditregistration:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/runtime/serializer:go_default_library", |  | ||||||
|         "//vendor/github.com/google/gofuzz:go_default_library", |  | ||||||
|     ], |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| filegroup( |  | ||||||
|     name = "package-srcs", |  | ||||||
|     srcs = glob(["**"]), |  | ||||||
|     tags = ["automanaged"], |  | ||||||
|     visibility = ["//visibility:private"], |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| filegroup( |  | ||||||
|     name = "all-srcs", |  | ||||||
|     srcs = [":package-srcs"], |  | ||||||
|     tags = ["automanaged"], |  | ||||||
|     visibility = ["//visibility:public"], |  | ||||||
| ) |  | ||||||
| @@ -1,38 +0,0 @@ | |||||||
| /* |  | ||||||
| Copyright 2018 The Kubernetes Authors. |  | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| you may not use this file except in compliance with the License. |  | ||||||
| You may obtain a copy of the License at |  | ||||||
|  |  | ||||||
|     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
|  |  | ||||||
| Unless required by applicable law or agreed to in writing, software |  | ||||||
| distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| See the License for the specific language governing permissions and |  | ||||||
| limitations under the License. |  | ||||||
| */ |  | ||||||
|  |  | ||||||
| package fuzzer |  | ||||||
|  |  | ||||||
| import ( |  | ||||||
| 	fuzz "github.com/google/gofuzz" |  | ||||||
|  |  | ||||||
| 	runtimeserializer "k8s.io/apimachinery/pkg/runtime/serializer" |  | ||||||
| 	"k8s.io/kubernetes/pkg/apis/auditregistration" |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| // Funcs returns the fuzzer functions for the auditregistration api group. |  | ||||||
| var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} { |  | ||||||
| 	return []interface{}{ |  | ||||||
| 		func(obj *auditregistration.AuditSink, c fuzz.Continue) { |  | ||||||
| 			c.FuzzNoCustom(obj) |  | ||||||
| 			v := int64(1) |  | ||||||
| 			obj.Spec.Webhook.Throttle = &auditregistration.WebhookThrottleConfig{ |  | ||||||
| 				QPS:   &v, |  | ||||||
| 				Burst: &v, |  | ||||||
| 			} |  | ||||||
| 		}, |  | ||||||
| 	} |  | ||||||
| } |  | ||||||
| @@ -1,29 +0,0 @@ | |||||||
| load("@io_bazel_rules_go//go:def.bzl", "go_library") |  | ||||||
|  |  | ||||||
| go_library( |  | ||||||
|     name = "go_default_library", |  | ||||||
|     srcs = ["install.go"], |  | ||||||
|     importpath = "k8s.io/kubernetes/pkg/apis/auditregistration/install", |  | ||||||
|     visibility = ["//visibility:public"], |  | ||||||
|     deps = [ |  | ||||||
|         "//pkg/api/legacyscheme:go_default_library", |  | ||||||
|         "//pkg/apis/auditregistration:go_default_library", |  | ||||||
|         "//pkg/apis/auditregistration/v1alpha1:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/util/runtime:go_default_library", |  | ||||||
|     ], |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| filegroup( |  | ||||||
|     name = "package-srcs", |  | ||||||
|     srcs = glob(["**"]), |  | ||||||
|     tags = ["automanaged"], |  | ||||||
|     visibility = ["//visibility:private"], |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| filegroup( |  | ||||||
|     name = "all-srcs", |  | ||||||
|     srcs = [":package-srcs"], |  | ||||||
|     tags = ["automanaged"], |  | ||||||
|     visibility = ["//visibility:public"], |  | ||||||
| ) |  | ||||||
| @@ -1,38 +0,0 @@ | |||||||
| /* |  | ||||||
| Copyright 2018 The Kubernetes Authors. |  | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| you may not use this file except in compliance with the License. |  | ||||||
| You may obtain a copy of the License at |  | ||||||
|  |  | ||||||
|     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
|  |  | ||||||
| Unless required by applicable law or agreed to in writing, software |  | ||||||
| distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| See the License for the specific language governing permissions and |  | ||||||
| limitations under the License. |  | ||||||
| */ |  | ||||||
|  |  | ||||||
| // Package install adds the experimental API group, making it available as |  | ||||||
| // an option to all of the API encoding/decoding machinery. |  | ||||||
| package install |  | ||||||
|  |  | ||||||
| import ( |  | ||||||
| 	"k8s.io/apimachinery/pkg/runtime" |  | ||||||
| 	utilruntime "k8s.io/apimachinery/pkg/util/runtime" |  | ||||||
| 	"k8s.io/kubernetes/pkg/api/legacyscheme" |  | ||||||
| 	"k8s.io/kubernetes/pkg/apis/auditregistration" |  | ||||||
| 	"k8s.io/kubernetes/pkg/apis/auditregistration/v1alpha1" |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| func init() { |  | ||||||
| 	Install(legacyscheme.Scheme) |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Install registers the API group and adds types to a scheme |  | ||||||
| func Install(scheme *runtime.Scheme) { |  | ||||||
| 	utilruntime.Must(auditregistration.AddToScheme(scheme)) |  | ||||||
| 	utilruntime.Must(v1alpha1.AddToScheme(scheme)) |  | ||||||
| 	utilruntime.Must(scheme.SetVersionPriority(v1alpha1.SchemeGroupVersion)) |  | ||||||
| } |  | ||||||
| @@ -1,53 +0,0 @@ | |||||||
| /* |  | ||||||
| Copyright 2018 The Kubernetes Authors. |  | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| you may not use this file except in compliance with the License. |  | ||||||
| You may obtain a copy of the License at |  | ||||||
|  |  | ||||||
|     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
|  |  | ||||||
| Unless required by applicable law or agreed to in writing, software |  | ||||||
| distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| See the License for the specific language governing permissions and |  | ||||||
| limitations under the License. |  | ||||||
| */ |  | ||||||
|  |  | ||||||
| package auditregistration |  | ||||||
|  |  | ||||||
| import ( |  | ||||||
| 	"k8s.io/apimachinery/pkg/runtime" |  | ||||||
| 	"k8s.io/apimachinery/pkg/runtime/schema" |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| // GroupName is the group name use in this package |  | ||||||
| const GroupName = "auditregistration.k8s.io" |  | ||||||
|  |  | ||||||
| // SchemeGroupVersion is group version used to register these objects |  | ||||||
| var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal} |  | ||||||
|  |  | ||||||
| // Kind takes an unqualified kind and returns a Group qualified GroupKind |  | ||||||
| func Kind(kind string) schema.GroupKind { |  | ||||||
| 	return SchemeGroupVersion.WithKind(kind).GroupKind() |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Resource takes an unqualified resource and returns a Group qualified GroupResource |  | ||||||
| func Resource(resource string) schema.GroupResource { |  | ||||||
| 	return SchemeGroupVersion.WithResource(resource).GroupResource() |  | ||||||
| } |  | ||||||
|  |  | ||||||
| var ( |  | ||||||
| 	// SchemeBuilder for audit registration |  | ||||||
| 	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes) |  | ||||||
| 	// AddToScheme audit registration |  | ||||||
| 	AddToScheme = SchemeBuilder.AddToScheme |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| func addKnownTypes(scheme *runtime.Scheme) error { |  | ||||||
| 	scheme.AddKnownTypes(SchemeGroupVersion, |  | ||||||
| 		&AuditSink{}, |  | ||||||
| 		&AuditSinkList{}, |  | ||||||
| 	) |  | ||||||
| 	return nil |  | ||||||
| } |  | ||||||
| @@ -1,197 +0,0 @@ | |||||||
| /* |  | ||||||
| Copyright 2018 The Kubernetes Authors. |  | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| you may not use this file except in compliance with the License. |  | ||||||
| You may obtain a copy of the License at |  | ||||||
|  |  | ||||||
|     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
|  |  | ||||||
| Unless required by applicable law or agreed to in writing, software |  | ||||||
| distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| See the License for the specific language governing permissions and |  | ||||||
| limitations under the License. |  | ||||||
| */ |  | ||||||
|  |  | ||||||
| // +k8s:openapi-gen=true |  | ||||||
|  |  | ||||||
| package auditregistration |  | ||||||
|  |  | ||||||
| import ( |  | ||||||
| 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| // Level defines the amount of information logged during auditing |  | ||||||
| type Level string |  | ||||||
|  |  | ||||||
| // Valid audit levels |  | ||||||
| const ( |  | ||||||
| 	// LevelNone disables auditing |  | ||||||
| 	LevelNone Level = "None" |  | ||||||
| 	// LevelMetadata provides the basic level of auditing. |  | ||||||
| 	LevelMetadata Level = "Metadata" |  | ||||||
| 	// LevelRequest provides Metadata level of auditing, and additionally |  | ||||||
| 	// logs the request object (does not apply for non-resource requests). |  | ||||||
| 	LevelRequest Level = "Request" |  | ||||||
| 	// LevelRequestResponse provides Request level of auditing, and additionally |  | ||||||
| 	// logs the response object (does not apply for non-resource requests and watches). |  | ||||||
| 	LevelRequestResponse Level = "RequestResponse" |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| // Stage defines the stages in request handling during which audit events may be generated. |  | ||||||
| type Stage string |  | ||||||
|  |  | ||||||
| // Valid audit stages. |  | ||||||
| const ( |  | ||||||
| 	// The stage for events generated after the audit handler receives the request, but before it |  | ||||||
| 	// is delegated down the handler chain. |  | ||||||
| 	StageRequestReceived = "RequestReceived" |  | ||||||
| 	// The stage for events generated after the response headers are sent, but before the response body |  | ||||||
| 	// is sent. This stage is only generated for long-running requests (e.g. watch). |  | ||||||
| 	StageResponseStarted = "ResponseStarted" |  | ||||||
| 	// The stage for events generated after the response body has been completed, and no more bytes |  | ||||||
| 	// will be sent. |  | ||||||
| 	StageResponseComplete = "ResponseComplete" |  | ||||||
| 	// The stage for events generated when a panic occurred. |  | ||||||
| 	StagePanic = "Panic" |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object |  | ||||||
|  |  | ||||||
| // AuditSink represents a cluster level sink for audit data |  | ||||||
| type AuditSink struct { |  | ||||||
| 	metav1.TypeMeta |  | ||||||
|  |  | ||||||
| 	// +optional |  | ||||||
| 	metav1.ObjectMeta |  | ||||||
|  |  | ||||||
| 	// Spec defines the audit sink spec |  | ||||||
| 	Spec AuditSinkSpec |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // AuditSinkSpec is the spec for the audit sink object |  | ||||||
| type AuditSinkSpec struct { |  | ||||||
| 	// Policy defines the policy for selecting which events should be sent to the backend |  | ||||||
| 	// required |  | ||||||
| 	Policy Policy |  | ||||||
|  |  | ||||||
| 	// Webhook to send events |  | ||||||
| 	// required |  | ||||||
| 	Webhook Webhook |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object |  | ||||||
|  |  | ||||||
| // AuditSinkList is a list of a	audit sink items. |  | ||||||
| type AuditSinkList struct { |  | ||||||
| 	metav1.TypeMeta |  | ||||||
|  |  | ||||||
| 	// +optional |  | ||||||
| 	metav1.ListMeta |  | ||||||
|  |  | ||||||
| 	// List of audit configurations. |  | ||||||
| 	Items []AuditSink |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Policy defines the configuration of how audit events are logged |  | ||||||
| type Policy struct { |  | ||||||
| 	// The Level that all requests are recorded at. |  | ||||||
| 	// available options: None, Metadata, Request, RequestResponse |  | ||||||
| 	// required |  | ||||||
| 	Level Level |  | ||||||
|  |  | ||||||
| 	// Stages is a list of stages for which events are created. |  | ||||||
| 	// +optional |  | ||||||
| 	Stages []Stage |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Webhook holds the configuration of the webhooks |  | ||||||
| type Webhook struct { |  | ||||||
| 	// Throttle holds the options for throttling the webhook |  | ||||||
| 	// +optional |  | ||||||
| 	Throttle *WebhookThrottleConfig |  | ||||||
|  |  | ||||||
| 	// ClientConfig holds the connection parameters for the webhook |  | ||||||
| 	// required |  | ||||||
| 	ClientConfig WebhookClientConfig |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // WebhookThrottleConfig holds the configuration for throttling |  | ||||||
| type WebhookThrottleConfig struct { |  | ||||||
| 	// QPS maximum number of batches per second |  | ||||||
| 	// default 10 QPS |  | ||||||
| 	// +optional |  | ||||||
| 	QPS *int64 |  | ||||||
|  |  | ||||||
| 	// Burst is the maximum number of events sent at the same moment |  | ||||||
| 	// default 15 QPS |  | ||||||
| 	// +optional |  | ||||||
| 	Burst *int64 |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // WebhookClientConfig contains the information to make a connection with the webhook |  | ||||||
| type WebhookClientConfig struct { |  | ||||||
| 	// `url` gives the location of the webhook, in standard URL form |  | ||||||
| 	// (`scheme://host:port/path`). Exactly one of `url` or `service` |  | ||||||
| 	// must be specified. |  | ||||||
| 	// |  | ||||||
| 	// The `host` should not refer to a service running in the cluster; use |  | ||||||
| 	// the `service` field instead. The host might be resolved via external |  | ||||||
| 	// DNS in some apiservers (e.g., `kube-apiserver` cannot resolve |  | ||||||
| 	// in-cluster DNS as that would be a layering violation). `host` may |  | ||||||
| 	// also be an IP address. |  | ||||||
| 	// |  | ||||||
| 	// Please note that using `localhost` or `127.0.0.1` as a `host` is |  | ||||||
| 	// risky unless you take great care to run this webhook on all hosts |  | ||||||
| 	// which run an apiserver which might need to make calls to this |  | ||||||
| 	// webhook. Such installs are likely to be non-portable, i.e., not easy |  | ||||||
| 	// to turn up in a new cluster. |  | ||||||
| 	// |  | ||||||
| 	// The scheme must be "https"; the URL must begin with "https://". |  | ||||||
| 	// |  | ||||||
| 	// A path is optional, and if present may be any string permissible in |  | ||||||
| 	// a URL. You may use the path to pass an arbitrary string to the |  | ||||||
| 	// webhook, for example, a cluster identifier. |  | ||||||
| 	// |  | ||||||
| 	// Attempting to use a user or basic auth e.g. "user:password@" is not |  | ||||||
| 	// allowed. Fragments ("#...") and query parameters ("?...") are not |  | ||||||
| 	// allowed, either. |  | ||||||
| 	// |  | ||||||
| 	// +optional |  | ||||||
| 	URL *string |  | ||||||
|  |  | ||||||
| 	// `service` is a reference to the service for this webhook. Either |  | ||||||
| 	// `service` or `url` must be specified. |  | ||||||
| 	// |  | ||||||
| 	// If the webhook is running within the cluster, then you should use `service`. |  | ||||||
| 	// |  | ||||||
| 	// +optional |  | ||||||
| 	Service *ServiceReference |  | ||||||
|  |  | ||||||
| 	// `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. |  | ||||||
| 	// If unspecified, system trust roots on the apiserver are used. |  | ||||||
| 	// +optional |  | ||||||
| 	CABundle []byte |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // ServiceReference holds a reference to Service.legacy.k8s.io |  | ||||||
| type ServiceReference struct { |  | ||||||
| 	// `namespace` is the namespace of the service. |  | ||||||
| 	// Required |  | ||||||
| 	Namespace string |  | ||||||
|  |  | ||||||
| 	// `name` is the name of the service. |  | ||||||
| 	// Required |  | ||||||
| 	Name string |  | ||||||
|  |  | ||||||
| 	// `path` is an optional URL path which will be sent in any request to |  | ||||||
| 	// this service. |  | ||||||
| 	// +optional |  | ||||||
| 	Path *string |  | ||||||
|  |  | ||||||
| 	// If specified, the port on the service that hosting webhook. |  | ||||||
| 	// `port` should be a valid port number (1-65535, inclusive). |  | ||||||
| 	// +optional |  | ||||||
| 	Port int32 |  | ||||||
| } |  | ||||||
| @@ -1,51 +0,0 @@ | |||||||
| load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test") |  | ||||||
|  |  | ||||||
| go_library( |  | ||||||
|     name = "go_default_library", |  | ||||||
|     srcs = [ |  | ||||||
|         "defaults.go", |  | ||||||
|         "doc.go", |  | ||||||
|         "register.go", |  | ||||||
|         "zz_generated.conversion.go", |  | ||||||
|         "zz_generated.defaults.go", |  | ||||||
|     ], |  | ||||||
|     importpath = "k8s.io/kubernetes/pkg/apis/auditregistration/v1alpha1", |  | ||||||
|     visibility = ["//visibility:public"], |  | ||||||
|     deps = [ |  | ||||||
|         "//pkg/apis/auditregistration:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/api/auditregistration/v1alpha1:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/conversion:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library", |  | ||||||
|         "//vendor/k8s.io/utils/pointer:go_default_library", |  | ||||||
|     ], |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| go_test( |  | ||||||
|     name = "go_default_test", |  | ||||||
|     srcs = ["defaults_test.go"], |  | ||||||
|     embed = [":go_default_library"], |  | ||||||
|     deps = [ |  | ||||||
|         "//pkg/api/legacyscheme:go_default_library", |  | ||||||
|         "//pkg/apis/auditregistration/install:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/api/auditregistration/v1alpha1:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/api/equality:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library", |  | ||||||
|         "//vendor/k8s.io/utils/pointer:go_default_library", |  | ||||||
|     ], |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| filegroup( |  | ||||||
|     name = "package-srcs", |  | ||||||
|     srcs = glob(["**"]), |  | ||||||
|     tags = ["automanaged"], |  | ||||||
|     visibility = ["//visibility:private"], |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| filegroup( |  | ||||||
|     name = "all-srcs", |  | ||||||
|     srcs = [":package-srcs"], |  | ||||||
|     tags = ["automanaged"], |  | ||||||
|     visibility = ["//visibility:public"], |  | ||||||
| ) |  | ||||||
| @@ -1,63 +0,0 @@ | |||||||
| /* |  | ||||||
| Copyright 2018 The Kubernetes Authors. |  | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| you may not use this file except in compliance with the License. |  | ||||||
| You may obtain a copy of the License at |  | ||||||
|  |  | ||||||
|     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
|  |  | ||||||
| Unless required by applicable law or agreed to in writing, software |  | ||||||
| distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| See the License for the specific language governing permissions and |  | ||||||
| limitations under the License. |  | ||||||
| */ |  | ||||||
|  |  | ||||||
| package v1alpha1 |  | ||||||
|  |  | ||||||
| import ( |  | ||||||
| 	auditregistrationv1alpha1 "k8s.io/api/auditregistration/v1alpha1" |  | ||||||
| 	"k8s.io/apimachinery/pkg/runtime" |  | ||||||
| 	utilpointer "k8s.io/utils/pointer" |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| const ( |  | ||||||
| 	// DefaultQPS is the default QPS value |  | ||||||
| 	DefaultQPS = int64(10) |  | ||||||
| 	// DefaultBurst is the default burst value |  | ||||||
| 	DefaultBurst = int64(15) |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| // DefaultThrottle is a default throttle config |  | ||||||
| func DefaultThrottle() *auditregistrationv1alpha1.WebhookThrottleConfig { |  | ||||||
| 	return &auditregistrationv1alpha1.WebhookThrottleConfig{ |  | ||||||
| 		QPS:   utilpointer.Int64Ptr(DefaultQPS), |  | ||||||
| 		Burst: utilpointer.Int64Ptr(DefaultBurst), |  | ||||||
| 	} |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func addDefaultingFuncs(scheme *runtime.Scheme) error { |  | ||||||
| 	return RegisterDefaults(scheme) |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // SetDefaults_AuditSink sets defaults if the audit sink isn't present |  | ||||||
| func SetDefaults_AuditSink(obj *auditregistrationv1alpha1.AuditSink) { |  | ||||||
| 	if obj.Spec.Webhook.Throttle != nil { |  | ||||||
| 		if obj.Spec.Webhook.Throttle.QPS == nil { |  | ||||||
| 			obj.Spec.Webhook.Throttle.QPS = utilpointer.Int64Ptr(DefaultQPS) |  | ||||||
| 		} |  | ||||||
| 		if obj.Spec.Webhook.Throttle.Burst == nil { |  | ||||||
| 			obj.Spec.Webhook.Throttle.Burst = utilpointer.Int64Ptr(DefaultBurst) |  | ||||||
| 		} |  | ||||||
| 	} else { |  | ||||||
| 		obj.Spec.Webhook.Throttle = DefaultThrottle() |  | ||||||
| 	} |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // SetDefaults_ServiceReference sets defaults for AuditSync Webhook's ServiceReference |  | ||||||
| func SetDefaults_ServiceReference(obj *auditregistrationv1alpha1.ServiceReference) { |  | ||||||
| 	if obj.Port == nil { |  | ||||||
| 		obj.Port = utilpointer.Int32Ptr(443) |  | ||||||
| 	} |  | ||||||
| } |  | ||||||
| @@ -1,165 +0,0 @@ | |||||||
| /* |  | ||||||
| Copyright 2018 The Kubernetes Authors. |  | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| you may not use this file except in compliance with the License. |  | ||||||
| You may obtain a copy of the License at |  | ||||||
|  |  | ||||||
|     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
|  |  | ||||||
| Unless required by applicable law or agreed to in writing, software |  | ||||||
| distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| See the License for the specific language governing permissions and |  | ||||||
| limitations under the License. |  | ||||||
| */ |  | ||||||
|  |  | ||||||
| package v1alpha1_test |  | ||||||
|  |  | ||||||
| import ( |  | ||||||
| 	"reflect" |  | ||||||
| 	"testing" |  | ||||||
|  |  | ||||||
| 	auditregistrationv1alpha1 "k8s.io/api/auditregistration/v1alpha1" |  | ||||||
| 	apiequality "k8s.io/apimachinery/pkg/api/equality" |  | ||||||
| 	"k8s.io/apimachinery/pkg/runtime" |  | ||||||
| 	"k8s.io/kubernetes/pkg/api/legacyscheme" |  | ||||||
| 	_ "k8s.io/kubernetes/pkg/apis/auditregistration/install" |  | ||||||
| 	. "k8s.io/kubernetes/pkg/apis/auditregistration/v1alpha1" |  | ||||||
| 	utilpointer "k8s.io/utils/pointer" |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| func TestSetDefaultAuditSink(t *testing.T) { |  | ||||||
| 	defaultURL := "http://test" |  | ||||||
| 	tests := []struct { |  | ||||||
| 		original *auditregistrationv1alpha1.AuditSink |  | ||||||
| 		expected *auditregistrationv1alpha1.AuditSink |  | ||||||
| 	}{ |  | ||||||
| 		{ // Missing Throttle |  | ||||||
| 			original: &auditregistrationv1alpha1.AuditSink{ |  | ||||||
| 				Spec: auditregistrationv1alpha1.AuditSinkSpec{ |  | ||||||
| 					Policy: auditregistrationv1alpha1.Policy{ |  | ||||||
| 						Level: auditregistrationv1alpha1.LevelMetadata, |  | ||||||
| 					}, |  | ||||||
| 					Webhook: auditregistrationv1alpha1.Webhook{ |  | ||||||
| 						ClientConfig: auditregistrationv1alpha1.WebhookClientConfig{ |  | ||||||
| 							URL: &defaultURL, |  | ||||||
| 						}, |  | ||||||
| 					}, |  | ||||||
| 				}, |  | ||||||
| 			}, |  | ||||||
| 			expected: &auditregistrationv1alpha1.AuditSink{ |  | ||||||
| 				Spec: auditregistrationv1alpha1.AuditSinkSpec{ |  | ||||||
| 					Policy: auditregistrationv1alpha1.Policy{ |  | ||||||
| 						Level: auditregistrationv1alpha1.LevelMetadata, |  | ||||||
| 					}, |  | ||||||
| 					Webhook: auditregistrationv1alpha1.Webhook{ |  | ||||||
| 						Throttle: DefaultThrottle(), |  | ||||||
| 						ClientConfig: auditregistrationv1alpha1.WebhookClientConfig{ |  | ||||||
| 							URL: &defaultURL, |  | ||||||
| 						}, |  | ||||||
| 					}, |  | ||||||
| 				}, |  | ||||||
| 			}, |  | ||||||
| 		}, |  | ||||||
| 		{ // Missing QPS |  | ||||||
| 			original: &auditregistrationv1alpha1.AuditSink{ |  | ||||||
| 				Spec: auditregistrationv1alpha1.AuditSinkSpec{ |  | ||||||
| 					Policy: auditregistrationv1alpha1.Policy{ |  | ||||||
| 						Level: auditregistrationv1alpha1.LevelMetadata, |  | ||||||
| 					}, |  | ||||||
| 					Webhook: auditregistrationv1alpha1.Webhook{ |  | ||||||
| 						Throttle: &auditregistrationv1alpha1.WebhookThrottleConfig{ |  | ||||||
| 							Burst: utilpointer.Int64Ptr(1), |  | ||||||
| 						}, |  | ||||||
| 						ClientConfig: auditregistrationv1alpha1.WebhookClientConfig{ |  | ||||||
| 							URL: &defaultURL, |  | ||||||
| 						}, |  | ||||||
| 					}, |  | ||||||
| 				}, |  | ||||||
| 			}, |  | ||||||
| 			expected: &auditregistrationv1alpha1.AuditSink{ |  | ||||||
| 				Spec: auditregistrationv1alpha1.AuditSinkSpec{ |  | ||||||
| 					Policy: auditregistrationv1alpha1.Policy{ |  | ||||||
| 						Level: auditregistrationv1alpha1.LevelMetadata, |  | ||||||
| 					}, |  | ||||||
| 					Webhook: auditregistrationv1alpha1.Webhook{ |  | ||||||
| 						Throttle: &auditregistrationv1alpha1.WebhookThrottleConfig{ |  | ||||||
| 							QPS:   DefaultThrottle().QPS, |  | ||||||
| 							Burst: utilpointer.Int64Ptr(1), |  | ||||||
| 						}, |  | ||||||
| 						ClientConfig: auditregistrationv1alpha1.WebhookClientConfig{ |  | ||||||
| 							URL: &defaultURL, |  | ||||||
| 						}, |  | ||||||
| 					}, |  | ||||||
| 				}, |  | ||||||
| 			}, |  | ||||||
| 		}, |  | ||||||
| 		{ // Missing Burst |  | ||||||
| 			original: &auditregistrationv1alpha1.AuditSink{ |  | ||||||
| 				Spec: auditregistrationv1alpha1.AuditSinkSpec{ |  | ||||||
| 					Policy: auditregistrationv1alpha1.Policy{ |  | ||||||
| 						Level: auditregistrationv1alpha1.LevelMetadata, |  | ||||||
| 					}, |  | ||||||
| 					Webhook: auditregistrationv1alpha1.Webhook{ |  | ||||||
| 						Throttle: &auditregistrationv1alpha1.WebhookThrottleConfig{ |  | ||||||
| 							QPS: utilpointer.Int64Ptr(1), |  | ||||||
| 						}, |  | ||||||
| 						ClientConfig: auditregistrationv1alpha1.WebhookClientConfig{ |  | ||||||
| 							URL: &defaultURL, |  | ||||||
| 						}, |  | ||||||
| 					}, |  | ||||||
| 				}, |  | ||||||
| 			}, |  | ||||||
| 			expected: &auditregistrationv1alpha1.AuditSink{ |  | ||||||
| 				Spec: auditregistrationv1alpha1.AuditSinkSpec{ |  | ||||||
| 					Policy: auditregistrationv1alpha1.Policy{ |  | ||||||
| 						Level: auditregistrationv1alpha1.LevelMetadata, |  | ||||||
| 					}, |  | ||||||
| 					Webhook: auditregistrationv1alpha1.Webhook{ |  | ||||||
| 						Throttle: &auditregistrationv1alpha1.WebhookThrottleConfig{ |  | ||||||
| 							QPS:   utilpointer.Int64Ptr(1), |  | ||||||
| 							Burst: DefaultThrottle().Burst, |  | ||||||
| 						}, |  | ||||||
| 						ClientConfig: auditregistrationv1alpha1.WebhookClientConfig{ |  | ||||||
| 							URL: &defaultURL, |  | ||||||
| 						}, |  | ||||||
| 					}, |  | ||||||
| 				}, |  | ||||||
| 			}, |  | ||||||
| 		}, |  | ||||||
| 	} |  | ||||||
|  |  | ||||||
| 	for i, test := range tests { |  | ||||||
| 		original := test.original |  | ||||||
| 		expected := test.expected |  | ||||||
| 		obj2 := roundTrip(t, runtime.Object(original)) |  | ||||||
| 		got, ok := obj2.(*auditregistrationv1alpha1.AuditSink) |  | ||||||
| 		if !ok { |  | ||||||
| 			t.Fatalf("(%d) unexpected object: %v", i, obj2) |  | ||||||
| 		} |  | ||||||
| 		if !apiequality.Semantic.DeepEqual(got.Spec, expected.Spec) { |  | ||||||
| 			t.Errorf("(%d) got different than expected\ngot:\n\t%+v\nexpected:\n\t%+v", i, got.Spec, expected.Spec) |  | ||||||
| 		} |  | ||||||
| 	} |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func roundTrip(t *testing.T, obj runtime.Object) runtime.Object { |  | ||||||
| 	data, err := runtime.Encode(legacyscheme.Codecs.LegacyCodec(SchemeGroupVersion), obj) |  | ||||||
| 	if err != nil { |  | ||||||
| 		t.Errorf("%v\n %#v", err, obj) |  | ||||||
| 		return nil |  | ||||||
| 	} |  | ||||||
| 	obj2, err := runtime.Decode(legacyscheme.Codecs.UniversalDecoder(), data) |  | ||||||
| 	if err != nil { |  | ||||||
| 		t.Errorf("%v\nData: %s\nSource: %#v", err, string(data), obj) |  | ||||||
| 		return nil |  | ||||||
| 	} |  | ||||||
| 	obj3 := reflect.New(reflect.TypeOf(obj).Elem()).Interface().(runtime.Object) |  | ||||||
| 	err = legacyscheme.Scheme.Convert(obj2, obj3, nil) |  | ||||||
| 	if err != nil { |  | ||||||
| 		t.Errorf("%v\nSource: %#v", err, obj2) |  | ||||||
| 		return nil |  | ||||||
| 	} |  | ||||||
| 	return obj3 |  | ||||||
| } |  | ||||||
| @@ -1,24 +0,0 @@ | |||||||
| /* |  | ||||||
| Copyright 2018 The Kubernetes Authors. |  | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| you may not use this file except in compliance with the License. |  | ||||||
| You may obtain a copy of the License at |  | ||||||
|  |  | ||||||
|     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
|  |  | ||||||
| Unless required by applicable law or agreed to in writing, software |  | ||||||
| distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| See the License for the specific language governing permissions and |  | ||||||
| limitations under the License. |  | ||||||
| */ |  | ||||||
|  |  | ||||||
| // +k8s:conversion-gen=k8s.io/kubernetes/pkg/apis/auditregistration |  | ||||||
| // +k8s:conversion-gen-external-types=k8s.io/api/auditregistration/v1alpha1 |  | ||||||
| // +k8s:defaulter-gen=TypeMeta |  | ||||||
| // +k8s:defaulter-gen-input=../../../../vendor/k8s.io/api/auditregistration/v1alpha1 |  | ||||||
|  |  | ||||||
| // +groupName=auditregistration.k8s.io |  | ||||||
|  |  | ||||||
| package v1alpha1 // import "k8s.io/kubernetes/pkg/apis/auditregistration/v1alpha1" |  | ||||||
| @@ -1,46 +0,0 @@ | |||||||
| /* |  | ||||||
| Copyright 2018 The Kubernetes Authors. |  | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| you may not use this file except in compliance with the License. |  | ||||||
| You may obtain a copy of the License at |  | ||||||
|  |  | ||||||
|     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
|  |  | ||||||
| Unless required by applicable law or agreed to in writing, software |  | ||||||
| distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| See the License for the specific language governing permissions and |  | ||||||
| limitations under the License. |  | ||||||
| */ |  | ||||||
|  |  | ||||||
| package v1alpha1 |  | ||||||
|  |  | ||||||
| import ( |  | ||||||
| 	auditregistrationv1alpha1 "k8s.io/api/auditregistration/v1alpha1" |  | ||||||
| 	"k8s.io/apimachinery/pkg/runtime/schema" |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| // GroupName for audit registration |  | ||||||
| const GroupName = "auditregistration.k8s.io" |  | ||||||
|  |  | ||||||
| // SchemeGroupVersion is group version used to register these objects |  | ||||||
| var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"} |  | ||||||
|  |  | ||||||
| // Resource takes an unqualified resource and returns a Group qualified GroupResource |  | ||||||
| func Resource(resource string) schema.GroupResource { |  | ||||||
| 	return SchemeGroupVersion.WithResource(resource).GroupResource() |  | ||||||
| } |  | ||||||
|  |  | ||||||
| var ( |  | ||||||
| 	localSchemeBuilder = &auditregistrationv1alpha1.SchemeBuilder |  | ||||||
| 	// AddToScheme audit registration |  | ||||||
| 	AddToScheme = localSchemeBuilder.AddToScheme |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| func init() { |  | ||||||
| 	// We only register manually written functions here. The registration of the |  | ||||||
| 	// generated functions takes place in the generated files. The separation |  | ||||||
| 	// makes the code compile even when the generated files are missing. |  | ||||||
| 	localSchemeBuilder.Register(addDefaultingFuncs) |  | ||||||
| } |  | ||||||
| @@ -1,359 +0,0 @@ | |||||||
| // +build !ignore_autogenerated |  | ||||||
|  |  | ||||||
| /* |  | ||||||
| Copyright The Kubernetes Authors. |  | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| you may not use this file except in compliance with the License. |  | ||||||
| You may obtain a copy of the License at |  | ||||||
|  |  | ||||||
|     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
|  |  | ||||||
| Unless required by applicable law or agreed to in writing, software |  | ||||||
| distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| See the License for the specific language governing permissions and |  | ||||||
| limitations under the License. |  | ||||||
| */ |  | ||||||
|  |  | ||||||
| // Code generated by conversion-gen. DO NOT EDIT. |  | ||||||
|  |  | ||||||
| package v1alpha1 |  | ||||||
|  |  | ||||||
| import ( |  | ||||||
| 	unsafe "unsafe" |  | ||||||
|  |  | ||||||
| 	v1alpha1 "k8s.io/api/auditregistration/v1alpha1" |  | ||||||
| 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1" |  | ||||||
| 	conversion "k8s.io/apimachinery/pkg/conversion" |  | ||||||
| 	runtime "k8s.io/apimachinery/pkg/runtime" |  | ||||||
| 	auditregistration "k8s.io/kubernetes/pkg/apis/auditregistration" |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| func init() { |  | ||||||
| 	localSchemeBuilder.Register(RegisterConversions) |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // RegisterConversions adds conversion functions to the given scheme. |  | ||||||
| // Public to allow building arbitrary schemes. |  | ||||||
| func RegisterConversions(s *runtime.Scheme) error { |  | ||||||
| 	if err := s.AddGeneratedConversionFunc((*v1alpha1.AuditSink)(nil), (*auditregistration.AuditSink)(nil), func(a, b interface{}, scope conversion.Scope) error { |  | ||||||
| 		return Convert_v1alpha1_AuditSink_To_auditregistration_AuditSink(a.(*v1alpha1.AuditSink), b.(*auditregistration.AuditSink), scope) |  | ||||||
| 	}); err != nil { |  | ||||||
| 		return err |  | ||||||
| 	} |  | ||||||
| 	if err := s.AddGeneratedConversionFunc((*auditregistration.AuditSink)(nil), (*v1alpha1.AuditSink)(nil), func(a, b interface{}, scope conversion.Scope) error { |  | ||||||
| 		return Convert_auditregistration_AuditSink_To_v1alpha1_AuditSink(a.(*auditregistration.AuditSink), b.(*v1alpha1.AuditSink), scope) |  | ||||||
| 	}); err != nil { |  | ||||||
| 		return err |  | ||||||
| 	} |  | ||||||
| 	if err := s.AddGeneratedConversionFunc((*v1alpha1.AuditSinkList)(nil), (*auditregistration.AuditSinkList)(nil), func(a, b interface{}, scope conversion.Scope) error { |  | ||||||
| 		return Convert_v1alpha1_AuditSinkList_To_auditregistration_AuditSinkList(a.(*v1alpha1.AuditSinkList), b.(*auditregistration.AuditSinkList), scope) |  | ||||||
| 	}); err != nil { |  | ||||||
| 		return err |  | ||||||
| 	} |  | ||||||
| 	if err := s.AddGeneratedConversionFunc((*auditregistration.AuditSinkList)(nil), (*v1alpha1.AuditSinkList)(nil), func(a, b interface{}, scope conversion.Scope) error { |  | ||||||
| 		return Convert_auditregistration_AuditSinkList_To_v1alpha1_AuditSinkList(a.(*auditregistration.AuditSinkList), b.(*v1alpha1.AuditSinkList), scope) |  | ||||||
| 	}); err != nil { |  | ||||||
| 		return err |  | ||||||
| 	} |  | ||||||
| 	if err := s.AddGeneratedConversionFunc((*v1alpha1.AuditSinkSpec)(nil), (*auditregistration.AuditSinkSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { |  | ||||||
| 		return Convert_v1alpha1_AuditSinkSpec_To_auditregistration_AuditSinkSpec(a.(*v1alpha1.AuditSinkSpec), b.(*auditregistration.AuditSinkSpec), scope) |  | ||||||
| 	}); err != nil { |  | ||||||
| 		return err |  | ||||||
| 	} |  | ||||||
| 	if err := s.AddGeneratedConversionFunc((*auditregistration.AuditSinkSpec)(nil), (*v1alpha1.AuditSinkSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { |  | ||||||
| 		return Convert_auditregistration_AuditSinkSpec_To_v1alpha1_AuditSinkSpec(a.(*auditregistration.AuditSinkSpec), b.(*v1alpha1.AuditSinkSpec), scope) |  | ||||||
| 	}); err != nil { |  | ||||||
| 		return err |  | ||||||
| 	} |  | ||||||
| 	if err := s.AddGeneratedConversionFunc((*v1alpha1.Policy)(nil), (*auditregistration.Policy)(nil), func(a, b interface{}, scope conversion.Scope) error { |  | ||||||
| 		return Convert_v1alpha1_Policy_To_auditregistration_Policy(a.(*v1alpha1.Policy), b.(*auditregistration.Policy), scope) |  | ||||||
| 	}); err != nil { |  | ||||||
| 		return err |  | ||||||
| 	} |  | ||||||
| 	if err := s.AddGeneratedConversionFunc((*auditregistration.Policy)(nil), (*v1alpha1.Policy)(nil), func(a, b interface{}, scope conversion.Scope) error { |  | ||||||
| 		return Convert_auditregistration_Policy_To_v1alpha1_Policy(a.(*auditregistration.Policy), b.(*v1alpha1.Policy), scope) |  | ||||||
| 	}); err != nil { |  | ||||||
| 		return err |  | ||||||
| 	} |  | ||||||
| 	if err := s.AddGeneratedConversionFunc((*v1alpha1.ServiceReference)(nil), (*auditregistration.ServiceReference)(nil), func(a, b interface{}, scope conversion.Scope) error { |  | ||||||
| 		return Convert_v1alpha1_ServiceReference_To_auditregistration_ServiceReference(a.(*v1alpha1.ServiceReference), b.(*auditregistration.ServiceReference), scope) |  | ||||||
| 	}); err != nil { |  | ||||||
| 		return err |  | ||||||
| 	} |  | ||||||
| 	if err := s.AddGeneratedConversionFunc((*auditregistration.ServiceReference)(nil), (*v1alpha1.ServiceReference)(nil), func(a, b interface{}, scope conversion.Scope) error { |  | ||||||
| 		return Convert_auditregistration_ServiceReference_To_v1alpha1_ServiceReference(a.(*auditregistration.ServiceReference), b.(*v1alpha1.ServiceReference), scope) |  | ||||||
| 	}); err != nil { |  | ||||||
| 		return err |  | ||||||
| 	} |  | ||||||
| 	if err := s.AddGeneratedConversionFunc((*v1alpha1.Webhook)(nil), (*auditregistration.Webhook)(nil), func(a, b interface{}, scope conversion.Scope) error { |  | ||||||
| 		return Convert_v1alpha1_Webhook_To_auditregistration_Webhook(a.(*v1alpha1.Webhook), b.(*auditregistration.Webhook), scope) |  | ||||||
| 	}); err != nil { |  | ||||||
| 		return err |  | ||||||
| 	} |  | ||||||
| 	if err := s.AddGeneratedConversionFunc((*auditregistration.Webhook)(nil), (*v1alpha1.Webhook)(nil), func(a, b interface{}, scope conversion.Scope) error { |  | ||||||
| 		return Convert_auditregistration_Webhook_To_v1alpha1_Webhook(a.(*auditregistration.Webhook), b.(*v1alpha1.Webhook), scope) |  | ||||||
| 	}); err != nil { |  | ||||||
| 		return err |  | ||||||
| 	} |  | ||||||
| 	if err := s.AddGeneratedConversionFunc((*v1alpha1.WebhookClientConfig)(nil), (*auditregistration.WebhookClientConfig)(nil), func(a, b interface{}, scope conversion.Scope) error { |  | ||||||
| 		return Convert_v1alpha1_WebhookClientConfig_To_auditregistration_WebhookClientConfig(a.(*v1alpha1.WebhookClientConfig), b.(*auditregistration.WebhookClientConfig), scope) |  | ||||||
| 	}); err != nil { |  | ||||||
| 		return err |  | ||||||
| 	} |  | ||||||
| 	if err := s.AddGeneratedConversionFunc((*auditregistration.WebhookClientConfig)(nil), (*v1alpha1.WebhookClientConfig)(nil), func(a, b interface{}, scope conversion.Scope) error { |  | ||||||
| 		return Convert_auditregistration_WebhookClientConfig_To_v1alpha1_WebhookClientConfig(a.(*auditregistration.WebhookClientConfig), b.(*v1alpha1.WebhookClientConfig), scope) |  | ||||||
| 	}); err != nil { |  | ||||||
| 		return err |  | ||||||
| 	} |  | ||||||
| 	if err := s.AddGeneratedConversionFunc((*v1alpha1.WebhookThrottleConfig)(nil), (*auditregistration.WebhookThrottleConfig)(nil), func(a, b interface{}, scope conversion.Scope) error { |  | ||||||
| 		return Convert_v1alpha1_WebhookThrottleConfig_To_auditregistration_WebhookThrottleConfig(a.(*v1alpha1.WebhookThrottleConfig), b.(*auditregistration.WebhookThrottleConfig), scope) |  | ||||||
| 	}); err != nil { |  | ||||||
| 		return err |  | ||||||
| 	} |  | ||||||
| 	if err := s.AddGeneratedConversionFunc((*auditregistration.WebhookThrottleConfig)(nil), (*v1alpha1.WebhookThrottleConfig)(nil), func(a, b interface{}, scope conversion.Scope) error { |  | ||||||
| 		return Convert_auditregistration_WebhookThrottleConfig_To_v1alpha1_WebhookThrottleConfig(a.(*auditregistration.WebhookThrottleConfig), b.(*v1alpha1.WebhookThrottleConfig), scope) |  | ||||||
| 	}); err != nil { |  | ||||||
| 		return err |  | ||||||
| 	} |  | ||||||
| 	return nil |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func autoConvert_v1alpha1_AuditSink_To_auditregistration_AuditSink(in *v1alpha1.AuditSink, out *auditregistration.AuditSink, s conversion.Scope) error { |  | ||||||
| 	out.ObjectMeta = in.ObjectMeta |  | ||||||
| 	if err := Convert_v1alpha1_AuditSinkSpec_To_auditregistration_AuditSinkSpec(&in.Spec, &out.Spec, s); err != nil { |  | ||||||
| 		return err |  | ||||||
| 	} |  | ||||||
| 	return nil |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Convert_v1alpha1_AuditSink_To_auditregistration_AuditSink is an autogenerated conversion function. |  | ||||||
| func Convert_v1alpha1_AuditSink_To_auditregistration_AuditSink(in *v1alpha1.AuditSink, out *auditregistration.AuditSink, s conversion.Scope) error { |  | ||||||
| 	return autoConvert_v1alpha1_AuditSink_To_auditregistration_AuditSink(in, out, s) |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func autoConvert_auditregistration_AuditSink_To_v1alpha1_AuditSink(in *auditregistration.AuditSink, out *v1alpha1.AuditSink, s conversion.Scope) error { |  | ||||||
| 	out.ObjectMeta = in.ObjectMeta |  | ||||||
| 	if err := Convert_auditregistration_AuditSinkSpec_To_v1alpha1_AuditSinkSpec(&in.Spec, &out.Spec, s); err != nil { |  | ||||||
| 		return err |  | ||||||
| 	} |  | ||||||
| 	return nil |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Convert_auditregistration_AuditSink_To_v1alpha1_AuditSink is an autogenerated conversion function. |  | ||||||
| func Convert_auditregistration_AuditSink_To_v1alpha1_AuditSink(in *auditregistration.AuditSink, out *v1alpha1.AuditSink, s conversion.Scope) error { |  | ||||||
| 	return autoConvert_auditregistration_AuditSink_To_v1alpha1_AuditSink(in, out, s) |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func autoConvert_v1alpha1_AuditSinkList_To_auditregistration_AuditSinkList(in *v1alpha1.AuditSinkList, out *auditregistration.AuditSinkList, s conversion.Scope) error { |  | ||||||
| 	out.ListMeta = in.ListMeta |  | ||||||
| 	if in.Items != nil { |  | ||||||
| 		in, out := &in.Items, &out.Items |  | ||||||
| 		*out = make([]auditregistration.AuditSink, len(*in)) |  | ||||||
| 		for i := range *in { |  | ||||||
| 			if err := Convert_v1alpha1_AuditSink_To_auditregistration_AuditSink(&(*in)[i], &(*out)[i], s); err != nil { |  | ||||||
| 				return err |  | ||||||
| 			} |  | ||||||
| 		} |  | ||||||
| 	} else { |  | ||||||
| 		out.Items = nil |  | ||||||
| 	} |  | ||||||
| 	return nil |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Convert_v1alpha1_AuditSinkList_To_auditregistration_AuditSinkList is an autogenerated conversion function. |  | ||||||
| func Convert_v1alpha1_AuditSinkList_To_auditregistration_AuditSinkList(in *v1alpha1.AuditSinkList, out *auditregistration.AuditSinkList, s conversion.Scope) error { |  | ||||||
| 	return autoConvert_v1alpha1_AuditSinkList_To_auditregistration_AuditSinkList(in, out, s) |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func autoConvert_auditregistration_AuditSinkList_To_v1alpha1_AuditSinkList(in *auditregistration.AuditSinkList, out *v1alpha1.AuditSinkList, s conversion.Scope) error { |  | ||||||
| 	out.ListMeta = in.ListMeta |  | ||||||
| 	if in.Items != nil { |  | ||||||
| 		in, out := &in.Items, &out.Items |  | ||||||
| 		*out = make([]v1alpha1.AuditSink, len(*in)) |  | ||||||
| 		for i := range *in { |  | ||||||
| 			if err := Convert_auditregistration_AuditSink_To_v1alpha1_AuditSink(&(*in)[i], &(*out)[i], s); err != nil { |  | ||||||
| 				return err |  | ||||||
| 			} |  | ||||||
| 		} |  | ||||||
| 	} else { |  | ||||||
| 		out.Items = nil |  | ||||||
| 	} |  | ||||||
| 	return nil |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Convert_auditregistration_AuditSinkList_To_v1alpha1_AuditSinkList is an autogenerated conversion function. |  | ||||||
| func Convert_auditregistration_AuditSinkList_To_v1alpha1_AuditSinkList(in *auditregistration.AuditSinkList, out *v1alpha1.AuditSinkList, s conversion.Scope) error { |  | ||||||
| 	return autoConvert_auditregistration_AuditSinkList_To_v1alpha1_AuditSinkList(in, out, s) |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func autoConvert_v1alpha1_AuditSinkSpec_To_auditregistration_AuditSinkSpec(in *v1alpha1.AuditSinkSpec, out *auditregistration.AuditSinkSpec, s conversion.Scope) error { |  | ||||||
| 	if err := Convert_v1alpha1_Policy_To_auditregistration_Policy(&in.Policy, &out.Policy, s); err != nil { |  | ||||||
| 		return err |  | ||||||
| 	} |  | ||||||
| 	if err := Convert_v1alpha1_Webhook_To_auditregistration_Webhook(&in.Webhook, &out.Webhook, s); err != nil { |  | ||||||
| 		return err |  | ||||||
| 	} |  | ||||||
| 	return nil |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Convert_v1alpha1_AuditSinkSpec_To_auditregistration_AuditSinkSpec is an autogenerated conversion function. |  | ||||||
| func Convert_v1alpha1_AuditSinkSpec_To_auditregistration_AuditSinkSpec(in *v1alpha1.AuditSinkSpec, out *auditregistration.AuditSinkSpec, s conversion.Scope) error { |  | ||||||
| 	return autoConvert_v1alpha1_AuditSinkSpec_To_auditregistration_AuditSinkSpec(in, out, s) |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func autoConvert_auditregistration_AuditSinkSpec_To_v1alpha1_AuditSinkSpec(in *auditregistration.AuditSinkSpec, out *v1alpha1.AuditSinkSpec, s conversion.Scope) error { |  | ||||||
| 	if err := Convert_auditregistration_Policy_To_v1alpha1_Policy(&in.Policy, &out.Policy, s); err != nil { |  | ||||||
| 		return err |  | ||||||
| 	} |  | ||||||
| 	if err := Convert_auditregistration_Webhook_To_v1alpha1_Webhook(&in.Webhook, &out.Webhook, s); err != nil { |  | ||||||
| 		return err |  | ||||||
| 	} |  | ||||||
| 	return nil |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Convert_auditregistration_AuditSinkSpec_To_v1alpha1_AuditSinkSpec is an autogenerated conversion function. |  | ||||||
| func Convert_auditregistration_AuditSinkSpec_To_v1alpha1_AuditSinkSpec(in *auditregistration.AuditSinkSpec, out *v1alpha1.AuditSinkSpec, s conversion.Scope) error { |  | ||||||
| 	return autoConvert_auditregistration_AuditSinkSpec_To_v1alpha1_AuditSinkSpec(in, out, s) |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func autoConvert_v1alpha1_Policy_To_auditregistration_Policy(in *v1alpha1.Policy, out *auditregistration.Policy, s conversion.Scope) error { |  | ||||||
| 	out.Level = auditregistration.Level(in.Level) |  | ||||||
| 	out.Stages = *(*[]auditregistration.Stage)(unsafe.Pointer(&in.Stages)) |  | ||||||
| 	return nil |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Convert_v1alpha1_Policy_To_auditregistration_Policy is an autogenerated conversion function. |  | ||||||
| func Convert_v1alpha1_Policy_To_auditregistration_Policy(in *v1alpha1.Policy, out *auditregistration.Policy, s conversion.Scope) error { |  | ||||||
| 	return autoConvert_v1alpha1_Policy_To_auditregistration_Policy(in, out, s) |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func autoConvert_auditregistration_Policy_To_v1alpha1_Policy(in *auditregistration.Policy, out *v1alpha1.Policy, s conversion.Scope) error { |  | ||||||
| 	out.Level = v1alpha1.Level(in.Level) |  | ||||||
| 	out.Stages = *(*[]v1alpha1.Stage)(unsafe.Pointer(&in.Stages)) |  | ||||||
| 	return nil |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Convert_auditregistration_Policy_To_v1alpha1_Policy is an autogenerated conversion function. |  | ||||||
| func Convert_auditregistration_Policy_To_v1alpha1_Policy(in *auditregistration.Policy, out *v1alpha1.Policy, s conversion.Scope) error { |  | ||||||
| 	return autoConvert_auditregistration_Policy_To_v1alpha1_Policy(in, out, s) |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func autoConvert_v1alpha1_ServiceReference_To_auditregistration_ServiceReference(in *v1alpha1.ServiceReference, out *auditregistration.ServiceReference, s conversion.Scope) error { |  | ||||||
| 	out.Namespace = in.Namespace |  | ||||||
| 	out.Name = in.Name |  | ||||||
| 	out.Path = (*string)(unsafe.Pointer(in.Path)) |  | ||||||
| 	if err := v1.Convert_Pointer_int32_To_int32(&in.Port, &out.Port, s); err != nil { |  | ||||||
| 		return err |  | ||||||
| 	} |  | ||||||
| 	return nil |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Convert_v1alpha1_ServiceReference_To_auditregistration_ServiceReference is an autogenerated conversion function. |  | ||||||
| func Convert_v1alpha1_ServiceReference_To_auditregistration_ServiceReference(in *v1alpha1.ServiceReference, out *auditregistration.ServiceReference, s conversion.Scope) error { |  | ||||||
| 	return autoConvert_v1alpha1_ServiceReference_To_auditregistration_ServiceReference(in, out, s) |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func autoConvert_auditregistration_ServiceReference_To_v1alpha1_ServiceReference(in *auditregistration.ServiceReference, out *v1alpha1.ServiceReference, s conversion.Scope) error { |  | ||||||
| 	out.Namespace = in.Namespace |  | ||||||
| 	out.Name = in.Name |  | ||||||
| 	out.Path = (*string)(unsafe.Pointer(in.Path)) |  | ||||||
| 	if err := v1.Convert_int32_To_Pointer_int32(&in.Port, &out.Port, s); err != nil { |  | ||||||
| 		return err |  | ||||||
| 	} |  | ||||||
| 	return nil |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Convert_auditregistration_ServiceReference_To_v1alpha1_ServiceReference is an autogenerated conversion function. |  | ||||||
| func Convert_auditregistration_ServiceReference_To_v1alpha1_ServiceReference(in *auditregistration.ServiceReference, out *v1alpha1.ServiceReference, s conversion.Scope) error { |  | ||||||
| 	return autoConvert_auditregistration_ServiceReference_To_v1alpha1_ServiceReference(in, out, s) |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func autoConvert_v1alpha1_Webhook_To_auditregistration_Webhook(in *v1alpha1.Webhook, out *auditregistration.Webhook, s conversion.Scope) error { |  | ||||||
| 	out.Throttle = (*auditregistration.WebhookThrottleConfig)(unsafe.Pointer(in.Throttle)) |  | ||||||
| 	if err := Convert_v1alpha1_WebhookClientConfig_To_auditregistration_WebhookClientConfig(&in.ClientConfig, &out.ClientConfig, s); err != nil { |  | ||||||
| 		return err |  | ||||||
| 	} |  | ||||||
| 	return nil |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Convert_v1alpha1_Webhook_To_auditregistration_Webhook is an autogenerated conversion function. |  | ||||||
| func Convert_v1alpha1_Webhook_To_auditregistration_Webhook(in *v1alpha1.Webhook, out *auditregistration.Webhook, s conversion.Scope) error { |  | ||||||
| 	return autoConvert_v1alpha1_Webhook_To_auditregistration_Webhook(in, out, s) |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func autoConvert_auditregistration_Webhook_To_v1alpha1_Webhook(in *auditregistration.Webhook, out *v1alpha1.Webhook, s conversion.Scope) error { |  | ||||||
| 	out.Throttle = (*v1alpha1.WebhookThrottleConfig)(unsafe.Pointer(in.Throttle)) |  | ||||||
| 	if err := Convert_auditregistration_WebhookClientConfig_To_v1alpha1_WebhookClientConfig(&in.ClientConfig, &out.ClientConfig, s); err != nil { |  | ||||||
| 		return err |  | ||||||
| 	} |  | ||||||
| 	return nil |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Convert_auditregistration_Webhook_To_v1alpha1_Webhook is an autogenerated conversion function. |  | ||||||
| func Convert_auditregistration_Webhook_To_v1alpha1_Webhook(in *auditregistration.Webhook, out *v1alpha1.Webhook, s conversion.Scope) error { |  | ||||||
| 	return autoConvert_auditregistration_Webhook_To_v1alpha1_Webhook(in, out, s) |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func autoConvert_v1alpha1_WebhookClientConfig_To_auditregistration_WebhookClientConfig(in *v1alpha1.WebhookClientConfig, out *auditregistration.WebhookClientConfig, s conversion.Scope) error { |  | ||||||
| 	out.URL = (*string)(unsafe.Pointer(in.URL)) |  | ||||||
| 	if in.Service != nil { |  | ||||||
| 		in, out := &in.Service, &out.Service |  | ||||||
| 		*out = new(auditregistration.ServiceReference) |  | ||||||
| 		if err := Convert_v1alpha1_ServiceReference_To_auditregistration_ServiceReference(*in, *out, s); err != nil { |  | ||||||
| 			return err |  | ||||||
| 		} |  | ||||||
| 	} else { |  | ||||||
| 		out.Service = nil |  | ||||||
| 	} |  | ||||||
| 	out.CABundle = *(*[]byte)(unsafe.Pointer(&in.CABundle)) |  | ||||||
| 	return nil |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Convert_v1alpha1_WebhookClientConfig_To_auditregistration_WebhookClientConfig is an autogenerated conversion function. |  | ||||||
| func Convert_v1alpha1_WebhookClientConfig_To_auditregistration_WebhookClientConfig(in *v1alpha1.WebhookClientConfig, out *auditregistration.WebhookClientConfig, s conversion.Scope) error { |  | ||||||
| 	return autoConvert_v1alpha1_WebhookClientConfig_To_auditregistration_WebhookClientConfig(in, out, s) |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func autoConvert_auditregistration_WebhookClientConfig_To_v1alpha1_WebhookClientConfig(in *auditregistration.WebhookClientConfig, out *v1alpha1.WebhookClientConfig, s conversion.Scope) error { |  | ||||||
| 	out.URL = (*string)(unsafe.Pointer(in.URL)) |  | ||||||
| 	if in.Service != nil { |  | ||||||
| 		in, out := &in.Service, &out.Service |  | ||||||
| 		*out = new(v1alpha1.ServiceReference) |  | ||||||
| 		if err := Convert_auditregistration_ServiceReference_To_v1alpha1_ServiceReference(*in, *out, s); err != nil { |  | ||||||
| 			return err |  | ||||||
| 		} |  | ||||||
| 	} else { |  | ||||||
| 		out.Service = nil |  | ||||||
| 	} |  | ||||||
| 	out.CABundle = *(*[]byte)(unsafe.Pointer(&in.CABundle)) |  | ||||||
| 	return nil |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Convert_auditregistration_WebhookClientConfig_To_v1alpha1_WebhookClientConfig is an autogenerated conversion function. |  | ||||||
| func Convert_auditregistration_WebhookClientConfig_To_v1alpha1_WebhookClientConfig(in *auditregistration.WebhookClientConfig, out *v1alpha1.WebhookClientConfig, s conversion.Scope) error { |  | ||||||
| 	return autoConvert_auditregistration_WebhookClientConfig_To_v1alpha1_WebhookClientConfig(in, out, s) |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func autoConvert_v1alpha1_WebhookThrottleConfig_To_auditregistration_WebhookThrottleConfig(in *v1alpha1.WebhookThrottleConfig, out *auditregistration.WebhookThrottleConfig, s conversion.Scope) error { |  | ||||||
| 	out.QPS = (*int64)(unsafe.Pointer(in.QPS)) |  | ||||||
| 	out.Burst = (*int64)(unsafe.Pointer(in.Burst)) |  | ||||||
| 	return nil |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Convert_v1alpha1_WebhookThrottleConfig_To_auditregistration_WebhookThrottleConfig is an autogenerated conversion function. |  | ||||||
| func Convert_v1alpha1_WebhookThrottleConfig_To_auditregistration_WebhookThrottleConfig(in *v1alpha1.WebhookThrottleConfig, out *auditregistration.WebhookThrottleConfig, s conversion.Scope) error { |  | ||||||
| 	return autoConvert_v1alpha1_WebhookThrottleConfig_To_auditregistration_WebhookThrottleConfig(in, out, s) |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func autoConvert_auditregistration_WebhookThrottleConfig_To_v1alpha1_WebhookThrottleConfig(in *auditregistration.WebhookThrottleConfig, out *v1alpha1.WebhookThrottleConfig, s conversion.Scope) error { |  | ||||||
| 	out.QPS = (*int64)(unsafe.Pointer(in.QPS)) |  | ||||||
| 	out.Burst = (*int64)(unsafe.Pointer(in.Burst)) |  | ||||||
| 	return nil |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Convert_auditregistration_WebhookThrottleConfig_To_v1alpha1_WebhookThrottleConfig is an autogenerated conversion function. |  | ||||||
| func Convert_auditregistration_WebhookThrottleConfig_To_v1alpha1_WebhookThrottleConfig(in *auditregistration.WebhookThrottleConfig, out *v1alpha1.WebhookThrottleConfig, s conversion.Scope) error { |  | ||||||
| 	return autoConvert_auditregistration_WebhookThrottleConfig_To_v1alpha1_WebhookThrottleConfig(in, out, s) |  | ||||||
| } |  | ||||||
| @@ -1,49 +0,0 @@ | |||||||
| // +build !ignore_autogenerated |  | ||||||
|  |  | ||||||
| /* |  | ||||||
| Copyright The Kubernetes Authors. |  | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| you may not use this file except in compliance with the License. |  | ||||||
| You may obtain a copy of the License at |  | ||||||
|  |  | ||||||
|     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
|  |  | ||||||
| Unless required by applicable law or agreed to in writing, software |  | ||||||
| distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| See the License for the specific language governing permissions and |  | ||||||
| limitations under the License. |  | ||||||
| */ |  | ||||||
|  |  | ||||||
| // Code generated by defaulter-gen. DO NOT EDIT. |  | ||||||
|  |  | ||||||
| package v1alpha1 |  | ||||||
|  |  | ||||||
| import ( |  | ||||||
| 	v1alpha1 "k8s.io/api/auditregistration/v1alpha1" |  | ||||||
| 	runtime "k8s.io/apimachinery/pkg/runtime" |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| // RegisterDefaults adds defaulters functions to the given scheme. |  | ||||||
| // Public to allow building arbitrary schemes. |  | ||||||
| // All generated defaulters are covering - they call all nested defaulters. |  | ||||||
| func RegisterDefaults(scheme *runtime.Scheme) error { |  | ||||||
| 	scheme.AddTypeDefaultingFunc(&v1alpha1.AuditSink{}, func(obj interface{}) { SetObjectDefaults_AuditSink(obj.(*v1alpha1.AuditSink)) }) |  | ||||||
| 	scheme.AddTypeDefaultingFunc(&v1alpha1.AuditSinkList{}, func(obj interface{}) { SetObjectDefaults_AuditSinkList(obj.(*v1alpha1.AuditSinkList)) }) |  | ||||||
| 	return nil |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func SetObjectDefaults_AuditSink(in *v1alpha1.AuditSink) { |  | ||||||
| 	SetDefaults_AuditSink(in) |  | ||||||
| 	if in.Spec.Webhook.ClientConfig.Service != nil { |  | ||||||
| 		SetDefaults_ServiceReference(in.Spec.Webhook.ClientConfig.Service) |  | ||||||
| 	} |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func SetObjectDefaults_AuditSinkList(in *v1alpha1.AuditSinkList) { |  | ||||||
| 	for i := range in.Items { |  | ||||||
| 		a := &in.Items[i] |  | ||||||
| 		SetObjectDefaults_AuditSink(a) |  | ||||||
| 	} |  | ||||||
| } |  | ||||||
| @@ -1,42 +0,0 @@ | |||||||
| load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test") |  | ||||||
|  |  | ||||||
| go_library( |  | ||||||
|     name = "go_default_library", |  | ||||||
|     srcs = ["validation.go"], |  | ||||||
|     importpath = "k8s.io/kubernetes/pkg/apis/auditregistration/validation", |  | ||||||
|     visibility = ["//visibility:public"], |  | ||||||
|     deps = [ |  | ||||||
|         "//pkg/apis/auditregistration:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/api/validation:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apiserver/pkg/util/webhook:go_default_library", |  | ||||||
|     ], |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| go_test( |  | ||||||
|     name = "go_default_test", |  | ||||||
|     srcs = ["validation_test.go"], |  | ||||||
|     embed = [":go_default_library"], |  | ||||||
|     deps = [ |  | ||||||
|         "//pkg/apis/auditregistration:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library", |  | ||||||
|         "//vendor/github.com/stretchr/testify/require:go_default_library", |  | ||||||
|         "//vendor/k8s.io/utils/pointer:go_default_library", |  | ||||||
|     ], |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| filegroup( |  | ||||||
|     name = "package-srcs", |  | ||||||
|     srcs = glob(["**"]), |  | ||||||
|     tags = ["automanaged"], |  | ||||||
|     visibility = ["//visibility:private"], |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| filegroup( |  | ||||||
|     name = "all-srcs", |  | ||||||
|     srcs = [":package-srcs"], |  | ||||||
|     tags = ["automanaged"], |  | ||||||
|     visibility = ["//visibility:public"], |  | ||||||
| ) |  | ||||||
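--- a/pkg/apis/auditregistration/validation/validation.go
+++ b/pkg/apis/auditregistration/validation/validation.go
@@ -1,123 +0,0 @@
-/*
-Copyright 2018 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package validation
-
-import (
-	"strings"
-
-	genericvalidation "k8s.io/apimachinery/pkg/api/validation"
-	"k8s.io/apimachinery/pkg/util/sets"
-	"k8s.io/apimachinery/pkg/util/validation/field"
-	"k8s.io/apiserver/pkg/util/webhook"
-	"k8s.io/kubernetes/pkg/apis/auditregistration"
-)
-
-// ValidateAuditSink validates the AuditSinks
-func ValidateAuditSink(as *auditregistration.AuditSink) field.ErrorList {
-	allErrs := genericvalidation.ValidateObjectMeta(&as.ObjectMeta, false, genericvalidation.NameIsDNSSubdomain, field.NewPath("metadata"))
-	allErrs = append(allErrs, ValidateAuditSinkSpec(as.Spec, field.NewPath("spec"))...)
-	return allErrs
-}
-
-// ValidateAuditSinkSpec validates the sink spec for audit
-func ValidateAuditSinkSpec(s auditregistration.AuditSinkSpec, fldPath *field.Path) field.ErrorList {
-	var allErrs field.ErrorList
-	allErrs = append(allErrs, ValidatePolicy(s.Policy, fldPath.Child("policy"))...)
-	allErrs = append(allErrs, ValidateWebhook(s.Webhook, fldPath.Child("webhook"))...)
-	return allErrs
-}
-
-// ValidateWebhook validates the webhook
-func ValidateWebhook(w auditregistration.Webhook, fldPath *field.Path) field.ErrorList {
-	var allErrs field.ErrorList
-	if w.Throttle != nil {
-		allErrs = append(allErrs, ValidateWebhookThrottleConfig(w.Throttle, fldPath.Child("throttle"))...)
-	}
-
-	cc := w.ClientConfig
-	switch {
-	case (cc.URL == nil) == (cc.Service == nil):
-		allErrs = append(allErrs, field.Required(fldPath.Child("clientConfig"), "exactly one of url or service is required"))
-	case cc.URL != nil:
-		allErrs = append(allErrs, webhook.ValidateWebhookURL(fldPath.Child("clientConfig").Child("url"), *cc.URL, false)...)
-	case cc.Service != nil:
-		allErrs = append(allErrs, webhook.ValidateWebhookService(fldPath.Child("clientConfig").Child("service"), cc.Service.Name, cc.Service.Namespace, cc.Service.Path, cc.Service.Port)...)
-	}
-	return allErrs
-}
-
-// ValidateWebhookThrottleConfig validates the throttle config
-func ValidateWebhookThrottleConfig(c *auditregistration.WebhookThrottleConfig, fldPath *field.Path) field.ErrorList {
-	var allErrs field.ErrorList
-	if c.QPS != nil && *c.QPS <= 0 {
-		allErrs = append(allErrs, field.Invalid(fldPath.Child("qps"), c.QPS, "qps must be a positive number"))
-	}
-	if c.Burst != nil && *c.Burst <= 0 {
-		allErrs = append(allErrs, field.Invalid(fldPath.Child("burst"), c.Burst, "burst must be a positive number"))
-	}
-	return allErrs
-}
-
-// ValidatePolicy validates the audit policy
-func ValidatePolicy(policy auditregistration.Policy, fldPath *field.Path) field.ErrorList {
-	var allErrs field.ErrorList
-	allErrs = append(allErrs, validateStages(policy.Stages, fldPath.Child("stages"))...)
-	allErrs = append(allErrs, validateLevel(policy.Level, fldPath.Child("level"))...)
-	if policy.Level != auditregistration.LevelNone && len(policy.Stages) == 0 {
-		return field.ErrorList{field.Required(fldPath.Child("stages"), "")}
-	}
-	return allErrs
-}
-
-var validLevels = sets.NewString(
-	string(auditregistration.LevelNone),
-	string(auditregistration.LevelMetadata),
-	string(auditregistration.LevelRequest),
-	string(auditregistration.LevelRequestResponse),
-)
-
-var validStages = sets.NewString(
-	string(auditregistration.StageRequestReceived),
-	string(auditregistration.StageResponseStarted),
-	string(auditregistration.StageResponseComplete),
-	string(auditregistration.StagePanic),
-)
-
-func validateLevel(level auditregistration.Level, fldPath *field.Path) field.ErrorList {
-	if string(level) == "" {
-		return field.ErrorList{field.Required(fldPath, "")}
-	}
-	if !validLevels.Has(string(level)) {
-		return field.ErrorList{field.NotSupported(fldPath, level, validLevels.List())}
-	}
-	return nil
-}
-
-func validateStages(stages []auditregistration.Stage, fldPath *field.Path) field.ErrorList {
-	var allErrs field.ErrorList
-	for i, stage := range stages {
-		if !validStages.Has(string(stage)) {
-			allErrs = append(allErrs, field.Invalid(fldPath.Index(i), string(stage), "allowed stages are "+strings.Join(validStages.List(), ",")))
-		}
-	}
-	return allErrs
-}
-
-// ValidateAuditSinkUpdate validates an update to the object
-func ValidateAuditSinkUpdate(newC, oldC *auditregistration.AuditSink) field.ErrorList {
-	return ValidateAuditSink(newC)
-}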
| @@ -1,359 +0,0 @@ | |||||||
| /* |  | ||||||
| Copyright 2018 The Kubernetes Authors. |  | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| you may not use this file except in compliance with the License. |  | ||||||
| You may obtain a copy of the License at |  | ||||||
|  |  | ||||||
|     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
|  |  | ||||||
| Unless required by applicable law or agreed to in writing, software |  | ||||||
| distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| See the License for the specific language governing permissions and |  | ||||||
| limitations under the License. |  | ||||||
| */ |  | ||||||
|  |  | ||||||
| package validation |  | ||||||
|  |  | ||||||
| import ( |  | ||||||
| 	"strings" |  | ||||||
| 	"testing" |  | ||||||
|  |  | ||||||
| 	"github.com/stretchr/testify/require" |  | ||||||
| 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" |  | ||||||
| 	"k8s.io/apimachinery/pkg/util/validation/field" |  | ||||||
| 	"k8s.io/kubernetes/pkg/apis/auditregistration" |  | ||||||
| 	utilpointer "k8s.io/utils/pointer" |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| func TestValidateAuditSink(t *testing.T) { |  | ||||||
| 	testQPS := int64(10) |  | ||||||
| 	testURL := "http://localhost" |  | ||||||
| 	testCases := []struct { |  | ||||||
| 		name   string |  | ||||||
| 		conf   auditregistration.AuditSink |  | ||||||
| 		numErr int |  | ||||||
| 	}{ |  | ||||||
| 		{ |  | ||||||
| 			name: "should pass full config", |  | ||||||
| 			conf: auditregistration.AuditSink{ |  | ||||||
| 				ObjectMeta: metav1.ObjectMeta{ |  | ||||||
| 					Name: "myconf", |  | ||||||
| 				}, |  | ||||||
| 				Spec: auditregistration.AuditSinkSpec{ |  | ||||||
| 					Policy: auditregistration.Policy{ |  | ||||||
| 						Level: auditregistration.LevelRequest, |  | ||||||
| 						Stages: []auditregistration.Stage{ |  | ||||||
| 							auditregistration.StageRequestReceived, |  | ||||||
| 						}, |  | ||||||
| 					}, |  | ||||||
| 					Webhook: auditregistration.Webhook{ |  | ||||||
| 						Throttle: &auditregistration.WebhookThrottleConfig{ |  | ||||||
| 							QPS: &testQPS, |  | ||||||
| 						}, |  | ||||||
| 						ClientConfig: auditregistration.WebhookClientConfig{ |  | ||||||
| 							URL: &testURL, |  | ||||||
| 						}, |  | ||||||
| 					}, |  | ||||||
| 				}, |  | ||||||
| 			}, |  | ||||||
| 			numErr: 0, |  | ||||||
| 		}, |  | ||||||
| 		{ |  | ||||||
| 			name: "should fail no policy", |  | ||||||
| 			conf: auditregistration.AuditSink{ |  | ||||||
| 				ObjectMeta: metav1.ObjectMeta{ |  | ||||||
| 					Name: "myconf", |  | ||||||
| 				}, |  | ||||||
| 				Spec: auditregistration.AuditSinkSpec{ |  | ||||||
| 					Webhook: auditregistration.Webhook{ |  | ||||||
| 						ClientConfig: auditregistration.WebhookClientConfig{ |  | ||||||
| 							URL: &testURL, |  | ||||||
| 						}, |  | ||||||
| 					}, |  | ||||||
| 				}, |  | ||||||
| 			}, |  | ||||||
| 			numErr: 1, |  | ||||||
| 		}, |  | ||||||
| 		{ |  | ||||||
| 			name: "should fail no webhook", |  | ||||||
| 			conf: auditregistration.AuditSink{ |  | ||||||
| 				ObjectMeta: metav1.ObjectMeta{ |  | ||||||
| 					Name: "myconf", |  | ||||||
| 				}, |  | ||||||
| 				Spec: auditregistration.AuditSinkSpec{ |  | ||||||
| 					Policy: auditregistration.Policy{ |  | ||||||
| 						Level: auditregistration.LevelMetadata, |  | ||||||
| 						Stages: []auditregistration.Stage{ |  | ||||||
| 							auditregistration.StageRequestReceived, |  | ||||||
| 						}, |  | ||||||
| 					}, |  | ||||||
| 				}, |  | ||||||
| 			}, |  | ||||||
| 			numErr: 1, |  | ||||||
| 		}, |  | ||||||
| 	} |  | ||||||
|  |  | ||||||
| 	for _, test := range testCases { |  | ||||||
| 		t.Run(test.name, func(t *testing.T) { |  | ||||||
| 			errs := ValidateAuditSink(&test.conf) |  | ||||||
| 			require.Len(t, errs, test.numErr) |  | ||||||
| 		}) |  | ||||||
| 	} |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func TestValidatePolicy(t *testing.T) { |  | ||||||
| 	successCases := []auditregistration.Policy{} |  | ||||||
| 	successCases = append(successCases, auditregistration.Policy{ // Policy with omitStages and level |  | ||||||
| 		Level: auditregistration.LevelRequest, |  | ||||||
| 		Stages: []auditregistration.Stage{ |  | ||||||
| 			auditregistration.Stage("RequestReceived"), |  | ||||||
| 			auditregistration.Stage("ResponseStarted"), |  | ||||||
| 		}, |  | ||||||
| 	}) |  | ||||||
| 	successCases = append(successCases, auditregistration.Policy{Level: auditregistration.LevelNone}) // Policy with none level only |  | ||||||
|  |  | ||||||
| 	for i, policy := range successCases { |  | ||||||
| 		if errs := ValidatePolicy(policy, field.NewPath("policy")); len(errs) != 0 { |  | ||||||
| 			t.Errorf("[%d] Expected policy %#v to be valid: %v", i, policy, errs) |  | ||||||
| 		} |  | ||||||
| 	} |  | ||||||
|  |  | ||||||
| 	errorCases := []auditregistration.Policy{} |  | ||||||
| 	errorCases = append(errorCases, auditregistration.Policy{})                                 // Empty policy                                      // Policy with missing level |  | ||||||
| 	errorCases = append(errorCases, auditregistration.Policy{Stages: []auditregistration.Stage{ // Policy with invalid stages |  | ||||||
| 		auditregistration.Stage("Bad")}}) |  | ||||||
| 	errorCases = append(errorCases, auditregistration.Policy{Level: auditregistration.Level("invalid")}) // Policy with bad level |  | ||||||
| 	errorCases = append(errorCases, auditregistration.Policy{Level: auditregistration.LevelMetadata})    // Policy without stages |  | ||||||
|  |  | ||||||
| 	for i, policy := range errorCases { |  | ||||||
| 		if errs := ValidatePolicy(policy, field.NewPath("policy")); len(errs) == 0 { |  | ||||||
| 			t.Errorf("[%d] Expected policy %#v to be invalid!", i, policy) |  | ||||||
| 		} |  | ||||||
| 	} |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func TestValidateWebhookConfiguration(t *testing.T) { |  | ||||||
| 	tests := []struct { |  | ||||||
| 		name          string |  | ||||||
| 		config        auditregistration.Webhook |  | ||||||
| 		expectedError string |  | ||||||
| 	}{ |  | ||||||
| 		{ |  | ||||||
| 			name: "both service and URL missing", |  | ||||||
| 			config: auditregistration.Webhook{ |  | ||||||
| 				ClientConfig: auditregistration.WebhookClientConfig{}, |  | ||||||
| 			}, |  | ||||||
| 			expectedError: `exactly one of`, |  | ||||||
| 		}, |  | ||||||
| 		{ |  | ||||||
| 			name: "both service and URL provided", |  | ||||||
| 			config: auditregistration.Webhook{ |  | ||||||
| 				ClientConfig: auditregistration.WebhookClientConfig{ |  | ||||||
| 					Service: &auditregistration.ServiceReference{ |  | ||||||
| 						Namespace: "ns", |  | ||||||
| 						Name:      "n", |  | ||||||
| 						Port:      443, |  | ||||||
| 					}, |  | ||||||
| 					URL: utilpointer.StringPtr("example.com/k8s/webhook"), |  | ||||||
| 				}, |  | ||||||
| 			}, |  | ||||||
| 			expectedError: `webhook.clientConfig: Required value: exactly one of url or service is required`, |  | ||||||
| 		}, |  | ||||||
| 		{ |  | ||||||
| 			name: "blank URL", |  | ||||||
| 			config: auditregistration.Webhook{ |  | ||||||
| 				ClientConfig: auditregistration.WebhookClientConfig{ |  | ||||||
| 					URL: utilpointer.StringPtr(""), |  | ||||||
| 				}, |  | ||||||
| 			}, |  | ||||||
| 			expectedError: `webhook.clientConfig.url: Invalid value: "": host must be provided`, |  | ||||||
| 		}, |  | ||||||
| 		{ |  | ||||||
| 			name: "missing host", |  | ||||||
| 			config: auditregistration.Webhook{ |  | ||||||
| 				ClientConfig: auditregistration.WebhookClientConfig{ |  | ||||||
| 					URL: utilpointer.StringPtr("https:///fancy/webhook"), |  | ||||||
| 				}, |  | ||||||
| 			}, |  | ||||||
| 			expectedError: `host must be provided`, |  | ||||||
| 		}, |  | ||||||
| 		{ |  | ||||||
| 			name: "fragment", |  | ||||||
| 			config: auditregistration.Webhook{ |  | ||||||
| 				ClientConfig: auditregistration.WebhookClientConfig{ |  | ||||||
| 					URL: utilpointer.StringPtr("https://example.com/#bookmark"), |  | ||||||
| 				}, |  | ||||||
| 			}, |  | ||||||
| 			expectedError: `"bookmark": fragments are not permitted`, |  | ||||||
| 		}, |  | ||||||
| 		{ |  | ||||||
| 			name: "query", |  | ||||||
| 			config: auditregistration.Webhook{ |  | ||||||
| 				ClientConfig: auditregistration.WebhookClientConfig{ |  | ||||||
| 					URL: utilpointer.StringPtr("https://example.com?arg=value"), |  | ||||||
| 				}, |  | ||||||
| 			}, |  | ||||||
| 			expectedError: `"arg=value": query parameters are not permitted`, |  | ||||||
| 		}, |  | ||||||
| 		{ |  | ||||||
| 			name: "user", |  | ||||||
| 			config: auditregistration.Webhook{ |  | ||||||
| 				ClientConfig: auditregistration.WebhookClientConfig{ |  | ||||||
| 					URL: utilpointer.StringPtr("https://harry.potter@example.com/"), |  | ||||||
| 				}, |  | ||||||
| 			}, |  | ||||||
| 			expectedError: `"harry.potter": user information is not permitted`, |  | ||||||
| 		}, |  | ||||||
| 		{ |  | ||||||
| 			name: "just totally wrong", |  | ||||||
| 			config: auditregistration.Webhook{ |  | ||||||
| 				ClientConfig: auditregistration.WebhookClientConfig{ |  | ||||||
| 					URL: utilpointer.StringPtr("arg#backwards=thisis?html.index/port:host//:https"), |  | ||||||
| 				}, |  | ||||||
| 			}, |  | ||||||
| 			expectedError: `host must be provided`, |  | ||||||
| 		}, |  | ||||||
| 		{ |  | ||||||
| 			name: "path must start with slash", |  | ||||||
| 			config: auditregistration.Webhook{ |  | ||||||
| 				ClientConfig: auditregistration.WebhookClientConfig{ |  | ||||||
| 					Service: &auditregistration.ServiceReference{ |  | ||||||
| 						Namespace: "ns", |  | ||||||
| 						Name:      "n", |  | ||||||
| 						Path:      utilpointer.StringPtr("foo/"), |  | ||||||
| 						Port:      443, |  | ||||||
| 					}, |  | ||||||
| 				}, |  | ||||||
| 			}, |  | ||||||
| 			expectedError: `clientConfig.service.path: Invalid value: "foo/": must start with a '/'`, |  | ||||||
| 		}, |  | ||||||
| 		{ |  | ||||||
| 			name: "invalid port >65535", |  | ||||||
| 			config: auditregistration.Webhook{ |  | ||||||
| 				ClientConfig: auditregistration.WebhookClientConfig{ |  | ||||||
| 					Service: &auditregistration.ServiceReference{ |  | ||||||
| 						Namespace: "ns", |  | ||||||
| 						Name:      "n", |  | ||||||
| 						Path:      utilpointer.StringPtr("foo/"), |  | ||||||
| 						Port:      65536, |  | ||||||
| 					}, |  | ||||||
| 				}, |  | ||||||
| 			}, |  | ||||||
| 			expectedError: `Invalid value: 65536: port is not valid: must be between 1 and 65535, inclusive`, |  | ||||||
| 		}, |  | ||||||
| 		{ |  | ||||||
| 			name: "invalid port 0", |  | ||||||
| 			config: auditregistration.Webhook{ |  | ||||||
| 				ClientConfig: auditregistration.WebhookClientConfig{ |  | ||||||
| 					Service: &auditregistration.ServiceReference{ |  | ||||||
| 						Namespace: "ns", |  | ||||||
| 						Name:      "n", |  | ||||||
| 						Path:      utilpointer.StringPtr("foo/"), |  | ||||||
| 						Port:      0, |  | ||||||
| 					}, |  | ||||||
| 				}, |  | ||||||
| 			}, |  | ||||||
| 			expectedError: `Invalid value: 0: port is not valid: must be between 1 and 65535, inclusive`, |  | ||||||
| 		}, |  | ||||||
| 		{ |  | ||||||
| 			name: "path accepts slash", |  | ||||||
| 			config: auditregistration.Webhook{ |  | ||||||
| 				ClientConfig: auditregistration.WebhookClientConfig{ |  | ||||||
| 					Service: &auditregistration.ServiceReference{ |  | ||||||
| 						Namespace: "ns", |  | ||||||
| 						Name:      "n", |  | ||||||
| 						Path:      utilpointer.StringPtr("/"), |  | ||||||
| 						Port:      443, |  | ||||||
| 					}, |  | ||||||
| 				}, |  | ||||||
| 			}, |  | ||||||
| 			expectedError: ``, |  | ||||||
| 		}, |  | ||||||
| 		{ |  | ||||||
| 			name: "path accepts no trailing slash", |  | ||||||
| 			config: auditregistration.Webhook{ |  | ||||||
| 				ClientConfig: auditregistration.WebhookClientConfig{ |  | ||||||
| 					Service: &auditregistration.ServiceReference{ |  | ||||||
| 						Namespace: "ns", |  | ||||||
| 						Name:      "n", |  | ||||||
| 						Path:      utilpointer.StringPtr("/foo"), |  | ||||||
| 						Port:      443, |  | ||||||
| 					}, |  | ||||||
| 				}, |  | ||||||
| 			}, |  | ||||||
| 			expectedError: ``, |  | ||||||
| 		}, |  | ||||||
| 		{ |  | ||||||
| 			name: "path fails //", |  | ||||||
| 			config: auditregistration.Webhook{ |  | ||||||
| 				ClientConfig: auditregistration.WebhookClientConfig{ |  | ||||||
| 					Service: &auditregistration.ServiceReference{ |  | ||||||
| 						Namespace: "ns", |  | ||||||
| 						Name:      "n", |  | ||||||
| 						Path:      utilpointer.StringPtr("//"), |  | ||||||
| 						Port:      443, |  | ||||||
| 					}, |  | ||||||
| 				}, |  | ||||||
| 			}, |  | ||||||
| 			expectedError: `clientConfig.service.path: Invalid value: "//": segment[0] may not be empty`, |  | ||||||
| 		}, |  | ||||||
| 		{ |  | ||||||
| 			name: "path no empty step", |  | ||||||
| 			config: auditregistration.Webhook{ |  | ||||||
| 				ClientConfig: auditregistration.WebhookClientConfig{ |  | ||||||
| 					Service: &auditregistration.ServiceReference{ |  | ||||||
| 						Namespace: "ns", |  | ||||||
| 						Name:      "n", |  | ||||||
| 						Path:      utilpointer.StringPtr("/foo//bar/"), |  | ||||||
| 						Port:      443, |  | ||||||
| 					}, |  | ||||||
| 				}, |  | ||||||
| 			}, |  | ||||||
| 			expectedError: `clientConfig.service.path: Invalid value: "/foo//bar/": segment[1] may not be empty`, |  | ||||||
| 		}, { |  | ||||||
| 			name: "path no empty step 2", |  | ||||||
| 			config: auditregistration.Webhook{ |  | ||||||
| 				ClientConfig: auditregistration.WebhookClientConfig{ |  | ||||||
| 					Service: &auditregistration.ServiceReference{ |  | ||||||
| 						Namespace: "ns", |  | ||||||
| 						Name:      "n", |  | ||||||
| 						Path:      utilpointer.StringPtr("/foo/bar//"), |  | ||||||
| 						Port:      443, |  | ||||||
| 					}, |  | ||||||
| 				}, |  | ||||||
| 			}, |  | ||||||
| 			expectedError: `clientConfig.service.path: Invalid value: "/foo/bar//": segment[2] may not be empty`, |  | ||||||
| 		}, |  | ||||||
| 		{ |  | ||||||
| 			name: "path no non-subdomain", |  | ||||||
| 			config: auditregistration.Webhook{ |  | ||||||
| 				ClientConfig: auditregistration.WebhookClientConfig{ |  | ||||||
| 					Service: &auditregistration.ServiceReference{ |  | ||||||
| 						Namespace: "ns", |  | ||||||
| 						Name:      "n", |  | ||||||
| 						Path:      utilpointer.StringPtr("/apis/foo.bar/v1alpha1/--bad"), |  | ||||||
| 						Port:      443, |  | ||||||
| 					}, |  | ||||||
| 				}, |  | ||||||
| 			}, |  | ||||||
| 			expectedError: `clientConfig.service.path: Invalid value: "/apis/foo.bar/v1alpha1/--bad": segment[3]: a DNS-1123 subdomain`, |  | ||||||
| 		}, |  | ||||||
| 	} |  | ||||||
| 	for _, test := range tests { |  | ||||||
| 		t.Run(test.name, func(t *testing.T) { |  | ||||||
| 			errs := ValidateWebhook(test.config, field.NewPath("webhook")) |  | ||||||
| 			err := errs.ToAggregate() |  | ||||||
| 			if err != nil { |  | ||||||
| 				if e, a := test.expectedError, err.Error(); !strings.Contains(a, e) || e == "" { |  | ||||||
| 					t.Errorf("expected to contain \nerr: %s \ngot: %s", e, a) |  | ||||||
| 				} |  | ||||||
| 			} else { |  | ||||||
| 				if test.expectedError != "" { |  | ||||||
| 					t.Errorf("unexpected no error, expected to contain %s", test.expectedError) |  | ||||||
| 				} |  | ||||||
| 			} |  | ||||||
| 		}) |  | ||||||
| 	} |  | ||||||
| } |  | ||||||
							
								
								
									
										224
									
								
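--- a/pkg/apis/auditregistration/zz_generated.deepcopy.go
+++ b/pkg/apis/auditregistration/zz_generated.deepcopy.go
@@ -1,224 +0,0 @@
-// +build !ignore_autogenerated
-
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by deepcopy-gen. DO NOT EDIT.
-
-package auditregistration
-
-import (
-	runtime "k8s.io/apimachinery/pkg/runtime"
-)
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AuditSink) DeepCopyInto(out *AuditSink) {
-	*out = *in
-	out.TypeMeta = in.TypeMeta
-	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
-	in.Spec.DeepCopyInto(&out.Spec)
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuditSink.
-func (in *AuditSink) DeepCopy() *AuditSink {
-	if in == nil {
-		return nil
-	}
-	out := new(AuditSink)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *AuditSink) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
-	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AuditSinkList) DeepCopyInto(out *AuditSinkList) {
-	*out = *in
-	out.TypeMeta = in.TypeMeta
-	in.ListMeta.DeepCopyInto(&out.ListMeta)
-	if in.Items != nil {
-		in, out := &in.Items, &out.Items
-		*out = make([]AuditSink, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuditSinkList.
-func (in *AuditSinkList) DeepCopy() *AuditSinkList {
-	if in == nil {
-		return nil
-	}
-	out := new(AuditSinkList)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *AuditSinkList) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
-	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AuditSinkSpec) DeepCopyInto(out *AuditSinkSpec) {
-	*out = *in
-	in.Policy.DeepCopyInto(&out.Policy)
-	in.Webhook.DeepCopyInto(&out.Webhook)
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuditSinkSpec.
-func (in *AuditSinkSpec) DeepCopy() *AuditSinkSpec {
-	if in == nil {
-		return nil
-	}
-	out := new(AuditSinkSpec)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *Policy) DeepCopyInto(out *Policy) {
-	*out = *in
-	if in.Stages != nil {
-		in, out := &in.Stages, &out.Stages
-		*out = make([]Stage, len(*in))
-		copy(*out, *in)
-	}
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy.
-func (in *Policy) DeepCopy() *Policy {
-	if in == nil {
-		return nil
-	}
-	out := new(Policy)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ServiceReference) DeepCopyInto(out *ServiceReference) {
-	*out = *in
-	if in.Path != nil {
-		in, out := &in.Path, &out.Path
-		*out = new(string)
-		**out = **in
-	}
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceReference.
-func (in *ServiceReference) DeepCopy() *ServiceReference {
-	if in == nil {
-		return nil
-	}
-	out := new(ServiceReference)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *Webhook) DeepCopyInto(out *Webhook) {
-	*out = *in
-	if in.Throttle != nil {
-		in, out := &in.Throttle, &out.Throttle
-		*out = new(WebhookThrottleConfig)
-		(*in).DeepCopyInto(*out)
-	}
-	in.ClientConfig.DeepCopyInto(&out.ClientConfig)
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Webhook.
-func (in *Webhook) DeepCopy() *Webhook {
-	if in == nil {
-		return nil
-	}
-	out := new(Webhook)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *WebhookClientConfig) DeepCopyInto(out *WebhookClientConfig) {
-	*out = *in
-	if in.URL != nil {
-		in, out := &in.URL, &out.URL
-		*out = new(string)
-		**out = **in
-	}
-	if in.Service != nil {
-		in, out := &in.Service, &out.Service
-		*out = new(ServiceReference)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.CABundle != nil {
-		in, out := &in.CABundle, &out.CABundle
-		*out = make([]byte, len(*in))
-		copy(*out, *in)
-	}
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookClientConfig.
-func (in *WebhookClientConfig) DeepCopy() *WebhookClientConfig {
-	if in == nil {
-		return nil
-	}
-	out := new(WebhookClientConfig)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *WebhookThrottleConfig) DeepCopyInto(out *WebhookThrottleConfig) {
-	*out = *in
-	if in.QPS != nil {
-		in, out := &in.QPS, &out.QPS
-		*out = new(int64)
-		**out = **in
-	}
-	if in.Burst != nil {
-		in, out := &in.Burst, &out.Burst
-		*out = new(int64)
-		**out = **in
-	}
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookThrottleConfig.
-func (in *WebhookThrottleConfig) DeepCopy() *WebhookThrottleConfig {
-	if in == nil {
-		return nil
-	}
-	out := new(WebhookThrottleConfig)
-	in.DeepCopyInto(out)
-	return out
-}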
| @@ -669,7 +669,6 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS | |||||||
| 	genericfeatures.StreamingProxyRedirects: {Default: true, PreRelease: featuregate.Deprecated}, | 	genericfeatures.StreamingProxyRedirects: {Default: true, PreRelease: featuregate.Deprecated}, | ||||||
| 	genericfeatures.ValidateProxyRedirects:  {Default: true, PreRelease: featuregate.Beta}, | 	genericfeatures.ValidateProxyRedirects:  {Default: true, PreRelease: featuregate.Beta}, | ||||||
| 	genericfeatures.AdvancedAuditing:        {Default: true, PreRelease: featuregate.GA}, | 	genericfeatures.AdvancedAuditing:        {Default: true, PreRelease: featuregate.GA}, | ||||||
| 	genericfeatures.DynamicAuditing:         {Default: false, PreRelease: featuregate.Alpha}, |  | ||||||
| 	genericfeatures.APIResponseCompression:  {Default: true, PreRelease: featuregate.Beta}, | 	genericfeatures.APIResponseCompression:  {Default: true, PreRelease: featuregate.Beta}, | ||||||
| 	genericfeatures.APIListChunking:         {Default: true, PreRelease: featuregate.Beta}, | 	genericfeatures.APIListChunking:         {Default: true, PreRelease: featuregate.Beta}, | ||||||
| 	genericfeatures.DryRun:                  {Default: true, PreRelease: featuregate.GA}, | 	genericfeatures.DryRun:                  {Default: true, PreRelease: featuregate.GA}, | ||||||
|   | |||||||
| @@ -16,7 +16,6 @@ go_library( | |||||||
|         "//pkg/apis/admission/install:go_default_library", |         "//pkg/apis/admission/install:go_default_library", | ||||||
|         "//pkg/apis/admissionregistration/install:go_default_library", |         "//pkg/apis/admissionregistration/install:go_default_library", | ||||||
|         "//pkg/apis/apps/install:go_default_library", |         "//pkg/apis/apps/install:go_default_library", | ||||||
|         "//pkg/apis/auditregistration/install:go_default_library", |  | ||||||
|         "//pkg/apis/authentication/install:go_default_library", |         "//pkg/apis/authentication/install:go_default_library", | ||||||
|         "//pkg/apis/authorization/install:go_default_library", |         "//pkg/apis/authorization/install:go_default_library", | ||||||
|         "//pkg/apis/autoscaling/install:go_default_library", |         "//pkg/apis/autoscaling/install:go_default_library", | ||||||
| @@ -45,7 +44,6 @@ go_library( | |||||||
|         "//pkg/master/tunneler:go_default_library", |         "//pkg/master/tunneler:go_default_library", | ||||||
|         "//pkg/registry/admissionregistration/rest:go_default_library", |         "//pkg/registry/admissionregistration/rest:go_default_library", | ||||||
|         "//pkg/registry/apps/rest:go_default_library", |         "//pkg/registry/apps/rest:go_default_library", | ||||||
|         "//pkg/registry/auditregistration/rest:go_default_library", |  | ||||||
|         "//pkg/registry/authentication/rest:go_default_library", |         "//pkg/registry/authentication/rest:go_default_library", | ||||||
|         "//pkg/registry/authorization/rest:go_default_library", |         "//pkg/registry/authorization/rest:go_default_library", | ||||||
|         "//pkg/registry/autoscaling/rest:go_default_library", |         "//pkg/registry/autoscaling/rest:go_default_library", | ||||||
| @@ -74,7 +72,6 @@ go_library( | |||||||
|         "//staging/src/k8s.io/api/admissionregistration/v1:go_default_library", |         "//staging/src/k8s.io/api/admissionregistration/v1:go_default_library", | ||||||
|         "//staging/src/k8s.io/api/admissionregistration/v1beta1:go_default_library", |         "//staging/src/k8s.io/api/admissionregistration/v1beta1:go_default_library", | ||||||
|         "//staging/src/k8s.io/api/apps/v1:go_default_library", |         "//staging/src/k8s.io/api/apps/v1:go_default_library", | ||||||
|         "//staging/src/k8s.io/api/auditregistration/v1alpha1:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/api/authentication/v1:go_default_library", |         "//staging/src/k8s.io/api/authentication/v1:go_default_library", | ||||||
|         "//staging/src/k8s.io/api/authentication/v1beta1:go_default_library", |         "//staging/src/k8s.io/api/authentication/v1beta1:go_default_library", | ||||||
|         "//staging/src/k8s.io/api/authorization/v1:go_default_library", |         "//staging/src/k8s.io/api/authorization/v1:go_default_library", | ||||||
|   | |||||||
| @@ -21,7 +21,6 @@ import ( | |||||||
| 	_ "k8s.io/kubernetes/pkg/apis/admission/install" | 	_ "k8s.io/kubernetes/pkg/apis/admission/install" | ||||||
| 	_ "k8s.io/kubernetes/pkg/apis/admissionregistration/install" | 	_ "k8s.io/kubernetes/pkg/apis/admissionregistration/install" | ||||||
| 	_ "k8s.io/kubernetes/pkg/apis/apps/install" | 	_ "k8s.io/kubernetes/pkg/apis/apps/install" | ||||||
| 	_ "k8s.io/kubernetes/pkg/apis/auditregistration/install" |  | ||||||
| 	_ "k8s.io/kubernetes/pkg/apis/authentication/install" | 	_ "k8s.io/kubernetes/pkg/apis/authentication/install" | ||||||
| 	_ "k8s.io/kubernetes/pkg/apis/authorization/install" | 	_ "k8s.io/kubernetes/pkg/apis/authorization/install" | ||||||
| 	_ "k8s.io/kubernetes/pkg/apis/autoscaling/install" | 	_ "k8s.io/kubernetes/pkg/apis/autoscaling/install" | ||||||
|   | |||||||
| @@ -28,7 +28,6 @@ import ( | |||||||
| 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1" | 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1" | ||||||
| 	admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1" | 	admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1" | ||||||
| 	appsv1 "k8s.io/api/apps/v1" | 	appsv1 "k8s.io/api/apps/v1" | ||||||
| 	auditregistrationv1alpha1 "k8s.io/api/auditregistration/v1alpha1" |  | ||||||
| 	authenticationv1 "k8s.io/api/authentication/v1" | 	authenticationv1 "k8s.io/api/authentication/v1" | ||||||
| 	authenticationv1beta1 "k8s.io/api/authentication/v1beta1" | 	authenticationv1beta1 "k8s.io/api/authentication/v1beta1" | ||||||
| 	authorizationapiv1 "k8s.io/api/authorization/v1" | 	authorizationapiv1 "k8s.io/api/authorization/v1" | ||||||
| @@ -93,7 +92,6 @@ import ( | |||||||
| 	// RESTStorage installers | 	// RESTStorage installers | ||||||
| 	admissionregistrationrest "k8s.io/kubernetes/pkg/registry/admissionregistration/rest" | 	admissionregistrationrest "k8s.io/kubernetes/pkg/registry/admissionregistration/rest" | ||||||
| 	appsrest "k8s.io/kubernetes/pkg/registry/apps/rest" | 	appsrest "k8s.io/kubernetes/pkg/registry/apps/rest" | ||||||
| 	auditregistrationrest "k8s.io/kubernetes/pkg/registry/auditregistration/rest" |  | ||||||
| 	authenticationrest "k8s.io/kubernetes/pkg/registry/authentication/rest" | 	authenticationrest "k8s.io/kubernetes/pkg/registry/authentication/rest" | ||||||
| 	authorizationrest "k8s.io/kubernetes/pkg/registry/authorization/rest" | 	authorizationrest "k8s.io/kubernetes/pkg/registry/authorization/rest" | ||||||
| 	autoscalingrest "k8s.io/kubernetes/pkg/registry/autoscaling/rest" | 	autoscalingrest "k8s.io/kubernetes/pkg/registry/autoscaling/rest" | ||||||
| @@ -415,7 +413,6 @@ func (c completedConfig) New(delegationTarget genericapiserver.DelegationTarget) | |||||||
| 	// TODO: describe the priority all the way down in the RESTStorageProviders and plumb it back through the various discovery | 	// TODO: describe the priority all the way down in the RESTStorageProviders and plumb it back through the various discovery | ||||||
| 	// handlers that we have. | 	// handlers that we have. | ||||||
| 	restStorageProviders := []RESTStorageProvider{ | 	restStorageProviders := []RESTStorageProvider{ | ||||||
| 		auditregistrationrest.RESTStorageProvider{}, |  | ||||||
| 		authenticationrest.RESTStorageProvider{Authenticator: c.GenericConfig.Authentication.Authenticator, APIAudiences: c.GenericConfig.Authentication.APIAudiences}, | 		authenticationrest.RESTStorageProvider{Authenticator: c.GenericConfig.Authentication.Authenticator, APIAudiences: c.GenericConfig.Authentication.APIAudiences}, | ||||||
| 		authorizationrest.RESTStorageProvider{Authorizer: c.GenericConfig.Authorization.Authorizer, RuleResolver: c.GenericConfig.RuleResolver}, | 		authorizationrest.RESTStorageProvider{Authorizer: c.GenericConfig.Authorization.Authorizer, RuleResolver: c.GenericConfig.RuleResolver}, | ||||||
| 		autoscalingrest.RESTStorageProvider{}, | 		autoscalingrest.RESTStorageProvider{}, | ||||||
| @@ -632,7 +629,6 @@ func DefaultAPIResourceConfigSource() *serverstorage.ResourceConfig { | |||||||
| 	) | 	) | ||||||
| 	// disable alpha versions explicitly so we have a full list of what's possible to serve | 	// disable alpha versions explicitly so we have a full list of what's possible to serve | ||||||
| 	ret.DisableVersions( | 	ret.DisableVersions( | ||||||
| 		auditregistrationv1alpha1.SchemeGroupVersion, |  | ||||||
| 		batchapiv2alpha1.SchemeGroupVersion, | 		batchapiv2alpha1.SchemeGroupVersion, | ||||||
| 		nodev1alpha1.SchemeGroupVersion, | 		nodev1alpha1.SchemeGroupVersion, | ||||||
| 		rbacv1alpha1.SchemeGroupVersion, | 		rbacv1alpha1.SchemeGroupVersion, | ||||||
|   | |||||||
| @@ -31,8 +31,6 @@ filegroup( | |||||||
|         "//pkg/registry/apps/replicaset:all-srcs", |         "//pkg/registry/apps/replicaset:all-srcs", | ||||||
|         "//pkg/registry/apps/rest:all-srcs", |         "//pkg/registry/apps/rest:all-srcs", | ||||||
|         "//pkg/registry/apps/statefulset:all-srcs", |         "//pkg/registry/apps/statefulset:all-srcs", | ||||||
|         "//pkg/registry/auditregistration/auditsink:all-srcs", |  | ||||||
|         "//pkg/registry/auditregistration/rest:all-srcs", |  | ||||||
|         "//pkg/registry/authentication/rest:all-srcs", |         "//pkg/registry/authentication/rest:all-srcs", | ||||||
|         "//pkg/registry/authentication/tokenreview:all-srcs", |         "//pkg/registry/authentication/tokenreview:all-srcs", | ||||||
|         "//pkg/registry/authorization/localsubjectaccessreview:all-srcs", |         "//pkg/registry/authorization/localsubjectaccessreview:all-srcs", | ||||||
|   | |||||||
| @@ -1,36 +0,0 @@ | |||||||
| load("@io_bazel_rules_go//go:def.bzl", "go_library") |  | ||||||
|  |  | ||||||
| go_library( |  | ||||||
|     name = "go_default_library", |  | ||||||
|     srcs = [ |  | ||||||
|         "doc.go", |  | ||||||
|         "strategy.go", |  | ||||||
|     ], |  | ||||||
|     importpath = "k8s.io/kubernetes/pkg/registry/auditregistration/auditsink", |  | ||||||
|     visibility = ["//visibility:public"], |  | ||||||
|     deps = [ |  | ||||||
|         "//pkg/api/legacyscheme:go_default_library", |  | ||||||
|         "//pkg/apis/auditregistration:go_default_library", |  | ||||||
|         "//pkg/apis/auditregistration/validation:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apiserver/pkg/storage/names:go_default_library", |  | ||||||
|     ], |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| filegroup( |  | ||||||
|     name = "package-srcs", |  | ||||||
|     srcs = glob(["**"]), |  | ||||||
|     tags = ["automanaged"], |  | ||||||
|     visibility = ["//visibility:private"], |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| filegroup( |  | ||||||
|     name = "all-srcs", |  | ||||||
|     srcs = [ |  | ||||||
|         ":package-srcs", |  | ||||||
|         "//pkg/registry/auditregistration/auditsink/storage:all-srcs", |  | ||||||
|     ], |  | ||||||
|     tags = ["automanaged"], |  | ||||||
|     visibility = ["//visibility:public"], |  | ||||||
| ) |  | ||||||
| @@ -1,17 +0,0 @@ | |||||||
| /* |  | ||||||
| Copyright 2018 The Kubernetes Authors. |  | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| you may not use this file except in compliance with the License. |  | ||||||
| You may obtain a copy of the License at |  | ||||||
|  |  | ||||||
|     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
|  |  | ||||||
| Unless required by applicable law or agreed to in writing, software |  | ||||||
| distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| See the License for the specific language governing permissions and |  | ||||||
| limitations under the License. |  | ||||||
| */ |  | ||||||
|  |  | ||||||
| package auditsink // import "k8s.io/kubernetes/pkg/registry/auditregistration/auditsink" |  | ||||||
| @@ -1,30 +0,0 @@ | |||||||
| load("@io_bazel_rules_go//go:def.bzl", "go_library") |  | ||||||
|  |  | ||||||
| go_library( |  | ||||||
|     name = "go_default_library", |  | ||||||
|     srcs = ["storage.go"], |  | ||||||
|     importpath = "k8s.io/kubernetes/pkg/registry/auditregistration/auditsink/storage", |  | ||||||
|     visibility = ["//visibility:public"], |  | ||||||
|     deps = [ |  | ||||||
|         "//pkg/apis/auditregistration:go_default_library", |  | ||||||
|         "//pkg/registry/auditregistration/auditsink:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apiserver/pkg/registry/generic:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apiserver/pkg/registry/generic/registry:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apiserver/pkg/registry/rest:go_default_library", |  | ||||||
|     ], |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| filegroup( |  | ||||||
|     name = "package-srcs", |  | ||||||
|     srcs = glob(["**"]), |  | ||||||
|     tags = ["automanaged"], |  | ||||||
|     visibility = ["//visibility:private"], |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| filegroup( |  | ||||||
|     name = "all-srcs", |  | ||||||
|     srcs = [":package-srcs"], |  | ||||||
|     tags = ["automanaged"], |  | ||||||
|     visibility = ["//visibility:public"], |  | ||||||
| ) |  | ||||||
| @@ -1,55 +0,0 @@ | |||||||
| /* |  | ||||||
| Copyright 2018 The Kubernetes Authors. |  | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| you may not use this file except in compliance with the License. |  | ||||||
| You may obtain a copy of the License at |  | ||||||
|  |  | ||||||
|     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
|  |  | ||||||
| Unless required by applicable law or agreed to in writing, software |  | ||||||
| distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| See the License for the specific language governing permissions and |  | ||||||
| limitations under the License. |  | ||||||
| */ |  | ||||||
|  |  | ||||||
| package storage |  | ||||||
|  |  | ||||||
| import ( |  | ||||||
| 	"k8s.io/apimachinery/pkg/runtime" |  | ||||||
| 	"k8s.io/apiserver/pkg/registry/generic" |  | ||||||
| 	genericregistry "k8s.io/apiserver/pkg/registry/generic/registry" |  | ||||||
| 	"k8s.io/apiserver/pkg/registry/rest" |  | ||||||
| 	"k8s.io/kubernetes/pkg/apis/auditregistration" |  | ||||||
| 	auditstrategy "k8s.io/kubernetes/pkg/registry/auditregistration/auditsink" |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| // REST implements a RESTStorage for audit sink against etcd |  | ||||||
| type REST struct { |  | ||||||
| 	*genericregistry.Store |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // NewREST returns a RESTStorage object that will work against audit sinks |  | ||||||
| func NewREST(optsGetter generic.RESTOptionsGetter) (*REST, error) { |  | ||||||
| 	store := &genericregistry.Store{ |  | ||||||
| 		NewFunc:     func() runtime.Object { return &auditregistration.AuditSink{} }, |  | ||||||
| 		NewListFunc: func() runtime.Object { return &auditregistration.AuditSinkList{} }, |  | ||||||
| 		ObjectNameFunc: func(obj runtime.Object) (string, error) { |  | ||||||
| 			return obj.(*auditregistration.AuditSink).Name, nil |  | ||||||
| 		}, |  | ||||||
| 		DefaultQualifiedResource: auditregistration.Resource("auditsinks"), |  | ||||||
|  |  | ||||||
| 		CreateStrategy: auditstrategy.Strategy, |  | ||||||
| 		UpdateStrategy: auditstrategy.Strategy, |  | ||||||
| 		DeleteStrategy: auditstrategy.Strategy, |  | ||||||
|  |  | ||||||
| 		// TODO: define table converter that exposes more than name/creation timestamp |  | ||||||
| 		TableConvertor: rest.NewDefaultTableConvertor(auditregistration.Resource("auditsinks")), |  | ||||||
| 	} |  | ||||||
| 	options := &generic.StoreOptions{RESTOptions: optsGetter} |  | ||||||
| 	if err := store.CompleteWithOptions(options); err != nil { |  | ||||||
| 		return nil, err |  | ||||||
| 	} |  | ||||||
| 	return &REST{store}, nil |  | ||||||
| } |  | ||||||
| @@ -1,89 +0,0 @@ | |||||||
| /* |  | ||||||
| Copyright 2018 The Kubernetes Authors. |  | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| you may not use this file except in compliance with the License. |  | ||||||
| You may obtain a copy of the License at |  | ||||||
|  |  | ||||||
|     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
|  |  | ||||||
| Unless required by applicable law or agreed to in writing, software |  | ||||||
| distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| See the License for the specific language governing permissions and |  | ||||||
| limitations under the License. |  | ||||||
| */ |  | ||||||
|  |  | ||||||
| package auditsink |  | ||||||
|  |  | ||||||
| import ( |  | ||||||
| 	"context" |  | ||||||
| 	"reflect" |  | ||||||
|  |  | ||||||
| 	"k8s.io/apimachinery/pkg/runtime" |  | ||||||
| 	"k8s.io/apimachinery/pkg/util/validation/field" |  | ||||||
| 	"k8s.io/apiserver/pkg/storage/names" |  | ||||||
| 	"k8s.io/kubernetes/pkg/api/legacyscheme" |  | ||||||
| 	audit "k8s.io/kubernetes/pkg/apis/auditregistration" |  | ||||||
| 	"k8s.io/kubernetes/pkg/apis/auditregistration/validation" |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| // auditSinkStrategy implements verification logic for AuditSink. |  | ||||||
| type auditSinkStrategy struct { |  | ||||||
| 	runtime.ObjectTyper |  | ||||||
| 	names.NameGenerator |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Strategy is the default logic that applies when creating and updating AuditSink objects. |  | ||||||
| var Strategy = auditSinkStrategy{legacyscheme.Scheme, names.SimpleNameGenerator} |  | ||||||
|  |  | ||||||
| // NamespaceScoped returns false because all AuditSink's need to be cluster scoped |  | ||||||
| func (auditSinkStrategy) NamespaceScoped() bool { |  | ||||||
| 	return false |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // PrepareForCreate clears the status of an AuditSink before creation. |  | ||||||
| func (auditSinkStrategy) PrepareForCreate(ctx context.Context, obj runtime.Object) { |  | ||||||
| 	ic := obj.(*audit.AuditSink) |  | ||||||
| 	ic.Generation = 1 |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // PrepareForUpdate clears fields that are not allowed to be set by end users on update. |  | ||||||
| func (auditSinkStrategy) PrepareForUpdate(ctx context.Context, obj, old runtime.Object) { |  | ||||||
| 	newIC := obj.(*audit.AuditSink) |  | ||||||
| 	oldIC := old.(*audit.AuditSink) |  | ||||||
|  |  | ||||||
| 	// Any changes to the policy or backend increment the generation number |  | ||||||
| 	// See metav1.ObjectMeta description for more information on Generation. |  | ||||||
| 	if !reflect.DeepEqual(oldIC.Spec, newIC.Spec) { |  | ||||||
| 		newIC.Generation = oldIC.Generation + 1 |  | ||||||
| 	} |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Validate validates a new auditSink. |  | ||||||
| func (auditSinkStrategy) Validate(ctx context.Context, obj runtime.Object) field.ErrorList { |  | ||||||
| 	ic := obj.(*audit.AuditSink) |  | ||||||
| 	return validation.ValidateAuditSink(ic) |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Canonicalize normalizes the object after validation. |  | ||||||
| func (auditSinkStrategy) Canonicalize(obj runtime.Object) { |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // AllowCreateOnUpdate is true for auditSink; this means you may create one with a PUT request. |  | ||||||
| func (auditSinkStrategy) AllowCreateOnUpdate() bool { |  | ||||||
| 	return false |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // ValidateUpdate is the default update validation for an end user. |  | ||||||
| func (auditSinkStrategy) ValidateUpdate(ctx context.Context, obj, old runtime.Object) field.ErrorList { |  | ||||||
| 	validationErrorList := validation.ValidateAuditSink(obj.(*audit.AuditSink)) |  | ||||||
| 	updateErrorList := validation.ValidateAuditSinkUpdate(obj.(*audit.AuditSink), old.(*audit.AuditSink)) |  | ||||||
| 	return append(validationErrorList, updateErrorList...) |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // AllowUnconditionalUpdate is the default update policy for auditSink objects. Status update should |  | ||||||
| // only be allowed if version match. |  | ||||||
| func (auditSinkStrategy) AllowUnconditionalUpdate() bool { |  | ||||||
| 	return false |  | ||||||
| } |  | ||||||
| @@ -1,31 +0,0 @@ | |||||||
| load("@io_bazel_rules_go//go:def.bzl", "go_library") |  | ||||||
|  |  | ||||||
| go_library( |  | ||||||
|     name = "go_default_library", |  | ||||||
|     srcs = ["storage_auditregistration.go"], |  | ||||||
|     importpath = "k8s.io/kubernetes/pkg/registry/auditregistration/rest", |  | ||||||
|     visibility = ["//visibility:public"], |  | ||||||
|     deps = [ |  | ||||||
|         "//pkg/api/legacyscheme:go_default_library", |  | ||||||
|         "//pkg/registry/auditregistration/auditsink/storage:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/api/auditregistration/v1alpha1:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apiserver/pkg/registry/generic:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apiserver/pkg/registry/rest:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apiserver/pkg/server:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apiserver/pkg/server/storage:go_default_library", |  | ||||||
|     ], |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| filegroup( |  | ||||||
|     name = "package-srcs", |  | ||||||
|     srcs = glob(["**"]), |  | ||||||
|     tags = ["automanaged"], |  | ||||||
|     visibility = ["//visibility:private"], |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| filegroup( |  | ||||||
|     name = "all-srcs", |  | ||||||
|     srcs = [":package-srcs"], |  | ||||||
|     tags = ["automanaged"], |  | ||||||
|     visibility = ["//visibility:public"], |  | ||||||
| ) |  | ||||||
| @@ -1,57 +0,0 @@ | |||||||
| /* |  | ||||||
| Copyright 2018 The Kubernetes Authors. |  | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| you may not use this file except in compliance with the License. |  | ||||||
| You may obtain a copy of the License at |  | ||||||
|  |  | ||||||
|     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
|  |  | ||||||
| Unless required by applicable law or agreed to in writing, software |  | ||||||
| distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| See the License for the specific language governing permissions and |  | ||||||
| limitations under the License. |  | ||||||
| */ |  | ||||||
|  |  | ||||||
| package rest |  | ||||||
|  |  | ||||||
| import ( |  | ||||||
| 	auditv1alpha1 "k8s.io/api/auditregistration/v1alpha1" |  | ||||||
| 	"k8s.io/apiserver/pkg/registry/generic" |  | ||||||
| 	"k8s.io/apiserver/pkg/registry/rest" |  | ||||||
| 	genericapiserver "k8s.io/apiserver/pkg/server" |  | ||||||
| 	serverstorage "k8s.io/apiserver/pkg/server/storage" |  | ||||||
| 	"k8s.io/kubernetes/pkg/api/legacyscheme" |  | ||||||
| 	auditstorage "k8s.io/kubernetes/pkg/registry/auditregistration/auditsink/storage" |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| // RESTStorageProvider is a REST storage provider for audit.k8s.io |  | ||||||
| type RESTStorageProvider struct{} |  | ||||||
|  |  | ||||||
| // NewRESTStorage returns a RESTStorageProvider |  | ||||||
| func (p RESTStorageProvider) NewRESTStorage(apiResourceConfigSource serverstorage.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) (genericapiserver.APIGroupInfo, bool, error) { |  | ||||||
| 	apiGroupInfo := genericapiserver.NewDefaultAPIGroupInfo(auditv1alpha1.GroupName, legacyscheme.Scheme, legacyscheme.ParameterCodec, legacyscheme.Codecs) |  | ||||||
|  |  | ||||||
| 	if apiResourceConfigSource.VersionEnabled(auditv1alpha1.SchemeGroupVersion) { |  | ||||||
| 		if storageMap, err := p.v1alpha1Storage(apiResourceConfigSource, restOptionsGetter); err != nil { |  | ||||||
| 			return genericapiserver.APIGroupInfo{}, false, err |  | ||||||
| 		} else { |  | ||||||
| 			apiGroupInfo.VersionedResourcesStorageMap[auditv1alpha1.SchemeGroupVersion.Version] = storageMap |  | ||||||
| 		} |  | ||||||
| 	} |  | ||||||
| 	return apiGroupInfo, true, nil |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func (p RESTStorageProvider) v1alpha1Storage(apiResourceConfigSource serverstorage.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) (map[string]rest.Storage, error) { |  | ||||||
| 	storage := map[string]rest.Storage{} |  | ||||||
| 	s, err := auditstorage.NewREST(restOptionsGetter) |  | ||||||
| 	storage["auditsinks"] = s |  | ||||||
|  |  | ||||||
| 	return storage, err |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // GroupName is the group name for the storage provider |  | ||||||
| func (p RESTStorageProvider) GroupName() string { |  | ||||||
| 	return auditv1alpha1.GroupName |  | ||||||
| } |  | ||||||
| @@ -71,7 +71,6 @@ filegroup( | |||||||
|         "//staging/src/k8s.io/api/apps/v1:all-srcs", |         "//staging/src/k8s.io/api/apps/v1:all-srcs", | ||||||
|         "//staging/src/k8s.io/api/apps/v1beta1:all-srcs", |         "//staging/src/k8s.io/api/apps/v1beta1:all-srcs", | ||||||
|         "//staging/src/k8s.io/api/apps/v1beta2:all-srcs", |         "//staging/src/k8s.io/api/apps/v1beta2:all-srcs", | ||||||
|         "//staging/src/k8s.io/api/auditregistration/v1alpha1:all-srcs", |  | ||||||
|         "//staging/src/k8s.io/api/authentication/v1:all-srcs", |         "//staging/src/k8s.io/api/authentication/v1:all-srcs", | ||||||
|         "//staging/src/k8s.io/api/authentication/v1beta1:all-srcs", |         "//staging/src/k8s.io/api/authentication/v1beta1:all-srcs", | ||||||
|         "//staging/src/k8s.io/api/authorization/v1:all-srcs", |         "//staging/src/k8s.io/api/authorization/v1:all-srcs", | ||||||
|   | |||||||
| @@ -1,8 +0,0 @@ | |||||||
| # See the OWNERS docs at https://go.k8s.io/owners |  | ||||||
|  |  | ||||||
| reviewers: |  | ||||||
| - sig-auth-audit-approvers |  | ||||||
| - sig-auth-audit-reviewers |  | ||||||
| labels: |  | ||||||
| - sig/auth |  | ||||||
|  |  | ||||||
| @@ -1,36 +0,0 @@ | |||||||
| load("@io_bazel_rules_go//go:def.bzl", "go_library") |  | ||||||
|  |  | ||||||
| go_library( |  | ||||||
|     name = "go_default_library", |  | ||||||
|     srcs = [ |  | ||||||
|         "doc.go", |  | ||||||
|         "generated.pb.go", |  | ||||||
|         "register.go", |  | ||||||
|         "types.go", |  | ||||||
|         "types_swagger_doc_generated.go", |  | ||||||
|         "zz_generated.deepcopy.go", |  | ||||||
|     ], |  | ||||||
|     importmap = "k8s.io/kubernetes/vendor/k8s.io/api/auditregistration/v1alpha1", |  | ||||||
|     importpath = "k8s.io/api/auditregistration/v1alpha1", |  | ||||||
|     visibility = ["//visibility:public"], |  | ||||||
|     deps = [ |  | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library", |  | ||||||
|         "//vendor/github.com/gogo/protobuf/proto:go_default_library", |  | ||||||
|     ], |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| filegroup( |  | ||||||
|     name = "package-srcs", |  | ||||||
|     srcs = glob(["**"]), |  | ||||||
|     tags = ["automanaged"], |  | ||||||
|     visibility = ["//visibility:private"], |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| filegroup( |  | ||||||
|     name = "all-srcs", |  | ||||||
|     srcs = [":package-srcs"], |  | ||||||
|     tags = ["automanaged"], |  | ||||||
|     visibility = ["//visibility:public"], |  | ||||||
| ) |  | ||||||
| @@ -1,23 +0,0 @@ | |||||||
| /* |  | ||||||
| Copyright 2018 The Kubernetes Authors. |  | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| you may not use this file except in compliance with the License. |  | ||||||
| You may obtain a copy of the License at |  | ||||||
|  |  | ||||||
|     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
|  |  | ||||||
| Unless required by applicable law or agreed to in writing, software |  | ||||||
| distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| See the License for the specific language governing permissions and |  | ||||||
| limitations under the License. |  | ||||||
| */ |  | ||||||
|  |  | ||||||
| // +k8s:deepcopy-gen=package |  | ||||||
| // +k8s:protobuf-gen=package |  | ||||||
| // +k8s:openapi-gen=true |  | ||||||
|  |  | ||||||
| // +groupName=auditregistration.k8s.io |  | ||||||
|  |  | ||||||
| package v1alpha1 // import "k8s.io/api/auditregistration/v1alpha1" |  | ||||||
										
											
												File diff suppressed because it is too large
											
										
									
								
							| @@ -1,162 +0,0 @@ | |||||||
| /* |  | ||||||
| Copyright The Kubernetes Authors. |  | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| you may not use this file except in compliance with the License. |  | ||||||
| You may obtain a copy of the License at |  | ||||||
|  |  | ||||||
|     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
|  |  | ||||||
| Unless required by applicable law or agreed to in writing, software |  | ||||||
| distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| See the License for the specific language governing permissions and |  | ||||||
| limitations under the License. |  | ||||||
| */ |  | ||||||
|  |  | ||||||
|  |  | ||||||
| // This file was autogenerated by go-to-protobuf. Do not edit it manually! |  | ||||||
|  |  | ||||||
| syntax = 'proto2'; |  | ||||||
|  |  | ||||||
| package k8s.io.api.auditregistration.v1alpha1; |  | ||||||
|  |  | ||||||
| import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto"; |  | ||||||
| import "k8s.io/apimachinery/pkg/runtime/generated.proto"; |  | ||||||
| import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto"; |  | ||||||
|  |  | ||||||
| // Package-wide variables from generator "generated". |  | ||||||
| option go_package = "v1alpha1"; |  | ||||||
|  |  | ||||||
| // AuditSink represents a cluster level audit sink |  | ||||||
| message AuditSink { |  | ||||||
|   // +optional |  | ||||||
|   optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1; |  | ||||||
|  |  | ||||||
|   // Spec defines the audit configuration spec |  | ||||||
|   optional AuditSinkSpec spec = 2; |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // AuditSinkList is a list of AuditSink items. |  | ||||||
| message AuditSinkList { |  | ||||||
|   // +optional |  | ||||||
|   optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1; |  | ||||||
|  |  | ||||||
|   // List of audit configurations. |  | ||||||
|   repeated AuditSink items = 2; |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // AuditSinkSpec holds the spec for the audit sink |  | ||||||
| message AuditSinkSpec { |  | ||||||
|   // Policy defines the policy for selecting which events should be sent to the webhook |  | ||||||
|   // required |  | ||||||
|   optional Policy policy = 1; |  | ||||||
|  |  | ||||||
|   // Webhook to send events |  | ||||||
|   // required |  | ||||||
|   optional Webhook webhook = 2; |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Policy defines the configuration of how audit events are logged |  | ||||||
| message Policy { |  | ||||||
|   // The Level that all requests are recorded at. |  | ||||||
|   // available options: None, Metadata, Request, RequestResponse |  | ||||||
|   // required |  | ||||||
|   optional string level = 1; |  | ||||||
|  |  | ||||||
|   // Stages is a list of stages for which events are created. |  | ||||||
|   // +optional |  | ||||||
|   repeated string stages = 2; |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // ServiceReference holds a reference to Service.legacy.k8s.io |  | ||||||
| message ServiceReference { |  | ||||||
|   // `namespace` is the namespace of the service. |  | ||||||
|   // Required |  | ||||||
|   optional string namespace = 1; |  | ||||||
|  |  | ||||||
|   // `name` is the name of the service. |  | ||||||
|   // Required |  | ||||||
|   optional string name = 2; |  | ||||||
|  |  | ||||||
|   // `path` is an optional URL path which will be sent in any request to |  | ||||||
|   // this service. |  | ||||||
|   // +optional |  | ||||||
|   optional string path = 3; |  | ||||||
|  |  | ||||||
|   // If specified, the port on the service that hosting webhook. |  | ||||||
|   // Default to 443 for backward compatibility. |  | ||||||
|   // `port` should be a valid port number (1-65535, inclusive). |  | ||||||
|   // +optional |  | ||||||
|   optional int32 port = 4; |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Webhook holds the configuration of the webhook |  | ||||||
| message Webhook { |  | ||||||
|   // Throttle holds the options for throttling the webhook |  | ||||||
|   // +optional |  | ||||||
|   optional WebhookThrottleConfig throttle = 1; |  | ||||||
|  |  | ||||||
|   // ClientConfig holds the connection parameters for the webhook |  | ||||||
|   // required |  | ||||||
|   optional WebhookClientConfig clientConfig = 2; |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // WebhookClientConfig contains the information to make a connection with the webhook |  | ||||||
| message WebhookClientConfig { |  | ||||||
|   // `url` gives the location of the webhook, in standard URL form |  | ||||||
|   // (`scheme://host:port/path`). Exactly one of `url` or `service` |  | ||||||
|   // must be specified. |  | ||||||
|   // |  | ||||||
|   // The `host` should not refer to a service running in the cluster; use |  | ||||||
|   // the `service` field instead. The host might be resolved via external |  | ||||||
|   // DNS in some apiservers (e.g., `kube-apiserver` cannot resolve |  | ||||||
|   // in-cluster DNS as that would be a layering violation). `host` may |  | ||||||
|   // also be an IP address. |  | ||||||
|   // |  | ||||||
|   // Please note that using `localhost` or `127.0.0.1` as a `host` is |  | ||||||
|   // risky unless you take great care to run this webhook on all hosts |  | ||||||
|   // which run an apiserver which might need to make calls to this |  | ||||||
|   // webhook. Such installs are likely to be non-portable, i.e., not easy |  | ||||||
|   // to turn up in a new cluster. |  | ||||||
|   // |  | ||||||
|   // The scheme must be "https"; the URL must begin with "https://". |  | ||||||
|   // |  | ||||||
|   // A path is optional, and if present may be any string permissible in |  | ||||||
|   // a URL. You may use the path to pass an arbitrary string to the |  | ||||||
|   // webhook, for example, a cluster identifier. |  | ||||||
|   // |  | ||||||
|   // Attempting to use a user or basic auth e.g. "user:password@" is not |  | ||||||
|   // allowed. Fragments ("#...") and query parameters ("?...") are not |  | ||||||
|   // allowed, either. |  | ||||||
|   // |  | ||||||
|   // +optional |  | ||||||
|   optional string url = 1; |  | ||||||
|  |  | ||||||
|   // `service` is a reference to the service for this webhook. Either |  | ||||||
|   // `service` or `url` must be specified. |  | ||||||
|   // |  | ||||||
|   // If the webhook is running within the cluster, then you should use `service`. |  | ||||||
|   // |  | ||||||
|   // +optional |  | ||||||
|   optional ServiceReference service = 2; |  | ||||||
|  |  | ||||||
|   // `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. |  | ||||||
|   // If unspecified, system trust roots on the apiserver are used. |  | ||||||
|   // +optional |  | ||||||
|   optional bytes caBundle = 3; |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // WebhookThrottleConfig holds the configuration for throttling events |  | ||||||
| message WebhookThrottleConfig { |  | ||||||
|   // ThrottleQPS maximum number of batches per second |  | ||||||
|   // default 10 QPS |  | ||||||
|   // +optional |  | ||||||
|   optional int64 qps = 1; |  | ||||||
|  |  | ||||||
|   // ThrottleBurst is the maximum number of events sent at the same moment |  | ||||||
|   // default 15 QPS |  | ||||||
|   // +optional |  | ||||||
|   optional int64 burst = 2; |  | ||||||
| } |  | ||||||
|  |  | ||||||
| @@ -1,56 +0,0 @@ | |||||||
| /* |  | ||||||
| Copyright 2018 The Kubernetes Authors. |  | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| you may not use this file except in compliance with the License. |  | ||||||
| You may obtain a copy of the License at |  | ||||||
|  |  | ||||||
|     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
|  |  | ||||||
| Unless required by applicable law or agreed to in writing, software |  | ||||||
| distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| See the License for the specific language governing permissions and |  | ||||||
| limitations under the License. |  | ||||||
| */ |  | ||||||
|  |  | ||||||
| package v1alpha1 |  | ||||||
|  |  | ||||||
| import ( |  | ||||||
| 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" |  | ||||||
| 	"k8s.io/apimachinery/pkg/runtime" |  | ||||||
| 	"k8s.io/apimachinery/pkg/runtime/schema" |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| // GroupName is the group name use in this package |  | ||||||
| const GroupName = "auditregistration.k8s.io" |  | ||||||
|  |  | ||||||
| // SchemeGroupVersion is group version used to register these objects |  | ||||||
| var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"} |  | ||||||
|  |  | ||||||
| // Resource takes an unqualified resource and returns a Group qualified GroupResource |  | ||||||
| func Resource(resource string) schema.GroupResource { |  | ||||||
| 	return SchemeGroupVersion.WithResource(resource).GroupResource() |  | ||||||
| } |  | ||||||
|  |  | ||||||
| var ( |  | ||||||
| 	SchemeBuilder      runtime.SchemeBuilder |  | ||||||
| 	localSchemeBuilder = &SchemeBuilder |  | ||||||
| 	AddToScheme        = localSchemeBuilder.AddToScheme |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| func init() { |  | ||||||
| 	// We only register manually written functions here. The registration of the |  | ||||||
| 	// generated functions takes place in the generated files. The separation |  | ||||||
| 	// makes the code compile even when the generated files are missing. |  | ||||||
| 	localSchemeBuilder.Register(addKnownTypes) |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func addKnownTypes(scheme *runtime.Scheme) error { |  | ||||||
| 	scheme.AddKnownTypes(SchemeGroupVersion, |  | ||||||
| 		&AuditSink{}, |  | ||||||
| 		&AuditSinkList{}, |  | ||||||
| 	) |  | ||||||
| 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion) |  | ||||||
| 	return nil |  | ||||||
| } |  | ||||||
| @@ -1,198 +0,0 @@ | |||||||
| /* |  | ||||||
| Copyright 2018 The Kubernetes Authors. |  | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| you may not use this file except in compliance with the License. |  | ||||||
| You may obtain a copy of the License at |  | ||||||
|  |  | ||||||
|     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
|  |  | ||||||
| Unless required by applicable law or agreed to in writing, software |  | ||||||
| distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| See the License for the specific language governing permissions and |  | ||||||
| limitations under the License. |  | ||||||
| */ |  | ||||||
|  |  | ||||||
| // +k8s:openapi-gen=true |  | ||||||
|  |  | ||||||
| package v1alpha1 |  | ||||||
|  |  | ||||||
| import ( |  | ||||||
| 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| // Level defines the amount of information logged during auditing |  | ||||||
| type Level string |  | ||||||
|  |  | ||||||
| // Valid audit levels |  | ||||||
| const ( |  | ||||||
| 	// LevelNone disables auditing |  | ||||||
| 	LevelNone Level = "None" |  | ||||||
| 	// LevelMetadata provides the basic level of auditing. |  | ||||||
| 	LevelMetadata Level = "Metadata" |  | ||||||
| 	// LevelRequest provides Metadata level of auditing, and additionally |  | ||||||
| 	// logs the request object (does not apply for non-resource requests). |  | ||||||
| 	LevelRequest Level = "Request" |  | ||||||
| 	// LevelRequestResponse provides Request level of auditing, and additionally |  | ||||||
| 	// logs the response object (does not apply for non-resource requests and watches). |  | ||||||
| 	LevelRequestResponse Level = "RequestResponse" |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| // Stage defines the stages in request handling during which audit events may be generated. |  | ||||||
| type Stage string |  | ||||||
|  |  | ||||||
| // Valid audit stages. |  | ||||||
| const ( |  | ||||||
| 	// The stage for events generated after the audit handler receives the request, but before it |  | ||||||
| 	// is delegated down the handler chain. |  | ||||||
| 	StageRequestReceived = "RequestReceived" |  | ||||||
| 	// The stage for events generated after the response headers are sent, but before the response body |  | ||||||
| 	// is sent. This stage is only generated for long-running requests (e.g. watch). |  | ||||||
| 	StageResponseStarted = "ResponseStarted" |  | ||||||
| 	// The stage for events generated after the response body has been completed, and no more bytes |  | ||||||
| 	// will be sent. |  | ||||||
| 	StageResponseComplete = "ResponseComplete" |  | ||||||
| 	// The stage for events generated when a panic occurred. |  | ||||||
| 	StagePanic = "Panic" |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| // +genclient |  | ||||||
| // +genclient:nonNamespaced |  | ||||||
| // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object |  | ||||||
|  |  | ||||||
| // AuditSink represents a cluster level audit sink |  | ||||||
| type AuditSink struct { |  | ||||||
| 	metav1.TypeMeta `json:",inline"` |  | ||||||
| 	// +optional |  | ||||||
| 	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` |  | ||||||
|  |  | ||||||
| 	// Spec defines the audit configuration spec |  | ||||||
| 	Spec AuditSinkSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"` |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // AuditSinkSpec holds the spec for the audit sink |  | ||||||
| type AuditSinkSpec struct { |  | ||||||
| 	// Policy defines the policy for selecting which events should be sent to the webhook |  | ||||||
| 	// required |  | ||||||
| 	Policy Policy `json:"policy" protobuf:"bytes,1,opt,name=policy"` |  | ||||||
|  |  | ||||||
| 	// Webhook to send events |  | ||||||
| 	// required |  | ||||||
| 	Webhook Webhook `json:"webhook" protobuf:"bytes,2,opt,name=webhook"` |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object |  | ||||||
|  |  | ||||||
| // AuditSinkList is a list of AuditSink items. |  | ||||||
| type AuditSinkList struct { |  | ||||||
| 	metav1.TypeMeta `json:",inline"` |  | ||||||
| 	// +optional |  | ||||||
| 	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` |  | ||||||
|  |  | ||||||
| 	// List of audit configurations. |  | ||||||
| 	Items []AuditSink `json:"items" protobuf:"bytes,2,rep,name=items"` |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Policy defines the configuration of how audit events are logged |  | ||||||
| type Policy struct { |  | ||||||
| 	// The Level that all requests are recorded at. |  | ||||||
| 	// available options: None, Metadata, Request, RequestResponse |  | ||||||
| 	// required |  | ||||||
| 	Level Level `json:"level" protobuf:"bytes,1,opt,name=level"` |  | ||||||
|  |  | ||||||
| 	// Stages is a list of stages for which events are created. |  | ||||||
| 	// +optional |  | ||||||
| 	Stages []Stage `json:"stages" protobuf:"bytes,2,opt,name=stages"` |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Webhook holds the configuration of the webhook |  | ||||||
| type Webhook struct { |  | ||||||
| 	// Throttle holds the options for throttling the webhook |  | ||||||
| 	// +optional |  | ||||||
| 	Throttle *WebhookThrottleConfig `json:"throttle,omitempty" protobuf:"bytes,1,opt,name=throttle"` |  | ||||||
|  |  | ||||||
| 	// ClientConfig holds the connection parameters for the webhook |  | ||||||
| 	// required |  | ||||||
| 	ClientConfig WebhookClientConfig `json:"clientConfig" protobuf:"bytes,2,opt,name=clientConfig"` |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // WebhookThrottleConfig holds the configuration for throttling events |  | ||||||
| type WebhookThrottleConfig struct { |  | ||||||
| 	// ThrottleQPS maximum number of batches per second |  | ||||||
| 	// default 10 QPS |  | ||||||
| 	// +optional |  | ||||||
| 	QPS *int64 `json:"qps,omitempty" protobuf:"bytes,1,opt,name=qps"` |  | ||||||
|  |  | ||||||
| 	// ThrottleBurst is the maximum number of events sent at the same moment |  | ||||||
| 	// default 15 QPS |  | ||||||
| 	// +optional |  | ||||||
| 	Burst *int64 `json:"burst,omitempty" protobuf:"bytes,2,opt,name=burst"` |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // WebhookClientConfig contains the information to make a connection with the webhook |  | ||||||
| type WebhookClientConfig struct { |  | ||||||
| 	// `url` gives the location of the webhook, in standard URL form |  | ||||||
| 	// (`scheme://host:port/path`). Exactly one of `url` or `service` |  | ||||||
| 	// must be specified. |  | ||||||
| 	// |  | ||||||
| 	// The `host` should not refer to a service running in the cluster; use |  | ||||||
| 	// the `service` field instead. The host might be resolved via external |  | ||||||
| 	// DNS in some apiservers (e.g., `kube-apiserver` cannot resolve |  | ||||||
| 	// in-cluster DNS as that would be a layering violation). `host` may |  | ||||||
| 	// also be an IP address. |  | ||||||
| 	// |  | ||||||
| 	// Please note that using `localhost` or `127.0.0.1` as a `host` is |  | ||||||
| 	// risky unless you take great care to run this webhook on all hosts |  | ||||||
| 	// which run an apiserver which might need to make calls to this |  | ||||||
| 	// webhook. Such installs are likely to be non-portable, i.e., not easy |  | ||||||
| 	// to turn up in a new cluster. |  | ||||||
| 	// |  | ||||||
| 	// The scheme must be "https"; the URL must begin with "https://". |  | ||||||
| 	// |  | ||||||
| 	// A path is optional, and if present may be any string permissible in |  | ||||||
| 	// a URL. You may use the path to pass an arbitrary string to the |  | ||||||
| 	// webhook, for example, a cluster identifier. |  | ||||||
| 	// |  | ||||||
| 	// Attempting to use a user or basic auth e.g. "user:password@" is not |  | ||||||
| 	// allowed. Fragments ("#...") and query parameters ("?...") are not |  | ||||||
| 	// allowed, either. |  | ||||||
| 	// |  | ||||||
| 	// +optional |  | ||||||
| 	URL *string `json:"url,omitempty" protobuf:"bytes,1,opt,name=url"` |  | ||||||
|  |  | ||||||
| 	// `service` is a reference to the service for this webhook. Either |  | ||||||
| 	// `service` or `url` must be specified. |  | ||||||
| 	// |  | ||||||
| 	// If the webhook is running within the cluster, then you should use `service`. |  | ||||||
| 	// |  | ||||||
| 	// +optional |  | ||||||
| 	Service *ServiceReference `json:"service,omitempty" protobuf:"bytes,2,opt,name=service"` |  | ||||||
|  |  | ||||||
| 	// `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. |  | ||||||
| 	// If unspecified, system trust roots on the apiserver are used. |  | ||||||
| 	// +optional |  | ||||||
| 	CABundle []byte `json:"caBundle,omitempty" protobuf:"bytes,3,opt,name=caBundle"` |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // ServiceReference holds a reference to Service.legacy.k8s.io |  | ||||||
| type ServiceReference struct { |  | ||||||
| 	// `namespace` is the namespace of the service. |  | ||||||
| 	// Required |  | ||||||
| 	Namespace string `json:"namespace" protobuf:"bytes,1,opt,name=namespace"` |  | ||||||
|  |  | ||||||
| 	// `name` is the name of the service. |  | ||||||
| 	// Required |  | ||||||
| 	Name string `json:"name" protobuf:"bytes,2,opt,name=name"` |  | ||||||
|  |  | ||||||
| 	// `path` is an optional URL path which will be sent in any request to |  | ||||||
| 	// this service. |  | ||||||
| 	// +optional |  | ||||||
| 	Path *string `json:"path,omitempty" protobuf:"bytes,3,opt,name=path"` |  | ||||||
|  |  | ||||||
| 	// If specified, the port on the service that hosting webhook. |  | ||||||
| 	// Default to 443 for backward compatibility. |  | ||||||
| 	// `port` should be a valid port number (1-65535, inclusive). |  | ||||||
| 	// +optional |  | ||||||
| 	Port *int32 `json:"port,omitempty" protobuf:"varint,4,opt,name=port"` |  | ||||||
| } |  | ||||||
| @@ -1,111 +0,0 @@ | |||||||
| /* |  | ||||||
| Copyright The Kubernetes Authors. |  | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| you may not use this file except in compliance with the License. |  | ||||||
| You may obtain a copy of the License at |  | ||||||
|  |  | ||||||
|     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
|  |  | ||||||
| Unless required by applicable law or agreed to in writing, software |  | ||||||
| distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| See the License for the specific language governing permissions and |  | ||||||
| limitations under the License. |  | ||||||
| */ |  | ||||||
|  |  | ||||||
| package v1alpha1 |  | ||||||
|  |  | ||||||
| // This file contains a collection of methods that can be used from go-restful to |  | ||||||
| // generate Swagger API documentation for its models. Please read this PR for more |  | ||||||
| // information on the implementation: https://github.com/emicklei/go-restful/pull/215 |  | ||||||
| // |  | ||||||
| // TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if |  | ||||||
| // they are on one line! For multiple line or blocks that you want to ignore use ---. |  | ||||||
| // Any context after a --- is ignored. |  | ||||||
| // |  | ||||||
| // Those methods can be generated by using hack/update-generated-swagger-docs.sh |  | ||||||
|  |  | ||||||
| // AUTO-GENERATED FUNCTIONS START HERE. DO NOT EDIT. |  | ||||||
| var map_AuditSink = map[string]string{ |  | ||||||
| 	"":     "AuditSink represents a cluster level audit sink", |  | ||||||
| 	"spec": "Spec defines the audit configuration spec", |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func (AuditSink) SwaggerDoc() map[string]string { |  | ||||||
| 	return map_AuditSink |  | ||||||
| } |  | ||||||
|  |  | ||||||
| var map_AuditSinkList = map[string]string{ |  | ||||||
| 	"":      "AuditSinkList is a list of AuditSink items.", |  | ||||||
| 	"items": "List of audit configurations.", |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func (AuditSinkList) SwaggerDoc() map[string]string { |  | ||||||
| 	return map_AuditSinkList |  | ||||||
| } |  | ||||||
|  |  | ||||||
| var map_AuditSinkSpec = map[string]string{ |  | ||||||
| 	"":        "AuditSinkSpec holds the spec for the audit sink", |  | ||||||
| 	"policy":  "Policy defines the policy for selecting which events should be sent to the webhook required", |  | ||||||
| 	"webhook": "Webhook to send events required", |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func (AuditSinkSpec) SwaggerDoc() map[string]string { |  | ||||||
| 	return map_AuditSinkSpec |  | ||||||
| } |  | ||||||
|  |  | ||||||
| var map_Policy = map[string]string{ |  | ||||||
| 	"":       "Policy defines the configuration of how audit events are logged", |  | ||||||
| 	"level":  "The Level that all requests are recorded at. available options: None, Metadata, Request, RequestResponse required", |  | ||||||
| 	"stages": "Stages is a list of stages for which events are created.", |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func (Policy) SwaggerDoc() map[string]string { |  | ||||||
| 	return map_Policy |  | ||||||
| } |  | ||||||
|  |  | ||||||
| var map_ServiceReference = map[string]string{ |  | ||||||
| 	"":          "ServiceReference holds a reference to Service.legacy.k8s.io", |  | ||||||
| 	"namespace": "`namespace` is the namespace of the service. Required", |  | ||||||
| 	"name":      "`name` is the name of the service. Required", |  | ||||||
| 	"path":      "`path` is an optional URL path which will be sent in any request to this service.", |  | ||||||
| 	"port":      "If specified, the port on the service that hosting webhook. Default to 443 for backward compatibility. `port` should be a valid port number (1-65535, inclusive).", |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func (ServiceReference) SwaggerDoc() map[string]string { |  | ||||||
| 	return map_ServiceReference |  | ||||||
| } |  | ||||||
|  |  | ||||||
| var map_Webhook = map[string]string{ |  | ||||||
| 	"":             "Webhook holds the configuration of the webhook", |  | ||||||
| 	"throttle":     "Throttle holds the options for throttling the webhook", |  | ||||||
| 	"clientConfig": "ClientConfig holds the connection parameters for the webhook required", |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func (Webhook) SwaggerDoc() map[string]string { |  | ||||||
| 	return map_Webhook |  | ||||||
| } |  | ||||||
|  |  | ||||||
| var map_WebhookClientConfig = map[string]string{ |  | ||||||
| 	"":         "WebhookClientConfig contains the information to make a connection with the webhook", |  | ||||||
| 	"url":      "`url` gives the location of the webhook, in standard URL form (`scheme://host:port/path`). Exactly one of `url` or `service` must be specified.\n\nThe `host` should not refer to a service running in the cluster; use the `service` field instead. The host might be resolved via external DNS in some apiservers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a layering violation). `host` may also be an IP address.\n\nPlease note that using `localhost` or `127.0.0.1` as a `host` is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster.\n\nThe scheme must be \"https\"; the URL must begin with \"https://\".\n\nA path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier.\n\nAttempting to use a user or basic auth e.g. \"user:password@\" is not allowed. Fragments (\"#...\") and query parameters (\"?...\") are not allowed, either.", |  | ||||||
| 	"service":  "`service` is a reference to the service for this webhook. Either `service` or `url` must be specified.\n\nIf the webhook is running within the cluster, then you should use `service`.", |  | ||||||
| 	"caBundle": "`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.", |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func (WebhookClientConfig) SwaggerDoc() map[string]string { |  | ||||||
| 	return map_WebhookClientConfig |  | ||||||
| } |  | ||||||
|  |  | ||||||
| var map_WebhookThrottleConfig = map[string]string{ |  | ||||||
| 	"":      "WebhookThrottleConfig holds the configuration for throttling events", |  | ||||||
| 	"qps":   "ThrottleQPS maximum number of batches per second default 10 QPS", |  | ||||||
| 	"burst": "ThrottleBurst is the maximum number of events sent at the same moment default 15 QPS", |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func (WebhookThrottleConfig) SwaggerDoc() map[string]string { |  | ||||||
| 	return map_WebhookThrottleConfig |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // AUTO-GENERATED FUNCTIONS END HERE |  | ||||||
| @@ -1,229 +0,0 @@ | |||||||
| // +build !ignore_autogenerated |  | ||||||
|  |  | ||||||
| /* |  | ||||||
| Copyright The Kubernetes Authors. |  | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| you may not use this file except in compliance with the License. |  | ||||||
| You may obtain a copy of the License at |  | ||||||
|  |  | ||||||
|     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
|  |  | ||||||
| Unless required by applicable law or agreed to in writing, software |  | ||||||
| distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| See the License for the specific language governing permissions and |  | ||||||
| limitations under the License. |  | ||||||
| */ |  | ||||||
|  |  | ||||||
| // Code generated by deepcopy-gen. DO NOT EDIT. |  | ||||||
|  |  | ||||||
| package v1alpha1 |  | ||||||
|  |  | ||||||
| import ( |  | ||||||
| 	runtime "k8s.io/apimachinery/pkg/runtime" |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. |  | ||||||
| func (in *AuditSink) DeepCopyInto(out *AuditSink) { |  | ||||||
| 	*out = *in |  | ||||||
| 	out.TypeMeta = in.TypeMeta |  | ||||||
| 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) |  | ||||||
| 	in.Spec.DeepCopyInto(&out.Spec) |  | ||||||
| 	return |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuditSink. |  | ||||||
| func (in *AuditSink) DeepCopy() *AuditSink { |  | ||||||
| 	if in == nil { |  | ||||||
| 		return nil |  | ||||||
| 	} |  | ||||||
| 	out := new(AuditSink) |  | ||||||
| 	in.DeepCopyInto(out) |  | ||||||
| 	return out |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. |  | ||||||
| func (in *AuditSink) DeepCopyObject() runtime.Object { |  | ||||||
| 	if c := in.DeepCopy(); c != nil { |  | ||||||
| 		return c |  | ||||||
| 	} |  | ||||||
| 	return nil |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. |  | ||||||
| func (in *AuditSinkList) DeepCopyInto(out *AuditSinkList) { |  | ||||||
| 	*out = *in |  | ||||||
| 	out.TypeMeta = in.TypeMeta |  | ||||||
| 	in.ListMeta.DeepCopyInto(&out.ListMeta) |  | ||||||
| 	if in.Items != nil { |  | ||||||
| 		in, out := &in.Items, &out.Items |  | ||||||
| 		*out = make([]AuditSink, len(*in)) |  | ||||||
| 		for i := range *in { |  | ||||||
| 			(*in)[i].DeepCopyInto(&(*out)[i]) |  | ||||||
| 		} |  | ||||||
| 	} |  | ||||||
| 	return |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuditSinkList. |  | ||||||
| func (in *AuditSinkList) DeepCopy() *AuditSinkList { |  | ||||||
| 	if in == nil { |  | ||||||
| 		return nil |  | ||||||
| 	} |  | ||||||
| 	out := new(AuditSinkList) |  | ||||||
| 	in.DeepCopyInto(out) |  | ||||||
| 	return out |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. |  | ||||||
| func (in *AuditSinkList) DeepCopyObject() runtime.Object { |  | ||||||
| 	if c := in.DeepCopy(); c != nil { |  | ||||||
| 		return c |  | ||||||
| 	} |  | ||||||
| 	return nil |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. |  | ||||||
| func (in *AuditSinkSpec) DeepCopyInto(out *AuditSinkSpec) { |  | ||||||
| 	*out = *in |  | ||||||
| 	in.Policy.DeepCopyInto(&out.Policy) |  | ||||||
| 	in.Webhook.DeepCopyInto(&out.Webhook) |  | ||||||
| 	return |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuditSinkSpec. |  | ||||||
| func (in *AuditSinkSpec) DeepCopy() *AuditSinkSpec { |  | ||||||
| 	if in == nil { |  | ||||||
| 		return nil |  | ||||||
| 	} |  | ||||||
| 	out := new(AuditSinkSpec) |  | ||||||
| 	in.DeepCopyInto(out) |  | ||||||
| 	return out |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. |  | ||||||
| func (in *Policy) DeepCopyInto(out *Policy) { |  | ||||||
| 	*out = *in |  | ||||||
| 	if in.Stages != nil { |  | ||||||
| 		in, out := &in.Stages, &out.Stages |  | ||||||
| 		*out = make([]Stage, len(*in)) |  | ||||||
| 		copy(*out, *in) |  | ||||||
| 	} |  | ||||||
| 	return |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy. |  | ||||||
| func (in *Policy) DeepCopy() *Policy { |  | ||||||
| 	if in == nil { |  | ||||||
| 		return nil |  | ||||||
| 	} |  | ||||||
| 	out := new(Policy) |  | ||||||
| 	in.DeepCopyInto(out) |  | ||||||
| 	return out |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. |  | ||||||
| func (in *ServiceReference) DeepCopyInto(out *ServiceReference) { |  | ||||||
| 	*out = *in |  | ||||||
| 	if in.Path != nil { |  | ||||||
| 		in, out := &in.Path, &out.Path |  | ||||||
| 		*out = new(string) |  | ||||||
| 		**out = **in |  | ||||||
| 	} |  | ||||||
| 	if in.Port != nil { |  | ||||||
| 		in, out := &in.Port, &out.Port |  | ||||||
| 		*out = new(int32) |  | ||||||
| 		**out = **in |  | ||||||
| 	} |  | ||||||
| 	return |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceReference. |  | ||||||
| func (in *ServiceReference) DeepCopy() *ServiceReference { |  | ||||||
| 	if in == nil { |  | ||||||
| 		return nil |  | ||||||
| 	} |  | ||||||
| 	out := new(ServiceReference) |  | ||||||
| 	in.DeepCopyInto(out) |  | ||||||
| 	return out |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. |  | ||||||
| func (in *Webhook) DeepCopyInto(out *Webhook) { |  | ||||||
| 	*out = *in |  | ||||||
| 	if in.Throttle != nil { |  | ||||||
| 		in, out := &in.Throttle, &out.Throttle |  | ||||||
| 		*out = new(WebhookThrottleConfig) |  | ||||||
| 		(*in).DeepCopyInto(*out) |  | ||||||
| 	} |  | ||||||
| 	in.ClientConfig.DeepCopyInto(&out.ClientConfig) |  | ||||||
| 	return |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Webhook. |  | ||||||
| func (in *Webhook) DeepCopy() *Webhook { |  | ||||||
| 	if in == nil { |  | ||||||
| 		return nil |  | ||||||
| 	} |  | ||||||
| 	out := new(Webhook) |  | ||||||
| 	in.DeepCopyInto(out) |  | ||||||
| 	return out |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. |  | ||||||
| func (in *WebhookClientConfig) DeepCopyInto(out *WebhookClientConfig) { |  | ||||||
| 	*out = *in |  | ||||||
| 	if in.URL != nil { |  | ||||||
| 		in, out := &in.URL, &out.URL |  | ||||||
| 		*out = new(string) |  | ||||||
| 		**out = **in |  | ||||||
| 	} |  | ||||||
| 	if in.Service != nil { |  | ||||||
| 		in, out := &in.Service, &out.Service |  | ||||||
| 		*out = new(ServiceReference) |  | ||||||
| 		(*in).DeepCopyInto(*out) |  | ||||||
| 	} |  | ||||||
| 	if in.CABundle != nil { |  | ||||||
| 		in, out := &in.CABundle, &out.CABundle |  | ||||||
| 		*out = make([]byte, len(*in)) |  | ||||||
| 		copy(*out, *in) |  | ||||||
| 	} |  | ||||||
| 	return |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookClientConfig. |  | ||||||
| func (in *WebhookClientConfig) DeepCopy() *WebhookClientConfig { |  | ||||||
| 	if in == nil { |  | ||||||
| 		return nil |  | ||||||
| 	} |  | ||||||
| 	out := new(WebhookClientConfig) |  | ||||||
| 	in.DeepCopyInto(out) |  | ||||||
| 	return out |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. |  | ||||||
| func (in *WebhookThrottleConfig) DeepCopyInto(out *WebhookThrottleConfig) { |  | ||||||
| 	*out = *in |  | ||||||
| 	if in.QPS != nil { |  | ||||||
| 		in, out := &in.QPS, &out.QPS |  | ||||||
| 		*out = new(int64) |  | ||||||
| 		**out = **in |  | ||||||
| 	} |  | ||||||
| 	if in.Burst != nil { |  | ||||||
| 		in, out := &in.Burst, &out.Burst |  | ||||||
| 		*out = new(int64) |  | ||||||
| 		**out = **in |  | ||||||
| 	} |  | ||||||
| 	return |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookThrottleConfig. |  | ||||||
| func (in *WebhookThrottleConfig) DeepCopy() *WebhookThrottleConfig { |  | ||||||
| 	if in == nil { |  | ||||||
| 		return nil |  | ||||||
| 	} |  | ||||||
| 	out := new(WebhookThrottleConfig) |  | ||||||
| 	in.DeepCopyInto(out) |  | ||||||
| 	return out |  | ||||||
| } |  | ||||||
| @@ -24,7 +24,7 @@ import ( | |||||||
|  |  | ||||||
| 	"github.com/spf13/pflag" | 	"github.com/spf13/pflag" | ||||||
|  |  | ||||||
| 	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" | 	v1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" | ||||||
| 	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1" | 	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1" | ||||||
| 	"k8s.io/apiextensions-apiserver/pkg/apiserver" | 	"k8s.io/apiextensions-apiserver/pkg/apiserver" | ||||||
| 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" | 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" | ||||||
| @@ -54,7 +54,6 @@ func NewCustomResourceDefinitionsServerOptions(out, errOut io.Writer) *CustomRes | |||||||
| 		RecommendedOptions: genericoptions.NewRecommendedOptions( | 		RecommendedOptions: genericoptions.NewRecommendedOptions( | ||||||
| 			defaultEtcdPathPrefix, | 			defaultEtcdPathPrefix, | ||||||
| 			apiserver.Codecs.LegacyCodec(v1beta1.SchemeGroupVersion, v1.SchemeGroupVersion), | 			apiserver.Codecs.LegacyCodec(v1beta1.SchemeGroupVersion, v1.SchemeGroupVersion), | ||||||
| 			genericoptions.NewProcessInfo("apiextensions-apiserver", "kube-system"), |  | ||||||
| 		), | 		), | ||||||
| 		APIEnablement: genericoptions.NewAPIEnablementOptions(), | 		APIEnablement: genericoptions.NewAPIEnablementOptions(), | ||||||
|  |  | ||||||
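Review bot: Dropping the third argument from the `genericoptions.NewRecommendedOptions(...)` call implies that the exported constructor in k8s.io/apiserver lost its `ProcessInfo` parameter, and nothing visible in this section documents that for other consumers. Out-of-tree API servers that still pass `genericoptions.NewProcessInfo(...)` would presumably stop compiling once they pick up this change. If the signature change is intended, I would add a release-note line along the lines of `action required: genericoptions.NewRecommendedOptions no longer accepts a ProcessInfo argument`. The link to the dynamic audit removal is inferred from the commit title rather than shown here, so please confirm it; the body of NewCustomResourceDefinitionsServerOptions starts and ends outside the hunk.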
|   | |||||||
| @@ -71,7 +71,6 @@ filegroup( | |||||||
|         ":package-srcs", |         ":package-srcs", | ||||||
|         "//staging/src/k8s.io/apiserver/pkg/audit/event:all-srcs", |         "//staging/src/k8s.io/apiserver/pkg/audit/event:all-srcs", | ||||||
|         "//staging/src/k8s.io/apiserver/pkg/audit/policy:all-srcs", |         "//staging/src/k8s.io/apiserver/pkg/audit/policy:all-srcs", | ||||||
|         "//staging/src/k8s.io/apiserver/pkg/audit/util:all-srcs", |  | ||||||
|     ], |     ], | ||||||
|     tags = ["automanaged"], |     tags = ["automanaged"], | ||||||
| ) | ) | ||||||
|   | |||||||
| @@ -10,14 +10,12 @@ go_test( | |||||||
|     name = "go_default_test", |     name = "go_default_test", | ||||||
|     srcs = [ |     srcs = [ | ||||||
|         "checker_test.go", |         "checker_test.go", | ||||||
|         "dynamic_test.go", |  | ||||||
|         "enforce_test.go", |         "enforce_test.go", | ||||||
|         "reader_test.go", |         "reader_test.go", | ||||||
|         "util_test.go", |         "util_test.go", | ||||||
|     ], |     ], | ||||||
|     embed = [":go_default_library"], |     embed = [":go_default_library"], | ||||||
|     deps = [ |     deps = [ | ||||||
|         "//staging/src/k8s.io/api/auditregistration/v1alpha1:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/api/apitesting/fuzzer:go_default_library", |         "//staging/src/k8s.io/apimachinery/pkg/api/apitesting/fuzzer:go_default_library", | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library", |         "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library", | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/runtime/serializer:go_default_library", |         "//staging/src/k8s.io/apimachinery/pkg/runtime/serializer:go_default_library", | ||||||
| @@ -37,7 +35,6 @@ go_library( | |||||||
|     name = "go_default_library", |     name = "go_default_library", | ||||||
|     srcs = [ |     srcs = [ | ||||||
|         "checker.go", |         "checker.go", | ||||||
|         "dynamic.go", |  | ||||||
|         "enforce.go", |         "enforce.go", | ||||||
|         "reader.go", |         "reader.go", | ||||||
|         "util.go", |         "util.go", | ||||||
| @@ -45,7 +42,6 @@ go_library( | |||||||
|     importmap = "k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/audit/policy", |     importmap = "k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/audit/policy", | ||||||
|     importpath = "k8s.io/apiserver/pkg/audit/policy", |     importpath = "k8s.io/apiserver/pkg/audit/policy", | ||||||
|     deps = [ |     deps = [ | ||||||
|         "//staging/src/k8s.io/api/auditregistration/v1alpha1:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library", |         "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library", | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library", |         "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library", | ||||||
|         "//staging/src/k8s.io/apiserver/pkg/apis/audit:go_default_library", |         "//staging/src/k8s.io/apiserver/pkg/apis/audit:go_default_library", | ||||||
|   | |||||||
| @@ -1,54 +0,0 @@ | |||||||
| /* |  | ||||||
| Copyright 2018 The Kubernetes Authors. |  | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| you may not use this file except in compliance with the License. |  | ||||||
| You may obtain a copy of the License at |  | ||||||
|  |  | ||||||
|     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
|  |  | ||||||
| Unless required by applicable law or agreed to in writing, software |  | ||||||
| distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| See the License for the specific language governing permissions and |  | ||||||
| limitations under the License. |  | ||||||
| */ |  | ||||||
|  |  | ||||||
| package policy |  | ||||||
|  |  | ||||||
| import ( |  | ||||||
| 	"k8s.io/api/auditregistration/v1alpha1" |  | ||||||
| 	"k8s.io/apiserver/pkg/apis/audit" |  | ||||||
| 	"k8s.io/apiserver/pkg/authorization/authorizer" |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| // ConvertDynamicPolicyToInternal constructs an internal policy type from a |  | ||||||
| // v1alpha1 dynamic type |  | ||||||
| func ConvertDynamicPolicyToInternal(p *v1alpha1.Policy) *audit.Policy { |  | ||||||
| 	stages := make([]audit.Stage, len(p.Stages)) |  | ||||||
| 	for i, stage := range p.Stages { |  | ||||||
| 		stages[i] = audit.Stage(stage) |  | ||||||
| 	} |  | ||||||
| 	return &audit.Policy{ |  | ||||||
| 		Rules: []audit.PolicyRule{ |  | ||||||
| 			{ |  | ||||||
| 				Level: audit.Level(p.Level), |  | ||||||
| 			}, |  | ||||||
| 		}, |  | ||||||
| 		OmitStages: InvertStages(stages), |  | ||||||
| 	} |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // NewDynamicChecker returns a new dynamic policy checker |  | ||||||
| func NewDynamicChecker() Checker { |  | ||||||
| 	return &dynamicPolicyChecker{} |  | ||||||
| } |  | ||||||
|  |  | ||||||
| type dynamicPolicyChecker struct{} |  | ||||||
|  |  | ||||||
| // LevelAndStages returns returns a fixed level of the full event, this is so that the downstream policy |  | ||||||
| // can be applied per sink. |  | ||||||
| // TODO: this needs benchmarking before the API moves to beta to determine the effect this has on the apiserver |  | ||||||
| func (d *dynamicPolicyChecker) LevelAndStages(authorizer.Attributes) (audit.Level, []audit.Stage) { |  | ||||||
| 	return audit.LevelRequestResponse, []audit.Stage{} |  | ||||||
| } |  | ||||||
| @@ -1,81 +0,0 @@ | |||||||
| /* |  | ||||||
| Copyright 2018 The Kubernetes Authors. |  | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| you may not use this file except in compliance with the License. |  | ||||||
| You may obtain a copy of the License at |  | ||||||
|  |  | ||||||
|     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
|  |  | ||||||
| Unless required by applicable law or agreed to in writing, software |  | ||||||
| distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| See the License for the specific language governing permissions and |  | ||||||
| limitations under the License. |  | ||||||
| */ |  | ||||||
|  |  | ||||||
| package policy |  | ||||||
|  |  | ||||||
| import ( |  | ||||||
| 	"testing" |  | ||||||
|  |  | ||||||
| 	"github.com/stretchr/testify/require" |  | ||||||
|  |  | ||||||
| 	"k8s.io/api/auditregistration/v1alpha1" |  | ||||||
| 	"k8s.io/apiserver/pkg/apis/audit" |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| func TestConvertDynamicPolicyToInternal(t *testing.T) { |  | ||||||
| 	for _, test := range []struct { |  | ||||||
| 		desc     string |  | ||||||
| 		dynamic  *v1alpha1.Policy |  | ||||||
| 		internal *audit.Policy |  | ||||||
| 	}{ |  | ||||||
| 		{ |  | ||||||
| 			desc: "should convert full", |  | ||||||
| 			dynamic: &v1alpha1.Policy{ |  | ||||||
| 				Level: v1alpha1.LevelMetadata, |  | ||||||
| 				Stages: []v1alpha1.Stage{ |  | ||||||
| 					v1alpha1.StageResponseComplete, |  | ||||||
| 				}, |  | ||||||
| 			}, |  | ||||||
| 			internal: &audit.Policy{ |  | ||||||
| 				Rules: []audit.PolicyRule{ |  | ||||||
| 					{ |  | ||||||
| 						Level: audit.LevelMetadata, |  | ||||||
| 					}, |  | ||||||
| 				}, |  | ||||||
| 				OmitStages: []audit.Stage{ |  | ||||||
| 					audit.StageRequestReceived, |  | ||||||
| 					audit.StageResponseStarted, |  | ||||||
| 					audit.StagePanic, |  | ||||||
| 				}, |  | ||||||
| 			}, |  | ||||||
| 		}, |  | ||||||
| 		{ |  | ||||||
| 			desc: "should convert missing stages", |  | ||||||
| 			dynamic: &v1alpha1.Policy{ |  | ||||||
| 				Level: v1alpha1.LevelMetadata, |  | ||||||
| 			}, |  | ||||||
| 			internal: &audit.Policy{ |  | ||||||
| 				Rules: []audit.PolicyRule{ |  | ||||||
| 					{ |  | ||||||
| 						Level: audit.LevelMetadata, |  | ||||||
| 					}, |  | ||||||
| 				}, |  | ||||||
| 				OmitStages: []audit.Stage{ |  | ||||||
| 					audit.StageRequestReceived, |  | ||||||
| 					audit.StageResponseStarted, |  | ||||||
| 					audit.StageResponseComplete, |  | ||||||
| 					audit.StagePanic, |  | ||||||
| 				}, |  | ||||||
| 			}, |  | ||||||
| 		}, |  | ||||||
| 	} { |  | ||||||
| 		t.Run(test.desc, func(t *testing.T) { |  | ||||||
| 			d := ConvertDynamicPolicyToInternal(test.dynamic) |  | ||||||
| 			require.ElementsMatch(t, test.internal.OmitStages, d.OmitStages) |  | ||||||
| 			require.Equal(t, test.internal.Rules, d.Rules) |  | ||||||
| 		}) |  | ||||||
| 	} |  | ||||||
| } |  | ||||||
| @@ -1,40 +0,0 @@ | |||||||
| load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test") |  | ||||||
|  |  | ||||||
| go_library( |  | ||||||
|     name = "go_default_library", |  | ||||||
|     srcs = ["conversion.go"], |  | ||||||
|     importmap = "k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/audit/util", |  | ||||||
|     importpath = "k8s.io/apiserver/pkg/audit/util", |  | ||||||
|     visibility = ["//visibility:public"], |  | ||||||
|     deps = [ |  | ||||||
|         "//staging/src/k8s.io/api/auditregistration/v1alpha1:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apiserver/pkg/util/webhook:go_default_library", |  | ||||||
|     ], |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| filegroup( |  | ||||||
|     name = "package-srcs", |  | ||||||
|     srcs = glob(["**"]), |  | ||||||
|     tags = ["automanaged"], |  | ||||||
|     visibility = ["//visibility:private"], |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| filegroup( |  | ||||||
|     name = "all-srcs", |  | ||||||
|     srcs = [":package-srcs"], |  | ||||||
|     tags = ["automanaged"], |  | ||||||
|     visibility = ["//visibility:public"], |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| go_test( |  | ||||||
|     name = "go_default_test", |  | ||||||
|     srcs = ["conversion_test.go"], |  | ||||||
|     embed = [":go_default_library"], |  | ||||||
|     deps = [ |  | ||||||
|         "//staging/src/k8s.io/api/auditregistration/v1alpha1:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apiserver/pkg/util/webhook:go_default_library", |  | ||||||
|         "//vendor/github.com/stretchr/testify/require:go_default_library", |  | ||||||
|         "//vendor/k8s.io/utils/pointer:go_default_library", |  | ||||||
|     ], |  | ||||||
| ) |  | ||||||
| @@ -1,49 +0,0 @@ | |||||||
| /* |  | ||||||
| Copyright 2018 The Kubernetes Authors. |  | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| you may not use this file except in compliance with the License. |  | ||||||
| You may obtain a copy of the License at |  | ||||||
|  |  | ||||||
|     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
|  |  | ||||||
| Unless required by applicable law or agreed to in writing, software |  | ||||||
| distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| See the License for the specific language governing permissions and |  | ||||||
| limitations under the License. |  | ||||||
| */ |  | ||||||
|  |  | ||||||
| package util |  | ||||||
|  |  | ||||||
| import ( |  | ||||||
| 	"k8s.io/api/auditregistration/v1alpha1" |  | ||||||
| 	"k8s.io/apiserver/pkg/util/webhook" |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| // HookClientConfigForSink constructs a webhook.ClientConfig using a v1alpha1.AuditSink API object. |  | ||||||
| // webhook.ClientConfig is used to create a HookClient and the purpose of the config struct is to |  | ||||||
| // share that with other packages that need to create a HookClient. |  | ||||||
| func HookClientConfigForSink(a *v1alpha1.AuditSink) webhook.ClientConfig { |  | ||||||
| 	c := a.Spec.Webhook.ClientConfig |  | ||||||
| 	ret := webhook.ClientConfig{Name: a.Name, CABundle: c.CABundle} |  | ||||||
| 	if c.URL != nil { |  | ||||||
| 		ret.URL = *c.URL |  | ||||||
| 	} |  | ||||||
| 	if c.Service != nil { |  | ||||||
| 		ret.Service = &webhook.ClientConfigService{ |  | ||||||
| 			Name:      c.Service.Name, |  | ||||||
| 			Namespace: c.Service.Namespace, |  | ||||||
| 		} |  | ||||||
| 		if c.Service.Port != nil { |  | ||||||
| 			ret.Service.Port = *c.Service.Port |  | ||||||
| 		} else { |  | ||||||
| 			ret.Service.Port = 443 |  | ||||||
| 		} |  | ||||||
|  |  | ||||||
| 		if c.Service.Path != nil { |  | ||||||
| 			ret.Service.Path = *c.Service.Path |  | ||||||
| 		} |  | ||||||
| 	} |  | ||||||
| 	return ret |  | ||||||
| } |  | ||||||
| @@ -1,91 +0,0 @@ | |||||||
| /* |  | ||||||
| Copyright 2018 The Kubernetes Authors. |  | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| you may not use this file except in compliance with the License. |  | ||||||
| You may obtain a copy of the License at |  | ||||||
|  |  | ||||||
|     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
|  |  | ||||||
| Unless required by applicable law or agreed to in writing, software |  | ||||||
| distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| See the License for the specific language governing permissions and |  | ||||||
| limitations under the License. |  | ||||||
| */ |  | ||||||
|  |  | ||||||
| package util |  | ||||||
|  |  | ||||||
| import ( |  | ||||||
| 	"testing" |  | ||||||
|  |  | ||||||
| 	"github.com/stretchr/testify/require" |  | ||||||
|  |  | ||||||
| 	auditregv1alpha1 "k8s.io/api/auditregistration/v1alpha1" |  | ||||||
| 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" |  | ||||||
| 	"k8s.io/apiserver/pkg/util/webhook" |  | ||||||
| 	"k8s.io/utils/pointer" |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| func TestHookClientConfigForSink(t *testing.T) { |  | ||||||
| 	testURL := "http://localhost" |  | ||||||
| 	path := "/path" |  | ||||||
| 	for _, tc := range []struct { |  | ||||||
| 		desc         string |  | ||||||
| 		sink         *auditregv1alpha1.AuditSink |  | ||||||
| 		clientConfig webhook.ClientConfig |  | ||||||
| 	}{ |  | ||||||
| 		{ |  | ||||||
| 			desc: "build full", |  | ||||||
| 			sink: &auditregv1alpha1.AuditSink{ |  | ||||||
| 				ObjectMeta: metav1.ObjectMeta{ |  | ||||||
| 					Name: "test", |  | ||||||
| 				}, |  | ||||||
| 				Spec: auditregv1alpha1.AuditSinkSpec{ |  | ||||||
| 					Webhook: auditregv1alpha1.Webhook{ |  | ||||||
| 						ClientConfig: auditregv1alpha1.WebhookClientConfig{ |  | ||||||
| 							URL: &testURL, |  | ||||||
| 							Service: &auditregv1alpha1.ServiceReference{ |  | ||||||
| 								Name:      "test", |  | ||||||
| 								Path:      &path, |  | ||||||
| 								Namespace: "test", |  | ||||||
| 								Port:      pointer.Int32Ptr(123), |  | ||||||
| 							}, |  | ||||||
| 						}, |  | ||||||
| 					}, |  | ||||||
| 				}, |  | ||||||
| 			}, |  | ||||||
| 			clientConfig: webhook.ClientConfig{ |  | ||||||
| 				Name: "test", |  | ||||||
| 				URL:  testURL, |  | ||||||
| 				Service: &webhook.ClientConfigService{ |  | ||||||
| 					Name:      "test", |  | ||||||
| 					Namespace: "test", |  | ||||||
| 					Path:      path, |  | ||||||
| 					Port:      123, |  | ||||||
| 				}, |  | ||||||
| 			}, |  | ||||||
| 		}, |  | ||||||
| 		{ |  | ||||||
| 			desc: "build empty client config", |  | ||||||
| 			sink: &auditregv1alpha1.AuditSink{ |  | ||||||
| 				ObjectMeta: metav1.ObjectMeta{ |  | ||||||
| 					Name: "test", |  | ||||||
| 				}, |  | ||||||
| 				Spec: auditregv1alpha1.AuditSinkSpec{ |  | ||||||
| 					Webhook: auditregv1alpha1.Webhook{ |  | ||||||
| 						ClientConfig: auditregv1alpha1.WebhookClientConfig{}, |  | ||||||
| 					}, |  | ||||||
| 				}, |  | ||||||
| 			}, |  | ||||||
| 			clientConfig: webhook.ClientConfig{ |  | ||||||
| 				Name: "test", |  | ||||||
| 			}, |  | ||||||
| 		}, |  | ||||||
| 	} { |  | ||||||
| 		t.Run(tc.desc, func(t *testing.T) { |  | ||||||
| 			ret := HookClientConfigForSink(tc.sink) |  | ||||||
| 			require.Equal(t, tc.clientConfig, ret) |  | ||||||
| 		}) |  | ||||||
| 	} |  | ||||||
| } |  | ||||||
| @@ -59,13 +59,6 @@ const ( | |||||||
| 	// audited. | 	// audited. | ||||||
| 	AdvancedAuditing featuregate.Feature = "AdvancedAuditing" | 	AdvancedAuditing featuregate.Feature = "AdvancedAuditing" | ||||||
|  |  | ||||||
| 	// owner: @pbarker |  | ||||||
| 	// alpha: v1.13 |  | ||||||
| 	// |  | ||||||
| 	// DynamicAuditing enables configuration of audit policy and webhook backends through an |  | ||||||
| 	// AuditSink API object. |  | ||||||
| 	DynamicAuditing featuregate.Feature = "DynamicAuditing" |  | ||||||
|  |  | ||||||
| 	// owner: @ilackams | 	// owner: @ilackams | ||||||
| 	// alpha: v1.7 | 	// alpha: v1.7 | ||||||
| 	// | 	// | ||||||
| @@ -163,7 +156,6 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS | |||||||
| 	StreamingProxyRedirects: {Default: true, PreRelease: featuregate.Deprecated}, | 	StreamingProxyRedirects: {Default: true, PreRelease: featuregate.Deprecated}, | ||||||
| 	ValidateProxyRedirects:  {Default: true, PreRelease: featuregate.Beta}, | 	ValidateProxyRedirects:  {Default: true, PreRelease: featuregate.Beta}, | ||||||
| 	AdvancedAuditing:        {Default: true, PreRelease: featuregate.GA}, | 	AdvancedAuditing:        {Default: true, PreRelease: featuregate.GA}, | ||||||
| 	DynamicAuditing:         {Default: false, PreRelease: featuregate.Alpha}, |  | ||||||
| 	APIResponseCompression:  {Default: true, PreRelease: featuregate.Beta}, | 	APIResponseCompression:  {Default: true, PreRelease: featuregate.Beta}, | ||||||
| 	APIListChunking:         {Default: true, PreRelease: featuregate.Beta}, | 	APIListChunking:         {Default: true, PreRelease: featuregate.Beta}, | ||||||
| 	DryRun:                  {Default: true, PreRelease: featuregate.GA}, | 	DryRun:                  {Default: true, PreRelease: featuregate.GA}, | ||||||
|   | |||||||
| @@ -14,7 +14,6 @@ go_library( | |||||||
|         "doc.go", |         "doc.go", | ||||||
|         "egress_selector.go", |         "egress_selector.go", | ||||||
|         "etcd.go", |         "etcd.go", | ||||||
|         "events.go", |  | ||||||
|         "feature.go", |         "feature.go", | ||||||
|         "recommended.go", |         "recommended.go", | ||||||
|         "server_run_options.go", |         "server_run_options.go", | ||||||
| @@ -22,13 +21,11 @@ go_library( | |||||||
|         "serving_unix.go", |         "serving_unix.go", | ||||||
|         "serving_windows.go", |         "serving_windows.go", | ||||||
|         "serving_with_loopback.go", |         "serving_with_loopback.go", | ||||||
|         "webhook.go", |  | ||||||
|     ], |     ], | ||||||
|     importmap = "k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/server/options", |     importmap = "k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/server/options", | ||||||
|     importpath = "k8s.io/apiserver/pkg/server/options", |     importpath = "k8s.io/apiserver/pkg/server/options", | ||||||
|     visibility = ["//visibility:public"], |     visibility = ["//visibility:public"], | ||||||
|     deps = [ |     deps = [ | ||||||
|         "//staging/src/k8s.io/api/core/v1:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", |         "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library", |         "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library", | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library", |         "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library", | ||||||
| @@ -72,16 +69,12 @@ go_library( | |||||||
|         "//staging/src/k8s.io/apiserver/pkg/storage/storagebackend/factory:go_default_library", |         "//staging/src/k8s.io/apiserver/pkg/storage/storagebackend/factory:go_default_library", | ||||||
|         "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library", |         "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library", | ||||||
|         "//staging/src/k8s.io/apiserver/pkg/util/flowcontrol:go_default_library", |         "//staging/src/k8s.io/apiserver/pkg/util/flowcontrol:go_default_library", | ||||||
|         "//staging/src/k8s.io/apiserver/pkg/util/webhook:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apiserver/plugin/pkg/audit/buffered:go_default_library", |         "//staging/src/k8s.io/apiserver/plugin/pkg/audit/buffered:go_default_library", | ||||||
|         "//staging/src/k8s.io/apiserver/plugin/pkg/audit/dynamic:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apiserver/plugin/pkg/audit/dynamic/enforced:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apiserver/plugin/pkg/audit/log:go_default_library", |         "//staging/src/k8s.io/apiserver/plugin/pkg/audit/log:go_default_library", | ||||||
|         "//staging/src/k8s.io/apiserver/plugin/pkg/audit/truncate:go_default_library", |         "//staging/src/k8s.io/apiserver/plugin/pkg/audit/truncate:go_default_library", | ||||||
|         "//staging/src/k8s.io/apiserver/plugin/pkg/audit/webhook:go_default_library", |         "//staging/src/k8s.io/apiserver/plugin/pkg/audit/webhook:go_default_library", | ||||||
|         "//staging/src/k8s.io/client-go/informers:go_default_library", |         "//staging/src/k8s.io/client-go/informers:go_default_library", | ||||||
|         "//staging/src/k8s.io/client-go/kubernetes:go_default_library", |         "//staging/src/k8s.io/client-go/kubernetes:go_default_library", | ||||||
|         "//staging/src/k8s.io/client-go/kubernetes/typed/core/v1:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/client-go/rest:go_default_library", |         "//staging/src/k8s.io/client-go/rest:go_default_library", | ||||||
|         "//staging/src/k8s.io/client-go/tools/clientcmd:go_default_library", |         "//staging/src/k8s.io/client-go/tools/clientcmd:go_default_library", | ||||||
|         "//staging/src/k8s.io/client-go/util/cert:go_default_library", |         "//staging/src/k8s.io/client-go/util/cert:go_default_library", | ||||||
| @@ -158,17 +151,12 @@ go_test( | |||||||
|         "//staging/src/k8s.io/apiserver/pkg/apis/audit/v1:go_default_library", |         "//staging/src/k8s.io/apiserver/pkg/apis/audit/v1:go_default_library", | ||||||
|         "//staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory:go_default_library", |         "//staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory:go_default_library", | ||||||
|         "//staging/src/k8s.io/apiserver/pkg/authentication/request/headerrequest:go_default_library", |         "//staging/src/k8s.io/apiserver/pkg/authentication/request/headerrequest:go_default_library", | ||||||
|         "//staging/src/k8s.io/apiserver/pkg/features:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apiserver/pkg/server:go_default_library", |         "//staging/src/k8s.io/apiserver/pkg/server:go_default_library", | ||||||
|         "//staging/src/k8s.io/apiserver/pkg/storage/storagebackend:go_default_library", |         "//staging/src/k8s.io/apiserver/pkg/storage/storagebackend:go_default_library", | ||||||
|         "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/client-go/discovery:go_default_library", |         "//staging/src/k8s.io/client-go/discovery:go_default_library", | ||||||
|         "//staging/src/k8s.io/client-go/informers:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/client-go/kubernetes/fake:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/client-go/rest:go_default_library", |         "//staging/src/k8s.io/client-go/rest:go_default_library", | ||||||
|         "//staging/src/k8s.io/client-go/tools/clientcmd/api/v1:go_default_library", |         "//staging/src/k8s.io/client-go/tools/clientcmd/api/v1:go_default_library", | ||||||
|         "//staging/src/k8s.io/component-base/cli/flag:go_default_library", |         "//staging/src/k8s.io/component-base/cli/flag:go_default_library", | ||||||
|         "//staging/src/k8s.io/component-base/featuregate/testing:go_default_library", |  | ||||||
|         "//vendor/github.com/spf13/pflag:go_default_library", |         "//vendor/github.com/spf13/pflag:go_default_library", | ||||||
|         "//vendor/github.com/stretchr/testify/assert:go_default_library", |         "//vendor/github.com/stretchr/testify/assert:go_default_library", | ||||||
|         "//vendor/github.com/stretchr/testify/require:go_default_library", |         "//vendor/github.com/stretchr/testify/require:go_default_library", | ||||||
|   | |||||||
| @@ -27,7 +27,6 @@ import ( | |||||||
| 	"gopkg.in/natefinch/lumberjack.v2" | 	"gopkg.in/natefinch/lumberjack.v2" | ||||||
| 	"k8s.io/klog/v2" | 	"k8s.io/klog/v2" | ||||||
|  |  | ||||||
| 	corev1 "k8s.io/api/core/v1" |  | ||||||
| 	"k8s.io/apimachinery/pkg/runtime/schema" | 	"k8s.io/apimachinery/pkg/runtime/schema" | ||||||
| 	utilnet "k8s.io/apimachinery/pkg/util/net" | 	utilnet "k8s.io/apimachinery/pkg/util/net" | ||||||
| 	auditinternal "k8s.io/apiserver/pkg/apis/audit" | 	auditinternal "k8s.io/apiserver/pkg/apis/audit" | ||||||
| @@ -36,20 +35,12 @@ import ( | |||||||
| 	auditv1beta1 "k8s.io/apiserver/pkg/apis/audit/v1beta1" | 	auditv1beta1 "k8s.io/apiserver/pkg/apis/audit/v1beta1" | ||||||
| 	"k8s.io/apiserver/pkg/audit" | 	"k8s.io/apiserver/pkg/audit" | ||||||
| 	"k8s.io/apiserver/pkg/audit/policy" | 	"k8s.io/apiserver/pkg/audit/policy" | ||||||
| 	"k8s.io/apiserver/pkg/features" |  | ||||||
| 	"k8s.io/apiserver/pkg/server" | 	"k8s.io/apiserver/pkg/server" | ||||||
| 	"k8s.io/apiserver/pkg/server/egressselector" | 	"k8s.io/apiserver/pkg/server/egressselector" | ||||||
| 	utilfeature "k8s.io/apiserver/pkg/util/feature" |  | ||||||
| 	pluginbuffered "k8s.io/apiserver/plugin/pkg/audit/buffered" | 	pluginbuffered "k8s.io/apiserver/plugin/pkg/audit/buffered" | ||||||
| 	plugindynamic "k8s.io/apiserver/plugin/pkg/audit/dynamic" |  | ||||||
| 	pluginenforced "k8s.io/apiserver/plugin/pkg/audit/dynamic/enforced" |  | ||||||
| 	pluginlog "k8s.io/apiserver/plugin/pkg/audit/log" | 	pluginlog "k8s.io/apiserver/plugin/pkg/audit/log" | ||||||
| 	plugintruncate "k8s.io/apiserver/plugin/pkg/audit/truncate" | 	plugintruncate "k8s.io/apiserver/plugin/pkg/audit/truncate" | ||||||
| 	pluginwebhook "k8s.io/apiserver/plugin/pkg/audit/webhook" | 	pluginwebhook "k8s.io/apiserver/plugin/pkg/audit/webhook" | ||||||
| 	"k8s.io/client-go/informers" |  | ||||||
| 	"k8s.io/client-go/kubernetes" |  | ||||||
| 	v1core "k8s.io/client-go/kubernetes/typed/core/v1" |  | ||||||
| 	restclient "k8s.io/client-go/rest" |  | ||||||
| ) | ) | ||||||
|  |  | ||||||
| const ( | const ( | ||||||
| @@ -80,7 +71,6 @@ type AuditOptions struct { | |||||||
| 	// Plugin options | 	// Plugin options | ||||||
| 	LogOptions     AuditLogOptions | 	LogOptions     AuditLogOptions | ||||||
| 	WebhookOptions AuditWebhookOptions | 	WebhookOptions AuditWebhookOptions | ||||||
| 	DynamicOptions AuditDynamicOptions |  | ||||||
| } | } | ||||||
|  |  | ||||||
| const ( | const ( | ||||||
| @@ -180,10 +170,6 @@ func NewAuditOptions() *AuditOptions { | |||||||
| 			TruncateOptions:    NewAuditTruncateOptions(), | 			TruncateOptions:    NewAuditTruncateOptions(), | ||||||
| 			GroupVersionString: "audit.k8s.io/v1", | 			GroupVersionString: "audit.k8s.io/v1", | ||||||
| 		}, | 		}, | ||||||
| 		DynamicOptions: AuditDynamicOptions{ |  | ||||||
| 			Enabled:     false, |  | ||||||
| 			BatchConfig: plugindynamic.NewDefaultWebhookBatchConfig(), |  | ||||||
| 		}, |  | ||||||
| 	} | 	} | ||||||
| } | } | ||||||
|  |  | ||||||
| @@ -206,7 +192,6 @@ func (o *AuditOptions) Validate() []error { | |||||||
| 	var allErrors []error | 	var allErrors []error | ||||||
| 	allErrors = append(allErrors, o.LogOptions.Validate()...) | 	allErrors = append(allErrors, o.LogOptions.Validate()...) | ||||||
| 	allErrors = append(allErrors, o.WebhookOptions.Validate()...) | 	allErrors = append(allErrors, o.WebhookOptions.Validate()...) | ||||||
| 	allErrors = append(allErrors, o.DynamicOptions.Validate()...) |  | ||||||
|  |  | ||||||
| 	return allErrors | 	return allErrors | ||||||
| } | } | ||||||
| @@ -286,15 +271,10 @@ func (o *AuditOptions) AddFlags(fs *pflag.FlagSet) { | |||||||
| 	o.WebhookOptions.AddFlags(fs) | 	o.WebhookOptions.AddFlags(fs) | ||||||
| 	o.WebhookOptions.BatchOptions.AddFlags(pluginwebhook.PluginName, fs) | 	o.WebhookOptions.BatchOptions.AddFlags(pluginwebhook.PluginName, fs) | ||||||
| 	o.WebhookOptions.TruncateOptions.AddFlags(pluginwebhook.PluginName, fs) | 	o.WebhookOptions.TruncateOptions.AddFlags(pluginwebhook.PluginName, fs) | ||||||
| 	o.DynamicOptions.AddFlags(fs) |  | ||||||
| } | } | ||||||
|  |  | ||||||
| func (o *AuditOptions) ApplyTo( | func (o *AuditOptions) ApplyTo( | ||||||
| 	c *server.Config, | 	c *server.Config, | ||||||
| 	kubeClientConfig *restclient.Config, |  | ||||||
| 	informers informers.SharedInformerFactory, |  | ||||||
| 	processInfo *ProcessInfo, |  | ||||||
| 	webhookOptions *WebhookOptions, |  | ||||||
| ) error { | ) error { | ||||||
| 	if o == nil { | 	if o == nil { | ||||||
| 		return nil | 		return nil | ||||||
| @@ -347,23 +327,7 @@ func (o *AuditOptions) ApplyTo( | |||||||
|  |  | ||||||
| 	// 4. Apply dynamic options. | 	// 4. Apply dynamic options. | ||||||
| 	var dynamicBackend audit.Backend | 	var dynamicBackend audit.Backend | ||||||
| 	if o.DynamicOptions.enabled() { |  | ||||||
| 		// if dynamic is enabled the webhook and log backends need to be wrapped in an enforced backend with the static policy |  | ||||||
| 	if webhookBackend != nil { | 	if webhookBackend != nil { | ||||||
| 			webhookBackend = pluginenforced.NewBackend(webhookBackend, checker) |  | ||||||
| 		} |  | ||||||
| 		if logBackend != nil { |  | ||||||
| 			logBackend = pluginenforced.NewBackend(logBackend, checker) |  | ||||||
| 		} |  | ||||||
| 		// build dynamic backend |  | ||||||
| 		dynamicBackend, checker, err = o.DynamicOptions.newBackend(c.ExternalAddress, kubeClientConfig, informers, processInfo, webhookOptions) |  | ||||||
| 		if err != nil { |  | ||||||
| 			return err |  | ||||||
| 		} |  | ||||||
| 		// union dynamic and webhook backends so that truncate options can be applied to both |  | ||||||
| 		dynamicBackend = appendBackend(webhookBackend, dynamicBackend) |  | ||||||
| 		dynamicBackend = o.WebhookOptions.TruncateOptions.wrapBackend(dynamicBackend, groupVersion) |  | ||||||
| 	} else if webhookBackend != nil { |  | ||||||
| 		// if only webhook is enabled wrap it in the truncate options | 		// if only webhook is enabled wrap it in the truncate options | ||||||
| 		dynamicBackend = o.WebhookOptions.TruncateOptions.wrapBackend(webhookBackend, groupVersion) | 		dynamicBackend = o.WebhookOptions.TruncateOptions.wrapBackend(webhookBackend, groupVersion) | ||||||
| 	} | 	} | ||||||
| @@ -610,66 +574,6 @@ func (o *AuditWebhookOptions) newUntruncatedBackend(customDial utilnet.DialFunc) | |||||||
| 	return webhook, nil | 	return webhook, nil | ||||||
| } | } | ||||||
|  |  | ||||||
| func (o *AuditDynamicOptions) AddFlags(fs *pflag.FlagSet) { |  | ||||||
| 	fs.BoolVar(&o.Enabled, "audit-dynamic-configuration", o.Enabled, |  | ||||||
| 		"Enables dynamic audit configuration. This feature also requires the DynamicAuditing feature flag") |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func (o *AuditDynamicOptions) enabled() bool { |  | ||||||
| 	return o.Enabled && utilfeature.DefaultFeatureGate.Enabled(features.DynamicAuditing) |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func (o *AuditDynamicOptions) Validate() []error { |  | ||||||
| 	var allErrors []error |  | ||||||
| 	if o.Enabled && !utilfeature.DefaultFeatureGate.Enabled(features.DynamicAuditing) { |  | ||||||
| 		allErrors = append(allErrors, fmt.Errorf("--audit-dynamic-configuration set, but DynamicAuditing feature gate is not enabled")) |  | ||||||
| 	} |  | ||||||
| 	return allErrors |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func (o *AuditDynamicOptions) newBackend( |  | ||||||
| 	hostname string, |  | ||||||
| 	kubeClientConfig *restclient.Config, |  | ||||||
| 	informers informers.SharedInformerFactory, |  | ||||||
| 	processInfo *ProcessInfo, |  | ||||||
| 	webhookOptions *WebhookOptions, |  | ||||||
| ) (audit.Backend, policy.Checker, error) { |  | ||||||
| 	if err := validateProcessInfo(processInfo); err != nil { |  | ||||||
| 		return nil, nil, err |  | ||||||
| 	} |  | ||||||
| 	clientset, err := kubernetes.NewForConfig(kubeClientConfig) |  | ||||||
| 	if err != nil { |  | ||||||
| 		return nil, nil, err |  | ||||||
| 	} |  | ||||||
| 	if webhookOptions == nil { |  | ||||||
| 		webhookOptions = NewWebhookOptions() |  | ||||||
| 	} |  | ||||||
| 	checker := policy.NewDynamicChecker() |  | ||||||
| 	informer := informers.Auditregistration().V1alpha1().AuditSinks() |  | ||||||
| 	eventSink := &v1core.EventSinkImpl{Interface: clientset.CoreV1().Events(processInfo.Namespace)} |  | ||||||
|  |  | ||||||
| 	dc := &plugindynamic.Config{ |  | ||||||
| 		Informer:       informer, |  | ||||||
| 		BufferedConfig: o.BatchConfig, |  | ||||||
| 		EventConfig: plugindynamic.EventConfig{ |  | ||||||
| 			Sink: eventSink, |  | ||||||
| 			Source: corev1.EventSource{ |  | ||||||
| 				Component: processInfo.Name, |  | ||||||
| 				Host:      hostname, |  | ||||||
| 			}, |  | ||||||
| 		}, |  | ||||||
| 		WebhookConfig: plugindynamic.WebhookConfig{ |  | ||||||
| 			AuthInfoResolverWrapper: webhookOptions.AuthInfoResolverWrapper, |  | ||||||
| 			ServiceResolver:         webhookOptions.ServiceResolver, |  | ||||||
| 		}, |  | ||||||
| 	} |  | ||||||
| 	backend, err := plugindynamic.NewBackend(dc) |  | ||||||
| 	if err != nil { |  | ||||||
| 		return nil, nil, fmt.Errorf("could not create dynamic audit backend: %v", err) |  | ||||||
| 	} |  | ||||||
| 	return backend, checker, nil |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // defaultWebhookBatchConfig returns the default BatchConfig used by the Webhook backend. | // defaultWebhookBatchConfig returns the default BatchConfig used by the Webhook backend. | ||||||
| func defaultWebhookBatchConfig() pluginbuffered.BatchConfig { | func defaultWebhookBatchConfig() pluginbuffered.BatchConfig { | ||||||
| 	return pluginbuffered.BatchConfig{ | 	return pluginbuffered.BatchConfig{ | ||||||
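Review bot: In the `ApplyTo` hunk at `@@ -347,23 +327,7 @@` the surviving lines still read `// 4. Apply dynamic options.`, assign to `dynamicBackend`, and say `if only webhook is enabled`, although nothing dynamic remains once the `o.DynamicOptions.enabled()` branch is deleted. I would reword the step comment to `// 4. Apply truncate options to the webhook backend.` and the inner one to `// wrap the webhook backend in the truncate options`. Renaming `dynamicBackend` is the natural follow-up, but `ApplyTo`'s body continues outside the hunk, so its later uses are not visible here. Separately, the exported `ApplyTo` loses four parameters and `--audit-dynamic-configuration` is no longer registered in `AddFlags`, so out-of-tree callers and API server invocations that still pass the flag will presumably fail after upgrade; a release note should cover this if the PR does not already carry one.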
|   | |||||||
| @@ -23,20 +23,13 @@ import ( | |||||||
| 	"os" | 	"os" | ||||||
| 	"testing" | 	"testing" | ||||||
|  |  | ||||||
| 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" |  | ||||||
| 	auditv1 "k8s.io/apiserver/pkg/apis/audit/v1" |  | ||||||
| 	"k8s.io/apiserver/pkg/features" |  | ||||||
| 	"k8s.io/apiserver/pkg/server" |  | ||||||
| 	utilfeature "k8s.io/apiserver/pkg/util/feature" |  | ||||||
| 	"k8s.io/client-go/informers" |  | ||||||
| 	"k8s.io/client-go/kubernetes/fake" |  | ||||||
| 	restclient "k8s.io/client-go/rest" |  | ||||||
| 	"k8s.io/client-go/tools/clientcmd/api/v1" |  | ||||||
| 	featuregatetesting "k8s.io/component-base/featuregate/testing" |  | ||||||
|  |  | ||||||
| 	"github.com/spf13/pflag" | 	"github.com/spf13/pflag" | ||||||
| 	"github.com/stretchr/testify/assert" | 	"github.com/stretchr/testify/assert" | ||||||
| 	"github.com/stretchr/testify/require" | 	"github.com/stretchr/testify/require" | ||||||
|  | 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||||||
|  | 	auditv1 "k8s.io/apiserver/pkg/apis/audit/v1" | ||||||
|  | 	"k8s.io/apiserver/pkg/server" | ||||||
|  | 	v1 "k8s.io/client-go/tools/clientcmd/api/v1" | ||||||
| ) | ) | ||||||
|  |  | ||||||
| func TestAuditValidOptions(t *testing.T) { | func TestAuditValidOptions(t *testing.T) { | ||||||
| @@ -46,12 +39,6 @@ func TestAuditValidOptions(t *testing.T) { | |||||||
| 	policy := makeTmpPolicy(t) | 	policy := makeTmpPolicy(t) | ||||||
| 	defer os.Remove(policy) | 	defer os.Remove(policy) | ||||||
|  |  | ||||||
| 	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DynamicAuditing, true)() |  | ||||||
|  |  | ||||||
| 	clientConfig := &restclient.Config{} |  | ||||||
| 	informerFactory := informers.NewSharedInformerFactory(fake.NewSimpleClientset(), 0) |  | ||||||
| 	processInfo := &ProcessInfo{"test", "test"} |  | ||||||
|  |  | ||||||
| 	testCases := []struct { | 	testCases := []struct { | ||||||
| 		name     string | 		name     string | ||||||
| 		options  func() *AuditOptions | 		options  func() *AuditOptions | ||||||
| @@ -135,56 +122,6 @@ func TestAuditValidOptions(t *testing.T) { | |||||||
| 			return o | 			return o | ||||||
| 		}, | 		}, | ||||||
| 		expected: "truncate<buffered<webhook>>", | 		expected: "truncate<buffered<webhook>>", | ||||||
| 	}, { |  | ||||||
| 		name: "dynamic", |  | ||||||
| 		options: func() *AuditOptions { |  | ||||||
| 			o := NewAuditOptions() |  | ||||||
| 			o.DynamicOptions.Enabled = true |  | ||||||
| 			return o |  | ||||||
| 		}, |  | ||||||
| 		expected: "dynamic[]", |  | ||||||
| 	}, { |  | ||||||
| 		name: "dynamic with truncating", |  | ||||||
| 		options: func() *AuditOptions { |  | ||||||
| 			o := NewAuditOptions() |  | ||||||
| 			o.DynamicOptions.Enabled = true |  | ||||||
| 			o.WebhookOptions.TruncateOptions.Enabled = true |  | ||||||
| 			return o |  | ||||||
| 		}, |  | ||||||
| 		expected: "truncate<dynamic[]>", |  | ||||||
| 	}, { |  | ||||||
| 		name: "dynamic with log", |  | ||||||
| 		options: func() *AuditOptions { |  | ||||||
| 			o := NewAuditOptions() |  | ||||||
| 			o.DynamicOptions.Enabled = true |  | ||||||
| 			o.LogOptions.Path = "/audit" |  | ||||||
| 			o.PolicyFile = policy |  | ||||||
| 			return o |  | ||||||
| 		}, |  | ||||||
| 		expected: "union[enforced<ignoreErrors<log>>,dynamic[]]", |  | ||||||
| 	}, { |  | ||||||
| 		name: "dynamic with truncating and webhook", |  | ||||||
| 		options: func() *AuditOptions { |  | ||||||
| 			o := NewAuditOptions() |  | ||||||
| 			o.DynamicOptions.Enabled = true |  | ||||||
| 			o.WebhookOptions.TruncateOptions.Enabled = true |  | ||||||
| 			o.WebhookOptions.ConfigFile = webhookConfig |  | ||||||
| 			o.PolicyFile = policy |  | ||||||
| 			return o |  | ||||||
| 		}, |  | ||||||
| 		expected: "truncate<union[enforced<buffered<webhook>>,dynamic[]]>", |  | ||||||
| 	}, { |  | ||||||
| 		name: "dynamic with truncating and webhook and log", |  | ||||||
| 		options: func() *AuditOptions { |  | ||||||
| 			o := NewAuditOptions() |  | ||||||
| 			o.DynamicOptions.Enabled = true |  | ||||||
| 			o.WebhookOptions.TruncateOptions.Enabled = true |  | ||||||
| 			o.WebhookOptions.ConfigFile = webhookConfig |  | ||||||
| 			o.PolicyFile = policy |  | ||||||
| 			o.LogOptions.Path = "/audit" |  | ||||||
| 			return o |  | ||||||
| 		}, |  | ||||||
| 		expected: "union[enforced<ignoreErrors<log>>,truncate<union[enforced<buffered<webhook>>,dynamic[]]>]", |  | ||||||
| 	}, | 	}, | ||||||
| 	} | 	} | ||||||
| 	for _, tc := range testCases { | 	for _, tc := range testCases { | ||||||
| @@ -200,7 +137,7 @@ func TestAuditValidOptions(t *testing.T) { | |||||||
|  |  | ||||||
| 			assert.Empty(t, options.Validate(), "Options should be valid.") | 			assert.Empty(t, options.Validate(), "Options should be valid.") | ||||||
| 			config := &server.Config{} | 			config := &server.Config{} | ||||||
| 			require.NoError(t, options.ApplyTo(config, clientConfig, informerFactory, processInfo, nil)) | 			require.NoError(t, options.ApplyTo(config)) | ||||||
| 			if tc.expected == "" { | 			if tc.expected == "" { | ||||||
| 				assert.Nil(t, config.AuditBackend) | 				assert.Nil(t, config.AuditBackend) | ||||||
| 			} else { | 			} else { | ||||||
| @@ -275,13 +212,6 @@ func TestAuditInvalidOptions(t *testing.T) { | |||||||
| 			o.WebhookOptions.TruncateOptions.TruncateConfig.MaxBatchSize = 1 | 			o.WebhookOptions.TruncateOptions.TruncateConfig.MaxBatchSize = 1 | ||||||
| 			return o | 			return o | ||||||
| 		}, | 		}, | ||||||
| 	}, { |  | ||||||
| 		name: "invalid dynamic flag group", |  | ||||||
| 		options: func() *AuditOptions { |  | ||||||
| 			o := NewAuditOptions() |  | ||||||
| 			o.DynamicOptions.Enabled = true |  | ||||||
| 			return o |  | ||||||
| 		}, |  | ||||||
| 	}, | 	}, | ||||||
| 	} | 	} | ||||||
| 	for _, tc := range testCases { | 	for _, tc := range testCases { | ||||||
|   | |||||||
| @@ -1,56 +0,0 @@ | |||||||
| /* |  | ||||||
| Copyright 2018 The Kubernetes Authors. |  | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| you may not use this file except in compliance with the License. |  | ||||||
| You may obtain a copy of the License at |  | ||||||
|  |  | ||||||
|     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
|  |  | ||||||
| Unless required by applicable law or agreed to in writing, software |  | ||||||
| distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| See the License for the specific language governing permissions and |  | ||||||
| limitations under the License. |  | ||||||
| */ |  | ||||||
|  |  | ||||||
| package options |  | ||||||
|  |  | ||||||
| import ( |  | ||||||
| 	"fmt" |  | ||||||
| 	"os" |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| // ProcessInfo holds the apiserver process information used to send events |  | ||||||
| type ProcessInfo struct { |  | ||||||
| 	// Name of the api process to identify events |  | ||||||
| 	Name string |  | ||||||
|  |  | ||||||
| 	// Namespace of the api process to send events |  | ||||||
| 	Namespace string |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // NewProcessInfo returns a new process info with the hostname concatenated to the name given |  | ||||||
| func NewProcessInfo(name, namespace string) *ProcessInfo { |  | ||||||
| 	// try to concat the hostname if available |  | ||||||
| 	host, _ := os.Hostname() |  | ||||||
| 	if host != "" { |  | ||||||
| 		name = fmt.Sprintf("%s-%s", name, host) |  | ||||||
| 	} |  | ||||||
| 	return &ProcessInfo{ |  | ||||||
| 		Name:      name, |  | ||||||
| 		Namespace: namespace, |  | ||||||
| 	} |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // validateProcessInfo checks for a complete process info |  | ||||||
| func validateProcessInfo(p *ProcessInfo) error { |  | ||||||
| 	if p == nil { |  | ||||||
| 		return fmt.Errorf("ProcessInfo must be set") |  | ||||||
| 	} else if p.Name == "" { |  | ||||||
| 		return fmt.Errorf("ProcessInfo name must be set") |  | ||||||
| 	} else if p.Namespace == "" { |  | ||||||
| 		return fmt.Errorf("ProcessInfo namespace must be set") |  | ||||||
| 	} |  | ||||||
| 	return nil |  | ||||||
| } |  | ||||||
| @@ -48,14 +48,11 @@ type RecommendedOptions struct { | |||||||
| 	// admission plugin initializers to Admission.ApplyTo. | 	// admission plugin initializers to Admission.ApplyTo. | ||||||
| 	ExtraAdmissionInitializers func(c *server.RecommendedConfig) ([]admission.PluginInitializer, error) | 	ExtraAdmissionInitializers func(c *server.RecommendedConfig) ([]admission.PluginInitializer, error) | ||||||
| 	Admission                  *AdmissionOptions | 	Admission                  *AdmissionOptions | ||||||
| 	// ProcessInfo is used to identify events created by the server. |  | ||||||
| 	ProcessInfo *ProcessInfo |  | ||||||
| 	Webhook     *WebhookOptions |  | ||||||
| 	// API Server Egress Selector is used to control outbound traffic from the API Server | 	// API Server Egress Selector is used to control outbound traffic from the API Server | ||||||
| 	EgressSelector *EgressSelectorOptions | 	EgressSelector *EgressSelectorOptions | ||||||
| } | } | ||||||
|  |  | ||||||
| func NewRecommendedOptions(prefix string, codec runtime.Codec, processInfo *ProcessInfo) *RecommendedOptions { | func NewRecommendedOptions(prefix string, codec runtime.Codec) *RecommendedOptions { | ||||||
| 	sso := NewSecureServingOptions() | 	sso := NewSecureServingOptions() | ||||||
|  |  | ||||||
| 	// We are composing recommended options for an aggregated api-server, | 	// We are composing recommended options for an aggregated api-server, | ||||||
| @@ -78,8 +75,6 @@ func NewRecommendedOptions(prefix string, codec runtime.Codec, processInfo *Proc | |||||||
| 		FeatureGate:                feature.DefaultFeatureGate, | 		FeatureGate:                feature.DefaultFeatureGate, | ||||||
| 		ExtraAdmissionInitializers: func(c *server.RecommendedConfig) ([]admission.PluginInitializer, error) { return nil, nil }, | 		ExtraAdmissionInitializers: func(c *server.RecommendedConfig) ([]admission.PluginInitializer, error) { return nil, nil }, | ||||||
| 		Admission:                  NewAdmissionOptions(), | 		Admission:                  NewAdmissionOptions(), | ||||||
| 		ProcessInfo:                processInfo, |  | ||||||
| 		Webhook:                    NewWebhookOptions(), |  | ||||||
| 		EgressSelector:             NewEgressSelectorOptions(), | 		EgressSelector:             NewEgressSelectorOptions(), | ||||||
| 	} | 	} | ||||||
| } | } | ||||||
| @@ -111,7 +106,7 @@ func (o *RecommendedOptions) ApplyTo(config *server.RecommendedConfig) error { | |||||||
| 	if err := o.Authorization.ApplyTo(&config.Config.Authorization); err != nil { | 	if err := o.Authorization.ApplyTo(&config.Config.Authorization); err != nil { | ||||||
| 		return err | 		return err | ||||||
| 	} | 	} | ||||||
| 	if err := o.Audit.ApplyTo(&config.Config, config.ClientConfig, config.SharedInformerFactory, o.ProcessInfo, o.Webhook); err != nil { | 	if err := o.Audit.ApplyTo(&config.Config); err != nil { | ||||||
| 		return err | 		return err | ||||||
| 	} | 	} | ||||||
| 	if err := o.Features.ApplyTo(&config.Config); err != nil { | 	if err := o.Features.ApplyTo(&config.Config); err != nil { | ||||||
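Review bot: `NewRecommendedOptions` drops its `processInfo` parameter and `RecommendedOptions` drops the exported `ProcessInfo` and `Webhook` fields, so any out-of-tree aggregated API server that calls this constructor or sets those fields stops compiling, and nothing in these hunks documents the break. The constructor also has no doc comment; I would add `// NewRecommendedOptions returns the recommended options for an aggregated API server; audit backends are wired from the static audit options only.` above it. The second half of that comment is inferred from `o.Audit.ApplyTo(&config.Config)` no longer receiving a client config or informer factory, so servers that relied on AuditSink objects for audit delivery presumably need a statically configured log or webhook backend after this change, which is worth stating in the release note. The bodies of `NewRecommendedOptions` and `ApplyTo` continue outside the hunks.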
|   | |||||||
| @@ -1,34 +0,0 @@ | |||||||
| /* |  | ||||||
| Copyright 2018 The Kubernetes Authors. |  | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| you may not use this file except in compliance with the License. |  | ||||||
| You may obtain a copy of the License at |  | ||||||
|  |  | ||||||
|     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
|  |  | ||||||
| Unless required by applicable law or agreed to in writing, software |  | ||||||
| distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| See the License for the specific language governing permissions and |  | ||||||
| limitations under the License. |  | ||||||
| */ |  | ||||||
|  |  | ||||||
| package options |  | ||||||
|  |  | ||||||
| import ( |  | ||||||
| 	utilwebhook "k8s.io/apiserver/pkg/util/webhook" |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| // WebhookOptions holds the outgoing webhook options |  | ||||||
| type WebhookOptions struct { |  | ||||||
| 	ServiceResolver         utilwebhook.ServiceResolver |  | ||||||
| 	AuthInfoResolverWrapper utilwebhook.AuthenticationInfoResolverWrapper |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // NewWebhookOptions returns the default options for outgoing webhooks |  | ||||||
| func NewWebhookOptions() *WebhookOptions { |  | ||||||
| 	return &WebhookOptions{ |  | ||||||
| 		ServiceResolver: utilwebhook.NewDefaultServiceResolver(), |  | ||||||
| 	} |  | ||||||
| } |  | ||||||
| @@ -24,7 +24,6 @@ filegroup( | |||||||
|     srcs = [ |     srcs = [ | ||||||
|         ":package-srcs", |         ":package-srcs", | ||||||
|         "//staging/src/k8s.io/apiserver/plugin/pkg/audit/buffered:all-srcs", |         "//staging/src/k8s.io/apiserver/plugin/pkg/audit/buffered:all-srcs", | ||||||
|         "//staging/src/k8s.io/apiserver/plugin/pkg/audit/dynamic:all-srcs", |  | ||||||
|         "//staging/src/k8s.io/apiserver/plugin/pkg/audit/fake:all-srcs", |         "//staging/src/k8s.io/apiserver/plugin/pkg/audit/fake:all-srcs", | ||||||
|         "//staging/src/k8s.io/apiserver/plugin/pkg/audit/log:all-srcs", |         "//staging/src/k8s.io/apiserver/plugin/pkg/audit/log:all-srcs", | ||||||
|         "//staging/src/k8s.io/apiserver/plugin/pkg/audit/truncate:all-srcs", |         "//staging/src/k8s.io/apiserver/plugin/pkg/audit/truncate:all-srcs", | ||||||
|   | |||||||
| @@ -1,76 +0,0 @@ | |||||||
| load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test") |  | ||||||
|  |  | ||||||
| go_library( |  | ||||||
|     name = "go_default_library", |  | ||||||
|     srcs = [ |  | ||||||
|         "defaults.go", |  | ||||||
|         "dynamic.go", |  | ||||||
|         "factory.go", |  | ||||||
|     ], |  | ||||||
|     importmap = "k8s.io/kubernetes/vendor/k8s.io/apiserver/plugin/pkg/audit/dynamic", |  | ||||||
|     importpath = "k8s.io/apiserver/plugin/pkg/audit/dynamic", |  | ||||||
|     visibility = ["//visibility:public"], |  | ||||||
|     deps = [ |  | ||||||
|         "//staging/src/k8s.io/api/auditregistration/v1alpha1:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/api/core/v1:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/types:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apiserver/pkg/apis/audit:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apiserver/pkg/apis/audit/install:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apiserver/pkg/apis/audit/v1:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apiserver/pkg/audit:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apiserver/pkg/audit/policy:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apiserver/pkg/audit/util:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apiserver/pkg/util/webhook:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apiserver/plugin/pkg/audit/buffered:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apiserver/plugin/pkg/audit/dynamic/enforced:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apiserver/plugin/pkg/audit/webhook:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/client-go/informers/auditregistration/v1alpha1:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/client-go/tools/cache:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/client-go/tools/record:go_default_library", |  | ||||||
|         "//vendor/k8s.io/klog/v2:go_default_library", |  | ||||||
|     ], |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| go_test( |  | ||||||
|     name = "go_default_test", |  | ||||||
|     srcs = [ |  | ||||||
|         "dynamic_test.go", |  | ||||||
|         "factory_test.go", |  | ||||||
|     ], |  | ||||||
|     embed = [":go_default_library"], |  | ||||||
|     deps = [ |  | ||||||
|         "//staging/src/k8s.io/api/auditregistration/v1alpha1:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/types:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/util/wait:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apiserver/pkg/apis/audit:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apiserver/pkg/apis/audit/v1:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apiserver/pkg/audit:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apiserver/pkg/util/webhook:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/client-go/informers:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/client-go/kubernetes/fake:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/client-go/kubernetes/typed/core/v1:go_default_library", |  | ||||||
|         "//vendor/github.com/stretchr/testify/require:go_default_library", |  | ||||||
|         "//vendor/k8s.io/utils/pointer:go_default_library", |  | ||||||
|     ], |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| filegroup( |  | ||||||
|     name = "package-srcs", |  | ||||||
|     srcs = glob(["**"]), |  | ||||||
|     tags = ["automanaged"], |  | ||||||
|     visibility = ["//visibility:private"], |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| filegroup( |  | ||||||
|     name = "all-srcs", |  | ||||||
|     srcs = [ |  | ||||||
|         ":package-srcs", |  | ||||||
|         "//staging/src/k8s.io/apiserver/plugin/pkg/audit/dynamic/enforced:all-srcs", |  | ||||||
|     ], |  | ||||||
|     tags = ["automanaged"], |  | ||||||
|     visibility = ["//visibility:public"], |  | ||||||
| ) |  | ||||||
| @@ -1,46 +0,0 @@ | |||||||
| /* |  | ||||||
| Copyright 2018 The Kubernetes Authors. |  | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| you may not use this file except in compliance with the License. |  | ||||||
| You may obtain a copy of the License at |  | ||||||
|  |  | ||||||
|     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
|  |  | ||||||
| Unless required by applicable law or agreed to in writing, software |  | ||||||
| distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| See the License for the specific language governing permissions and |  | ||||||
| limitations under the License. |  | ||||||
| */ |  | ||||||
|  |  | ||||||
| package dynamic |  | ||||||
|  |  | ||||||
| import ( |  | ||||||
| 	"time" |  | ||||||
|  |  | ||||||
| 	bufferedplugin "k8s.io/apiserver/plugin/pkg/audit/buffered" |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| const ( |  | ||||||
| 	// Default configuration values for ModeBatch when applied to a dynamic plugin |  | ||||||
| 	defaultBatchBufferSize    = 5000             // Buffer up to 5000 events before starting discarding. |  | ||||||
| 	defaultBatchMaxSize       = 400              // Only send up to 400 events at a time. |  | ||||||
| 	defaultBatchMaxWait       = 30 * time.Second // Send events at least twice a minute. |  | ||||||
| 	defaultBatchThrottleQPS   = 10               // Limit the send rate by 10 QPS. |  | ||||||
| 	defaultBatchThrottleBurst = 15               // Allow up to 15 QPS burst. |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| // NewDefaultWebhookBatchConfig returns new Batch Config objects populated by default values |  | ||||||
| // for dynamic webhooks |  | ||||||
| func NewDefaultWebhookBatchConfig() *bufferedplugin.BatchConfig { |  | ||||||
| 	return &bufferedplugin.BatchConfig{ |  | ||||||
| 		BufferSize:     defaultBatchBufferSize, |  | ||||||
| 		MaxBatchSize:   defaultBatchMaxSize, |  | ||||||
| 		MaxBatchWait:   defaultBatchMaxWait, |  | ||||||
| 		ThrottleEnable: true, |  | ||||||
| 		ThrottleQPS:    defaultBatchThrottleQPS, |  | ||||||
| 		ThrottleBurst:  defaultBatchThrottleBurst, |  | ||||||
| 		AsyncDelegate:  true, |  | ||||||
| 	} |  | ||||||
| } |  | ||||||
| @@ -1,365 +0,0 @@ | |||||||
| /* |  | ||||||
| Copyright 2018 The Kubernetes Authors. |  | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| you may not use this file except in compliance with the License. |  | ||||||
| You may obtain a copy of the License at |  | ||||||
|  |  | ||||||
|     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
|  |  | ||||||
| Unless required by applicable law or agreed to in writing, software |  | ||||||
| distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| See the License for the specific language governing permissions and |  | ||||||
| limitations under the License. |  | ||||||
| */ |  | ||||||
|  |  | ||||||
| package dynamic |  | ||||||
|  |  | ||||||
| import ( |  | ||||||
| 	"fmt" |  | ||||||
| 	"reflect" |  | ||||||
| 	"strings" |  | ||||||
| 	"sync" |  | ||||||
| 	"sync/atomic" |  | ||||||
|  |  | ||||||
| 	"k8s.io/klog/v2" |  | ||||||
|  |  | ||||||
| 	auditregv1alpha1 "k8s.io/api/auditregistration/v1alpha1" |  | ||||||
| 	corev1 "k8s.io/api/core/v1" |  | ||||||
| 	"k8s.io/apimachinery/pkg/runtime" |  | ||||||
| 	"k8s.io/apimachinery/pkg/runtime/schema" |  | ||||||
| 	"k8s.io/apimachinery/pkg/types" |  | ||||||
| 	auditinternal "k8s.io/apiserver/pkg/apis/audit" |  | ||||||
| 	auditinstall "k8s.io/apiserver/pkg/apis/audit/install" |  | ||||||
| 	auditv1 "k8s.io/apiserver/pkg/apis/audit/v1" |  | ||||||
| 	"k8s.io/apiserver/pkg/audit" |  | ||||||
| 	webhook "k8s.io/apiserver/pkg/util/webhook" |  | ||||||
| 	bufferedplugin "k8s.io/apiserver/plugin/pkg/audit/buffered" |  | ||||||
| 	auditinformer "k8s.io/client-go/informers/auditregistration/v1alpha1" |  | ||||||
| 	"k8s.io/client-go/tools/cache" |  | ||||||
| 	"k8s.io/client-go/tools/record" |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| // PluginName is the name reported in error metrics. |  | ||||||
| const PluginName = "dynamic" |  | ||||||
|  |  | ||||||
| // Config holds the configuration for the dynamic backend |  | ||||||
| type Config struct { |  | ||||||
| 	// Informer for the audit sinks |  | ||||||
| 	Informer auditinformer.AuditSinkInformer |  | ||||||
| 	// EventConfig holds the configuration for event notifications about the AuditSink API objects |  | ||||||
| 	EventConfig EventConfig |  | ||||||
| 	// BufferedConfig is the runtime buffered configuration |  | ||||||
| 	BufferedConfig *bufferedplugin.BatchConfig |  | ||||||
| 	// WebhookConfig holds the configuration for outgoing webhooks |  | ||||||
| 	WebhookConfig WebhookConfig |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // WebhookConfig holds the configurations for outgoing webhooks |  | ||||||
| type WebhookConfig struct { |  | ||||||
| 	// AuthInfoResolverWrapper provides the webhook authentication for in-cluster endpoints |  | ||||||
| 	AuthInfoResolverWrapper webhook.AuthenticationInfoResolverWrapper |  | ||||||
| 	// ServiceResolver knows how to convert a webhook service reference into an actual location. |  | ||||||
| 	ServiceResolver webhook.ServiceResolver |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // EventConfig holds the configurations for sending event notifiations about AuditSink API objects |  | ||||||
| type EventConfig struct { |  | ||||||
| 	// Sink for emitting events |  | ||||||
| 	Sink record.EventSink |  | ||||||
| 	// Source holds the source information about the event emitter |  | ||||||
| 	Source corev1.EventSource |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // delegate represents a delegate backend that was created from an audit sink configuration |  | ||||||
| type delegate struct { |  | ||||||
| 	audit.Backend |  | ||||||
| 	configuration *auditregv1alpha1.AuditSink |  | ||||||
| 	stopChan      chan struct{} |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // gracefulShutdown will gracefully shutdown the delegate |  | ||||||
| func (d *delegate) gracefulShutdown() { |  | ||||||
| 	close(d.stopChan) |  | ||||||
| 	d.Shutdown() |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // NewBackend returns a backend that dynamically updates its configuration |  | ||||||
| // based on a shared informer. |  | ||||||
| func NewBackend(c *Config) (audit.Backend, error) { |  | ||||||
| 	eventBroadcaster := record.NewBroadcaster() |  | ||||||
| 	eventBroadcaster.StartLogging(klog.Infof) |  | ||||||
| 	eventBroadcaster.StartRecordingToSink(c.EventConfig.Sink) |  | ||||||
|  |  | ||||||
| 	scheme := runtime.NewScheme() |  | ||||||
| 	err := auditregv1alpha1.AddToScheme(scheme) |  | ||||||
| 	if err != nil { |  | ||||||
| 		return nil, err |  | ||||||
| 	} |  | ||||||
| 	recorder := eventBroadcaster.NewRecorder(scheme, c.EventConfig.Source) |  | ||||||
|  |  | ||||||
| 	if c.BufferedConfig == nil { |  | ||||||
| 		c.BufferedConfig = NewDefaultWebhookBatchConfig() |  | ||||||
| 	} |  | ||||||
| 	cm, err := webhook.NewClientManager([]schema.GroupVersion{auditv1.SchemeGroupVersion}, func(s *runtime.Scheme) error { |  | ||||||
| 		auditinstall.Install(s) |  | ||||||
| 		return nil |  | ||||||
| 	}) |  | ||||||
| 	if err != nil { |  | ||||||
| 		return nil, err |  | ||||||
| 	} |  | ||||||
|  |  | ||||||
| 	// TODO: need a way of injecting authentication before beta |  | ||||||
| 	authInfoResolver, err := webhook.NewDefaultAuthenticationInfoResolver("") |  | ||||||
| 	if err != nil { |  | ||||||
| 		return nil, err |  | ||||||
| 	} |  | ||||||
| 	cm.SetAuthenticationInfoResolver(authInfoResolver) |  | ||||||
| 	cm.SetServiceResolver(c.WebhookConfig.ServiceResolver) |  | ||||||
| 	cm.SetAuthenticationInfoResolverWrapper(c.WebhookConfig.AuthInfoResolverWrapper) |  | ||||||
|  |  | ||||||
| 	manager := &backend{ |  | ||||||
| 		config:               c, |  | ||||||
| 		delegates:            atomic.Value{}, |  | ||||||
| 		delegateUpdateMutex:  sync.Mutex{}, |  | ||||||
| 		stopped:              false, |  | ||||||
| 		webhookClientManager: cm, |  | ||||||
| 		recorder:             recorder, |  | ||||||
| 	} |  | ||||||
| 	manager.delegates.Store(syncedDelegates{}) |  | ||||||
|  |  | ||||||
| 	c.Informer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{ |  | ||||||
| 		AddFunc: func(obj interface{}) { |  | ||||||
| 			manager.addSink(obj.(*auditregv1alpha1.AuditSink)) |  | ||||||
| 		}, |  | ||||||
| 		UpdateFunc: func(oldObj, newObj interface{}) { |  | ||||||
| 			manager.updateSink(oldObj.(*auditregv1alpha1.AuditSink), newObj.(*auditregv1alpha1.AuditSink)) |  | ||||||
| 		}, |  | ||||||
| 		DeleteFunc: func(obj interface{}) { |  | ||||||
| 			sink, ok := obj.(*auditregv1alpha1.AuditSink) |  | ||||||
| 			if !ok { |  | ||||||
| 				tombstone, ok := obj.(cache.DeletedFinalStateUnknown) |  | ||||||
| 				if !ok { |  | ||||||
| 					klog.V(2).Infof("Couldn't get object from tombstone %#v", obj) |  | ||||||
| 					return |  | ||||||
| 				} |  | ||||||
| 				sink, ok = tombstone.Obj.(*auditregv1alpha1.AuditSink) |  | ||||||
| 				if !ok { |  | ||||||
| 					klog.V(2).Infof("Tombstone contained object that is not an AuditSink: %#v", obj) |  | ||||||
| 					return |  | ||||||
| 				} |  | ||||||
| 			} |  | ||||||
| 			manager.deleteSink(sink) |  | ||||||
| 		}, |  | ||||||
| 	}) |  | ||||||
|  |  | ||||||
| 	return manager, nil |  | ||||||
| } |  | ||||||
|  |  | ||||||
| type backend struct { |  | ||||||
| 	// delegateUpdateMutex holds an update lock on the delegates |  | ||||||
| 	delegateUpdateMutex  sync.Mutex |  | ||||||
| 	stopped              bool |  | ||||||
| 	config               *Config |  | ||||||
| 	delegates            atomic.Value |  | ||||||
| 	webhookClientManager webhook.ClientManager |  | ||||||
| 	recorder             record.EventRecorder |  | ||||||
| } |  | ||||||
|  |  | ||||||
| type syncedDelegates map[types.UID]*delegate |  | ||||||
|  |  | ||||||
| // Names returns the names of the delegate configurations |  | ||||||
| func (s syncedDelegates) Names() []string { |  | ||||||
| 	names := []string{} |  | ||||||
| 	for _, delegate := range s { |  | ||||||
| 		names = append(names, delegate.configuration.Name) |  | ||||||
| 	} |  | ||||||
| 	return names |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // ProcessEvents proccesses the given events per current delegate map |  | ||||||
| func (b *backend) ProcessEvents(events ...*auditinternal.Event) bool { |  | ||||||
| 	for _, d := range b.GetDelegates() { |  | ||||||
| 		d.ProcessEvents(events...) |  | ||||||
| 	} |  | ||||||
| 	// Returning true regardless of results, since dynamic audit backends |  | ||||||
| 	// can never cause apiserver request to fail. |  | ||||||
| 	return true |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Run starts a goroutine that propagates the shutdown signal, |  | ||||||
| // individual delegates are ran as they are created. |  | ||||||
| func (b *backend) Run(stopCh <-chan struct{}) error { |  | ||||||
| 	go func() { |  | ||||||
| 		<-stopCh |  | ||||||
| 		b.stopAllDelegates() |  | ||||||
| 	}() |  | ||||||
| 	return nil |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // stopAllDelegates closes the stopChan for every delegate to enable |  | ||||||
| // goroutines to terminate gracefully. This is a helper method to propagate |  | ||||||
| // the primary stopChan to the current delegate map. |  | ||||||
| func (b *backend) stopAllDelegates() { |  | ||||||
| 	b.delegateUpdateMutex.Lock() |  | ||||||
| 	defer b.delegateUpdateMutex.Unlock() |  | ||||||
| 	if b.stopped { |  | ||||||
| 		return |  | ||||||
| 	} |  | ||||||
| 	b.stopped = true |  | ||||||
| 	for _, d := range b.GetDelegates() { |  | ||||||
| 		close(d.stopChan) |  | ||||||
| 	} |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Shutdown calls the shutdown method on all delegates. The stopChan should |  | ||||||
| // be closed before this is called. |  | ||||||
| func (b *backend) Shutdown() { |  | ||||||
| 	for _, d := range b.GetDelegates() { |  | ||||||
| 		d.Shutdown() |  | ||||||
| 	} |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // GetDelegates retrieves current delegates in a safe manner |  | ||||||
| func (b *backend) GetDelegates() syncedDelegates { |  | ||||||
| 	return b.delegates.Load().(syncedDelegates) |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // copyDelegates returns a copied delegate map |  | ||||||
| func (b *backend) copyDelegates() syncedDelegates { |  | ||||||
| 	c := make(syncedDelegates) |  | ||||||
| 	for u, s := range b.GetDelegates() { |  | ||||||
| 		c[u] = s |  | ||||||
| 	} |  | ||||||
| 	return c |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // setDelegates sets the current delegates in a safe manner |  | ||||||
| func (b *backend) setDelegates(delegates syncedDelegates) { |  | ||||||
| 	b.delegates.Store(delegates) |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // addSink is called by the shared informer when a sink is added |  | ||||||
| func (b *backend) addSink(sink *auditregv1alpha1.AuditSink) { |  | ||||||
| 	b.delegateUpdateMutex.Lock() |  | ||||||
| 	defer b.delegateUpdateMutex.Unlock() |  | ||||||
| 	if b.stopped { |  | ||||||
| 		msg := fmt.Sprintf("Could not add audit sink %q uid: %s. Update to all delegates is stopped.", sink.Name, sink.UID) |  | ||||||
| 		klog.Error(msg) |  | ||||||
| 		return |  | ||||||
| 	} |  | ||||||
| 	delegates := b.copyDelegates() |  | ||||||
| 	if _, ok := delegates[sink.UID]; ok { |  | ||||||
| 		klog.Errorf("Audit sink %q uid: %s already exists, could not readd", sink.Name, sink.UID) |  | ||||||
| 		return |  | ||||||
| 	} |  | ||||||
| 	d, err := b.createAndStartDelegate(sink) |  | ||||||
| 	if err != nil { |  | ||||||
| 		msg := fmt.Sprintf("Could not add audit sink %q: %v", sink.Name, err) |  | ||||||
| 		klog.Error(msg) |  | ||||||
| 		b.recorder.Event(sink, corev1.EventTypeWarning, "CreateFailed", msg) |  | ||||||
| 		return |  | ||||||
| 	} |  | ||||||
| 	delegates[sink.UID] = d |  | ||||||
| 	b.setDelegates(delegates) |  | ||||||
| 	klog.V(2).Infof("Added audit sink: %s", sink.Name) |  | ||||||
| 	klog.V(2).Infof("Current audit sinks: %v", delegates.Names()) |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // updateSink is called by the shared informer when a sink is updated. |  | ||||||
| // The new sink is only rebuilt on spec changes. The new sink must not have |  | ||||||
| // the same uid as the previous. The new sink will be started before the old |  | ||||||
| // one is shutdown so no events will be lost |  | ||||||
| func (b *backend) updateSink(oldSink, newSink *auditregv1alpha1.AuditSink) { |  | ||||||
| 	b.delegateUpdateMutex.Lock() |  | ||||||
| 	defer b.delegateUpdateMutex.Unlock() |  | ||||||
| 	if b.stopped { |  | ||||||
| 		msg := fmt.Sprintf("Could not update old audit sink %q to new audit sink %q. Update to all delegates is stopped.", oldSink.Name, newSink.Name) |  | ||||||
| 		klog.Error(msg) |  | ||||||
| 		return |  | ||||||
| 	} |  | ||||||
| 	delegates := b.copyDelegates() |  | ||||||
| 	oldDelegate, ok := delegates[oldSink.UID] |  | ||||||
| 	if !ok { |  | ||||||
| 		klog.Errorf("Could not update audit sink %q uid: %s, old sink does not exist", |  | ||||||
| 			oldSink.Name, oldSink.UID) |  | ||||||
| 		return |  | ||||||
| 	} |  | ||||||
|  |  | ||||||
| 	// check if spec has changed |  | ||||||
| 	eq := reflect.DeepEqual(oldSink.Spec, newSink.Spec) |  | ||||||
| 	if eq { |  | ||||||
| 		delete(delegates, oldSink.UID) |  | ||||||
| 		delegates[newSink.UID] = oldDelegate |  | ||||||
| 		b.setDelegates(delegates) |  | ||||||
| 	} else { |  | ||||||
| 		d, err := b.createAndStartDelegate(newSink) |  | ||||||
| 		if err != nil { |  | ||||||
| 			msg := fmt.Sprintf("Could not update audit sink %q: %v", oldSink.Name, err) |  | ||||||
| 			klog.Error(msg) |  | ||||||
| 			b.recorder.Event(newSink, corev1.EventTypeWarning, "UpdateFailed", msg) |  | ||||||
| 			return |  | ||||||
| 		} |  | ||||||
| 		delete(delegates, oldSink.UID) |  | ||||||
| 		delegates[newSink.UID] = d |  | ||||||
| 		b.setDelegates(delegates) |  | ||||||
|  |  | ||||||
| 		// graceful shutdown in goroutine as to not block |  | ||||||
| 		go oldDelegate.gracefulShutdown() |  | ||||||
| 	} |  | ||||||
|  |  | ||||||
| 	klog.V(2).Infof("Updated audit sink: %s", newSink.Name) |  | ||||||
| 	klog.V(2).Infof("Current audit sinks: %v", delegates.Names()) |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // deleteSink is called by the shared informer when a sink is deleted |  | ||||||
| func (b *backend) deleteSink(sink *auditregv1alpha1.AuditSink) { |  | ||||||
| 	b.delegateUpdateMutex.Lock() |  | ||||||
| 	defer b.delegateUpdateMutex.Unlock() |  | ||||||
| 	if b.stopped { |  | ||||||
| 		msg := fmt.Sprintf("Could not delete audit sink %q uid: %s. Update to all delegates is stopped.", sink.Name, sink.UID) |  | ||||||
| 		klog.Warning(msg) |  | ||||||
| 		return |  | ||||||
| 	} |  | ||||||
| 	delegates := b.copyDelegates() |  | ||||||
| 	delegate, ok := delegates[sink.UID] |  | ||||||
| 	if !ok { |  | ||||||
| 		klog.Errorf("Could not delete audit sink %q uid: %s, does not exist", sink.Name, sink.UID) |  | ||||||
| 		return |  | ||||||
| 	} |  | ||||||
| 	delete(delegates, sink.UID) |  | ||||||
| 	b.setDelegates(delegates) |  | ||||||
|  |  | ||||||
| 	// graceful shutdown in goroutine as to not block |  | ||||||
| 	go delegate.gracefulShutdown() |  | ||||||
| 	klog.V(2).Infof("Deleted audit sink: %s", sink.Name) |  | ||||||
| 	klog.V(2).Infof("Current audit sinks: %v", delegates.Names()) |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // createAndStartDelegate will build a delegate from an audit sink configuration and run it |  | ||||||
| func (b *backend) createAndStartDelegate(sink *auditregv1alpha1.AuditSink) (*delegate, error) { |  | ||||||
| 	f := factory{ |  | ||||||
| 		config:               b.config, |  | ||||||
| 		webhookClientManager: b.webhookClientManager, |  | ||||||
| 		sink:                 sink, |  | ||||||
| 	} |  | ||||||
| 	delegate, err := f.BuildDelegate() |  | ||||||
| 	if err != nil { |  | ||||||
| 		return nil, err |  | ||||||
| 	} |  | ||||||
| 	err = delegate.Run(delegate.stopChan) |  | ||||||
| 	if err != nil { |  | ||||||
| 		return nil, err |  | ||||||
| 	} |  | ||||||
| 	return delegate, nil |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // String returns a string representation of the backend |  | ||||||
| func (b *backend) String() string { |  | ||||||
| 	var delegateStrings []string |  | ||||||
| 	for _, delegate := range b.GetDelegates() { |  | ||||||
| 		delegateStrings = append(delegateStrings, fmt.Sprintf("%s", delegate)) |  | ||||||
| 	} |  | ||||||
| 	return fmt.Sprintf("%s[%s]", PluginName, strings.Join(delegateStrings, ",")) |  | ||||||
| } |  | ||||||
| @@ -1,319 +0,0 @@ | |||||||
| /* |  | ||||||
| Copyright 2018 The Kubernetes Authors. |  | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| you may not use this file except in compliance with the License. |  | ||||||
| You may obtain a copy of the License at |  | ||||||
|  |  | ||||||
|     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
|  |  | ||||||
| Unless required by applicable law or agreed to in writing, software |  | ||||||
| distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| See the License for the specific language governing permissions and |  | ||||||
| limitations under the License. |  | ||||||
| */ |  | ||||||
|  |  | ||||||
| package dynamic |  | ||||||
|  |  | ||||||
| import ( |  | ||||||
| 	"fmt" |  | ||||||
| 	"io/ioutil" |  | ||||||
| 	"net/http" |  | ||||||
| 	"net/http/httptest" |  | ||||||
| 	"reflect" |  | ||||||
| 	"sync/atomic" |  | ||||||
| 	"testing" |  | ||||||
| 	"time" |  | ||||||
|  |  | ||||||
| 	"github.com/stretchr/testify/require" |  | ||||||
|  |  | ||||||
| 	auditregv1alpha1 "k8s.io/api/auditregistration/v1alpha1" |  | ||||||
| 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" |  | ||||||
| 	"k8s.io/apimachinery/pkg/runtime" |  | ||||||
| 	"k8s.io/apimachinery/pkg/types" |  | ||||||
| 	"k8s.io/apimachinery/pkg/util/wait" |  | ||||||
| 	auditinternal "k8s.io/apiserver/pkg/apis/audit" |  | ||||||
| 	auditv1 "k8s.io/apiserver/pkg/apis/audit/v1" |  | ||||||
| 	"k8s.io/apiserver/pkg/audit" |  | ||||||
| 	webhook "k8s.io/apiserver/pkg/util/webhook" |  | ||||||
| 	informers "k8s.io/client-go/informers" |  | ||||||
| 	"k8s.io/client-go/kubernetes/fake" |  | ||||||
| 	v1core "k8s.io/client-go/kubernetes/typed/core/v1" |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| func TestDynamic(t *testing.T) { |  | ||||||
| 	eventList1 := &atomic.Value{} |  | ||||||
| 	eventList1.Store(auditinternal.EventList{}) |  | ||||||
| 	eventList2 := &atomic.Value{} |  | ||||||
| 	eventList2.Store(auditinternal.EventList{}) |  | ||||||
|  |  | ||||||
| 	// start test servers |  | ||||||
| 	server1 := httptest.NewServer(buildTestHandler(t, eventList1)) |  | ||||||
| 	defer server1.Close() |  | ||||||
| 	server2 := httptest.NewServer(buildTestHandler(t, eventList2)) |  | ||||||
| 	defer server2.Close() |  | ||||||
|  |  | ||||||
| 	testPolicy := auditregv1alpha1.Policy{ |  | ||||||
| 		Level: auditregv1alpha1.LevelMetadata, |  | ||||||
| 		Stages: []auditregv1alpha1.Stage{ |  | ||||||
| 			auditregv1alpha1.StageResponseStarted, |  | ||||||
| 		}, |  | ||||||
| 	} |  | ||||||
| 	testEvent := auditinternal.Event{ |  | ||||||
| 		Level:      auditinternal.LevelMetadata, |  | ||||||
| 		Stage:      auditinternal.StageResponseStarted, |  | ||||||
| 		Verb:       "get", |  | ||||||
| 		RequestURI: "/test/path", |  | ||||||
| 	} |  | ||||||
| 	testConfig1 := &auditregv1alpha1.AuditSink{ |  | ||||||
| 		ObjectMeta: metav1.ObjectMeta{ |  | ||||||
| 			Name: "test1", |  | ||||||
| 			UID:  types.UID("test1"), |  | ||||||
| 		}, |  | ||||||
| 		Spec: auditregv1alpha1.AuditSinkSpec{ |  | ||||||
| 			Policy: testPolicy, |  | ||||||
| 			Webhook: auditregv1alpha1.Webhook{ |  | ||||||
| 				ClientConfig: auditregv1alpha1.WebhookClientConfig{ |  | ||||||
| 					URL: &server1.URL, |  | ||||||
| 				}, |  | ||||||
| 			}, |  | ||||||
| 		}, |  | ||||||
| 	} |  | ||||||
| 	testConfig2 := &auditregv1alpha1.AuditSink{ |  | ||||||
| 		ObjectMeta: metav1.ObjectMeta{ |  | ||||||
| 			Name: "test2", |  | ||||||
| 			UID:  types.UID("test2"), |  | ||||||
| 		}, |  | ||||||
| 		Spec: auditregv1alpha1.AuditSinkSpec{ |  | ||||||
| 			Policy: testPolicy, |  | ||||||
| 			Webhook: auditregv1alpha1.Webhook{ |  | ||||||
| 				ClientConfig: auditregv1alpha1.WebhookClientConfig{ |  | ||||||
| 					URL: &server2.URL, |  | ||||||
| 				}, |  | ||||||
| 			}, |  | ||||||
| 		}, |  | ||||||
| 	} |  | ||||||
|  |  | ||||||
| 	badURL := "http://badtest" |  | ||||||
| 	badConfig := &auditregv1alpha1.AuditSink{ |  | ||||||
| 		ObjectMeta: metav1.ObjectMeta{ |  | ||||||
| 			Name: "bad", |  | ||||||
| 			UID:  types.UID("bad"), |  | ||||||
| 		}, |  | ||||||
| 		Spec: auditregv1alpha1.AuditSinkSpec{ |  | ||||||
| 			Policy: testPolicy, |  | ||||||
| 			Webhook: auditregv1alpha1.Webhook{ |  | ||||||
| 				ClientConfig: auditregv1alpha1.WebhookClientConfig{ |  | ||||||
| 					URL: &badURL, |  | ||||||
| 				}, |  | ||||||
| 			}, |  | ||||||
| 		}, |  | ||||||
| 	} |  | ||||||
|  |  | ||||||
| 	config, stopChan := defaultTestConfig() |  | ||||||
| 	config.BufferedConfig.MaxBatchSize = 1 |  | ||||||
|  |  | ||||||
| 	b, err := NewBackend(config) |  | ||||||
| 	require.NoError(t, err) |  | ||||||
| 	d := b.(*backend) |  | ||||||
| 	err = b.Run(stopChan) |  | ||||||
| 	require.NoError(t, err) |  | ||||||
|  |  | ||||||
| 	t.Run("find none", func(t *testing.T) { |  | ||||||
| 		require.Len(t, d.GetDelegates(), 0) |  | ||||||
| 	}) |  | ||||||
|  |  | ||||||
| 	success := t.Run("find one", func(t *testing.T) { |  | ||||||
| 		d.addSink(testConfig1) |  | ||||||
| 		delegates := d.GetDelegates() |  | ||||||
| 		require.Len(t, delegates, 1) |  | ||||||
| 		require.Contains(t, delegates, types.UID("test1")) |  | ||||||
| 		require.Equal(t, testConfig1, delegates["test1"].configuration) |  | ||||||
|  |  | ||||||
| 		// send event and check that it arrives |  | ||||||
| 		b.ProcessEvents(&testEvent) |  | ||||||
| 		err := checkForEvent(eventList1, testEvent) |  | ||||||
| 		require.NoError(t, err, "unable to find events sent to sink") |  | ||||||
| 	}) |  | ||||||
| 	require.True(t, success) // propagate failure |  | ||||||
|  |  | ||||||
| 	// test that a bad webhook configuration can be recovered from |  | ||||||
| 	success = t.Run("bad config", func(t *testing.T) { |  | ||||||
| 		d.addSink(badConfig) |  | ||||||
| 		delegates := d.GetDelegates() |  | ||||||
| 		require.Len(t, delegates, 2) |  | ||||||
| 		require.Contains(t, delegates, types.UID("bad")) |  | ||||||
| 		require.Equal(t, badConfig, delegates["bad"].configuration) |  | ||||||
|  |  | ||||||
| 		// send events to the buffer |  | ||||||
| 		b.ProcessEvents(&testEvent, &testEvent) |  | ||||||
|  |  | ||||||
| 		// event is in the buffer see if the sink can be deleted |  | ||||||
| 		// this will hang and fail if not handled properly |  | ||||||
| 		d.deleteSink(badConfig) |  | ||||||
|  |  | ||||||
| 		delegates = d.GetDelegates() |  | ||||||
| 		require.Len(t, delegates, 1) |  | ||||||
| 		require.Contains(t, delegates, types.UID("test1")) |  | ||||||
| 		require.Equal(t, testConfig1, delegates["test1"].configuration) |  | ||||||
| 	}) |  | ||||||
| 	require.True(t, success) // propagate failure |  | ||||||
|  |  | ||||||
| 	success = t.Run("find two", func(t *testing.T) { |  | ||||||
| 		eventList1.Store(auditinternal.EventList{}) |  | ||||||
| 		d.addSink(testConfig2) |  | ||||||
| 		delegates := d.GetDelegates() |  | ||||||
| 		require.Len(t, delegates, 2) |  | ||||||
| 		require.Contains(t, delegates, types.UID("test1")) |  | ||||||
| 		require.Contains(t, delegates, types.UID("test2")) |  | ||||||
| 		require.Equal(t, testConfig1, delegates["test1"].configuration) |  | ||||||
| 		require.Equal(t, testConfig2, delegates["test2"].configuration) |  | ||||||
|  |  | ||||||
| 		// send event to both delegates and check that it arrives in both places |  | ||||||
| 		b.ProcessEvents(&testEvent) |  | ||||||
| 		err := checkForEvent(eventList1, testEvent) |  | ||||||
| 		require.NoError(t, err, "unable to find events sent to sink 1") |  | ||||||
| 		err = checkForEvent(eventList2, testEvent) |  | ||||||
| 		require.NoError(t, err, "unable to find events sent to sink 2") |  | ||||||
| 	}) |  | ||||||
| 	require.True(t, success) // propagate failure |  | ||||||
|  |  | ||||||
| 	success = t.Run("delete one", func(t *testing.T) { |  | ||||||
| 		eventList2.Store(auditinternal.EventList{}) |  | ||||||
| 		d.deleteSink(testConfig1) |  | ||||||
| 		delegates := d.GetDelegates() |  | ||||||
| 		require.Len(t, delegates, 1) |  | ||||||
| 		require.Contains(t, delegates, types.UID("test2")) |  | ||||||
| 		require.Equal(t, testConfig2, delegates["test2"].configuration) |  | ||||||
|  |  | ||||||
| 		// send event and check that it arrives to remaining sink |  | ||||||
| 		b.ProcessEvents(&testEvent) |  | ||||||
| 		err := checkForEvent(eventList2, testEvent) |  | ||||||
| 		require.NoError(t, err, "unable to find events sent to sink") |  | ||||||
| 	}) |  | ||||||
| 	require.True(t, success) // propagate failure |  | ||||||
|  |  | ||||||
| 	success = t.Run("update one", func(t *testing.T) { |  | ||||||
| 		eventList1.Store(auditinternal.EventList{}) |  | ||||||
| 		oldConfig := *testConfig2 |  | ||||||
| 		testConfig2.Spec.Webhook.ClientConfig.URL = &server1.URL |  | ||||||
| 		testConfig2.UID = types.UID("test2.1") |  | ||||||
| 		d.updateSink(&oldConfig, testConfig2) |  | ||||||
| 		delegates := d.GetDelegates() |  | ||||||
| 		require.Len(t, delegates, 1) |  | ||||||
| 		require.Contains(t, delegates, types.UID("test2.1")) |  | ||||||
| 		require.Equal(t, testConfig2, delegates["test2.1"].configuration) |  | ||||||
|  |  | ||||||
| 		// send event and check that it arrives to updated sink |  | ||||||
| 		b.ProcessEvents(&testEvent) |  | ||||||
| 		err := checkForEvent(eventList1, testEvent) |  | ||||||
| 		require.NoError(t, err, "unable to find events sent to sink") |  | ||||||
| 	}) |  | ||||||
| 	require.True(t, success) // propagate failure |  | ||||||
|  |  | ||||||
| 	success = t.Run("update meta only", func(t *testing.T) { |  | ||||||
| 		eventList1.Store(auditinternal.EventList{}) |  | ||||||
| 		oldConfig := *testConfig2 |  | ||||||
| 		testConfig2.UID = types.UID("test2.2") |  | ||||||
| 		testConfig2.Labels = map[string]string{"my": "label"} |  | ||||||
| 		d.updateSink(&oldConfig, testConfig2) |  | ||||||
| 		delegates := d.GetDelegates() |  | ||||||
| 		require.Len(t, delegates, 1) |  | ||||||
| 		require.Contains(t, delegates, types.UID("test2.2")) |  | ||||||
|  |  | ||||||
| 		// send event and check that it arrives to same sink |  | ||||||
| 		b.ProcessEvents(&testEvent) |  | ||||||
| 		err := checkForEvent(eventList1, testEvent) |  | ||||||
| 		require.NoError(t, err, "unable to find events sent to sink") |  | ||||||
| 	}) |  | ||||||
| 	require.True(t, success) // propagate failure |  | ||||||
|  |  | ||||||
| 	success = t.Run("shutdown", func(t *testing.T) { |  | ||||||
| 		// if the stop signal is not propagated correctly the buffers will not |  | ||||||
| 		// close down gracefully, and the shutdown method will hang causing |  | ||||||
| 		// the test will timeout. |  | ||||||
| 		timeoutChan := make(chan struct{}) |  | ||||||
| 		successChan := make(chan struct{}) |  | ||||||
| 		go func() { |  | ||||||
| 			time.Sleep(1 * time.Second) |  | ||||||
| 			timeoutChan <- struct{}{} |  | ||||||
| 		}() |  | ||||||
| 		go func() { |  | ||||||
| 			close(stopChan) |  | ||||||
| 			d.Shutdown() |  | ||||||
| 			successChan <- struct{}{} |  | ||||||
| 		}() |  | ||||||
| 		for { |  | ||||||
| 			select { |  | ||||||
| 			case <-timeoutChan: |  | ||||||
| 				t.Error("shutdown timed out") |  | ||||||
| 				return |  | ||||||
| 			case <-successChan: |  | ||||||
| 				return |  | ||||||
| 			} |  | ||||||
| 		} |  | ||||||
| 	}) |  | ||||||
| 	require.True(t, success) // propagate failure |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // checkForEvent will poll to check for an audit event in an atomic event list |  | ||||||
| func checkForEvent(a *atomic.Value, evSent auditinternal.Event) error { |  | ||||||
| 	return wait.Poll(100*time.Millisecond, 1*time.Second, func() (bool, error) { |  | ||||||
| 		el := a.Load().(auditinternal.EventList) |  | ||||||
| 		if len(el.Items) != 1 { |  | ||||||
| 			return false, nil |  | ||||||
| 		} |  | ||||||
| 		evFound := el.Items[0] |  | ||||||
| 		eq := reflect.DeepEqual(evSent, evFound) |  | ||||||
| 		if !eq { |  | ||||||
| 			return false, fmt.Errorf("event mismatch -- sent: %+v found: %+v", evSent, evFound) |  | ||||||
| 		} |  | ||||||
| 		return true, nil |  | ||||||
| 	}) |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // buildTestHandler returns a handler that will update the atomic value passed in |  | ||||||
| // with the event list it receives |  | ||||||
| func buildTestHandler(t *testing.T, a *atomic.Value) http.HandlerFunc { |  | ||||||
| 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { |  | ||||||
| 		body, err := ioutil.ReadAll(r.Body) |  | ||||||
| 		if err != nil { |  | ||||||
| 			t.Fatalf("could not read request body: %v", err) |  | ||||||
| 		} |  | ||||||
| 		el := auditinternal.EventList{} |  | ||||||
| 		decoder := audit.Codecs.UniversalDecoder(auditv1.SchemeGroupVersion) |  | ||||||
| 		if err := runtime.DecodeInto(decoder, body, &el); err != nil { |  | ||||||
| 			t.Fatalf("failed decoding buf: %b, apiVersion: %s", body, auditv1.SchemeGroupVersion) |  | ||||||
| 		} |  | ||||||
| 		defer r.Body.Close() |  | ||||||
| 		a.Store(el) |  | ||||||
| 		w.WriteHeader(200) |  | ||||||
| 	}) |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // defaultTestConfig returns a Config object suitable for testing along with its |  | ||||||
| // associated stopChan |  | ||||||
| func defaultTestConfig() (*Config, chan struct{}) { |  | ||||||
| 	authWrapper := webhook.AuthenticationInfoResolverWrapper( |  | ||||||
| 		func(a webhook.AuthenticationInfoResolver) webhook.AuthenticationInfoResolver { return a }, |  | ||||||
| 	) |  | ||||||
| 	client := fake.NewSimpleClientset() |  | ||||||
| 	informerFactory := informers.NewSharedInformerFactory(client, 0) |  | ||||||
| 	stop := make(chan struct{}) |  | ||||||
|  |  | ||||||
| 	eventSink := &v1core.EventSinkImpl{Interface: client.CoreV1().Events("")} |  | ||||||
|  |  | ||||||
| 	informerFactory.Start(stop) |  | ||||||
| 	informerFactory.WaitForCacheSync(stop) |  | ||||||
| 	informer := informerFactory.Auditregistration().V1alpha1().AuditSinks() |  | ||||||
| 	return &Config{ |  | ||||||
| 		Informer:       informer, |  | ||||||
| 		EventConfig:    EventConfig{Sink: eventSink}, |  | ||||||
| 		BufferedConfig: NewDefaultWebhookBatchConfig(), |  | ||||||
| 		WebhookConfig: WebhookConfig{ |  | ||||||
| 			AuthInfoResolverWrapper: authWrapper, |  | ||||||
| 			ServiceResolver:         webhook.NewDefaultServiceResolver(), |  | ||||||
| 		}, |  | ||||||
| 	}, stop |  | ||||||
| } |  | ||||||
| @@ -1,45 +0,0 @@ | |||||||
| load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test") |  | ||||||
|  |  | ||||||
| go_library( |  | ||||||
|     name = "go_default_library", |  | ||||||
|     srcs = ["enforced.go"], |  | ||||||
|     importmap = "k8s.io/kubernetes/vendor/k8s.io/apiserver/plugin/pkg/audit/dynamic/enforced", |  | ||||||
|     importpath = "k8s.io/apiserver/plugin/pkg/audit/dynamic/enforced", |  | ||||||
|     visibility = ["//visibility:public"], |  | ||||||
|     deps = [ |  | ||||||
|         "//staging/src/k8s.io/apiserver/pkg/apis/audit:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apiserver/pkg/audit:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apiserver/pkg/audit/event:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apiserver/pkg/audit/policy:go_default_library", |  | ||||||
|     ], |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| go_test( |  | ||||||
|     name = "go_default_test", |  | ||||||
|     srcs = ["enforced_test.go"], |  | ||||||
|     embed = [":go_default_library"], |  | ||||||
|     deps = [ |  | ||||||
|         "//staging/src/k8s.io/api/authentication/v1:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apiserver/pkg/apis/audit:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apiserver/pkg/audit/policy:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apiserver/plugin/pkg/audit/fake:go_default_library", |  | ||||||
|         "//vendor/github.com/stretchr/testify/require:go_default_library", |  | ||||||
|     ], |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| filegroup( |  | ||||||
|     name = "package-srcs", |  | ||||||
|     srcs = glob(["**"]), |  | ||||||
|     tags = ["automanaged"], |  | ||||||
|     visibility = ["//visibility:private"], |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| filegroup( |  | ||||||
|     name = "all-srcs", |  | ||||||
|     srcs = [":package-srcs"], |  | ||||||
|     tags = ["automanaged"], |  | ||||||
|     visibility = ["//visibility:public"], |  | ||||||
| ) |  | ||||||
| @@ -1,93 +0,0 @@ | |||||||
| /* |  | ||||||
| Copyright 2018 The Kubernetes Authors. |  | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| you may not use this file except in compliance with the License. |  | ||||||
| You may obtain a copy of the License at |  | ||||||
|  |  | ||||||
|     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
|  |  | ||||||
| Unless required by applicable law or agreed to in writing, software |  | ||||||
| distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| See the License for the specific language governing permissions and |  | ||||||
| limitations under the License. |  | ||||||
| */ |  | ||||||
|  |  | ||||||
| package enforced |  | ||||||
|  |  | ||||||
| import ( |  | ||||||
| 	"fmt" |  | ||||||
|  |  | ||||||
| 	auditinternal "k8s.io/apiserver/pkg/apis/audit" |  | ||||||
| 	"k8s.io/apiserver/pkg/audit" |  | ||||||
| 	ev "k8s.io/apiserver/pkg/audit/event" |  | ||||||
| 	"k8s.io/apiserver/pkg/audit/policy" |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| // PluginName is the name reported in error metrics. |  | ||||||
| const PluginName = "enforced" |  | ||||||
|  |  | ||||||
| // Backend filters audit events according to the policy |  | ||||||
| // trimming them as necessary to match the level |  | ||||||
| type Backend struct { |  | ||||||
| 	policyChecker   policy.Checker |  | ||||||
| 	delegateBackend audit.Backend |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // NewBackend returns an enforced audit backend that wraps delegate backend. |  | ||||||
| // Enforced backend automatically runs and shuts down the delegate backend. |  | ||||||
| func NewBackend(delegate audit.Backend, p policy.Checker) audit.Backend { |  | ||||||
| 	return &Backend{ |  | ||||||
| 		policyChecker:   p, |  | ||||||
| 		delegateBackend: delegate, |  | ||||||
| 	} |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Run the delegate backend |  | ||||||
| func (b Backend) Run(stopCh <-chan struct{}) error { |  | ||||||
| 	return b.delegateBackend.Run(stopCh) |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Shutdown the delegate backend |  | ||||||
| func (b Backend) Shutdown() { |  | ||||||
| 	b.delegateBackend.Shutdown() |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // ProcessEvents enforces policy on a shallow copy of the given event |  | ||||||
| // dropping any sections that don't conform |  | ||||||
| func (b Backend) ProcessEvents(events ...*auditinternal.Event) bool { |  | ||||||
| 	for _, event := range events { |  | ||||||
| 		if event == nil { |  | ||||||
| 			continue |  | ||||||
| 		} |  | ||||||
| 		attr, err := ev.NewAttributes(event) |  | ||||||
| 		if err != nil { |  | ||||||
| 			audit.HandlePluginError(PluginName, err, event) |  | ||||||
| 			continue |  | ||||||
| 		} |  | ||||||
| 		level, stages := b.policyChecker.LevelAndStages(attr) |  | ||||||
| 		if level == auditinternal.LevelNone { |  | ||||||
| 			continue |  | ||||||
| 		} |  | ||||||
| 		// make shallow copy before modifying to satisfy interface definition |  | ||||||
| 		ev := *event |  | ||||||
| 		e, err := policy.EnforcePolicy(&ev, level, stages) |  | ||||||
| 		if err != nil { |  | ||||||
| 			audit.HandlePluginError(PluginName, err, event) |  | ||||||
| 			continue |  | ||||||
| 		} |  | ||||||
| 		if e == nil { |  | ||||||
| 			continue |  | ||||||
| 		} |  | ||||||
| 		b.delegateBackend.ProcessEvents(e) |  | ||||||
| 	} |  | ||||||
| 	// Returning true regardless of results, since dynamic audit backends |  | ||||||
| 	// can never cause apiserver request to fail. |  | ||||||
| 	return true |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // String returns a string representation of the backend |  | ||||||
| func (b Backend) String() string { |  | ||||||
| 	return fmt.Sprintf("%s<%s>", PluginName, b.delegateBackend) |  | ||||||
| } |  | ||||||
| @@ -1,118 +0,0 @@ | |||||||
| /* |  | ||||||
| Copyright 2018 The Kubernetes Authors. |  | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| you may not use this file except in compliance with the License. |  | ||||||
| You may obtain a copy of the License at |  | ||||||
|  |  | ||||||
|     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
|  |  | ||||||
| Unless required by applicable law or agreed to in writing, software |  | ||||||
| distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| See the License for the specific language governing permissions and |  | ||||||
| limitations under the License. |  | ||||||
| */ |  | ||||||
|  |  | ||||||
| package enforced |  | ||||||
|  |  | ||||||
| import ( |  | ||||||
| 	"testing" |  | ||||||
|  |  | ||||||
| 	"github.com/stretchr/testify/require" |  | ||||||
|  |  | ||||||
| 	authnv1 "k8s.io/api/authentication/v1" |  | ||||||
| 	"k8s.io/apimachinery/pkg/runtime" |  | ||||||
| 	auditinternal "k8s.io/apiserver/pkg/apis/audit" |  | ||||||
| 	"k8s.io/apiserver/pkg/audit/policy" |  | ||||||
| 	"k8s.io/apiserver/pkg/authentication/user" |  | ||||||
| 	"k8s.io/apiserver/pkg/authorization/authorizer" |  | ||||||
| 	fakeplugin "k8s.io/apiserver/plugin/pkg/audit/fake" |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| func TestEnforced(t *testing.T) { |  | ||||||
| 	testCases := []struct { |  | ||||||
| 		name     string |  | ||||||
| 		event    *auditinternal.Event |  | ||||||
| 		policy   auditinternal.Policy |  | ||||||
| 		attribs  authorizer.Attributes |  | ||||||
| 		expected []*auditinternal.Event |  | ||||||
| 	}{ |  | ||||||
| 		{ |  | ||||||
| 			name: "enforce level", |  | ||||||
| 			event: &auditinternal.Event{ |  | ||||||
| 				Level:          auditinternal.LevelRequestResponse, |  | ||||||
| 				Stage:          auditinternal.StageResponseComplete, |  | ||||||
| 				RequestURI:     "/apis/extensions/v1beta1", |  | ||||||
| 				RequestObject:  &runtime.Unknown{Raw: []byte(`test`)}, |  | ||||||
| 				ResponseObject: &runtime.Unknown{Raw: []byte(`test`)}, |  | ||||||
| 			}, |  | ||||||
| 			policy: auditinternal.Policy{ |  | ||||||
| 				Rules: []auditinternal.PolicyRule{ |  | ||||||
| 					{ |  | ||||||
| 						Level: auditinternal.LevelMetadata, |  | ||||||
| 					}, |  | ||||||
| 				}, |  | ||||||
| 			}, |  | ||||||
| 			expected: []*auditinternal.Event{ |  | ||||||
| 				{ |  | ||||||
| 					Level:      auditinternal.LevelMetadata, |  | ||||||
| 					Stage:      auditinternal.StageResponseComplete, |  | ||||||
| 					RequestURI: "/apis/extensions/v1beta1", |  | ||||||
| 				}, |  | ||||||
| 			}, |  | ||||||
| 		}, |  | ||||||
| 		{ |  | ||||||
| 			name: "enforce policy rule", |  | ||||||
| 			event: &auditinternal.Event{ |  | ||||||
| 				Level:      auditinternal.LevelRequestResponse, |  | ||||||
| 				Stage:      auditinternal.StageResponseComplete, |  | ||||||
| 				RequestURI: "/apis/extensions/v1beta1", |  | ||||||
| 				User: authnv1.UserInfo{ |  | ||||||
| 					Username: user.Anonymous, |  | ||||||
| 				}, |  | ||||||
| 				RequestObject:  &runtime.Unknown{Raw: []byte(`test`)}, |  | ||||||
| 				ResponseObject: &runtime.Unknown{Raw: []byte(`test`)}, |  | ||||||
| 			}, |  | ||||||
| 			policy: auditinternal.Policy{ |  | ||||||
| 				Rules: []auditinternal.PolicyRule{ |  | ||||||
| 					{ |  | ||||||
| 						Level: auditinternal.LevelNone, |  | ||||||
| 						Users: []string{user.Anonymous}, |  | ||||||
| 					}, |  | ||||||
| 					{ |  | ||||||
| 						Level: auditinternal.LevelMetadata, |  | ||||||
| 					}, |  | ||||||
| 				}, |  | ||||||
| 			}, |  | ||||||
| 			expected: []*auditinternal.Event{}, |  | ||||||
| 		}, |  | ||||||
| 		{ |  | ||||||
| 			name:  "nil event", |  | ||||||
| 			event: nil, |  | ||||||
| 			policy: auditinternal.Policy{ |  | ||||||
| 				Rules: []auditinternal.PolicyRule{ |  | ||||||
| 					{ |  | ||||||
| 						Level: auditinternal.LevelMetadata, |  | ||||||
| 					}, |  | ||||||
| 				}, |  | ||||||
| 			}, |  | ||||||
| 			expected: []*auditinternal.Event{}, |  | ||||||
| 		}, |  | ||||||
| 	} |  | ||||||
| 	for _, tc := range testCases { |  | ||||||
| 		t.Run(tc.name, func(t *testing.T) { |  | ||||||
| 			ev := []*auditinternal.Event{} |  | ||||||
| 			fakeBackend := fakeplugin.Backend{ |  | ||||||
| 				OnRequest: func(events []*auditinternal.Event) { |  | ||||||
| 					ev = events |  | ||||||
| 				}, |  | ||||||
| 			} |  | ||||||
| 			b := NewBackend(&fakeBackend, policy.NewChecker(&tc.policy)) |  | ||||||
| 			defer b.Shutdown() |  | ||||||
|  |  | ||||||
| 			b.ProcessEvents(tc.event) |  | ||||||
| 			require.Equal(t, tc.expected, ev) |  | ||||||
| 		}) |  | ||||||
| 	} |  | ||||||
| } |  | ||||||
| @@ -1,91 +0,0 @@ | |||||||
| /* |  | ||||||
| Copyright 2018 The Kubernetes Authors. |  | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| you may not use this file except in compliance with the License. |  | ||||||
| You may obtain a copy of the License at |  | ||||||
|  |  | ||||||
|     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
|  |  | ||||||
| Unless required by applicable law or agreed to in writing, software |  | ||||||
| distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| See the License for the specific language governing permissions and |  | ||||||
| limitations under the License. |  | ||||||
| */ |  | ||||||
|  |  | ||||||
| package dynamic |  | ||||||
|  |  | ||||||
| import ( |  | ||||||
| 	"fmt" |  | ||||||
| 	"time" |  | ||||||
|  |  | ||||||
| 	auditregv1alpha1 "k8s.io/api/auditregistration/v1alpha1" |  | ||||||
| 	"k8s.io/apiserver/pkg/audit" |  | ||||||
| 	"k8s.io/apiserver/pkg/audit/policy" |  | ||||||
| 	auditutil "k8s.io/apiserver/pkg/audit/util" |  | ||||||
| 	"k8s.io/apiserver/pkg/util/webhook" |  | ||||||
| 	bufferedplugin "k8s.io/apiserver/plugin/pkg/audit/buffered" |  | ||||||
| 	enforcedplugin "k8s.io/apiserver/plugin/pkg/audit/dynamic/enforced" |  | ||||||
| 	webhookplugin "k8s.io/apiserver/plugin/pkg/audit/webhook" |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| // TODO: find a common place for all the default retry backoffs |  | ||||||
| const retryBackoff = 500 * time.Millisecond |  | ||||||
|  |  | ||||||
| // factory builds a delegate from an AuditSink |  | ||||||
| type factory struct { |  | ||||||
| 	config               *Config |  | ||||||
| 	webhookClientManager webhook.ClientManager |  | ||||||
| 	sink                 *auditregv1alpha1.AuditSink |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // BuildDelegate creates a delegate from the AuditSink object |  | ||||||
| func (f *factory) BuildDelegate() (*delegate, error) { |  | ||||||
| 	backend, err := f.buildWebhookBackend() |  | ||||||
| 	if err != nil { |  | ||||||
| 		return nil, err |  | ||||||
| 	} |  | ||||||
| 	backend = f.applyEnforcedOpts(backend) |  | ||||||
| 	backend = f.applyBufferedOpts(backend) |  | ||||||
| 	ch := make(chan struct{}) |  | ||||||
| 	return &delegate{ |  | ||||||
| 		Backend:       backend, |  | ||||||
| 		configuration: f.sink, |  | ||||||
| 		stopChan:      ch, |  | ||||||
| 	}, nil |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func (f *factory) buildWebhookBackend() (audit.Backend, error) { |  | ||||||
| 	hookClient := auditutil.HookClientConfigForSink(f.sink) |  | ||||||
| 	client, err := f.webhookClientManager.HookClient(hookClient) |  | ||||||
| 	if err != nil { |  | ||||||
| 		return nil, fmt.Errorf("could not create webhook client: %v", err) |  | ||||||
| 	} |  | ||||||
| 	backend := webhookplugin.NewDynamicBackend(client, retryBackoff) |  | ||||||
| 	return backend, nil |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func (f *factory) applyEnforcedOpts(delegate audit.Backend) audit.Backend { |  | ||||||
| 	pol := policy.ConvertDynamicPolicyToInternal(&f.sink.Spec.Policy) |  | ||||||
| 	checker := policy.NewChecker(pol) |  | ||||||
| 	eb := enforcedplugin.NewBackend(delegate, checker) |  | ||||||
| 	return eb |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func (f *factory) applyBufferedOpts(delegate audit.Backend) audit.Backend { |  | ||||||
| 	bc := f.config.BufferedConfig |  | ||||||
| 	tc := f.sink.Spec.Webhook.Throttle |  | ||||||
| 	if tc != nil { |  | ||||||
| 		bc.ThrottleEnable = true |  | ||||||
| 		if tc.Burst != nil { |  | ||||||
| 			bc.ThrottleBurst = int(*tc.Burst) |  | ||||||
| 		} |  | ||||||
| 		if tc.QPS != nil { |  | ||||||
| 			bc.ThrottleQPS = float32(*tc.QPS) |  | ||||||
| 		} |  | ||||||
| 	} else { |  | ||||||
| 		bc.ThrottleEnable = false |  | ||||||
| 	} |  | ||||||
| 	return bufferedplugin.NewBackend(delegate, *bc) |  | ||||||
| } |  | ||||||
| @@ -1,146 +0,0 @@ | |||||||
| /* |  | ||||||
| Copyright 2018 The Kubernetes Authors. |  | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| you may not use this file except in compliance with the License. |  | ||||||
| You may obtain a copy of the License at |  | ||||||
|  |  | ||||||
|     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
|  |  | ||||||
| Unless required by applicable law or agreed to in writing, software |  | ||||||
| distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| See the License for the specific language governing permissions and |  | ||||||
| limitations under the License. |  | ||||||
| */ |  | ||||||
|  |  | ||||||
| package dynamic |  | ||||||
|  |  | ||||||
| import ( |  | ||||||
| 	"testing" |  | ||||||
|  |  | ||||||
| 	"github.com/stretchr/testify/require" |  | ||||||
|  |  | ||||||
| 	auditregv1alpha1 "k8s.io/api/auditregistration/v1alpha1" |  | ||||||
| 	utilpointer "k8s.io/utils/pointer" |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| func TestToDelegate(t *testing.T) { |  | ||||||
| 	config, _ := defaultTestConfig() |  | ||||||
| 	defaultPolicy := auditregv1alpha1.Policy{ |  | ||||||
| 		Level: auditregv1alpha1.LevelMetadata, |  | ||||||
| 	} |  | ||||||
| 	u := "http://localhost:4444" |  | ||||||
| 	for _, tc := range []struct { |  | ||||||
| 		name            string |  | ||||||
| 		auditConfig     *auditregv1alpha1.AuditSink |  | ||||||
| 		throttleConfig  *auditregv1alpha1.WebhookThrottleConfig |  | ||||||
| 		expectedBackend string |  | ||||||
| 	}{ |  | ||||||
| 		{ |  | ||||||
| 			name: "build full", |  | ||||||
| 			auditConfig: &auditregv1alpha1.AuditSink{ |  | ||||||
| 				Spec: auditregv1alpha1.AuditSinkSpec{ |  | ||||||
| 					Policy: defaultPolicy, |  | ||||||
| 					Webhook: auditregv1alpha1.Webhook{ |  | ||||||
| 						Throttle: &auditregv1alpha1.WebhookThrottleConfig{ |  | ||||||
| 							QPS:   utilpointer.Int64Ptr(10), |  | ||||||
| 							Burst: utilpointer.Int64Ptr(5), |  | ||||||
| 						}, |  | ||||||
| 						ClientConfig: auditregv1alpha1.WebhookClientConfig{ |  | ||||||
| 							URL: &u, |  | ||||||
| 						}, |  | ||||||
| 					}, |  | ||||||
| 				}, |  | ||||||
| 			}, |  | ||||||
| 			expectedBackend: "buffered<enforced<dynamic_webhook>>", |  | ||||||
| 		}, |  | ||||||
| 		{ |  | ||||||
| 			name: "build no throttle", |  | ||||||
| 			auditConfig: &auditregv1alpha1.AuditSink{ |  | ||||||
| 				Spec: auditregv1alpha1.AuditSinkSpec{ |  | ||||||
| 					Policy: defaultPolicy, |  | ||||||
| 					Webhook: auditregv1alpha1.Webhook{ |  | ||||||
| 						ClientConfig: auditregv1alpha1.WebhookClientConfig{ |  | ||||||
| 							URL: &u, |  | ||||||
| 						}, |  | ||||||
| 					}, |  | ||||||
| 				}, |  | ||||||
| 			}, |  | ||||||
| 			expectedBackend: "buffered<enforced<dynamic_webhook>>", |  | ||||||
| 		}, |  | ||||||
| 	} { |  | ||||||
| 		t.Run(tc.name, func(t *testing.T) { |  | ||||||
| 			b, err := NewBackend(config) |  | ||||||
| 			require.NoError(t, err) |  | ||||||
| 			c := factory{ |  | ||||||
| 				config:               b.(*backend).config, |  | ||||||
| 				webhookClientManager: b.(*backend).webhookClientManager, |  | ||||||
| 				sink:                 tc.auditConfig, |  | ||||||
| 			} |  | ||||||
| 			d, err := c.BuildDelegate() |  | ||||||
| 			require.NoError(t, err) |  | ||||||
| 			require.Equal(t, tc.expectedBackend, d.String()) |  | ||||||
| 		}) |  | ||||||
| 	} |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func TestBuildWebhookBackend(t *testing.T) { |  | ||||||
| 	defaultPolicy := auditregv1alpha1.Policy{ |  | ||||||
| 		Level: auditregv1alpha1.LevelMetadata, |  | ||||||
| 	} |  | ||||||
| 	config, _ := defaultTestConfig() |  | ||||||
| 	b, err := NewBackend(config) |  | ||||||
| 	require.NoError(t, err) |  | ||||||
| 	d := b.(*backend) |  | ||||||
| 	u := "http://localhost:4444" |  | ||||||
| 	for _, tc := range []struct { |  | ||||||
| 		name            string |  | ||||||
| 		auditConfig     *auditregv1alpha1.AuditSink |  | ||||||
| 		shouldErr       bool |  | ||||||
| 		expectedBackend string |  | ||||||
| 	}{ |  | ||||||
| 		{ |  | ||||||
| 			name: "build full", |  | ||||||
| 			auditConfig: &auditregv1alpha1.AuditSink{ |  | ||||||
| 				Spec: auditregv1alpha1.AuditSinkSpec{ |  | ||||||
| 					Policy: defaultPolicy, |  | ||||||
| 					Webhook: auditregv1alpha1.Webhook{ |  | ||||||
| 						ClientConfig: auditregv1alpha1.WebhookClientConfig{ |  | ||||||
| 							URL: &u, |  | ||||||
| 						}, |  | ||||||
| 					}, |  | ||||||
| 				}, |  | ||||||
| 			}, |  | ||||||
| 			expectedBackend: "dynamic_webhook", |  | ||||||
| 			shouldErr:       false, |  | ||||||
| 		}, |  | ||||||
| 		{ |  | ||||||
| 			name: "fail missing url", |  | ||||||
| 			auditConfig: &auditregv1alpha1.AuditSink{ |  | ||||||
| 				Spec: auditregv1alpha1.AuditSinkSpec{ |  | ||||||
| 					Policy: defaultPolicy, |  | ||||||
| 					Webhook: auditregv1alpha1.Webhook{ |  | ||||||
| 						ClientConfig: auditregv1alpha1.WebhookClientConfig{}, |  | ||||||
| 					}, |  | ||||||
| 				}, |  | ||||||
| 			}, |  | ||||||
| 			shouldErr: true, |  | ||||||
| 		}, |  | ||||||
| 	} { |  | ||||||
| 		t.Run(tc.name, func(t *testing.T) { |  | ||||||
| 			c := &factory{ |  | ||||||
| 				config:               config, |  | ||||||
| 				webhookClientManager: d.webhookClientManager, |  | ||||||
| 				sink:                 tc.auditConfig, |  | ||||||
| 			} |  | ||||||
| 			ab, err := c.buildWebhookBackend() |  | ||||||
| 			if tc.shouldErr { |  | ||||||
| 				require.Error(t, err) |  | ||||||
| 				return |  | ||||||
| 			} |  | ||||||
| 			require.NoError(t, err) |  | ||||||
| 			require.Equal(t, tc.expectedBackend, ab.String()) |  | ||||||
| 		}) |  | ||||||
| 	} |  | ||||||
| } |  | ||||||
| @@ -27,7 +27,6 @@ filegroup( | |||||||
|         "//staging/src/k8s.io/client-go/listers/apps/v1:all-srcs", |         "//staging/src/k8s.io/client-go/listers/apps/v1:all-srcs", | ||||||
|         "//staging/src/k8s.io/client-go/listers/apps/v1beta1:all-srcs", |         "//staging/src/k8s.io/client-go/listers/apps/v1beta1:all-srcs", | ||||||
|         "//staging/src/k8s.io/client-go/listers/apps/v1beta2:all-srcs", |         "//staging/src/k8s.io/client-go/listers/apps/v1beta2:all-srcs", | ||||||
|         "//staging/src/k8s.io/client-go/listers/auditregistration/v1alpha1:all-srcs", |  | ||||||
|         "//staging/src/k8s.io/client-go/listers/authentication/v1:all-srcs", |         "//staging/src/k8s.io/client-go/listers/authentication/v1:all-srcs", | ||||||
|         "//staging/src/k8s.io/client-go/listers/authentication/v1beta1:all-srcs", |         "//staging/src/k8s.io/client-go/listers/authentication/v1beta1:all-srcs", | ||||||
|         "//staging/src/k8s.io/client-go/listers/authorization/v1:all-srcs", |         "//staging/src/k8s.io/client-go/listers/authorization/v1:all-srcs", | ||||||
|   | |||||||
| @@ -16,7 +16,6 @@ go_library( | |||||||
|         "//staging/src/k8s.io/client-go/deprecated/typed/apps/v1:go_default_library", |         "//staging/src/k8s.io/client-go/deprecated/typed/apps/v1:go_default_library", | ||||||
|         "//staging/src/k8s.io/client-go/deprecated/typed/apps/v1beta1:go_default_library", |         "//staging/src/k8s.io/client-go/deprecated/typed/apps/v1beta1:go_default_library", | ||||||
|         "//staging/src/k8s.io/client-go/deprecated/typed/apps/v1beta2:go_default_library", |         "//staging/src/k8s.io/client-go/deprecated/typed/apps/v1beta2:go_default_library", | ||||||
|         "//staging/src/k8s.io/client-go/deprecated/typed/auditregistration/v1alpha1:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/client-go/deprecated/typed/authentication/v1:go_default_library", |         "//staging/src/k8s.io/client-go/deprecated/typed/authentication/v1:go_default_library", | ||||||
|         "//staging/src/k8s.io/client-go/deprecated/typed/authentication/v1beta1:go_default_library", |         "//staging/src/k8s.io/client-go/deprecated/typed/authentication/v1beta1:go_default_library", | ||||||
|         "//staging/src/k8s.io/client-go/deprecated/typed/authorization/v1:go_default_library", |         "//staging/src/k8s.io/client-go/deprecated/typed/authorization/v1:go_default_library", | ||||||
| @@ -75,7 +74,6 @@ filegroup( | |||||||
|         "//staging/src/k8s.io/client-go/deprecated/typed/apps/v1:all-srcs", |         "//staging/src/k8s.io/client-go/deprecated/typed/apps/v1:all-srcs", | ||||||
|         "//staging/src/k8s.io/client-go/deprecated/typed/apps/v1beta1:all-srcs", |         "//staging/src/k8s.io/client-go/deprecated/typed/apps/v1beta1:all-srcs", | ||||||
|         "//staging/src/k8s.io/client-go/deprecated/typed/apps/v1beta2:all-srcs", |         "//staging/src/k8s.io/client-go/deprecated/typed/apps/v1beta2:all-srcs", | ||||||
|         "//staging/src/k8s.io/client-go/deprecated/typed/auditregistration/v1alpha1:all-srcs", |  | ||||||
|         "//staging/src/k8s.io/client-go/deprecated/typed/authentication/v1:all-srcs", |         "//staging/src/k8s.io/client-go/deprecated/typed/authentication/v1:all-srcs", | ||||||
|         "//staging/src/k8s.io/client-go/deprecated/typed/authentication/v1beta1:all-srcs", |         "//staging/src/k8s.io/client-go/deprecated/typed/authentication/v1beta1:all-srcs", | ||||||
|         "//staging/src/k8s.io/client-go/deprecated/typed/authorization/v1:all-srcs", |         "//staging/src/k8s.io/client-go/deprecated/typed/authorization/v1:all-srcs", | ||||||
|   | |||||||
| @@ -26,7 +26,6 @@ import ( | |||||||
| 	appsv1 "k8s.io/client-go/deprecated/typed/apps/v1" | 	appsv1 "k8s.io/client-go/deprecated/typed/apps/v1" | ||||||
| 	appsv1beta1 "k8s.io/client-go/deprecated/typed/apps/v1beta1" | 	appsv1beta1 "k8s.io/client-go/deprecated/typed/apps/v1beta1" | ||||||
| 	appsv1beta2 "k8s.io/client-go/deprecated/typed/apps/v1beta2" | 	appsv1beta2 "k8s.io/client-go/deprecated/typed/apps/v1beta2" | ||||||
| 	auditregistrationv1alpha1 "k8s.io/client-go/deprecated/typed/auditregistration/v1alpha1" |  | ||||||
| 	authenticationv1 "k8s.io/client-go/deprecated/typed/authentication/v1" | 	authenticationv1 "k8s.io/client-go/deprecated/typed/authentication/v1" | ||||||
| 	authenticationv1beta1 "k8s.io/client-go/deprecated/typed/authentication/v1beta1" | 	authenticationv1beta1 "k8s.io/client-go/deprecated/typed/authentication/v1beta1" | ||||||
| 	authorizationv1 "k8s.io/client-go/deprecated/typed/authorization/v1" | 	authorizationv1 "k8s.io/client-go/deprecated/typed/authorization/v1" | ||||||
| @@ -73,7 +72,6 @@ type Interface interface { | |||||||
| 	AppsV1() appsv1.AppsV1Interface | 	AppsV1() appsv1.AppsV1Interface | ||||||
| 	AppsV1beta1() appsv1beta1.AppsV1beta1Interface | 	AppsV1beta1() appsv1beta1.AppsV1beta1Interface | ||||||
| 	AppsV1beta2() appsv1beta2.AppsV1beta2Interface | 	AppsV1beta2() appsv1beta2.AppsV1beta2Interface | ||||||
| 	AuditregistrationV1alpha1() auditregistrationv1alpha1.AuditregistrationV1alpha1Interface |  | ||||||
| 	AuthenticationV1() authenticationv1.AuthenticationV1Interface | 	AuthenticationV1() authenticationv1.AuthenticationV1Interface | ||||||
| 	AuthenticationV1beta1() authenticationv1beta1.AuthenticationV1beta1Interface | 	AuthenticationV1beta1() authenticationv1beta1.AuthenticationV1beta1Interface | ||||||
| 	AuthorizationV1() authorizationv1.AuthorizationV1Interface | 	AuthorizationV1() authorizationv1.AuthorizationV1Interface | ||||||
| @@ -119,7 +117,6 @@ type Clientset struct { | |||||||
| 	appsV1                       *appsv1.AppsV1Client | 	appsV1                       *appsv1.AppsV1Client | ||||||
| 	appsV1beta1                  *appsv1beta1.AppsV1beta1Client | 	appsV1beta1                  *appsv1beta1.AppsV1beta1Client | ||||||
| 	appsV1beta2                  *appsv1beta2.AppsV1beta2Client | 	appsV1beta2                  *appsv1beta2.AppsV1beta2Client | ||||||
| 	auditregistrationV1alpha1    *auditregistrationv1alpha1.AuditregistrationV1alpha1Client |  | ||||||
| 	authenticationV1             *authenticationv1.AuthenticationV1Client | 	authenticationV1             *authenticationv1.AuthenticationV1Client | ||||||
| 	authenticationV1beta1        *authenticationv1beta1.AuthenticationV1beta1Client | 	authenticationV1beta1        *authenticationv1beta1.AuthenticationV1beta1Client | ||||||
| 	authorizationV1              *authorizationv1.AuthorizationV1Client | 	authorizationV1              *authorizationv1.AuthorizationV1Client | ||||||
| @@ -181,11 +178,6 @@ func (c *Clientset) AppsV1beta2() appsv1beta2.AppsV1beta2Interface { | |||||||
| 	return c.appsV1beta2 | 	return c.appsV1beta2 | ||||||
| } | } | ||||||
|  |  | ||||||
| // AuditregistrationV1alpha1 retrieves the AuditregistrationV1alpha1Client |  | ||||||
| func (c *Clientset) AuditregistrationV1alpha1() auditregistrationv1alpha1.AuditregistrationV1alpha1Interface { |  | ||||||
| 	return c.auditregistrationV1alpha1 |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // AuthenticationV1 retrieves the AuthenticationV1Client | // AuthenticationV1 retrieves the AuthenticationV1Client | ||||||
| func (c *Clientset) AuthenticationV1() authenticationv1.AuthenticationV1Interface { | func (c *Clientset) AuthenticationV1() authenticationv1.AuthenticationV1Interface { | ||||||
| 	return c.authenticationV1 | 	return c.authenticationV1 | ||||||
| @@ -397,10 +389,6 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { | |||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		return nil, err | 		return nil, err | ||||||
| 	} | 	} | ||||||
| 	cs.auditregistrationV1alpha1, err = auditregistrationv1alpha1.NewForConfig(&configShallowCopy) |  | ||||||
| 	if err != nil { |  | ||||||
| 		return nil, err |  | ||||||
| 	} |  | ||||||
| 	cs.authenticationV1, err = authenticationv1.NewForConfig(&configShallowCopy) | 	cs.authenticationV1, err = authenticationv1.NewForConfig(&configShallowCopy) | ||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		return nil, err | 		return nil, err | ||||||
| @@ -554,7 +542,6 @@ func NewForConfigOrDie(c *rest.Config) *Clientset { | |||||||
| 	cs.appsV1 = appsv1.NewForConfigOrDie(c) | 	cs.appsV1 = appsv1.NewForConfigOrDie(c) | ||||||
| 	cs.appsV1beta1 = appsv1beta1.NewForConfigOrDie(c) | 	cs.appsV1beta1 = appsv1beta1.NewForConfigOrDie(c) | ||||||
| 	cs.appsV1beta2 = appsv1beta2.NewForConfigOrDie(c) | 	cs.appsV1beta2 = appsv1beta2.NewForConfigOrDie(c) | ||||||
| 	cs.auditregistrationV1alpha1 = auditregistrationv1alpha1.NewForConfigOrDie(c) |  | ||||||
| 	cs.authenticationV1 = authenticationv1.NewForConfigOrDie(c) | 	cs.authenticationV1 = authenticationv1.NewForConfigOrDie(c) | ||||||
| 	cs.authenticationV1beta1 = authenticationv1beta1.NewForConfigOrDie(c) | 	cs.authenticationV1beta1 = authenticationv1beta1.NewForConfigOrDie(c) | ||||||
| 	cs.authorizationV1 = authorizationv1.NewForConfigOrDie(c) | 	cs.authorizationV1 = authorizationv1.NewForConfigOrDie(c) | ||||||
| @@ -602,7 +589,6 @@ func New(c rest.Interface) *Clientset { | |||||||
| 	cs.appsV1 = appsv1.New(c) | 	cs.appsV1 = appsv1.New(c) | ||||||
| 	cs.appsV1beta1 = appsv1beta1.New(c) | 	cs.appsV1beta1 = appsv1beta1.New(c) | ||||||
| 	cs.appsV1beta2 = appsv1beta2.New(c) | 	cs.appsV1beta2 = appsv1beta2.New(c) | ||||||
| 	cs.auditregistrationV1alpha1 = auditregistrationv1alpha1.New(c) |  | ||||||
| 	cs.authenticationV1 = authenticationv1.New(c) | 	cs.authenticationV1 = authenticationv1.New(c) | ||||||
| 	cs.authenticationV1beta1 = authenticationv1beta1.New(c) | 	cs.authenticationV1beta1 = authenticationv1beta1.New(c) | ||||||
| 	cs.authorizationV1 = authorizationv1.New(c) | 	cs.authorizationV1 = authorizationv1.New(c) | ||||||
|   | |||||||
| @@ -16,7 +16,6 @@ go_library( | |||||||
|         "//staging/src/k8s.io/api/apps/v1:go_default_library", |         "//staging/src/k8s.io/api/apps/v1:go_default_library", | ||||||
|         "//staging/src/k8s.io/api/apps/v1beta1:go_default_library", |         "//staging/src/k8s.io/api/apps/v1beta1:go_default_library", | ||||||
|         "//staging/src/k8s.io/api/apps/v1beta2:go_default_library", |         "//staging/src/k8s.io/api/apps/v1beta2:go_default_library", | ||||||
|         "//staging/src/k8s.io/api/auditregistration/v1alpha1:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/api/authentication/v1:go_default_library", |         "//staging/src/k8s.io/api/authentication/v1:go_default_library", | ||||||
|         "//staging/src/k8s.io/api/authentication/v1beta1:go_default_library", |         "//staging/src/k8s.io/api/authentication/v1beta1:go_default_library", | ||||||
|         "//staging/src/k8s.io/api/authorization/v1:go_default_library", |         "//staging/src/k8s.io/api/authorization/v1:go_default_library", | ||||||
| @@ -68,8 +67,6 @@ go_library( | |||||||
|         "//staging/src/k8s.io/client-go/deprecated/typed/apps/v1beta1/fake:go_default_library", |         "//staging/src/k8s.io/client-go/deprecated/typed/apps/v1beta1/fake:go_default_library", | ||||||
|         "//staging/src/k8s.io/client-go/deprecated/typed/apps/v1beta2:go_default_library", |         "//staging/src/k8s.io/client-go/deprecated/typed/apps/v1beta2:go_default_library", | ||||||
|         "//staging/src/k8s.io/client-go/deprecated/typed/apps/v1beta2/fake:go_default_library", |         "//staging/src/k8s.io/client-go/deprecated/typed/apps/v1beta2/fake:go_default_library", | ||||||
|         "//staging/src/k8s.io/client-go/deprecated/typed/auditregistration/v1alpha1:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/client-go/deprecated/typed/auditregistration/v1alpha1/fake:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/client-go/deprecated/typed/authentication/v1:go_default_library", |         "//staging/src/k8s.io/client-go/deprecated/typed/authentication/v1:go_default_library", | ||||||
|         "//staging/src/k8s.io/client-go/deprecated/typed/authentication/v1/fake:go_default_library", |         "//staging/src/k8s.io/client-go/deprecated/typed/authentication/v1/fake:go_default_library", | ||||||
|         "//staging/src/k8s.io/client-go/deprecated/typed/authentication/v1beta1:go_default_library", |         "//staging/src/k8s.io/client-go/deprecated/typed/authentication/v1beta1:go_default_library", | ||||||
|   | |||||||
| @@ -32,8 +32,6 @@ import ( | |||||||
| 	fakeappsv1beta1 "k8s.io/client-go/deprecated/typed/apps/v1beta1/fake" | 	fakeappsv1beta1 "k8s.io/client-go/deprecated/typed/apps/v1beta1/fake" | ||||||
| 	appsv1beta2 "k8s.io/client-go/deprecated/typed/apps/v1beta2" | 	appsv1beta2 "k8s.io/client-go/deprecated/typed/apps/v1beta2" | ||||||
| 	fakeappsv1beta2 "k8s.io/client-go/deprecated/typed/apps/v1beta2/fake" | 	fakeappsv1beta2 "k8s.io/client-go/deprecated/typed/apps/v1beta2/fake" | ||||||
| 	auditregistrationv1alpha1 "k8s.io/client-go/deprecated/typed/auditregistration/v1alpha1" |  | ||||||
| 	fakeauditregistrationv1alpha1 "k8s.io/client-go/deprecated/typed/auditregistration/v1alpha1/fake" |  | ||||||
| 	authenticationv1 "k8s.io/client-go/deprecated/typed/authentication/v1" | 	authenticationv1 "k8s.io/client-go/deprecated/typed/authentication/v1" | ||||||
| 	fakeauthenticationv1 "k8s.io/client-go/deprecated/typed/authentication/v1/fake" | 	fakeauthenticationv1 "k8s.io/client-go/deprecated/typed/authentication/v1/fake" | ||||||
| 	authenticationv1beta1 "k8s.io/client-go/deprecated/typed/authentication/v1beta1" | 	authenticationv1beta1 "k8s.io/client-go/deprecated/typed/authentication/v1beta1" | ||||||
| @@ -179,11 +177,6 @@ func (c *Clientset) AppsV1beta2() appsv1beta2.AppsV1beta2Interface { | |||||||
| 	return &fakeappsv1beta2.FakeAppsV1beta2{Fake: &c.Fake} | 	return &fakeappsv1beta2.FakeAppsV1beta2{Fake: &c.Fake} | ||||||
| } | } | ||||||
|  |  | ||||||
| // AuditregistrationV1alpha1 retrieves the AuditregistrationV1alpha1Client |  | ||||||
| func (c *Clientset) AuditregistrationV1alpha1() auditregistrationv1alpha1.AuditregistrationV1alpha1Interface { |  | ||||||
| 	return &fakeauditregistrationv1alpha1.FakeAuditregistrationV1alpha1{Fake: &c.Fake} |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // AuthenticationV1 retrieves the AuthenticationV1Client | // AuthenticationV1 retrieves the AuthenticationV1Client | ||||||
| func (c *Clientset) AuthenticationV1() authenticationv1.AuthenticationV1Interface { | func (c *Clientset) AuthenticationV1() authenticationv1.AuthenticationV1Interface { | ||||||
| 	return &fakeauthenticationv1.FakeAuthenticationV1{Fake: &c.Fake} | 	return &fakeauthenticationv1.FakeAuthenticationV1{Fake: &c.Fake} | ||||||
|   | |||||||
| @@ -24,7 +24,6 @@ import ( | |||||||
| 	appsv1 "k8s.io/api/apps/v1" | 	appsv1 "k8s.io/api/apps/v1" | ||||||
| 	appsv1beta1 "k8s.io/api/apps/v1beta1" | 	appsv1beta1 "k8s.io/api/apps/v1beta1" | ||||||
| 	appsv1beta2 "k8s.io/api/apps/v1beta2" | 	appsv1beta2 "k8s.io/api/apps/v1beta2" | ||||||
| 	auditregistrationv1alpha1 "k8s.io/api/auditregistration/v1alpha1" |  | ||||||
| 	authenticationv1 "k8s.io/api/authentication/v1" | 	authenticationv1 "k8s.io/api/authentication/v1" | ||||||
| 	authenticationv1beta1 "k8s.io/api/authentication/v1beta1" | 	authenticationv1beta1 "k8s.io/api/authentication/v1beta1" | ||||||
| 	authorizationv1 "k8s.io/api/authorization/v1" | 	authorizationv1 "k8s.io/api/authorization/v1" | ||||||
| @@ -75,7 +74,6 @@ var localSchemeBuilder = runtime.SchemeBuilder{ | |||||||
| 	appsv1.AddToScheme, | 	appsv1.AddToScheme, | ||||||
| 	appsv1beta1.AddToScheme, | 	appsv1beta1.AddToScheme, | ||||||
| 	appsv1beta2.AddToScheme, | 	appsv1beta2.AddToScheme, | ||||||
| 	auditregistrationv1alpha1.AddToScheme, |  | ||||||
| 	authenticationv1.AddToScheme, | 	authenticationv1.AddToScheme, | ||||||
| 	authenticationv1beta1.AddToScheme, | 	authenticationv1beta1.AddToScheme, | ||||||
| 	authorizationv1.AddToScheme, | 	authorizationv1.AddToScheme, | ||||||
|   | |||||||
| @@ -15,7 +15,6 @@ go_library( | |||||||
|         "//staging/src/k8s.io/api/apps/v1:go_default_library", |         "//staging/src/k8s.io/api/apps/v1:go_default_library", | ||||||
|         "//staging/src/k8s.io/api/apps/v1beta1:go_default_library", |         "//staging/src/k8s.io/api/apps/v1beta1:go_default_library", | ||||||
|         "//staging/src/k8s.io/api/apps/v1beta2:go_default_library", |         "//staging/src/k8s.io/api/apps/v1beta2:go_default_library", | ||||||
|         "//staging/src/k8s.io/api/auditregistration/v1alpha1:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/api/authentication/v1:go_default_library", |         "//staging/src/k8s.io/api/authentication/v1:go_default_library", | ||||||
|         "//staging/src/k8s.io/api/authentication/v1beta1:go_default_library", |         "//staging/src/k8s.io/api/authentication/v1beta1:go_default_library", | ||||||
|         "//staging/src/k8s.io/api/authorization/v1:go_default_library", |         "//staging/src/k8s.io/api/authorization/v1:go_default_library", | ||||||
|   | |||||||
| @@ -24,7 +24,6 @@ import ( | |||||||
| 	appsv1 "k8s.io/api/apps/v1" | 	appsv1 "k8s.io/api/apps/v1" | ||||||
| 	appsv1beta1 "k8s.io/api/apps/v1beta1" | 	appsv1beta1 "k8s.io/api/apps/v1beta1" | ||||||
| 	appsv1beta2 "k8s.io/api/apps/v1beta2" | 	appsv1beta2 "k8s.io/api/apps/v1beta2" | ||||||
| 	auditregistrationv1alpha1 "k8s.io/api/auditregistration/v1alpha1" |  | ||||||
| 	authenticationv1 "k8s.io/api/authentication/v1" | 	authenticationv1 "k8s.io/api/authentication/v1" | ||||||
| 	authenticationv1beta1 "k8s.io/api/authentication/v1beta1" | 	authenticationv1beta1 "k8s.io/api/authentication/v1beta1" | ||||||
| 	authorizationv1 "k8s.io/api/authorization/v1" | 	authorizationv1 "k8s.io/api/authorization/v1" | ||||||
| @@ -75,7 +74,6 @@ var localSchemeBuilder = runtime.SchemeBuilder{ | |||||||
| 	appsv1.AddToScheme, | 	appsv1.AddToScheme, | ||||||
| 	appsv1beta1.AddToScheme, | 	appsv1beta1.AddToScheme, | ||||||
| 	appsv1beta2.AddToScheme, | 	appsv1beta2.AddToScheme, | ||||||
| 	auditregistrationv1alpha1.AddToScheme, |  | ||||||
| 	authenticationv1.AddToScheme, | 	authenticationv1.AddToScheme, | ||||||
| 	authenticationv1beta1.AddToScheme, | 	authenticationv1beta1.AddToScheme, | ||||||
| 	authorizationv1.AddToScheme, | 	authorizationv1.AddToScheme, | ||||||
|   | |||||||
| @@ -1,39 +0,0 @@ | |||||||
| load("@io_bazel_rules_go//go:def.bzl", "go_library") |  | ||||||
|  |  | ||||||
| go_library( |  | ||||||
|     name = "go_default_library", |  | ||||||
|     srcs = [ |  | ||||||
|         "auditregistration_client.go", |  | ||||||
|         "auditsink.go", |  | ||||||
|         "doc.go", |  | ||||||
|         "generated_expansion.go", |  | ||||||
|     ], |  | ||||||
|     importmap = "k8s.io/kubernetes/vendor/k8s.io/client-go/deprecated/typed/auditregistration/v1alpha1", |  | ||||||
|     importpath = "k8s.io/client-go/deprecated/typed/auditregistration/v1alpha1", |  | ||||||
|     visibility = ["//staging/src/k8s.io/client-go/deprecated:__subpackages__"], |  | ||||||
|     deps = [ |  | ||||||
|         "//staging/src/k8s.io/api/auditregistration/v1alpha1:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/types:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/watch:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/client-go/deprecated/scheme:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/client-go/rest:go_default_library", |  | ||||||
|     ], |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| filegroup( |  | ||||||
|     name = "package-srcs", |  | ||||||
|     srcs = glob(["**"]), |  | ||||||
|     tags = ["automanaged"], |  | ||||||
|     visibility = ["//visibility:private"], |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| filegroup( |  | ||||||
|     name = "all-srcs", |  | ||||||
|     srcs = [ |  | ||||||
|         ":package-srcs", |  | ||||||
|         "//staging/src/k8s.io/client-go/deprecated/typed/auditregistration/v1alpha1/fake:all-srcs", |  | ||||||
|     ], |  | ||||||
|     tags = ["automanaged"], |  | ||||||
|     visibility = ["//visibility:public"], |  | ||||||
| ) |  | ||||||
| @@ -1,89 +0,0 @@ | |||||||
| /* |  | ||||||
| Copyright The Kubernetes Authors. |  | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| you may not use this file except in compliance with the License. |  | ||||||
| You may obtain a copy of the License at |  | ||||||
|  |  | ||||||
|     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
|  |  | ||||||
| Unless required by applicable law or agreed to in writing, software |  | ||||||
| distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| See the License for the specific language governing permissions and |  | ||||||
| limitations under the License. |  | ||||||
| */ |  | ||||||
|  |  | ||||||
| // Code generated by client-gen. DO NOT EDIT. |  | ||||||
|  |  | ||||||
| package v1alpha1 |  | ||||||
|  |  | ||||||
| import ( |  | ||||||
| 	v1alpha1 "k8s.io/api/auditregistration/v1alpha1" |  | ||||||
| 	"k8s.io/client-go/deprecated/scheme" |  | ||||||
| 	rest "k8s.io/client-go/rest" |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| type AuditregistrationV1alpha1Interface interface { |  | ||||||
| 	RESTClient() rest.Interface |  | ||||||
| 	AuditSinksGetter |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // AuditregistrationV1alpha1Client is used to interact with features provided by the auditregistration.k8s.io group. |  | ||||||
| type AuditregistrationV1alpha1Client struct { |  | ||||||
| 	restClient rest.Interface |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func (c *AuditregistrationV1alpha1Client) AuditSinks() AuditSinkInterface { |  | ||||||
| 	return newAuditSinks(c) |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // NewForConfig creates a new AuditregistrationV1alpha1Client for the given config. |  | ||||||
| func NewForConfig(c *rest.Config) (*AuditregistrationV1alpha1Client, error) { |  | ||||||
| 	config := *c |  | ||||||
| 	if err := setConfigDefaults(&config); err != nil { |  | ||||||
| 		return nil, err |  | ||||||
| 	} |  | ||||||
| 	client, err := rest.RESTClientFor(&config) |  | ||||||
| 	if err != nil { |  | ||||||
| 		return nil, err |  | ||||||
| 	} |  | ||||||
| 	return &AuditregistrationV1alpha1Client{client}, nil |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // NewForConfigOrDie creates a new AuditregistrationV1alpha1Client for the given config and |  | ||||||
| // panics if there is an error in the config. |  | ||||||
| func NewForConfigOrDie(c *rest.Config) *AuditregistrationV1alpha1Client { |  | ||||||
| 	client, err := NewForConfig(c) |  | ||||||
| 	if err != nil { |  | ||||||
| 		panic(err) |  | ||||||
| 	} |  | ||||||
| 	return client |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // New creates a new AuditregistrationV1alpha1Client for the given RESTClient. |  | ||||||
| func New(c rest.Interface) *AuditregistrationV1alpha1Client { |  | ||||||
| 	return &AuditregistrationV1alpha1Client{c} |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func setConfigDefaults(config *rest.Config) error { |  | ||||||
| 	gv := v1alpha1.SchemeGroupVersion |  | ||||||
| 	config.GroupVersion = &gv |  | ||||||
| 	config.APIPath = "/apis" |  | ||||||
| 	config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() |  | ||||||
|  |  | ||||||
| 	if config.UserAgent == "" { |  | ||||||
| 		config.UserAgent = rest.DefaultKubernetesUserAgent() |  | ||||||
| 	} |  | ||||||
|  |  | ||||||
| 	return nil |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // RESTClient returns a RESTClient that is used to communicate |  | ||||||
| // with API server by this client implementation. |  | ||||||
| func (c *AuditregistrationV1alpha1Client) RESTClient() rest.Interface { |  | ||||||
| 	if c == nil { |  | ||||||
| 		return nil |  | ||||||
| 	} |  | ||||||
| 	return c.restClient |  | ||||||
| } |  | ||||||
| @@ -1,165 +0,0 @@ | |||||||
| /* |  | ||||||
| Copyright The Kubernetes Authors. |  | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| you may not use this file except in compliance with the License. |  | ||||||
| You may obtain a copy of the License at |  | ||||||
|  |  | ||||||
|     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
|  |  | ||||||
| Unless required by applicable law or agreed to in writing, software |  | ||||||
| distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| See the License for the specific language governing permissions and |  | ||||||
| limitations under the License. |  | ||||||
| */ |  | ||||||
|  |  | ||||||
| // Code generated by client-gen. DO NOT EDIT. |  | ||||||
|  |  | ||||||
| package v1alpha1 |  | ||||||
|  |  | ||||||
| import ( |  | ||||||
| 	"context" |  | ||||||
| 	"time" |  | ||||||
|  |  | ||||||
| 	v1alpha1 "k8s.io/api/auditregistration/v1alpha1" |  | ||||||
| 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1" |  | ||||||
| 	types "k8s.io/apimachinery/pkg/types" |  | ||||||
| 	watch "k8s.io/apimachinery/pkg/watch" |  | ||||||
| 	scheme "k8s.io/client-go/deprecated/scheme" |  | ||||||
| 	rest "k8s.io/client-go/rest" |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| // AuditSinksGetter has a method to return a AuditSinkInterface. |  | ||||||
| // A group's client should implement this interface. |  | ||||||
| type AuditSinksGetter interface { |  | ||||||
| 	AuditSinks() AuditSinkInterface |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // AuditSinkInterface has methods to work with AuditSink resources. |  | ||||||
| type AuditSinkInterface interface { |  | ||||||
| 	Create(*v1alpha1.AuditSink) (*v1alpha1.AuditSink, error) |  | ||||||
| 	Update(*v1alpha1.AuditSink) (*v1alpha1.AuditSink, error) |  | ||||||
| 	Delete(name string, options *v1.DeleteOptions) error |  | ||||||
| 	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error |  | ||||||
| 	Get(name string, options v1.GetOptions) (*v1alpha1.AuditSink, error) |  | ||||||
| 	List(opts v1.ListOptions) (*v1alpha1.AuditSinkList, error) |  | ||||||
| 	Watch(opts v1.ListOptions) (watch.Interface, error) |  | ||||||
| 	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.AuditSink, err error) |  | ||||||
| 	AuditSinkExpansion |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // auditSinks implements AuditSinkInterface |  | ||||||
| type auditSinks struct { |  | ||||||
| 	client rest.Interface |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // newAuditSinks returns a AuditSinks |  | ||||||
| func newAuditSinks(c *AuditregistrationV1alpha1Client) *auditSinks { |  | ||||||
| 	return &auditSinks{ |  | ||||||
| 		client: c.RESTClient(), |  | ||||||
| 	} |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Get takes name of the auditSink, and returns the corresponding auditSink object, and an error if there is any. |  | ||||||
| func (c *auditSinks) Get(name string, options v1.GetOptions) (result *v1alpha1.AuditSink, err error) { |  | ||||||
| 	result = &v1alpha1.AuditSink{} |  | ||||||
| 	err = c.client.Get(). |  | ||||||
| 		Resource("auditsinks"). |  | ||||||
| 		Name(name). |  | ||||||
| 		VersionedParams(&options, scheme.ParameterCodec). |  | ||||||
| 		Do(context.TODO()). |  | ||||||
| 		Into(result) |  | ||||||
| 	return |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // List takes label and field selectors, and returns the list of AuditSinks that match those selectors. |  | ||||||
| func (c *auditSinks) List(opts v1.ListOptions) (result *v1alpha1.AuditSinkList, err error) { |  | ||||||
| 	var timeout time.Duration |  | ||||||
| 	if opts.TimeoutSeconds != nil { |  | ||||||
| 		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second |  | ||||||
| 	} |  | ||||||
| 	result = &v1alpha1.AuditSinkList{} |  | ||||||
| 	err = c.client.Get(). |  | ||||||
| 		Resource("auditsinks"). |  | ||||||
| 		VersionedParams(&opts, scheme.ParameterCodec). |  | ||||||
| 		Timeout(timeout). |  | ||||||
| 		Do(context.TODO()). |  | ||||||
| 		Into(result) |  | ||||||
| 	return |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Watch returns a watch.Interface that watches the requested auditSinks. |  | ||||||
| func (c *auditSinks) Watch(opts v1.ListOptions) (watch.Interface, error) { |  | ||||||
| 	var timeout time.Duration |  | ||||||
| 	if opts.TimeoutSeconds != nil { |  | ||||||
| 		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second |  | ||||||
| 	} |  | ||||||
| 	opts.Watch = true |  | ||||||
| 	return c.client.Get(). |  | ||||||
| 		Resource("auditsinks"). |  | ||||||
| 		VersionedParams(&opts, scheme.ParameterCodec). |  | ||||||
| 		Timeout(timeout). |  | ||||||
| 		Watch(context.TODO()) |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Create takes the representation of a auditSink and creates it.  Returns the server's representation of the auditSink, and an error, if there is any. |  | ||||||
| func (c *auditSinks) Create(auditSink *v1alpha1.AuditSink) (result *v1alpha1.AuditSink, err error) { |  | ||||||
| 	result = &v1alpha1.AuditSink{} |  | ||||||
| 	err = c.client.Post(). |  | ||||||
| 		Resource("auditsinks"). |  | ||||||
| 		Body(auditSink). |  | ||||||
| 		Do(context.TODO()). |  | ||||||
| 		Into(result) |  | ||||||
| 	return |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Update takes the representation of a auditSink and updates it. Returns the server's representation of the auditSink, and an error, if there is any. |  | ||||||
| func (c *auditSinks) Update(auditSink *v1alpha1.AuditSink) (result *v1alpha1.AuditSink, err error) { |  | ||||||
| 	result = &v1alpha1.AuditSink{} |  | ||||||
| 	err = c.client.Put(). |  | ||||||
| 		Resource("auditsinks"). |  | ||||||
| 		Name(auditSink.Name). |  | ||||||
| 		Body(auditSink). |  | ||||||
| 		Do(context.TODO()). |  | ||||||
| 		Into(result) |  | ||||||
| 	return |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Delete takes name of the auditSink and deletes it. Returns an error if one occurs. |  | ||||||
| func (c *auditSinks) Delete(name string, options *v1.DeleteOptions) error { |  | ||||||
| 	return c.client.Delete(). |  | ||||||
| 		Resource("auditsinks"). |  | ||||||
| 		Name(name). |  | ||||||
| 		Body(options). |  | ||||||
| 		Do(context.TODO()). |  | ||||||
| 		Error() |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // DeleteCollection deletes a collection of objects. |  | ||||||
| func (c *auditSinks) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error { |  | ||||||
| 	var timeout time.Duration |  | ||||||
| 	if listOptions.TimeoutSeconds != nil { |  | ||||||
| 		timeout = time.Duration(*listOptions.TimeoutSeconds) * time.Second |  | ||||||
| 	} |  | ||||||
| 	return c.client.Delete(). |  | ||||||
| 		Resource("auditsinks"). |  | ||||||
| 		VersionedParams(&listOptions, scheme.ParameterCodec). |  | ||||||
| 		Timeout(timeout). |  | ||||||
| 		Body(options). |  | ||||||
| 		Do(context.TODO()). |  | ||||||
| 		Error() |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Patch applies the patch and returns the patched auditSink. |  | ||||||
| func (c *auditSinks) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.AuditSink, err error) { |  | ||||||
| 	result = &v1alpha1.AuditSink{} |  | ||||||
| 	err = c.client.Patch(pt). |  | ||||||
| 		Resource("auditsinks"). |  | ||||||
| 		SubResource(subresources...). |  | ||||||
| 		Name(name). |  | ||||||
| 		Body(data). |  | ||||||
| 		Do(context.TODO()). |  | ||||||
| 		Into(result) |  | ||||||
| 	return |  | ||||||
| } |  | ||||||
| @@ -1,20 +0,0 @@ | |||||||
| /* |  | ||||||
| Copyright The Kubernetes Authors. |  | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| you may not use this file except in compliance with the License. |  | ||||||
| You may obtain a copy of the License at |  | ||||||
|  |  | ||||||
|     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
|  |  | ||||||
| Unless required by applicable law or agreed to in writing, software |  | ||||||
| distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| See the License for the specific language governing permissions and |  | ||||||
| limitations under the License. |  | ||||||
| */ |  | ||||||
|  |  | ||||||
| // Code generated by client-gen. DO NOT EDIT. |  | ||||||
|  |  | ||||||
| // This package has the automatically generated typed clients. |  | ||||||
| package v1alpha1 |  | ||||||
| @@ -1,38 +0,0 @@ | |||||||
| load("@io_bazel_rules_go//go:def.bzl", "go_library") |  | ||||||
|  |  | ||||||
| go_library( |  | ||||||
|     name = "go_default_library", |  | ||||||
|     srcs = [ |  | ||||||
|         "doc.go", |  | ||||||
|         "fake_auditregistration_client.go", |  | ||||||
|         "fake_auditsink.go", |  | ||||||
|     ], |  | ||||||
|     importmap = "k8s.io/kubernetes/vendor/k8s.io/client-go/deprecated/typed/auditregistration/v1alpha1/fake", |  | ||||||
|     importpath = "k8s.io/client-go/deprecated/typed/auditregistration/v1alpha1/fake", |  | ||||||
|     visibility = ["//staging/src/k8s.io/client-go/deprecated:__subpackages__"], |  | ||||||
|     deps = [ |  | ||||||
|         "//staging/src/k8s.io/api/auditregistration/v1alpha1:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/labels:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/types:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/apimachinery/pkg/watch:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/client-go/deprecated/typed/auditregistration/v1alpha1:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/client-go/rest:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/client-go/testing:go_default_library", |  | ||||||
|     ], |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| filegroup( |  | ||||||
|     name = "package-srcs", |  | ||||||
|     srcs = glob(["**"]), |  | ||||||
|     tags = ["automanaged"], |  | ||||||
|     visibility = ["//visibility:private"], |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| filegroup( |  | ||||||
|     name = "all-srcs", |  | ||||||
|     srcs = [":package-srcs"], |  | ||||||
|     tags = ["automanaged"], |  | ||||||
|     visibility = ["//visibility:public"], |  | ||||||
| ) |  | ||||||
| @@ -1,20 +0,0 @@ | |||||||
| /* |  | ||||||
| Copyright The Kubernetes Authors. |  | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| you may not use this file except in compliance with the License. |  | ||||||
| You may obtain a copy of the License at |  | ||||||
|  |  | ||||||
|     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
|  |  | ||||||
| Unless required by applicable law or agreed to in writing, software |  | ||||||
| distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| See the License for the specific language governing permissions and |  | ||||||
| limitations under the License. |  | ||||||
| */ |  | ||||||
|  |  | ||||||
| // Code generated by client-gen. DO NOT EDIT. |  | ||||||
|  |  | ||||||
| // Package fake has the automatically generated clients. |  | ||||||
| package fake |  | ||||||
| @@ -1,40 +0,0 @@ | |||||||
| /* |  | ||||||
| Copyright The Kubernetes Authors. |  | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| you may not use this file except in compliance with the License. |  | ||||||
| You may obtain a copy of the License at |  | ||||||
|  |  | ||||||
|     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
|  |  | ||||||
| Unless required by applicable law or agreed to in writing, software |  | ||||||
| distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| See the License for the specific language governing permissions and |  | ||||||
| limitations under the License. |  | ||||||
| */ |  | ||||||
|  |  | ||||||
| // Code generated by client-gen. DO NOT EDIT. |  | ||||||
|  |  | ||||||
| package fake |  | ||||||
|  |  | ||||||
| import ( |  | ||||||
| 	v1alpha1 "k8s.io/client-go/deprecated/typed/auditregistration/v1alpha1" |  | ||||||
| 	rest "k8s.io/client-go/rest" |  | ||||||
| 	testing "k8s.io/client-go/testing" |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| type FakeAuditregistrationV1alpha1 struct { |  | ||||||
| 	*testing.Fake |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func (c *FakeAuditregistrationV1alpha1) AuditSinks() v1alpha1.AuditSinkInterface { |  | ||||||
| 	return &FakeAuditSinks{c} |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // RESTClient returns a RESTClient that is used to communicate |  | ||||||
| // with API server by this client implementation. |  | ||||||
| func (c *FakeAuditregistrationV1alpha1) RESTClient() rest.Interface { |  | ||||||
| 	var ret *rest.RESTClient |  | ||||||
| 	return ret |  | ||||||
| } |  | ||||||
| @@ -1,120 +0,0 @@ | |||||||
| /* |  | ||||||
| Copyright The Kubernetes Authors. |  | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| you may not use this file except in compliance with the License. |  | ||||||
| You may obtain a copy of the License at |  | ||||||
|  |  | ||||||
|     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
|  |  | ||||||
| Unless required by applicable law or agreed to in writing, software |  | ||||||
| distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| See the License for the specific language governing permissions and |  | ||||||
| limitations under the License. |  | ||||||
| */ |  | ||||||
|  |  | ||||||
| // Code generated by client-gen. DO NOT EDIT. |  | ||||||
|  |  | ||||||
| package fake |  | ||||||
|  |  | ||||||
| import ( |  | ||||||
| 	v1alpha1 "k8s.io/api/auditregistration/v1alpha1" |  | ||||||
| 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1" |  | ||||||
| 	labels "k8s.io/apimachinery/pkg/labels" |  | ||||||
| 	schema "k8s.io/apimachinery/pkg/runtime/schema" |  | ||||||
| 	types "k8s.io/apimachinery/pkg/types" |  | ||||||
| 	watch "k8s.io/apimachinery/pkg/watch" |  | ||||||
| 	testing "k8s.io/client-go/testing" |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| // FakeAuditSinks implements AuditSinkInterface |  | ||||||
| type FakeAuditSinks struct { |  | ||||||
| 	Fake *FakeAuditregistrationV1alpha1 |  | ||||||
| } |  | ||||||
|  |  | ||||||
| var auditsinksResource = schema.GroupVersionResource{Group: "auditregistration.k8s.io", Version: "v1alpha1", Resource: "auditsinks"} |  | ||||||
|  |  | ||||||
| var auditsinksKind = schema.GroupVersionKind{Group: "auditregistration.k8s.io", Version: "v1alpha1", Kind: "AuditSink"} |  | ||||||
|  |  | ||||||
| // Get takes name of the auditSink, and returns the corresponding auditSink object, and an error if there is any. |  | ||||||
| func (c *FakeAuditSinks) Get(name string, options v1.GetOptions) (result *v1alpha1.AuditSink, err error) { |  | ||||||
| 	obj, err := c.Fake. |  | ||||||
| 		Invokes(testing.NewRootGetAction(auditsinksResource, name), &v1alpha1.AuditSink{}) |  | ||||||
| 	if obj == nil { |  | ||||||
| 		return nil, err |  | ||||||
| 	} |  | ||||||
| 	return obj.(*v1alpha1.AuditSink), err |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // List takes label and field selectors, and returns the list of AuditSinks that match those selectors. |  | ||||||
| func (c *FakeAuditSinks) List(opts v1.ListOptions) (result *v1alpha1.AuditSinkList, err error) { |  | ||||||
| 	obj, err := c.Fake. |  | ||||||
| 		Invokes(testing.NewRootListAction(auditsinksResource, auditsinksKind, opts), &v1alpha1.AuditSinkList{}) |  | ||||||
| 	if obj == nil { |  | ||||||
| 		return nil, err |  | ||||||
| 	} |  | ||||||
|  |  | ||||||
| 	label, _, _ := testing.ExtractFromListOptions(opts) |  | ||||||
| 	if label == nil { |  | ||||||
| 		label = labels.Everything() |  | ||||||
| 	} |  | ||||||
| 	list := &v1alpha1.AuditSinkList{ListMeta: obj.(*v1alpha1.AuditSinkList).ListMeta} |  | ||||||
| 	for _, item := range obj.(*v1alpha1.AuditSinkList).Items { |  | ||||||
| 		if label.Matches(labels.Set(item.Labels)) { |  | ||||||
| 			list.Items = append(list.Items, item) |  | ||||||
| 		} |  | ||||||
| 	} |  | ||||||
| 	return list, err |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Watch returns a watch.Interface that watches the requested auditSinks. |  | ||||||
| func (c *FakeAuditSinks) Watch(opts v1.ListOptions) (watch.Interface, error) { |  | ||||||
| 	return c.Fake. |  | ||||||
| 		InvokesWatch(testing.NewRootWatchAction(auditsinksResource, opts)) |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Create takes the representation of a auditSink and creates it.  Returns the server's representation of the auditSink, and an error, if there is any. |  | ||||||
| func (c *FakeAuditSinks) Create(auditSink *v1alpha1.AuditSink) (result *v1alpha1.AuditSink, err error) { |  | ||||||
| 	obj, err := c.Fake. |  | ||||||
| 		Invokes(testing.NewRootCreateAction(auditsinksResource, auditSink), &v1alpha1.AuditSink{}) |  | ||||||
| 	if obj == nil { |  | ||||||
| 		return nil, err |  | ||||||
| 	} |  | ||||||
| 	return obj.(*v1alpha1.AuditSink), err |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Update takes the representation of a auditSink and updates it. Returns the server's representation of the auditSink, and an error, if there is any. |  | ||||||
| func (c *FakeAuditSinks) Update(auditSink *v1alpha1.AuditSink) (result *v1alpha1.AuditSink, err error) { |  | ||||||
| 	obj, err := c.Fake. |  | ||||||
| 		Invokes(testing.NewRootUpdateAction(auditsinksResource, auditSink), &v1alpha1.AuditSink{}) |  | ||||||
| 	if obj == nil { |  | ||||||
| 		return nil, err |  | ||||||
| 	} |  | ||||||
| 	return obj.(*v1alpha1.AuditSink), err |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Delete takes name of the auditSink and deletes it. Returns an error if one occurs. |  | ||||||
| func (c *FakeAuditSinks) Delete(name string, options *v1.DeleteOptions) error { |  | ||||||
| 	_, err := c.Fake. |  | ||||||
| 		Invokes(testing.NewRootDeleteAction(auditsinksResource, name), &v1alpha1.AuditSink{}) |  | ||||||
| 	return err |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // DeleteCollection deletes a collection of objects. |  | ||||||
| func (c *FakeAuditSinks) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error { |  | ||||||
| 	action := testing.NewRootDeleteCollectionAction(auditsinksResource, listOptions) |  | ||||||
|  |  | ||||||
| 	_, err := c.Fake.Invokes(action, &v1alpha1.AuditSinkList{}) |  | ||||||
| 	return err |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Patch applies the patch and returns the patched auditSink. |  | ||||||
| func (c *FakeAuditSinks) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.AuditSink, err error) { |  | ||||||
| 	obj, err := c.Fake. |  | ||||||
| 		Invokes(testing.NewRootPatchSubresourceAction(auditsinksResource, name, pt, data, subresources...), &v1alpha1.AuditSink{}) |  | ||||||
| 	if obj == nil { |  | ||||||
| 		return nil, err |  | ||||||
| 	} |  | ||||||
| 	return obj.(*v1alpha1.AuditSink), err |  | ||||||
| } |  | ||||||
| @@ -1,21 +0,0 @@ | |||||||
| /* |  | ||||||
| Copyright The Kubernetes Authors. |  | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| you may not use this file except in compliance with the License. |  | ||||||
| You may obtain a copy of the License at |  | ||||||
|  |  | ||||||
|     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
|  |  | ||||||
| Unless required by applicable law or agreed to in writing, software |  | ||||||
| distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| See the License for the specific language governing permissions and |  | ||||||
| limitations under the License. |  | ||||||
| */ |  | ||||||
|  |  | ||||||
| // Code generated by client-gen. DO NOT EDIT. |  | ||||||
|  |  | ||||||
| package v1alpha1 |  | ||||||
|  |  | ||||||
| type AuditSinkExpansion interface{} |  | ||||||
| @@ -15,7 +15,6 @@ go_library( | |||||||
|         "//staging/src/k8s.io/api/apps/v1:go_default_library", |         "//staging/src/k8s.io/api/apps/v1:go_default_library", | ||||||
|         "//staging/src/k8s.io/api/apps/v1beta1:go_default_library", |         "//staging/src/k8s.io/api/apps/v1beta1:go_default_library", | ||||||
|         "//staging/src/k8s.io/api/apps/v1beta2:go_default_library", |         "//staging/src/k8s.io/api/apps/v1beta2:go_default_library", | ||||||
|         "//staging/src/k8s.io/api/auditregistration/v1alpha1:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/api/autoscaling/v1:go_default_library", |         "//staging/src/k8s.io/api/autoscaling/v1:go_default_library", | ||||||
|         "//staging/src/k8s.io/api/autoscaling/v2beta1:go_default_library", |         "//staging/src/k8s.io/api/autoscaling/v2beta1:go_default_library", | ||||||
|         "//staging/src/k8s.io/api/autoscaling/v2beta2:go_default_library", |         "//staging/src/k8s.io/api/autoscaling/v2beta2:go_default_library", | ||||||
| @@ -51,7 +50,6 @@ go_library( | |||||||
|         "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library", |         "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library", | ||||||
|         "//staging/src/k8s.io/client-go/informers/admissionregistration:go_default_library", |         "//staging/src/k8s.io/client-go/informers/admissionregistration:go_default_library", | ||||||
|         "//staging/src/k8s.io/client-go/informers/apps:go_default_library", |         "//staging/src/k8s.io/client-go/informers/apps:go_default_library", | ||||||
|         "//staging/src/k8s.io/client-go/informers/auditregistration:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/client-go/informers/autoscaling:go_default_library", |         "//staging/src/k8s.io/client-go/informers/autoscaling:go_default_library", | ||||||
|         "//staging/src/k8s.io/client-go/informers/batch:go_default_library", |         "//staging/src/k8s.io/client-go/informers/batch:go_default_library", | ||||||
|         "//staging/src/k8s.io/client-go/informers/certificates:go_default_library", |         "//staging/src/k8s.io/client-go/informers/certificates:go_default_library", | ||||||
| @@ -87,7 +85,6 @@ filegroup( | |||||||
|         ":package-srcs", |         ":package-srcs", | ||||||
|         "//staging/src/k8s.io/client-go/informers/admissionregistration:all-srcs", |         "//staging/src/k8s.io/client-go/informers/admissionregistration:all-srcs", | ||||||
|         "//staging/src/k8s.io/client-go/informers/apps:all-srcs", |         "//staging/src/k8s.io/client-go/informers/apps:all-srcs", | ||||||
|         "//staging/src/k8s.io/client-go/informers/auditregistration:all-srcs", |  | ||||||
|         "//staging/src/k8s.io/client-go/informers/autoscaling:all-srcs", |         "//staging/src/k8s.io/client-go/informers/autoscaling:all-srcs", | ||||||
|         "//staging/src/k8s.io/client-go/informers/batch:all-srcs", |         "//staging/src/k8s.io/client-go/informers/batch:all-srcs", | ||||||
|         "//staging/src/k8s.io/client-go/informers/certificates:all-srcs", |         "//staging/src/k8s.io/client-go/informers/certificates:all-srcs", | ||||||
|   | |||||||
| @@ -1,30 +0,0 @@ | |||||||
| load("@io_bazel_rules_go//go:def.bzl", "go_library") |  | ||||||
|  |  | ||||||
| go_library( |  | ||||||
|     name = "go_default_library", |  | ||||||
|     srcs = ["interface.go"], |  | ||||||
|     importmap = "k8s.io/kubernetes/vendor/k8s.io/client-go/informers/auditregistration", |  | ||||||
|     importpath = "k8s.io/client-go/informers/auditregistration", |  | ||||||
|     visibility = ["//visibility:public"], |  | ||||||
|     deps = [ |  | ||||||
|         "//staging/src/k8s.io/client-go/informers/auditregistration/v1alpha1:go_default_library", |  | ||||||
|         "//staging/src/k8s.io/client-go/informers/internalinterfaces:go_default_library", |  | ||||||
|     ], |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| filegroup( |  | ||||||
|     name = "package-srcs", |  | ||||||
|     srcs = glob(["**"]), |  | ||||||
|     tags = ["automanaged"], |  | ||||||
|     visibility = ["//visibility:private"], |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| filegroup( |  | ||||||
|     name = "all-srcs", |  | ||||||
|     srcs = [ |  | ||||||
|         ":package-srcs", |  | ||||||
|         "//staging/src/k8s.io/client-go/informers/auditregistration/v1alpha1:all-srcs", |  | ||||||
|     ], |  | ||||||
|     tags = ["automanaged"], |  | ||||||
|     visibility = ["//visibility:public"], |  | ||||||
| ) |  | ||||||
Some files were not shown because too many files have changed in this diff Show More