audit: no RequestReceived events for read-only requests #46592
Conversation
sttts
added
area/apiserver
release-note-none
k8s-ci-robot
added
the
cncf-cla: yes
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: sttts Assign the PR to them by writing
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
k8s-github-robot
added
the
size/L
|
@soltysh @timstclair @cheftako @ericchiang do we want this? |
sttts
force-pushed
the
sttts-audit-stages-read-only-less-events
branch
from
9647872 to
5b1f3a5
Compare
| @@ -82,8 +82,8 @@ func (b *backend) logEvent(ev *auditinternal.Event) { | |||
| ip = ev.SourceIPs[0] | |||
| } | |||
|
|
|||
| line := fmt.Sprintf("%s AUDIT: id=%q ip=%q method=%q user=%q groups=%q as=%q asgroups=%q namespace=%q uri=%q response=\"%s\"\n", | |||
| ev.Timestamp.Format(time.RFC3339Nano), ev.AuditID, ip, ev.Verb, username, groups, asuser, asgroups, namespace, ev.RequestURI, response) | |||
| line := fmt.Sprintf("%s AUDIT: id=%q stage=%q ip=%q method=%q user=%q groups=%q as=%q asgroups=%q namespace=%q uri=%q response=\"%s\"\n", | |||
There was a problem hiding this comment.
I think we should think a little about what the goal of this log format is before adding stage to it. Originally, I think it was trying to be consistent with basic auditing, but now that code was forked. Now, it's still missing a bunch of information from the audit event. Just thinking "out loud"...
There was a problem hiding this comment.
BTW - I think we should add an option to write the log in JSON format, where each line is just a json-formatted audit event. (Not for this PR, just FYI)
There was a problem hiding this comment.
--audit-log-format legacy/json/template:"{{foo}} {{bar}}"
There was a problem hiding this comment.
This should be part of the proposal.
| @@ -61,6 +61,8 @@ const ( | |||
| // The stage for events generated once the response body has been completed, and no more bytes | |||
| // will be sent. | |||
| StageResponseComplete = "ResponseComplete" | |||
| // The stage for events generated when a panic occured. | |||
| StagePanic = "Panic" | |||
There was a problem hiding this comment.
done in the other PR. this one has to be rebased.
| @@ -87,12 +87,18 @@ func WithAudit(handler http.Handler, requestContextMapper request.RequestContext | |||
| return | |||
| } | |||
|
|
|||
| // send first event for non-read-only requests | |||
| ri, _ := request.RequestInfoFrom(ctx) | |||
| if !(ri != nil && ri.ReadOnly) { | |||
There was a problem hiding this comment.
My feeling is that we should make this decision in a single place, and I'd like an option to disable this stage. We talked about putting the option in the audit backend, but if we're already deciding whether to create a RequestReceived event here, perhaps this would be a good place to check that option as well?
There was a problem hiding this comment.
if this is supposed to be configurable, I would make it a backend independent option: --audit-sparse-readonly-events.
There was a problem hiding this comment.
For the option, I meant something for all requests, not just read-only requests. But in either case, we can discuss in a follow up.
There was a problem hiding this comment.
This sound like the policy then. But I agree to discuss that as follow-up. Also this PR was meant as a base of discussion. We don't have to decide here.
| ev.ResponseStatus = &metav1.Status{ | ||
| Code: 200, | ||
| Code: http.StatusOK, | ||
| Reason: metav1.StatusSuccess, |
There was a problem hiding this comment.
This should be on the Status.Status field.
| if ev.ResponseStatus == nil { | ||
| ev.ResponseStatus = &metav1.Status{ | ||
| Code: http.StatusOK, | ||
| Reason: metav1.StatusSuccess, |
| Code: 200, | ||
| Code: http.StatusOK, | ||
| Reason: metav1.StatusSuccess, | ||
| Message: "connection closed early", |
There was a problem hiding this comment.
nit: I think user-facing Messages usually start with a capital letter (same below)
| } | ||
|
|
||
| ev.Stage = auditinternal.StageResponseComplete | ||
| if ev.ResponseStatus == nil { |
There was a problem hiding this comment.
Move this above the previous if block, and you only need to build the fake status once.
|
Please rebase (&squash while you're at it) |
k8s-github-robot
added
the
needs-rebase
|
#46592 (comment) is still open. |
sttts
force-pushed
the
sttts-audit-stages-read-only-less-events
branch
from
5b1f3a5 to
56148e5
Compare
k8s-github-robot
added
size/M
|
@sttts: The following test(s) failed:
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
Yeah, I don't see that being resolved by code freeze. I guess we don't want both an option in the policy and to drop them on read-only events... should we just leave this for now? |
|
Let's leave it for now. |
|
@sttts PR needs rebase |
k8s-github-robot
added
the
needs-rebase
|
@timstclair @ericchiang this PR is still pending. Is anything of this still relevant? Or do we have the same with the policy now? |
|
I think this needs more discussion... One option is to incorporate the stage into the policy some how (which is documented in the beta changes cover bug: #48561) My priority is just to reduce the number of events that are sent by the webhook, so an alternative would be to do some deduplication in the webhook. One way of doing so would be to put the early stages in a sort of "TTL Cache" which holds the latest stage of the event. If the ResponseComplete stage is logged, then that event is removed from the cache and added to the queue as with today. If an event is evicted from the cache (either due to size or TTL expiration), then the latest stage is added to the queue. The end result should be that most requests just send a ResponseComplete event, but requests that take an unusually long time to complete are guaranteed to be sent within X seconds (60?) of the request start time. (Obviously this would only be for the batching mode). WDYT? |
|
This PR hasn't been active in 30 days. It will be closed in 59 days (Oct 17, 2017). cc @sttts @tallclair You can add 'keep-open' label to prevent this from happening, or add a comment to keep it open another 90 days |
|
Closing as this is superseeded by a more powerful policy which can express this. |
Follow-up of #46335