[advanced audit]add a policy wide omitStage #54634
Conversation
k8s-ci-robot
added
release-note
|
/assign @crassirostris |
|
Wow, cool! I'll take a look later this week |
CaoShuFeng
force-pushed
the
omit_stage
branch
from
67fe2bc to
960b068
Compare
| @@ -213,3 +228,19 @@ func TestChecker(t *testing.T) { | |||
| test("subresource", audit.LevelRequest, nil, "getPodLogs", "getPods") | |||
| test("subresource", audit.LevelRequest, nil, "getPods", "getPodLogs") | |||
| } | |||
|
|
|||
| func stageEqual(s1 []audit.Stage, s2 []audit.Stage) bool { | |||
There was a problem hiding this comment.
The following call returns true:
stageEqual([]audit.Stage{"foo", "bar", "baz"}, []audit.Stage{"foo", "foo", "foo"})
| return &policyChecker{*policy} | ||
| } | ||
|
|
||
| func unionStages(s1 []audit.Stage, s2 []audit.Stage) []audit.Stage { |
There was a problem hiding this comment.
Add fast path?
if len(s1) == 0 {
return s2
}
if len(s2) == 0 {
return s1
}
There was a problem hiding this comment.
This will be helpful if we have duplicated elements in s1 or s2.
For example:
s1 = nil
s2 = []audit.Stage{"foo", "foo", "bar"}
| return &policyChecker{*policy} | ||
| } | ||
|
|
||
| func unionStages(s1 []audit.Stage, s2 []audit.Stage) []audit.Stage { | ||
| m := make(map[audit.Stage]struct{}) |
There was a problem hiding this comment.
why not reuse "k8s.io/apimachinery/pkg/util/sets"
There was a problem hiding this comment.
I tried, but "k8s.io/apimachinery/pkg/util/sets" only supports int64, string, int, string, etc.
It doesn't work well with our audit.Stage.
Do I miss something?
If we can, I will be happy to use it.
There was a problem hiding this comment.
package main
import (
"fmt"
)
type Stage string
func main() {
a := Stage("aaaaa")
b := string(a)
fmt.Printf(b)
/*
s := make([]Stage, 3)
ss := []string(s)
fmt.Print(s)
*/
}Doesn't work as expected.
There was a problem hiding this comment.
can not convert slice, one element by one
There was a problem hiding this comment.
Yeah, I don't want to convert them one by one.
So I wrote this function.
CaoShuFeng
force-pushed
the
omit_stage
branch
from
960b068 to
ed4dc23
Compare
k8s-ci-robot
added
size/L
CaoShuFeng
force-pushed
the
omit_stage
branch
from
ed4dc23 to
f5b26a7
Compare
k8s-ci-robot
added
size/M
|
/test pull-kubernetes-unit |
| @@ -156,6 +156,11 @@ type Policy struct { | |||
| // The default audit level is None, but can be overridden by a catch-all rule at the end of the list. | |||
| // PolicyRules are strictly ordered. | |||
| Rules []PolicyRule `json:"rules" protobuf:"bytes,2,rep,name=rules"` | |||
|
|
|||
| // OmitStages specify events generated in which stages will not be emitted to backend. | |||
There was a problem hiding this comment.
Having difficulties to parse this sentence (same for the one in the rules). Isn't this simpler:
OmitStages are a list of stages for which no events are created. Note that this can also
be specified per rule in which case the union of stages is skipped.
| result := make([]audit.Stage, len(m)) | ||
| i := 0 | ||
| for key := range m { | ||
| result[i] = key |
There was a problem hiding this comment.
append, no index i, and make([]audit.Stage, 0, len(m))
CaoShuFeng
force-pushed
the
omit_stage
branch
from
f5b26a7 to
d70015f
Compare
k8s-ci-robot
added
size/L
| @@ -153,6 +153,10 @@ type Policy struct { | |||
| // The default audit level is None, but can be overridden by a catch-all rule at the end of the list. | |||
| // PolicyRules are strictly ordered. | |||
| Rules []PolicyRule | |||
|
|
|||
| // OmitStages are a list of stages for which no events are created. Note that this can also | |||
| // be specified per rule in which case the union of stages is skipped. | |||
| @@ -131,4 +134,20 @@ func TestValidatePolicy(t *testing.T) { | |||
| t.Errorf("[%d] Expected policy %#v to be invalid!", i, policy) | |||
| } | |||
| } | |||
|
|
|||
| // test invalid omitStages in policy | |||
There was a problem hiding this comment.
Why not just add to the list of errorCases?
| return &policyChecker{*policy} | ||
| } | ||
|
|
||
| func unionStages(s1 []audit.Stage, s2 []audit.Stage) []audit.Stage { | ||
| m := make(map[audit.Stage]struct{}) |
There was a problem hiding this comment.
Why not map[T]bool? I think bool looks little bit cleaner than struct{}{}
There was a problem hiding this comment.
This is copied from here:
| return &policyChecker{*policy} | ||
| } | ||
|
|
||
| func unionStages(s1 []audit.Stage, s2 []audit.Stage) []audit.Stage { | ||
| m := make(map[audit.Stage]struct{}) | ||
| for _, s := range s1 { |
There was a problem hiding this comment.
for _, s := range append(s1, s2...)?
Or you can make one parameter of type ...[]audit.Stage, still looks cleaner IMO
There was a problem hiding this comment.
for _, s := range append(s1, s2...)?
append will cause an extra memory copy, I guess.
Or you can make one parameter of type ...[]audit.Stage, still looks cleaner IMO
Done.
| assert.True(t, stageEqual(expOmitStages, actualOmitStages), "request:%s rules:%s, expected stages: %v, actual stages: %v", | ||
| req, strings.Join(ruleNames, ","), expOmitStages, actualOmitStages) | ||
|
|
||
| // test policy.OmitStages |
There was a problem hiding this comment.
Please don't do this (hacking around existing code structure and adding a comment)
Change the test signature and move test cases out of the method
| return &policyChecker{*policy} | ||
| } | ||
|
|
||
| func unionStages(s1 []audit.Stage, s2 []audit.Stage) []audit.Stage { |
There was a problem hiding this comment.
Please test this method separately
CaoShuFeng
force-pushed
the
omit_stage
branch
from
d70015f to
e99e283
Compare
|
/test pull-kubernetes-unit |
1 similar comment
|
/test pull-kubernetes-unit |
| return &policyChecker{*policy} | ||
| } | ||
|
|
||
| func unionStages(s1, s2 []audit.Stage) []audit.Stage { |
There was a problem hiding this comment.
Why not
func unionStages(stageLists ...[]audit.Stage) []audit.Stage {
m := make(map[audit.Stage]bool)
for _, sl := range stageLists {
for _, s := range sl {
m[s] = true
}
}
result := make([]audit.Stage, 0, len(m))
for key := range m {
result = append(result, key)
}
return result
}- Why do you need exactly two parameters in this case?
- map[T]bool is more frequently used approach than map[T]struct{}
| Path: "/api/v1/namespaces/default/pods/busybox", | ||
| }, | ||
| } | ||
| var tim = &user.DefaultInfo{ |
There was a problem hiding this comment.
Replace with one var ( ... ) block
|
|
||
| // stageEqual returns true if s1 and s2 are super set of each other | ||
| func stageEqual(s1, s2 []audit.Stage) bool { | ||
| s1 = unionStages(s1, nil) |
There was a problem hiding this comment.
If you convert them both to map[T]bool and then compare maps, this it not needed
| req, strings.Join(ruleNames, ","), expOmitStages, actualOmitStages) | ||
| } | ||
|
|
||
| test("namespaced", audit.LevelMetadata, globalStages, "default") |
There was a problem hiding this comment.
You can extract the method signature to a named type and then extract this copypasta to a separate method that takes the test function
Then you don't even need the separate method, just call this new method twice with a different set of global stages
CaoShuFeng
force-pushed
the
omit_stage
branch
2 times, most recently
from
668a071 to
3864e41
Compare
CaoShuFeng
force-pushed
the
omit_stage
branch
2 times, most recently
from
46e4d37 to
c0b5b43
Compare
|
/test pull-kubernetes-node-e2e |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
| } | ||
|
|
||
| func TestChecker(t *testing.T) { | ||
| // test audit level |
| func TestChecker(t *testing.T) { | ||
| // test audit level | ||
| testAuditLevel(t, nil) | ||
| // test omitStages pre rule |
There was a problem hiding this comment.
Nit: make consistent with the next test function by adding an extra line and changing the comment description
CaoShuFeng
force-pushed
the
omit_stage
branch
from
c0b5b43 to
4a20d72
Compare
k8s-github-robot
removed
the
lgtm
|
/approve no-issue |
k8s-github-robot
added
the
approved
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: CaoShuFeng, crassirostris, sttts, tallclair Associated issue: 54551 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
|
This needs a milestone. |
|
[MILESTONENOTIFIER] Milestone Pull Request Labels Incomplete @CaoShuFeng @crassirostris @sttts @tallclair Action required: This pull request requires label changes. If the required changes are not made within 2 days, the pull request will be moved out of the v1.9 milestone. kind: Must specify exactly one of |
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue (batch tested with PRs 52322, 54634). If you want to cherry-pick this change to another branch, please follow the instructions here. |
|
@CaoShuFeng: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
Related to: #54551
For example:
Release note: