audit policy: a policy with 0 rules should return an error, kind and apiVersion now required #51565

Closed
ericchiang opened this issue Aug 29, 2017 · 6 comments
Labels: area/audit, kind/bug, priority/important-soon, sig/auth

@ericchiang
Contributor

/sig auth
/kind bug

If an audit policy is supplied and there are no rules detected, the API server should error.

Over the last release, a change was made so audit policies now require kind and apiVersion fields to be parsed. So the following policy doesn't work:

```yaml
# Log all requests at the Metadata level.
rules:
- level: Metadata
```

However this doesn't error, it just spits out:

```
I0829 15:03:48.359580   14374 reader.go:52] Loaded 0 audit policy rules from file /tmp/audit-policy.yaml
```

This should result in an error. Parsing a file with 0 rules should indicate there's some configuration failure.

BTW, the correct audit policy is:

```yaml
kind: Policy
apiVersion: audit.k8s.io/v1beta1
rules:
  - level: Metadata
```

We also need to update docs to reflect this new requirement, since kubernetes.io doesn't use "kind" or "apiVersion" for the policy docs.

/cc @sttts @soltysh @CaoShuFeng @tallclair @crassirostris

@k8s-ci-robot k8s-ci-robot added sig/auth Categorizes an issue or PR as relevant to SIG Auth. kind/bug Categorizes issue or PR as related to a bug. labels Aug 29, 2017
@CaoShuFeng
Contributor

/assign

@sttts sttts added this to the v1.8 milestone Aug 31, 2017
@soltysh
Contributor

soltysh commented Aug 31, 2017

@CaoShuFeng when are you planning to fix it? We'd like to see this in for 1.8, but it can be done post-codefreeze, since this is a bug fix.

@CaoShuFeng
Contributor

I will try to fix this before next Monday (Sep 4).

@sttts
Contributor

sttts commented Sep 1, 2017

> I will try to fix this before next Monday (Sep 4).

Should be fine.

@sttts sttts added priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. and removed milestone-labels-incomplete labels Sep 1, 2017
@k8s-github-robot

[MILESTONENOTIFIER] Milestone Labels Complete

@CaoShuFeng @ericchiang

Issue label settings:

  • sig/auth: Issue will be escalated to these SIGs if needed.
  • priority/important-soon: Escalate to the issue owners and SIG owner; move out of milestone after several unsuccessful escalation attempts.
  • kind/bug: Fixes a bug discovered during the current release.

Additional instructions available here. The commands available for adding these labels are documented here.

k8s-github-robot pushed a commit that referenced this issue Sep 8, 2017
Automatic merge from submit-queue (batch tested with PRs 51900, 51782, 52030)

A policy with 0 rules should return an error

**Which issue this PR fixes** 
[issue #51565](#51565)

**Release note**: 
``` 
An audit policy file with 0 rule returns an error.
```

@ericchiang
Contributor Author

Closing since #51782 merged.
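
A pre-flight check for the failure mode in this issue, added here as an example (not part of the thread or of the Kubernetes code base): it rejects a policy file that lacks `kind: Policy`, lacks an `audit.k8s.io` `apiVersion`, or has no rules, before the file reaches the API server. The function name `check_audit_policy` and the sample file names are assumptions, and the check is a line-based lint of block-style YAML, not a full parser.

```shell
#!/bin/sh
# Added example: pre-flight lint for an audit policy file before it is handed
# to kube-apiserver. Not a YAML parser; assumes block-style YAML with top-level
# keys at column 0, as in the policies quoted in the issue.
check_audit_policy() {
    [ -r "$1" ] || { echo "cannot read $1"; return 2; }
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }             # comments, blank lines
        /^kind:[ \t]*Policy[ \t]*$/ { kind = 1 }
        /^apiVersion:[ \t]*audit\.k8s\.io\// { api = 1 }
        /^[A-Za-z]/ { in_rules = ($0 ~ /^rules:/) }   # a top-level key opens or closes rules
        in_rules && match($0, /^[ \t]*-/) {
            if (!rules) first = RLENGTH               # indentation of the first rule
            if (RLENGTH == first) rules++             # ignore nested lists inside a rule
        }
        END {
            if (!kind)  { print "missing kind: Policy"; bad = 1 }
            if (!api)   { print "missing apiVersion: audit.k8s.io/<version>"; bad = 1 }
            if (!rules) { print "policy has 0 rules"; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample files: the two policies from the issue, plus an empty rule list.
tmp=$(mktemp -d)
printf '%s\n' '# Log all requests at the Metadata level.' 'rules:' '- level: Metadata' > "$tmp/no-kind.yaml"
printf '%s\n' 'kind: Policy' 'apiVersion: audit.k8s.io/v1beta1' 'rules:' '  - level: Metadata' > "$tmp/ok.yaml"
printf '%s\n' 'kind: Policy' 'apiVersion: audit.k8s.io/v1beta1' 'rules: []' > "$tmp/empty.yaml"

for f in no-kind ok empty; do
    if out=$(check_audit_policy "$tmp/$f.yaml"); then
        echo "$f: ok"
    else
        echo "$f: rejected ($(echo "$out" | tr '\n' ';'))"
    fi
done
```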
