rebase: update kubernetes to 1.28.0 in main

updating kubernetes to 1.28.0 in the main repo. Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2025-06-13 10:33:35 +00:00 · 2023-08-17 07:15:28 +02:00
parent b2fdc269c3
commit ff3e84ad67
706 changed files with 45252 additions and 16346 deletions
--- a/vendor/k8s.io/apiserver/pkg/audit/context.go
+++ b/vendor/k8s.io/apiserver/pkg/audit/context.go
@ -39,21 +39,18 @@ type AuditContext struct {
 	RequestAuditConfig RequestAuditConfig

 	// Event is the audit Event object that is being captured to be written in
-	// the API audit log. It is set to nil when the request is not being audited.
-	Event *auditinternal.Event
+	// the API audit log.
+	Event auditinternal.Event

-	// annotations holds audit annotations that are recorded before the event has been initialized.
-	// This is represented as a slice rather than a map to preserve order.
-	annotations []annotation
-	// annotationMutex guards annotations AND event.Annotations
+	// annotationMutex guards event.Annotations
 	annotationMutex sync.Mutex
-
-	// auditID is the Audit ID associated with this request.
-	auditID types.UID
 }

-type annotation struct {
-	key, value string
+// Enabled checks whether auditing is enabled for this audit context.
+func (ac *AuditContext) Enabled() bool {
+	// Note: An unset Level should be considered Enabled, so that request data (e.g. annotations)
+	// can still be captured before the audit policy is evaluated.
+	return ac != nil && ac.RequestAuditConfig.Level != auditinternal.LevelNone
 }

 // AddAuditAnnotation sets the audit annotation for the given key, value pair.
@ -65,8 +62,7 @@ type annotation struct {
 // prefer AddAuditAnnotation over LogAnnotation to avoid dropping annotations.
 func AddAuditAnnotation(ctx context.Context, key, value string) {
 	ac := AuditContextFrom(ctx)
-	if ac == nil {
-		// auditing is not enabled
+	if !ac.Enabled() {
 		return
 	}

@ -81,8 +77,7 @@ func AddAuditAnnotation(ctx context.Context, key, value string) {
 // keysAndValues are the key-value pairs to add, and must have an even number of items.
 func AddAuditAnnotations(ctx context.Context, keysAndValues ...string) {
 	ac := AuditContextFrom(ctx)
-	if ac == nil {
-		// auditing is not enabled
+	if !ac.Enabled() {
 		return
 	}

@ -101,8 +96,7 @@ func AddAuditAnnotations(ctx context.Context, keysAndValues ...string) {
 // restrictions on when this can be called.
 func AddAuditAnnotationsMap(ctx context.Context, annotations map[string]string) {
 	ac := AuditContextFrom(ctx)
-	if ac == nil {
-		// auditing is not enabled
+	if !ac.Enabled() {
 		return
 	}

@ -114,38 +108,10 @@ func AddAuditAnnotationsMap(ctx context.Context, annotations map[string]string)
 	}
 }

-// addAuditAnnotationLocked is the shared code for recording an audit annotation. This method should
-// only be called while the auditAnnotationsMutex is locked.
+// addAuditAnnotationLocked records the audit annotation on the event.
 func addAuditAnnotationLocked(ac *AuditContext, key, value string) {
-	if ac.Event != nil {
-		logAnnotation(ac.Event, key, value)
-	} else {
-		ac.annotations = append(ac.annotations, annotation{key: key, value: value})
-	}
-}
+	ae := &ac.Event

-// This is private to prevent reads/write to the slice from outside of this package.
-// The audit event should be directly read to get access to the annotations.
-func addAuditAnnotationsFrom(ctx context.Context, ev *auditinternal.Event) {
-	ac := AuditContextFrom(ctx)
-	if ac == nil {
-		// auditing is not enabled
-		return
-	}
-
-	ac.annotationMutex.Lock()
-	defer ac.annotationMutex.Unlock()
-
-	for _, kv := range ac.annotations {
-		logAnnotation(ev, kv.key, kv.value)
-	}
-}
-
-// LogAnnotation fills in the Annotations according to the key value pair.
-func logAnnotation(ae *auditinternal.Event, key, value string) {
-	if ae == nil || ae.Level.Less(auditinternal.LevelMetadata) {
-		return
-	}
 	if ae.Annotations == nil {
 		ae.Annotations = make(map[string]string)
 	}
@ -167,8 +133,8 @@ func WithAuditContext(parent context.Context) context.Context {

 // AuditEventFrom returns the audit event struct on the ctx
 func AuditEventFrom(ctx context.Context) *auditinternal.Event {
-	if o := AuditContextFrom(ctx); o != nil {
-		return o.Event
+	if ac := AuditContextFrom(ctx); ac.Enabled() {
+		return &ac.Event
 	}
 	return nil
 }
@ -187,20 +153,16 @@ func WithAuditID(ctx context.Context, auditID types.UID) {
 	if auditID == "" {
 		return
 	}
-	ac := AuditContextFrom(ctx)
-	if ac == nil {
-		return
-	}
-	ac.auditID = auditID
-	if ac.Event != nil {
+	if ac := AuditContextFrom(ctx); ac != nil {
 		ac.Event.AuditID = auditID
 	}
 }

-// AuditIDFrom returns the value of the audit ID from the request context.
+// AuditIDFrom returns the value of the audit ID from the request context, along with whether
+// auditing is enabled.
 func AuditIDFrom(ctx context.Context) (types.UID, bool) {
 	if ac := AuditContextFrom(ctx); ac != nil {
-		return ac.auditID, ac.auditID != ""
+		return ac.Event.AuditID, true
 	}
 	return "", false
 }
--- a/vendor/k8s.io/apiserver/pkg/audit/request.go
+++ b/vendor/k8s.io/apiserver/pkg/audit/request.go
@ -28,14 +28,11 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
-	"k8s.io/apimachinery/pkg/types"
 	utilnet "k8s.io/apimachinery/pkg/util/net"
 	auditinternal "k8s.io/apiserver/pkg/apis/audit"
 	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 	"k8s.io/klog/v2"
-
-	"github.com/google/uuid"
 )

 const (
@ -43,20 +40,18 @@ const (
 	userAgentTruncateSuffix = "...TRUNCATED"
 )

-func NewEventFromRequest(req *http.Request, requestReceivedTimestamp time.Time, level auditinternal.Level, attribs authorizer.Attributes) (*auditinternal.Event, error) {
-	ev := &auditinternal.Event{
-		RequestReceivedTimestamp: metav1.NewMicroTime(requestReceivedTimestamp),
-		Verb:                     attribs.GetVerb(),
-		RequestURI:               req.URL.RequestURI(),
-		UserAgent:                maybeTruncateUserAgent(req),
-		Level:                    level,
+func LogRequestMetadata(ctx context.Context, req *http.Request, requestReceivedTimestamp time.Time, level auditinternal.Level, attribs authorizer.Attributes) {
+	ac := AuditContextFrom(ctx)
+	if !ac.Enabled() {
+		return
 	}
+	ev := &ac.Event

-	auditID, found := AuditIDFrom(req.Context())
-	if !found {
-		auditID = types.UID(uuid.New().String())
-	}
-	ev.AuditID = auditID
+	ev.RequestReceivedTimestamp = metav1.NewMicroTime(requestReceivedTimestamp)
+	ev.Verb = attribs.GetVerb()
+	ev.RequestURI = req.URL.RequestURI()
+	ev.UserAgent = maybeTruncateUserAgent(req)
+	ev.Level = level

 	ips := utilnet.SourceIPs(req)
 	ev.SourceIPs = make([]string, len(ips))
@ -84,10 +79,6 @@ func NewEventFromRequest(req *http.Request, requestReceivedTimestamp time.Time,
 			APIVersion:  attribs.GetAPIVersion(),
 		}
 	}
-
-	addAuditAnnotationsFrom(req.Context(), ev)
-
-	return ev, nil
 }

 // LogImpersonatedUser fills in the impersonated user attributes into an audit event.