Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Provide a way to omit Event stages in audit policy #49280

Merged
merged 2 commits into from
Sep 4, 2017
Merged

Provide a way to omit Event stages in audit policy #49280

merged 2 commits into from
Sep 4, 2017

Conversation

CaoShuFeng
Copy link
Contributor

@CaoShuFeng CaoShuFeng commented Jul 20, 2017
edited
Loading

This provide a way to omit some stages for each audit policy rule.

For example:

```
  apiVersion: audit.k8s.io/v1beta1
  kind: Policy
  - level: Metadata
    resources:
       - group: "rbac.authorization.k8s.io"
         resources: ["roles"]
    omitStages:
      - "RequestReceived"
```

RequestReceived stage will not be emitted to audit backends with previous config.

Release note:

None

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jul 20, 2017
@k8s-ci-robot
Copy link
Contributor

Hi @CaoShuFeng. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@k8s-github-robot k8s-github-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. release-note Denotes a PR that will be considered when it comes time to generate release notes. labels Jul 20, 2017
@CaoShuFeng
Copy link
Contributor Author

CaoShuFeng commented Jul 20, 2017
edited
Loading

We want to omit the RequestReceived stage in GKE. The policy may be the right place to specify that.

@sttts @tallclair
I will add unit test for this change soon if my idea is "right".

@tallclair
Copy link
Member

@CaoShuFeng - What is your motivation for omitting stages? Would the solution proposed in #46592 (comment) work for you? I'd like to explore that option before expanding the audit profile API.

@CaoShuFeng
Copy link
Contributor Author

@tallclair Thanks for your review.

I write this pr because of this expression:

We want to omit the RequestReceived stage in GKE. The policy may be the right place to specify that.

It looks like I got it wrong.
What's the meaning behind The policy may be the right place to specify that. ?

@tallclair
Copy link
Member

This isn't wrong, per say. I just wanted to discuss alternatives before putting the burden on the user (i.e. adding it to the policy). If we can accomplish the same goals automatically (the batching proposal) then I think that would be preferable.

@CaoShuFeng
Copy link
Contributor Author

CaoShuFeng commented Jul 22, 2017
edited
Loading

. I just wanted to discuss alternatives before putting the burden on the user (i.e. adding it to the policy)

Agree.

Thanks for teaching me.
I will leave this pr open for a while. Maybe this is useful.

@caesarxuchao
Copy link
Member

/assign @tallclair
/unassign @caesarxuchao

@CaoShuFeng
Copy link
Contributor Author

Closed according to commants from @tallclair and @ericchiang .
Ref:
#48561 (comment)
#48561 (comment)

@CaoShuFeng CaoShuFeng closed this Jul 27, 2017
@CaoShuFeng
Copy link
Contributor Author

Repopened according to @crassirostris 's commants.
Ref:
#48561 (comment)

This is still WIP, Unit tests will come soon.

@CaoShuFeng CaoShuFeng reopened this Jul 28, 2017
@crassirostris
Copy link

@tallclair suggested earlier that it might be useful to have omitStages field in the Policy object that will be "ored" with the omitStages field in the PolicyRule. That's a syntax sugar for cases where a stage has to be excluded in every rule

@sttts @CaoShuFeng WDYT?

@crassirostris
Copy link

Btw, it should probably should be rebased once #49115 is merged and the changes should go to the beta API

sttts
sttts reviewed Aug 3, 2017
View reviewed changes
staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/generated.pb.go
@@ -528,6 +528,21 @@ func (m *PolicyRule) MarshalTo(dAtA []byte) (int, error) {
i += copy(dAtA[i:], s)
}
}
if len(m.OmitStages) > 0 {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no need for the if.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

oops, that's generated proto :)

sttts
sttts reviewed Aug 3, 2017
View reviewed changes
staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/generated.pb.go
@@ -723,6 +738,12 @@ func (m *PolicyRule) Size() (n int) {
n += 1 + l + sovGenerated(uint64(l))
}
}
if len(m.OmitStages) > 0 {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no need for the if

sttts
sttts reviewed Aug 3, 2017
View reviewed changes
staging/src/k8s.io/apiserver/pkg/audit/policy/checker.go Outdated
}

type policyChecker struct {
audit.Policy
}

func (p *policyChecker) Level(attrs authorizer.Attributes) audit.Level {
func (p *policyChecker) Level(attrs authorizer.Attributes) (audit.Level, []audit.Stage) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

don't the level and stages overlap?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Renamed to LevelAndStages

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LevelAndOmitStaged

sttts
sttts reviewed Aug 3, 2017
View reviewed changes
staging/src/k8s.io/apiserver/pkg/apis/audit/types.go Outdated

// OmitStages specify events generated in which stages will not be emitted to backend
// Allowed stages are RequestReceived,ResponseStarted,ResponseComplete,Panic
// empty list means every events will be emitted.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: An empty....

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

sttts
sttts reviewed Aug 3, 2017
View reviewed changes
staging/src/k8s.io/apiserver/pkg/apis/audit/types.go Outdated
@@ -200,6 +200,11 @@ type PolicyRule struct {
// "/healthz*" - Log all health checks
// +optional
NonResourceURLs []string

// OmitStages specify events generated in which stages will not be emitted to backend
// Allowed stages are RequestReceived,ResponseStarted,ResponseComplete,Panic
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: fullstop and spaces after ,

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it common to relist the constants in those comments?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it common to relist the constants in those comments?

+1, I don't think it's a great idea

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

sttts
sttts reviewed Aug 3, 2017
View reviewed changes
staging/src/k8s.io/apiserver/pkg/endpoints/filters/audit.go
event *auditinternal.Event
once sync.Once
sink audit.Sink
omitStages []auditinternal.Stage
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please add a comment: omitStages are skipped, i.e. not sent to the backend. But their information is still recorded in the context Event for later stages.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

@sttts
Copy link
Contributor

sttts commented Aug 3, 2017

Some nit. Overall lgtm.

@sttts
Copy link
Contributor

sttts commented Aug 3, 2017

@tallclair suggested earlier that it might be useful to have omitStages field in the Policy object that will be "ored" with the omitStages

Sounds good.

@sttts sttts changed the title [Do not merge]Provide a way to omit Event stages in audit policy Provide a way to omit Event stages in audit policy Sep 3, 2017
@sttts
Copy link
Contributor

sttts commented Sep 3, 2017

Needs rebase.

@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Sep 3, 2017
@k8s-github-robot k8s-github-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Sep 3, 2017
@CaoShuFeng
Copy link
Contributor Author

Needs rebase.

Partially done. This will need another rebase after #51797.
#51797 has gone into the submit queue.

@CaoShuFeng
Copy link
Contributor Author

/test pull-kubernetes-e2e-gce-bazel

@sttts
Copy link
Contributor

sttts commented Sep 4, 2017

/retest

@sttts sttts added this to the v1.8 milestone Sep 4, 2017
@sttts sttts added the kind/feature Categorizes issue or PR as related to a new feature. label Sep 4, 2017
sttts
sttts reviewed Sep 4, 2017
View reviewed changes
staging/src/k8s.io/apiserver/pkg/endpoints/filters/audit.go
@@ -42,19 +42,43 @@ func WithAudit(handler http.Handler, requestContextMapper request.RequestContext
return handler
}
return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
ctx, ev, err := createAuditEventAndAttachToContext(requestContextMapper, req, policy)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can't we return omitStages from createAuditEventAndAttachToContext? Am not a fan of this code duplication.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure why this function is removed at all. omitStages are later obtained from the policy and not used until the code that was previously outside of createAuditEventAndAttachToContext. @CaoShuFeng Could you please elaborate more?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have took createAuditEventAndAttachToContext back.
And the codes look cleaner for me, thanks.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

much better now

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm. @crassirostris can you take another look and /lgtm if it is ok?

crassirostris
crassirostris reviewed Sep 4, 2017
View reviewed changes
Copy link

@crassirostris crassirostris left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some nits regarding the comments, otherwise LGTM

staging/src/k8s.io/apiserver/pkg/apis/audit/types.go Outdated
@@ -207,6 +207,10 @@ type PolicyRule struct {
// "/healthz*" - Log all health checks
// +optional
NonResourceURLs []string

// OmitStages specify events generated in which stages will not be emitted to backend.
// An empty list means every events will be emitted.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that might be confusing. What about An empty list means no restrictions will apply.?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

staging/src/k8s.io/apiserver/pkg/endpoints/filters/audit.go Outdated
@@ -173,6 +179,8 @@ type auditResponseWriter struct {
event *auditinternal.Event
once sync.Once
sink audit.Sink
// omitStages are skipped, i.e. not sent to the backend. But their information is still recorded in the context Event for later stages.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

omitStages are skipped

Is this comment necessary? once and sink are not set to the backend also :) Basically, the only explanation why omitStages field is there is b/c it's used later and this description is not very informative. Maybe remove the comment altogether?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good for me.
Deleted.

crassirostris
crassirostris approved these changes Sep 4, 2017
View reviewed changes
Copy link

@crassirostris crassirostris left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@CaoShuFeng
Provide a way to omit Event stages in audit policy
47ba914 
Updates kubernetes#48561
This provide a way to omit some stages for each audit policy rule.

For example:
  apiVersion: audit.k8s.io/v1beta1
  kind: Policy
  - level: Metadata
    resources:
       - group: "rbac.authorization.k8s.io"
         resources: ["roles"]
    omitStages:
      - "RequestReceived"

RequestReceived stage will not be emitted to audit backends with
previous config.
@CaoShuFeng
generated: update API resources
b50acbd 
./hack/update-codegen.sh
./hack/update-generated-protobuf.sh
@crassirostris
Copy link

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 4, 2017
@k8s-github-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: CaoShuFeng, crassirostris, sttts

Associated issue requirement bypassed by: sttts

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

@k8s-github-robot
Copy link

Automatic merge from submit-queue

@k8s-github-robot k8s-github-robot merged commit 9d29ce1 into kubernetes:master Sep 4, 2017
@k8s-ci-robot
Copy link
Contributor

@CaoShuFeng: The following test failed, say /retest to rerun them all:

Test name Commit Details Rerun command
pull-kubernetes-e2e-kops-aws b50acbd link /test pull-kubernetes-e2e-kops-aws

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@CaoShuFeng CaoShuFeng mentioned this pull request Oct 25, 2017
Closed
14 tasks
tengqm
tengqm reviewed Nov 6, 2017
View reviewed changes
staging/src/k8s.io/apiserver/pkg/apis/audit/types.go
@@ -207,6 +207,10 @@ type PolicyRule struct {
// "/healthz*" - Log all health checks
// +optional
NonResourceURLs []string

// OmitStages specify events generated in which stages will not be emitted to backend.
// An empty list means no restrictions will apply.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we mark this as optional?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, we should.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added here together:
#54634

@CaoShuFeng CaoShuFeng deleted the RequestReceived branch November 6, 2017 05:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tengqm tengqm tengqm left review comments

@sttts sttts sttts left review comments

@soltysh soltysh soltysh left review comments

@crassirostris crassirostris crassirostris approved these changes

Assignees

@sttts sttts

@liggitt liggitt

@crassirostris crassirostris

@tallclair tallclair

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/audit cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
v1.8
Development

Successfully merging this pull request may close these issues.