Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Return Audit-Id http response header for trouble shooting #49377

Merged
merged 1 commit into from
Aug 7, 2017
Merged

Return Audit-Id http response header for trouble shooting #49377

merged 1 commit into from
Aug 7, 2017

Conversation

CaoShuFeng
Copy link
Contributor

@CaoShuFeng CaoShuFeng commented Jul 21, 2017
edited
Loading

Users can use Audit-Id http response header to grep the audit events in log.
This provides a fast way to find the events in audit.
Release note:

Audit-Id HTTP header is included in the apiserver responses for audited requests, except some cases when it's not possible, e.g. pods/exec.

@sttts @tallclair

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Jul 21, 2017
@k8s-ci-robot
Copy link
Contributor

Hi @CaoShuFeng. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jul 21, 2017
@k8s-github-robot k8s-github-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. release-note Denotes a PR that will be considered when it comes time to generate release notes. labels Jul 21, 2017
CaoShuFeng
CaoShuFeng commented Jul 21, 2017
View reviewed changes
staging/src/k8s.io/apiserver/pkg/endpoints/filters/audit_test.go
auditID string
handler func(http.ResponseWriter, *http.Request)
expected []auditv1alpha1.Event
respHeader bool
Copy link
Contributor Author

@CaoShuFeng CaoShuFeng Jul 21, 2017
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because some test cases don't call http.ResponseWriter.WriteHeader() function. So we can't check the response http header for them.

@deads2k deads2k removed their assignment Jul 24, 2017
@CaoShuFeng CaoShuFeng mentioned this pull request Aug 1, 2017
Closed
7 tasks
@crassirostris
Copy link

/ok-to-test
/assign

@k8s-ci-robot k8s-ci-robot removed the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Aug 1, 2017
@CaoShuFeng
Copy link
Contributor Author

@crassirostris
I thinks this pr does make sense for trouble shooting.
But there is a problem which I haven't solved yet.
I can't return http header for hijacked request.
That't means there is no audit-id http header for requests like:
"kubectl logs -f" "kubectl exec" "kubectl attach"

@crassirostris
Copy link

@CaoShuFeng Is it possible to set a header before hijacking?

sttts
sttts reviewed Aug 3, 2017
View reviewed changes
staging/src/k8s.io/apiserver/pkg/endpoints/filters/audit.go Outdated

func (a *auditResponseWriter) setHttpHeader() {
a.headerOnce.Do(func() {
a.ResponseWriter.Header().Set(auditinternal.HeaderAuditID, string(a.event.AuditID))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

isn't there a way to override the header if it already exists? a sync.Once seems to be overkill.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Set has this behavior already, but it's not thread-safe, if it's applicable here

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the handler code we assume that only one thread/go-routine accesses the writer. So thread-safety should not matter here.

@CaoShuFeng CaoShuFeng force-pushed the audit_id_http_response_header branch from 87d7d72 to b62aa09 Compare August 3, 2017 10:51
crassirostris
crassirostris reviewed Aug 3, 2017
View reviewed changes
staging/src/k8s.io/apiserver/pkg/endpoints/filters/audit.go Outdated
@@ -204,6 +213,10 @@ func (f *fancyResponseWriterDelegator) Flush() {
func (f *fancyResponseWriterDelegator) Hijack() (net.Conn, *bufio.ReadWriter, error) {
// fake a response status before protocol switch happens
f.processCode(http.StatusSwitchingProtocols)

// TODO(caoshufeng): we can't call WriteHeader before Hijack(), because WriteHeader may be called later:
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sttts What do you think about that? Should it be a TODO or is it working as intended and we shouldn't send audit-id for hijack'd requests?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we want to call WriteHeader (which is writing the code) or do we want only to add a header? The later is possible as long as WriteHeader was not called.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The latter, but @CaoShuFeng says it doesn't work, b/c in case of proxying request the headers are sent by the kubelet and not the apiserver

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But then we don't have a chance in that case. But setting the header won't harm, it's just ignored. @CaoShuFeng is that correct?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree, a header should be set and then a comment should be added that it's ignored in certain cases

Also, I think it's worth mentioning in the release notes that Audit-Id http header is not set for some requests (and describe in short for which)

Copy link
Contributor Author

@CaoShuFeng CaoShuFeng Aug 3, 2017
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But setting the header won't harm, it's just ignored. @CaoShuFeng is that correct?

Yes I tested that.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree, a header should be set and then a comment should be added that it's ignored in certain cases
Also, I think it's worth mentioning in the release notes that Audit-Id http header is not set for some requests (and describe in short for which)

+1

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

@CaoShuFeng CaoShuFeng force-pushed the audit_id_http_response_header branch from b62aa09 to 0e2aca0 Compare August 3, 2017 13:10
@ericchiang
Copy link
Contributor

This is great.

Probably want to update the HeaderAuditID docstring too.

const (
	// Header to hold the audit ID as the request is propagated through the serving hierarchy. The
	// Audit-ID header should be set by the first server to receive the request (e.g. the federation
	// server or kube-aggregator).
	HeaderAuditID = "Audit-ID"
)

@CaoShuFeng CaoShuFeng force-pushed the audit_id_http_response_header branch from 0e2aca0 to 4a1e7dd Compare August 4, 2017 02:47
@CaoShuFeng
Copy link
Contributor Author

Probably want to update the HeaderAuditID docstring too.

Done

@crassirostris
Copy link

@CaoShuFeng Thanks! Though I think it's better to keep the release notes short + one line. Usually separate lines in the release notes mean several independent changes

I suggest smth like

Audit-Id HTTP header is included in the apiserver responses for audited requests, except some cases when it's not possible, e.g. pods/exec.

@CaoShuFeng
Copy link
Contributor Author

I suggest smth like

Done

@crassirostris
Copy link

crassirostris commented Aug 4, 2017
edited
Loading

SGTM, thanks!

@sttts Needs your approval now

@sttts
Copy link
Contributor

sttts commented Aug 7, 2017

/approve no-issue

@sttts
Copy link
Contributor

sttts commented Aug 7, 2017

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 7, 2017
@k8s-github-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: CaoShuFeng, sttts

Associated issue requirement bypassed by: sttts

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

@k8s-github-robot k8s-github-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 7, 2017
@k8s-github-robot
Copy link

Automatic merge from submit-queue (batch tested with PRs 49868, 50143, 49377, 50141, 50145)

@k8s-github-robot k8s-github-robot merged commit a0826e1 into kubernetes:master Aug 7, 2017
@CaoShuFeng CaoShuFeng deleted the audit_id_http_response_header branch November 6, 2017 05:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@crassirostris crassirostris crassirostris left review comments

@sttts sttts sttts left review comments

Assignees

@soltysh soltysh

@sttts sttts

@crassirostris crassirostris

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
8 participants
@CaoShuFeng @k8s-ci-robot @crassirostris @ericchiang @sttts @k8s-github-robot @soltysh @deads2k