Merge pull request #29320 from neisw/audit-podsecurityviolation

trt-1892: check for pod security audit violations
openshift · Dec 12, 2024 · 284495b · 284495b
2 parents 4fafe4c + bbc02ec
commit 284495b
Show file tree

Hide file tree

Showing 2 changed files with 83 additions and 0 deletions.
diff --git a/pkg/monitortests/kubeapiserver/auditloganalyzer/handle_audit_violation.go b/pkg/monitortests/kubeapiserver/auditloganalyzer/handle_audit_violation.go
@@ -0,0 +1,78 @@
+package auditloganalyzer
+
+import (
+	"fmt"
+	"github.com/openshift/origin/pkg/test/ginkgo/junitapi"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	auditv1 "k8s.io/apiserver/pkg/apis/audit/v1"
+	"strings"
+	"sync"
+)
+
+func CheckForViolations() *auditViolations {
+	return &auditViolations{}
+}
+
+type auditViolations struct {
+	lock    sync.Mutex
+	records []auditViolationRecord
+}
+
+type auditViolationRecord struct {
+	auditId   string
+	violation string
+	resource  string
+	namespace string
+	name      string
+	username  string
+}
+
+func (v *auditViolations) HandleAuditLogEvent(auditEvent *auditv1.Event, beginning, end *metav1.MicroTime) {
+	if beginning != nil && auditEvent.RequestReceivedTimestamp.Before(beginning) || end != nil && end.Before(&auditEvent.RequestReceivedTimestamp) {
+		return
+	}
+
+	v.lock.Lock()
+	defer v.lock.Unlock()
+
+	if violation, ok := auditEvent.Annotations["pod-security.kubernetes.io/audit-violations"]; ok {
+		v.records = append(v.records, auditViolationRecord{
+			auditId:   string(auditEvent.AuditID),
+			violation: violation,
+			resource:  auditEvent.ObjectRef.Resource,
+			namespace: auditEvent.ObjectRef.Namespace,
+			name:      auditEvent.ObjectRef.Namespace,
+			username:  auditEvent.User.Username,
+		})
+	}
+}
+
+func (v *auditViolations) CreateJunits() []*junitapi.JUnitTestCase {
+	ret := []*junitapi.JUnitTestCase{}
+
+	testName := " [bz-apiserver-auth][invariant] audit analysis PodSecurityViolation"
+	switch {
+	case len(v.records) > 0:
+		messages := []string{}
+		for _, v := range v.records {
+			messages = append(messages, fmt.Sprintf("%s: %s %s/%s: %s - %s", v.auditId, v.resource, v.namespace, v.name, v.username, v.violation))
+		}
+		ret = append(ret,
+			&junitapi.JUnitTestCase{
+				Name: testName,
+				FailureOutput: &junitapi.FailureOutput{
+					Message: strings.Join(messages, "\n"),
+					Output:  "details from audit log",
+				},
+			},
+		)
+	default:
+		ret = append(ret,
+			&junitapi.JUnitTestCase{
+				Name: testName,
+			},
+		)
+	}
+
+	return ret
+}
diff --git a/pkg/monitortests/kubeapiserver/auditloganalyzer/monitortest.go b/pkg/monitortests/kubeapiserver/auditloganalyzer/monitortest.go
@@ -30,6 +30,7 @@ type auditLogAnalyzer struct {
 	requestCountTracking          *countTracking
 	invalidRequestsChecker        *invalidRequests
 	requestsDuringShutdownChecker *lateRequestTracking
+	violationChecker              *auditViolations
 
 	countsForInstall *CountsForRun
 }
@@ -40,6 +41,7 @@ func NewAuditLogAnalyzer() monitortestframework.MonitorTest {
 		excessiveApplyChecker:         CheckForExcessiveApplies(),
 		invalidRequestsChecker:        CheckForInvalidMutations(),
 		requestsDuringShutdownChecker: CheckForRequestsDuringShutdown(),
+		violationChecker:              CheckForViolations(),
 	}
 }
 
@@ -82,6 +84,7 @@ func (w *auditLogAnalyzer) CollectData(ctx context.Context, storageDir string, b
 		w.excessiveApplyChecker,
 		w.invalidRequestsChecker,
 		w.requestsDuringShutdownChecker,
+		w.violationChecker,
 	}
 	if w.requestCountTracking != nil {
 		auditLogHandlers = append(auditLogHandlers, w.requestCountTracking)
@@ -362,6 +365,8 @@ func (w *auditLogAnalyzer) EvaluateTestsFromConstructedIntervals(ctx context.Con
 		)
 	}
 
+	ret = append(ret, w.violationChecker.CreateJunits()...)
+
 	return ret, nil
 }