ceph-csi/vendor/k8s.io/kubernetes/test/e2e/auth/audit.go

734 lines
28 KiB
Go
Raw Normal View History

2018-01-09 18:57:14 +00:00
/*
Copyright 2017 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package auth
import (
"encoding/json"
"fmt"
"strings"
2018-07-18 14:47:22 +00:00
"time"
2018-01-09 18:57:14 +00:00
2018-07-18 14:47:22 +00:00
apps "k8s.io/api/apps/v1"
2018-01-09 18:57:14 +00:00
apiv1 "k8s.io/api/core/v1"
apiextensionsv1beta1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
2018-07-18 14:47:22 +00:00
apiextensionclientset "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
2018-11-26 18:23:56 +00:00
"k8s.io/apiextensions-apiserver/test/integration/fixtures"
2018-01-09 18:57:14 +00:00
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
2018-07-18 14:47:22 +00:00
"k8s.io/apimachinery/pkg/util/wait"
2018-11-26 18:23:56 +00:00
auditinternal "k8s.io/apiserver/pkg/apis/audit"
2018-01-09 18:57:14 +00:00
"k8s.io/apiserver/pkg/apis/audit/v1beta1"
2018-07-18 14:47:22 +00:00
clientset "k8s.io/client-go/kubernetes"
restclient "k8s.io/client-go/rest"
2018-01-09 18:57:14 +00:00
"k8s.io/kubernetes/test/e2e/framework"
2018-11-26 18:23:56 +00:00
"k8s.io/kubernetes/test/utils"
2018-01-09 18:57:14 +00:00
imageutils "k8s.io/kubernetes/test/utils/image"
"github.com/evanphx/json-patch"
. "github.com/onsi/ginkgo"
)
var (
watchTestTimeout int64 = 1
auditTestUser = "kubecfg"
2018-11-26 18:23:56 +00:00
crd = fixtures.NewRandomNameCustomResourceDefinition(apiextensionsv1beta1.ClusterScoped)
2018-01-09 18:57:14 +00:00
crdName = strings.SplitN(crd.Name, ".", 2)[0]
crdNamespace = strings.SplitN(crd.Name, ".", 2)[1]
watchOptions = metav1.ListOptions{TimeoutSeconds: &watchTestTimeout}
patch, _ = json.Marshal(jsonpatch.Patch{})
)
var _ = SIGDescribe("Advanced Audit", func() {
f := framework.NewDefaultFramework("audit")
BeforeEach(func() {
framework.SkipUnlessProviderIs("gce")
})
// TODO: Get rid of [DisabledForLargeClusters] when feature request #53455 is ready.
It("should audit API calls [DisabledForLargeClusters]", func() {
namespace := f.Namespace.Name
config, err := framework.LoadConfig()
framework.ExpectNoError(err, "failed to load config")
2018-07-18 14:47:22 +00:00
apiExtensionClient, err := apiextensionclientset.NewForConfig(config)
2018-01-09 18:57:14 +00:00
framework.ExpectNoError(err, "failed to initialize apiExtensionClient")
2018-07-18 14:47:22 +00:00
By("Creating a kubernetes client that impersonates an unauthorized anonymous user")
config, err = framework.LoadConfig()
framework.ExpectNoError(err)
config.Impersonate = restclient.ImpersonationConfig{
UserName: "system:anonymous",
Groups: []string{"system:unauthenticated"},
}
anonymousClient, err := clientset.NewForConfig(config)
framework.ExpectNoError(err)
2018-01-09 18:57:14 +00:00
testCases := []struct {
action func()
2018-11-26 18:23:56 +00:00
events []utils.AuditEvent
2018-01-09 18:57:14 +00:00
}{
// Create, get, update, patch, delete, list, watch pods.
{
func() {
pod := &apiv1.Pod{
ObjectMeta: metav1.ObjectMeta{
Name: "audit-pod",
},
Spec: apiv1.PodSpec{
Containers: []apiv1.Container{{
Name: "pause",
2018-07-18 14:47:22 +00:00
Image: imageutils.GetPauseImageName(),
2018-01-09 18:57:14 +00:00
}},
},
}
updatePod := func(pod *apiv1.Pod) {}
f.PodClient().CreateSync(pod)
_, err := f.PodClient().Get(pod.Name, metav1.GetOptions{})
framework.ExpectNoError(err, "failed to get audit-pod")
podChan, err := f.PodClient().Watch(watchOptions)
framework.ExpectNoError(err, "failed to create watch for pods")
2018-11-26 18:23:56 +00:00
podChan.Stop()
2018-01-09 18:57:14 +00:00
f.PodClient().Update(pod.Name, updatePod)
_, err = f.PodClient().List(metav1.ListOptions{})
framework.ExpectNoError(err, "failed to list pods")
_, err = f.PodClient().Patch(pod.Name, types.JSONPatchType, patch)
framework.ExpectNoError(err, "failed to patch pod")
f.PodClient().DeleteSync(pod.Name, &metav1.DeleteOptions{}, framework.DefaultPodDeletionTimeout)
},
2018-11-26 18:23:56 +00:00
[]utils.AuditEvent{
2018-01-09 18:57:14 +00:00
{
2018-11-26 18:23:56 +00:00
Level: auditinternal.LevelRequestResponse,
Stage: auditinternal.StageResponseComplete,
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/pods", namespace),
Verb: "create",
Code: 201,
User: auditTestUser,
Resource: "pods",
Namespace: namespace,
RequestObject: true,
ResponseObject: true,
AuthorizeDecision: "allow",
2018-01-09 18:57:14 +00:00
}, {
2018-11-26 18:23:56 +00:00
Level: auditinternal.LevelRequest,
Stage: auditinternal.StageResponseComplete,
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/pods/audit-pod", namespace),
Verb: "get",
Code: 200,
User: auditTestUser,
Resource: "pods",
Namespace: namespace,
RequestObject: false,
ResponseObject: false,
AuthorizeDecision: "allow",
2018-01-09 18:57:14 +00:00
}, {
2018-11-26 18:23:56 +00:00
Level: auditinternal.LevelRequest,
Stage: auditinternal.StageResponseComplete,
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/pods", namespace),
Verb: "list",
Code: 200,
User: auditTestUser,
Resource: "pods",
Namespace: namespace,
RequestObject: false,
ResponseObject: false,
AuthorizeDecision: "allow",
2018-01-09 18:57:14 +00:00
}, {
2018-11-26 18:23:56 +00:00
Level: auditinternal.LevelRequest,
Stage: auditinternal.StageResponseStarted,
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/pods?timeout=%ds&timeoutSeconds=%d&watch=true", namespace, watchTestTimeout, watchTestTimeout),
Verb: "watch",
Code: 200,
User: auditTestUser,
Resource: "pods",
Namespace: namespace,
RequestObject: false,
ResponseObject: false,
AuthorizeDecision: "allow",
2018-01-09 18:57:14 +00:00
}, {
2018-11-26 18:23:56 +00:00
Level: auditinternal.LevelRequest,
Stage: auditinternal.StageResponseComplete,
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/pods?timeout=%ds&timeoutSeconds=%d&watch=true", namespace, watchTestTimeout, watchTestTimeout),
Verb: "watch",
Code: 200,
User: auditTestUser,
Resource: "pods",
Namespace: namespace,
RequestObject: false,
ResponseObject: false,
AuthorizeDecision: "allow",
2018-01-09 18:57:14 +00:00
}, {
2018-11-26 18:23:56 +00:00
Level: auditinternal.LevelRequestResponse,
Stage: auditinternal.StageResponseComplete,
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/pods/audit-pod", namespace),
Verb: "update",
Code: 200,
User: auditTestUser,
Resource: "pods",
Namespace: namespace,
RequestObject: true,
ResponseObject: true,
AuthorizeDecision: "allow",
2018-01-09 18:57:14 +00:00
}, {
2018-11-26 18:23:56 +00:00
Level: auditinternal.LevelRequestResponse,
Stage: auditinternal.StageResponseComplete,
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/pods/audit-pod", namespace),
Verb: "patch",
Code: 200,
User: auditTestUser,
Resource: "pods",
Namespace: namespace,
RequestObject: true,
ResponseObject: true,
AuthorizeDecision: "allow",
2018-01-09 18:57:14 +00:00
}, {
2018-11-26 18:23:56 +00:00
Level: auditinternal.LevelRequestResponse,
Stage: auditinternal.StageResponseComplete,
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/pods/audit-pod", namespace),
Verb: "delete",
Code: 200,
User: auditTestUser,
Resource: "pods",
Namespace: namespace,
RequestObject: true,
ResponseObject: true,
AuthorizeDecision: "allow",
2018-01-09 18:57:14 +00:00
},
},
},
// Create, get, update, patch, delete, list, watch deployments.
{
func() {
podLabels := map[string]string{"name": "audit-deployment-pod"}
2018-07-18 14:47:22 +00:00
d := framework.NewDeployment("audit-deployment", int32(1), podLabels, "redis", imageutils.GetE2EImage(imageutils.Redis), apps.RecreateDeploymentStrategyType)
2018-01-09 18:57:14 +00:00
2018-07-18 14:47:22 +00:00
_, err := f.ClientSet.AppsV1().Deployments(namespace).Create(d)
2018-01-09 18:57:14 +00:00
framework.ExpectNoError(err, "failed to create audit-deployment")
2018-07-18 14:47:22 +00:00
_, err = f.ClientSet.AppsV1().Deployments(namespace).Get(d.Name, metav1.GetOptions{})
2018-01-09 18:57:14 +00:00
framework.ExpectNoError(err, "failed to get audit-deployment")
2018-07-18 14:47:22 +00:00
deploymentChan, err := f.ClientSet.AppsV1().Deployments(namespace).Watch(watchOptions)
2018-01-09 18:57:14 +00:00
framework.ExpectNoError(err, "failed to create watch for deployments")
2018-11-26 18:23:56 +00:00
deploymentChan.Stop()
2018-01-09 18:57:14 +00:00
2018-07-18 14:47:22 +00:00
_, err = f.ClientSet.AppsV1().Deployments(namespace).Update(d)
2018-01-09 18:57:14 +00:00
framework.ExpectNoError(err, "failed to update audit-deployment")
2018-07-18 14:47:22 +00:00
_, err = f.ClientSet.AppsV1().Deployments(namespace).Patch(d.Name, types.JSONPatchType, patch)
2018-01-09 18:57:14 +00:00
framework.ExpectNoError(err, "failed to patch deployment")
2018-07-18 14:47:22 +00:00
_, err = f.ClientSet.AppsV1().Deployments(namespace).List(metav1.ListOptions{})
2018-01-09 18:57:14 +00:00
framework.ExpectNoError(err, "failed to create list deployments")
2018-07-18 14:47:22 +00:00
err = f.ClientSet.AppsV1().Deployments(namespace).Delete("audit-deployment", &metav1.DeleteOptions{})
2018-01-09 18:57:14 +00:00
framework.ExpectNoError(err, "failed to delete deployments")
},
2018-11-26 18:23:56 +00:00
[]utils.AuditEvent{
2018-01-09 18:57:14 +00:00
{
2018-11-26 18:23:56 +00:00
Level: auditinternal.LevelRequestResponse,
Stage: auditinternal.StageResponseComplete,
RequestURI: fmt.Sprintf("/apis/apps/v1/namespaces/%s/deployments", namespace),
Verb: "create",
Code: 201,
User: auditTestUser,
Resource: "deployments",
Namespace: namespace,
RequestObject: true,
ResponseObject: true,
AuthorizeDecision: "allow",
2018-01-09 18:57:14 +00:00
}, {
2018-11-26 18:23:56 +00:00
Level: auditinternal.LevelRequest,
Stage: auditinternal.StageResponseComplete,
RequestURI: fmt.Sprintf("/apis/apps/v1/namespaces/%s/deployments/audit-deployment", namespace),
Verb: "get",
Code: 200,
User: auditTestUser,
Resource: "deployments",
Namespace: namespace,
RequestObject: false,
ResponseObject: false,
AuthorizeDecision: "allow",
2018-01-09 18:57:14 +00:00
}, {
2018-11-26 18:23:56 +00:00
Level: auditinternal.LevelRequest,
Stage: auditinternal.StageResponseComplete,
RequestURI: fmt.Sprintf("/apis/apps/v1/namespaces/%s/deployments", namespace),
Verb: "list",
Code: 200,
User: auditTestUser,
Resource: "deployments",
Namespace: namespace,
RequestObject: false,
ResponseObject: false,
AuthorizeDecision: "allow",
2018-01-09 18:57:14 +00:00
}, {
2018-11-26 18:23:56 +00:00
Level: auditinternal.LevelRequest,
Stage: auditinternal.StageResponseStarted,
RequestURI: fmt.Sprintf("/apis/apps/v1/namespaces/%s/deployments?timeout=%ds&timeoutSeconds=%d&watch=true", namespace, watchTestTimeout, watchTestTimeout),
Verb: "watch",
Code: 200,
User: auditTestUser,
Resource: "deployments",
Namespace: namespace,
RequestObject: false,
ResponseObject: false,
AuthorizeDecision: "allow",
2018-01-09 18:57:14 +00:00
}, {
2018-11-26 18:23:56 +00:00
Level: auditinternal.LevelRequest,
Stage: auditinternal.StageResponseComplete,
RequestURI: fmt.Sprintf("/apis/apps/v1/namespaces/%s/deployments?timeout=%ds&timeoutSeconds=%d&watch=true", namespace, watchTestTimeout, watchTestTimeout),
Verb: "watch",
Code: 200,
User: auditTestUser,
Resource: "deployments",
Namespace: namespace,
RequestObject: false,
ResponseObject: false,
AuthorizeDecision: "allow",
2018-01-09 18:57:14 +00:00
}, {
2018-11-26 18:23:56 +00:00
Level: auditinternal.LevelRequestResponse,
Stage: auditinternal.StageResponseComplete,
RequestURI: fmt.Sprintf("/apis/apps/v1/namespaces/%s/deployments/audit-deployment", namespace),
Verb: "update",
Code: 200,
User: auditTestUser,
Resource: "deployments",
Namespace: namespace,
RequestObject: true,
ResponseObject: true,
AuthorizeDecision: "allow",
2018-01-09 18:57:14 +00:00
}, {
2018-11-26 18:23:56 +00:00
Level: auditinternal.LevelRequestResponse,
Stage: auditinternal.StageResponseComplete,
RequestURI: fmt.Sprintf("/apis/apps/v1/namespaces/%s/deployments/audit-deployment", namespace),
Verb: "patch",
Code: 200,
User: auditTestUser,
Resource: "deployments",
Namespace: namespace,
RequestObject: true,
ResponseObject: true,
AuthorizeDecision: "allow",
2018-01-09 18:57:14 +00:00
}, {
2018-11-26 18:23:56 +00:00
Level: auditinternal.LevelRequestResponse,
Stage: auditinternal.StageResponseComplete,
RequestURI: fmt.Sprintf("/apis/apps/v1/namespaces/%s/deployments/audit-deployment", namespace),
Verb: "delete",
Code: 200,
User: auditTestUser,
Resource: "deployments",
Namespace: namespace,
RequestObject: true,
ResponseObject: true,
AuthorizeDecision: "allow",
2018-01-09 18:57:14 +00:00
},
},
},
// Create, get, update, patch, delete, list, watch configmaps.
{
func() {
configMap := &apiv1.ConfigMap{
ObjectMeta: metav1.ObjectMeta{
Name: "audit-configmap",
},
Data: map[string]string{
"map-key": "map-value",
},
}
_, err := f.ClientSet.CoreV1().ConfigMaps(namespace).Create(configMap)
framework.ExpectNoError(err, "failed to create audit-configmap")
_, err = f.ClientSet.CoreV1().ConfigMaps(namespace).Get(configMap.Name, metav1.GetOptions{})
framework.ExpectNoError(err, "failed to get audit-configmap")
configMapChan, err := f.ClientSet.CoreV1().ConfigMaps(namespace).Watch(watchOptions)
framework.ExpectNoError(err, "failed to create watch for config maps")
2018-11-26 18:23:56 +00:00
configMapChan.Stop()
2018-01-09 18:57:14 +00:00
_, err = f.ClientSet.CoreV1().ConfigMaps(namespace).Update(configMap)
framework.ExpectNoError(err, "failed to update audit-configmap")
_, err = f.ClientSet.CoreV1().ConfigMaps(namespace).Patch(configMap.Name, types.JSONPatchType, patch)
framework.ExpectNoError(err, "failed to patch configmap")
_, err = f.ClientSet.CoreV1().ConfigMaps(namespace).List(metav1.ListOptions{})
framework.ExpectNoError(err, "failed to list config maps")
err = f.ClientSet.CoreV1().ConfigMaps(namespace).Delete(configMap.Name, &metav1.DeleteOptions{})
framework.ExpectNoError(err, "failed to delete audit-configmap")
},
2018-11-26 18:23:56 +00:00
[]utils.AuditEvent{
2018-01-09 18:57:14 +00:00
{
2018-11-26 18:23:56 +00:00
Level: auditinternal.LevelMetadata,
Stage: auditinternal.StageResponseComplete,
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/configmaps", namespace),
Verb: "create",
Code: 201,
User: auditTestUser,
Resource: "configmaps",
Namespace: namespace,
RequestObject: false,
ResponseObject: false,
AuthorizeDecision: "allow",
2018-01-09 18:57:14 +00:00
}, {
2018-11-26 18:23:56 +00:00
Level: auditinternal.LevelMetadata,
Stage: auditinternal.StageResponseComplete,
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/configmaps/audit-configmap", namespace),
Verb: "get",
Code: 200,
User: auditTestUser,
Resource: "configmaps",
Namespace: namespace,
RequestObject: false,
ResponseObject: false,
AuthorizeDecision: "allow",
2018-01-09 18:57:14 +00:00
}, {
2018-11-26 18:23:56 +00:00
Level: auditinternal.LevelMetadata,
Stage: auditinternal.StageResponseComplete,
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/configmaps", namespace),
Verb: "list",
Code: 200,
User: auditTestUser,
Resource: "configmaps",
Namespace: namespace,
RequestObject: false,
ResponseObject: false,
AuthorizeDecision: "allow",
2018-01-09 18:57:14 +00:00
}, {
2018-11-26 18:23:56 +00:00
Level: auditinternal.LevelMetadata,
Stage: auditinternal.StageResponseStarted,
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/configmaps?timeout=%ds&timeoutSeconds=%d&watch=true", namespace, watchTestTimeout, watchTestTimeout),
Verb: "watch",
Code: 200,
User: auditTestUser,
Resource: "configmaps",
Namespace: namespace,
RequestObject: false,
ResponseObject: false,
AuthorizeDecision: "allow",
2018-01-09 18:57:14 +00:00
}, {
2018-11-26 18:23:56 +00:00
Level: auditinternal.LevelMetadata,
Stage: auditinternal.StageResponseComplete,
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/configmaps?timeout=%ds&timeoutSeconds=%d&watch=true", namespace, watchTestTimeout, watchTestTimeout),
Verb: "watch",
Code: 200,
User: auditTestUser,
Resource: "configmaps",
Namespace: namespace,
RequestObject: false,
ResponseObject: false,
AuthorizeDecision: "allow",
2018-01-09 18:57:14 +00:00
}, {
2018-11-26 18:23:56 +00:00
Level: auditinternal.LevelMetadata,
Stage: auditinternal.StageResponseComplete,
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/configmaps/audit-configmap", namespace),
Verb: "update",
Code: 200,
User: auditTestUser,
Resource: "configmaps",
Namespace: namespace,
RequestObject: false,
ResponseObject: false,
AuthorizeDecision: "allow",
2018-01-09 18:57:14 +00:00
}, {
2018-11-26 18:23:56 +00:00
Level: auditinternal.LevelMetadata,
Stage: auditinternal.StageResponseComplete,
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/configmaps/audit-configmap", namespace),
Verb: "patch",
Code: 200,
User: auditTestUser,
Resource: "configmaps",
Namespace: namespace,
RequestObject: false,
ResponseObject: false,
AuthorizeDecision: "allow",
2018-01-09 18:57:14 +00:00
}, {
2018-11-26 18:23:56 +00:00
Level: auditinternal.LevelMetadata,
Stage: auditinternal.StageResponseComplete,
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/configmaps/audit-configmap", namespace),
Verb: "delete",
Code: 200,
User: auditTestUser,
Resource: "configmaps",
Namespace: namespace,
RequestObject: false,
ResponseObject: false,
AuthorizeDecision: "allow",
2018-01-09 18:57:14 +00:00
},
},
},
// Create, get, update, patch, delete, list, watch secrets.
{
func() {
secret := &apiv1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: "audit-secret",
},
Data: map[string][]byte{
"top-secret": []byte("foo-bar"),
},
}
_, err := f.ClientSet.CoreV1().Secrets(namespace).Create(secret)
framework.ExpectNoError(err, "failed to create audit-secret")
_, err = f.ClientSet.CoreV1().Secrets(namespace).Get(secret.Name, metav1.GetOptions{})
framework.ExpectNoError(err, "failed to get audit-secret")
secretChan, err := f.ClientSet.CoreV1().Secrets(namespace).Watch(watchOptions)
framework.ExpectNoError(err, "failed to create watch for secrets")
2018-11-26 18:23:56 +00:00
secretChan.Stop()
2018-01-09 18:57:14 +00:00
_, err = f.ClientSet.CoreV1().Secrets(namespace).Update(secret)
framework.ExpectNoError(err, "failed to update audit-secret")
_, err = f.ClientSet.CoreV1().Secrets(namespace).Patch(secret.Name, types.JSONPatchType, patch)
framework.ExpectNoError(err, "failed to patch secret")
_, err = f.ClientSet.CoreV1().Secrets(namespace).List(metav1.ListOptions{})
framework.ExpectNoError(err, "failed to list secrets")
err = f.ClientSet.CoreV1().Secrets(namespace).Delete(secret.Name, &metav1.DeleteOptions{})
framework.ExpectNoError(err, "failed to delete audit-secret")
},
2018-11-26 18:23:56 +00:00
[]utils.AuditEvent{
2018-01-09 18:57:14 +00:00
{
2018-11-26 18:23:56 +00:00
Level: auditinternal.LevelMetadata,
Stage: auditinternal.StageResponseComplete,
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/secrets", namespace),
Verb: "create",
Code: 201,
User: auditTestUser,
Resource: "secrets",
Namespace: namespace,
RequestObject: false,
ResponseObject: false,
AuthorizeDecision: "allow",
2018-01-09 18:57:14 +00:00
}, {
2018-11-26 18:23:56 +00:00
Level: auditinternal.LevelMetadata,
Stage: auditinternal.StageResponseComplete,
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/secrets/audit-secret", namespace),
Verb: "get",
Code: 200,
User: auditTestUser,
Resource: "secrets",
Namespace: namespace,
RequestObject: false,
ResponseObject: false,
AuthorizeDecision: "allow",
2018-01-09 18:57:14 +00:00
}, {
2018-11-26 18:23:56 +00:00
Level: auditinternal.LevelMetadata,
Stage: auditinternal.StageResponseComplete,
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/secrets", namespace),
Verb: "list",
Code: 200,
User: auditTestUser,
Resource: "secrets",
Namespace: namespace,
RequestObject: false,
ResponseObject: false,
AuthorizeDecision: "allow",
2018-01-09 18:57:14 +00:00
}, {
2018-11-26 18:23:56 +00:00
Level: auditinternal.LevelMetadata,
Stage: auditinternal.StageResponseStarted,
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/secrets?timeout=%ds&timeoutSeconds=%d&watch=true", namespace, watchTestTimeout, watchTestTimeout),
Verb: "watch",
Code: 200,
User: auditTestUser,
Resource: "secrets",
Namespace: namespace,
RequestObject: false,
ResponseObject: false,
AuthorizeDecision: "allow",
2018-01-09 18:57:14 +00:00
}, {
2018-11-26 18:23:56 +00:00
Level: auditinternal.LevelMetadata,
Stage: auditinternal.StageResponseComplete,
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/secrets?timeout=%ds&timeoutSeconds=%d&watch=true", namespace, watchTestTimeout, watchTestTimeout),
Verb: "watch",
Code: 200,
User: auditTestUser,
Resource: "secrets",
Namespace: namespace,
RequestObject: false,
ResponseObject: false,
AuthorizeDecision: "allow",
2018-01-09 18:57:14 +00:00
}, {
2018-11-26 18:23:56 +00:00
Level: auditinternal.LevelMetadata,
Stage: auditinternal.StageResponseComplete,
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/secrets/audit-secret", namespace),
Verb: "update",
Code: 200,
User: auditTestUser,
Resource: "secrets",
Namespace: namespace,
RequestObject: false,
ResponseObject: false,
AuthorizeDecision: "allow",
2018-01-09 18:57:14 +00:00
}, {
2018-11-26 18:23:56 +00:00
Level: auditinternal.LevelMetadata,
Stage: auditinternal.StageResponseComplete,
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/secrets/audit-secret", namespace),
Verb: "patch",
Code: 200,
User: auditTestUser,
Resource: "secrets",
Namespace: namespace,
RequestObject: false,
ResponseObject: false,
AuthorizeDecision: "allow",
2018-01-09 18:57:14 +00:00
}, {
2018-11-26 18:23:56 +00:00
Level: auditinternal.LevelMetadata,
Stage: auditinternal.StageResponseComplete,
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/secrets/audit-secret", namespace),
Verb: "delete",
Code: 200,
User: auditTestUser,
Resource: "secrets",
Namespace: namespace,
RequestObject: false,
ResponseObject: false,
AuthorizeDecision: "allow",
2018-01-09 18:57:14 +00:00
},
},
},
// Create and delete custom resource definition.
{
func() {
2018-11-26 18:23:56 +00:00
crd, err = fixtures.CreateNewCustomResourceDefinition(crd, apiExtensionClient, f.DynamicClient)
2018-01-09 18:57:14 +00:00
framework.ExpectNoError(err, "failed to create custom resource definition")
2018-11-26 18:23:56 +00:00
fixtures.DeleteCustomResourceDefinition(crd, apiExtensionClient)
2018-01-09 18:57:14 +00:00
},
2018-11-26 18:23:56 +00:00
[]utils.AuditEvent{
2018-01-09 18:57:14 +00:00
{
2018-11-26 18:23:56 +00:00
Level: auditinternal.LevelRequestResponse,
Stage: auditinternal.StageResponseComplete,
RequestURI: "/apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions",
Verb: "create",
Code: 201,
User: auditTestUser,
Resource: "customresourcedefinitions",
RequestObject: true,
ResponseObject: true,
AuthorizeDecision: "allow",
2018-01-09 18:57:14 +00:00
}, {
2018-11-26 18:23:56 +00:00
Level: auditinternal.LevelMetadata,
Stage: auditinternal.StageResponseComplete,
RequestURI: fmt.Sprintf("/apis/%s/v1beta1/%s", crdNamespace, crdName),
Verb: "create",
Code: 201,
User: auditTestUser,
Resource: crdName,
RequestObject: false,
ResponseObject: false,
AuthorizeDecision: "allow",
2018-01-09 18:57:14 +00:00
}, {
2018-11-26 18:23:56 +00:00
Level: auditinternal.LevelRequestResponse,
Stage: auditinternal.StageResponseComplete,
RequestURI: fmt.Sprintf("/apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/%s", crd.Name),
Verb: "delete",
Code: 200,
User: auditTestUser,
Resource: "customresourcedefinitions",
RequestObject: false,
ResponseObject: true,
AuthorizeDecision: "allow",
2018-01-09 18:57:14 +00:00
}, {
2018-11-26 18:23:56 +00:00
Level: auditinternal.LevelMetadata,
Stage: auditinternal.StageResponseComplete,
RequestURI: fmt.Sprintf("/apis/%s/v1beta1/%s/setup-instance", crdNamespace, crdName),
Verb: "delete",
Code: 200,
User: auditTestUser,
Resource: crdName,
RequestObject: false,
ResponseObject: false,
AuthorizeDecision: "allow",
2018-07-18 14:47:22 +00:00
},
},
},
}
// test authorizer annotations, RBAC is required.
annotationTestCases := []struct {
action func()
2018-11-26 18:23:56 +00:00
events []utils.AuditEvent
2018-07-18 14:47:22 +00:00
}{
// get a pod with unauthorized user
{
func() {
_, err := anonymousClient.CoreV1().Pods(namespace).Get("another-audit-pod", metav1.GetOptions{})
expectForbidden(err)
},
2018-11-26 18:23:56 +00:00
[]utils.AuditEvent{
2018-07-18 14:47:22 +00:00
{
2018-11-26 18:23:56 +00:00
Level: auditinternal.LevelRequest,
Stage: auditinternal.StageResponseComplete,
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/pods/another-audit-pod", namespace),
Verb: "get",
Code: 403,
User: auditTestUser,
Resource: "pods",
Namespace: namespace,
RequestObject: false,
ResponseObject: false,
AuthorizeDecision: "forbid",
2018-01-09 18:57:14 +00:00
},
},
},
}
2018-07-18 14:47:22 +00:00
if framework.IsRBACEnabled(f) {
testCases = append(testCases, annotationTestCases...)
}
2018-11-26 18:23:56 +00:00
expectedEvents := []utils.AuditEvent{}
2018-01-09 18:57:14 +00:00
for _, t := range testCases {
t.action()
expectedEvents = append(expectedEvents, t.events...)
}
2018-07-18 14:47:22 +00:00
// The default flush timeout is 30 seconds, therefore it should be enough to retry once
// to find all expected events. However, we're waiting for 5 minutes to avoid flakes.
pollingInterval := 30 * time.Second
pollingTimeout := 5 * time.Minute
err = wait.Poll(pollingInterval, pollingTimeout, func() (bool, error) {
2018-11-26 18:23:56 +00:00
// Fetch the log stream.
stream, err := f.ClientSet.CoreV1().RESTClient().Get().AbsPath("/logs/kube-apiserver-audit.log").Stream()
if err != nil {
return false, err
}
defer stream.Close()
missing, err := utils.CheckAuditLines(stream, expectedEvents, v1beta1.SchemeGroupVersion)
2018-07-18 14:47:22 +00:00
if err != nil {
framework.Logf("Failed to observe audit events: %v", err)
2018-11-26 18:23:56 +00:00
} else if len(missing) > 0 {
framework.Logf("Events %#v not found!", missing)
2018-07-18 14:47:22 +00:00
}
2018-11-26 18:23:56 +00:00
return len(missing) == 0, nil
2018-07-18 14:47:22 +00:00
})
framework.ExpectNoError(err, "after %v failed to observe audit events", pollingTimeout)
2018-01-09 18:57:14 +00:00
})
})