mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-11-13 01:40:23 +00:00
734 lines
28 KiB
Go
734 lines
28 KiB
Go
/*
|
|
Copyright 2017 The Kubernetes Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package auth
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
"strings"
|
|
"time"
|
|
|
|
apps "k8s.io/api/apps/v1"
|
|
apiv1 "k8s.io/api/core/v1"
|
|
apiextensionsv1beta1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
|
|
apiextensionclientset "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
|
|
"k8s.io/apiextensions-apiserver/test/integration/fixtures"
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
"k8s.io/apimachinery/pkg/types"
|
|
"k8s.io/apimachinery/pkg/util/wait"
|
|
auditinternal "k8s.io/apiserver/pkg/apis/audit"
|
|
"k8s.io/apiserver/pkg/apis/audit/v1beta1"
|
|
clientset "k8s.io/client-go/kubernetes"
|
|
restclient "k8s.io/client-go/rest"
|
|
"k8s.io/kubernetes/test/e2e/framework"
|
|
"k8s.io/kubernetes/test/utils"
|
|
imageutils "k8s.io/kubernetes/test/utils/image"
|
|
|
|
"github.com/evanphx/json-patch"
|
|
. "github.com/onsi/ginkgo"
|
|
)
|
|
|
|
var (
|
|
watchTestTimeout int64 = 1
|
|
auditTestUser = "kubecfg"
|
|
|
|
crd = fixtures.NewRandomNameCustomResourceDefinition(apiextensionsv1beta1.ClusterScoped)
|
|
crdName = strings.SplitN(crd.Name, ".", 2)[0]
|
|
crdNamespace = strings.SplitN(crd.Name, ".", 2)[1]
|
|
|
|
watchOptions = metav1.ListOptions{TimeoutSeconds: &watchTestTimeout}
|
|
patch, _ = json.Marshal(jsonpatch.Patch{})
|
|
)
|
|
|
|
var _ = SIGDescribe("Advanced Audit", func() {
|
|
f := framework.NewDefaultFramework("audit")
|
|
BeforeEach(func() {
|
|
framework.SkipUnlessProviderIs("gce")
|
|
})
|
|
|
|
// TODO: Get rid of [DisabledForLargeClusters] when feature request #53455 is ready.
|
|
It("should audit API calls [DisabledForLargeClusters]", func() {
|
|
namespace := f.Namespace.Name
|
|
|
|
config, err := framework.LoadConfig()
|
|
framework.ExpectNoError(err, "failed to load config")
|
|
apiExtensionClient, err := apiextensionclientset.NewForConfig(config)
|
|
framework.ExpectNoError(err, "failed to initialize apiExtensionClient")
|
|
|
|
By("Creating a kubernetes client that impersonates an unauthorized anonymous user")
|
|
config, err = framework.LoadConfig()
|
|
framework.ExpectNoError(err)
|
|
config.Impersonate = restclient.ImpersonationConfig{
|
|
UserName: "system:anonymous",
|
|
Groups: []string{"system:unauthenticated"},
|
|
}
|
|
anonymousClient, err := clientset.NewForConfig(config)
|
|
framework.ExpectNoError(err)
|
|
|
|
testCases := []struct {
|
|
action func()
|
|
events []utils.AuditEvent
|
|
}{
|
|
// Create, get, update, patch, delete, list, watch pods.
|
|
{
|
|
func() {
|
|
pod := &apiv1.Pod{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: "audit-pod",
|
|
},
|
|
Spec: apiv1.PodSpec{
|
|
Containers: []apiv1.Container{{
|
|
Name: "pause",
|
|
Image: imageutils.GetPauseImageName(),
|
|
}},
|
|
},
|
|
}
|
|
updatePod := func(pod *apiv1.Pod) {}
|
|
|
|
f.PodClient().CreateSync(pod)
|
|
|
|
_, err := f.PodClient().Get(pod.Name, metav1.GetOptions{})
|
|
framework.ExpectNoError(err, "failed to get audit-pod")
|
|
|
|
podChan, err := f.PodClient().Watch(watchOptions)
|
|
framework.ExpectNoError(err, "failed to create watch for pods")
|
|
podChan.Stop()
|
|
|
|
f.PodClient().Update(pod.Name, updatePod)
|
|
|
|
_, err = f.PodClient().List(metav1.ListOptions{})
|
|
framework.ExpectNoError(err, "failed to list pods")
|
|
|
|
_, err = f.PodClient().Patch(pod.Name, types.JSONPatchType, patch)
|
|
framework.ExpectNoError(err, "failed to patch pod")
|
|
|
|
f.PodClient().DeleteSync(pod.Name, &metav1.DeleteOptions{}, framework.DefaultPodDeletionTimeout)
|
|
},
|
|
[]utils.AuditEvent{
|
|
{
|
|
Level: auditinternal.LevelRequestResponse,
|
|
Stage: auditinternal.StageResponseComplete,
|
|
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/pods", namespace),
|
|
Verb: "create",
|
|
Code: 201,
|
|
User: auditTestUser,
|
|
Resource: "pods",
|
|
Namespace: namespace,
|
|
RequestObject: true,
|
|
ResponseObject: true,
|
|
AuthorizeDecision: "allow",
|
|
}, {
|
|
Level: auditinternal.LevelRequest,
|
|
Stage: auditinternal.StageResponseComplete,
|
|
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/pods/audit-pod", namespace),
|
|
Verb: "get",
|
|
Code: 200,
|
|
User: auditTestUser,
|
|
Resource: "pods",
|
|
Namespace: namespace,
|
|
RequestObject: false,
|
|
ResponseObject: false,
|
|
AuthorizeDecision: "allow",
|
|
}, {
|
|
Level: auditinternal.LevelRequest,
|
|
Stage: auditinternal.StageResponseComplete,
|
|
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/pods", namespace),
|
|
Verb: "list",
|
|
Code: 200,
|
|
User: auditTestUser,
|
|
Resource: "pods",
|
|
Namespace: namespace,
|
|
RequestObject: false,
|
|
ResponseObject: false,
|
|
AuthorizeDecision: "allow",
|
|
}, {
|
|
Level: auditinternal.LevelRequest,
|
|
Stage: auditinternal.StageResponseStarted,
|
|
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/pods?timeout=%ds&timeoutSeconds=%d&watch=true", namespace, watchTestTimeout, watchTestTimeout),
|
|
Verb: "watch",
|
|
Code: 200,
|
|
User: auditTestUser,
|
|
Resource: "pods",
|
|
Namespace: namespace,
|
|
RequestObject: false,
|
|
ResponseObject: false,
|
|
AuthorizeDecision: "allow",
|
|
}, {
|
|
Level: auditinternal.LevelRequest,
|
|
Stage: auditinternal.StageResponseComplete,
|
|
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/pods?timeout=%ds&timeoutSeconds=%d&watch=true", namespace, watchTestTimeout, watchTestTimeout),
|
|
Verb: "watch",
|
|
Code: 200,
|
|
User: auditTestUser,
|
|
Resource: "pods",
|
|
Namespace: namespace,
|
|
RequestObject: false,
|
|
ResponseObject: false,
|
|
AuthorizeDecision: "allow",
|
|
}, {
|
|
Level: auditinternal.LevelRequestResponse,
|
|
Stage: auditinternal.StageResponseComplete,
|
|
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/pods/audit-pod", namespace),
|
|
Verb: "update",
|
|
Code: 200,
|
|
User: auditTestUser,
|
|
Resource: "pods",
|
|
Namespace: namespace,
|
|
RequestObject: true,
|
|
ResponseObject: true,
|
|
AuthorizeDecision: "allow",
|
|
}, {
|
|
Level: auditinternal.LevelRequestResponse,
|
|
Stage: auditinternal.StageResponseComplete,
|
|
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/pods/audit-pod", namespace),
|
|
Verb: "patch",
|
|
Code: 200,
|
|
User: auditTestUser,
|
|
Resource: "pods",
|
|
Namespace: namespace,
|
|
RequestObject: true,
|
|
ResponseObject: true,
|
|
AuthorizeDecision: "allow",
|
|
}, {
|
|
Level: auditinternal.LevelRequestResponse,
|
|
Stage: auditinternal.StageResponseComplete,
|
|
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/pods/audit-pod", namespace),
|
|
Verb: "delete",
|
|
Code: 200,
|
|
User: auditTestUser,
|
|
Resource: "pods",
|
|
Namespace: namespace,
|
|
RequestObject: true,
|
|
ResponseObject: true,
|
|
AuthorizeDecision: "allow",
|
|
},
|
|
},
|
|
},
|
|
// Create, get, update, patch, delete, list, watch deployments.
|
|
{
|
|
func() {
|
|
podLabels := map[string]string{"name": "audit-deployment-pod"}
|
|
d := framework.NewDeployment("audit-deployment", int32(1), podLabels, "redis", imageutils.GetE2EImage(imageutils.Redis), apps.RecreateDeploymentStrategyType)
|
|
|
|
_, err := f.ClientSet.AppsV1().Deployments(namespace).Create(d)
|
|
framework.ExpectNoError(err, "failed to create audit-deployment")
|
|
|
|
_, err = f.ClientSet.AppsV1().Deployments(namespace).Get(d.Name, metav1.GetOptions{})
|
|
framework.ExpectNoError(err, "failed to get audit-deployment")
|
|
|
|
deploymentChan, err := f.ClientSet.AppsV1().Deployments(namespace).Watch(watchOptions)
|
|
framework.ExpectNoError(err, "failed to create watch for deployments")
|
|
deploymentChan.Stop()
|
|
|
|
_, err = f.ClientSet.AppsV1().Deployments(namespace).Update(d)
|
|
framework.ExpectNoError(err, "failed to update audit-deployment")
|
|
|
|
_, err = f.ClientSet.AppsV1().Deployments(namespace).Patch(d.Name, types.JSONPatchType, patch)
|
|
framework.ExpectNoError(err, "failed to patch deployment")
|
|
|
|
_, err = f.ClientSet.AppsV1().Deployments(namespace).List(metav1.ListOptions{})
|
|
framework.ExpectNoError(err, "failed to create list deployments")
|
|
|
|
err = f.ClientSet.AppsV1().Deployments(namespace).Delete("audit-deployment", &metav1.DeleteOptions{})
|
|
framework.ExpectNoError(err, "failed to delete deployments")
|
|
},
|
|
[]utils.AuditEvent{
|
|
{
|
|
Level: auditinternal.LevelRequestResponse,
|
|
Stage: auditinternal.StageResponseComplete,
|
|
RequestURI: fmt.Sprintf("/apis/apps/v1/namespaces/%s/deployments", namespace),
|
|
Verb: "create",
|
|
Code: 201,
|
|
User: auditTestUser,
|
|
Resource: "deployments",
|
|
Namespace: namespace,
|
|
RequestObject: true,
|
|
ResponseObject: true,
|
|
AuthorizeDecision: "allow",
|
|
}, {
|
|
Level: auditinternal.LevelRequest,
|
|
Stage: auditinternal.StageResponseComplete,
|
|
RequestURI: fmt.Sprintf("/apis/apps/v1/namespaces/%s/deployments/audit-deployment", namespace),
|
|
Verb: "get",
|
|
Code: 200,
|
|
User: auditTestUser,
|
|
Resource: "deployments",
|
|
Namespace: namespace,
|
|
RequestObject: false,
|
|
ResponseObject: false,
|
|
AuthorizeDecision: "allow",
|
|
}, {
|
|
Level: auditinternal.LevelRequest,
|
|
Stage: auditinternal.StageResponseComplete,
|
|
RequestURI: fmt.Sprintf("/apis/apps/v1/namespaces/%s/deployments", namespace),
|
|
Verb: "list",
|
|
Code: 200,
|
|
User: auditTestUser,
|
|
Resource: "deployments",
|
|
Namespace: namespace,
|
|
RequestObject: false,
|
|
ResponseObject: false,
|
|
AuthorizeDecision: "allow",
|
|
}, {
|
|
Level: auditinternal.LevelRequest,
|
|
Stage: auditinternal.StageResponseStarted,
|
|
RequestURI: fmt.Sprintf("/apis/apps/v1/namespaces/%s/deployments?timeout=%ds&timeoutSeconds=%d&watch=true", namespace, watchTestTimeout, watchTestTimeout),
|
|
Verb: "watch",
|
|
Code: 200,
|
|
User: auditTestUser,
|
|
Resource: "deployments",
|
|
Namespace: namespace,
|
|
RequestObject: false,
|
|
ResponseObject: false,
|
|
AuthorizeDecision: "allow",
|
|
}, {
|
|
Level: auditinternal.LevelRequest,
|
|
Stage: auditinternal.StageResponseComplete,
|
|
RequestURI: fmt.Sprintf("/apis/apps/v1/namespaces/%s/deployments?timeout=%ds&timeoutSeconds=%d&watch=true", namespace, watchTestTimeout, watchTestTimeout),
|
|
Verb: "watch",
|
|
Code: 200,
|
|
User: auditTestUser,
|
|
Resource: "deployments",
|
|
Namespace: namespace,
|
|
RequestObject: false,
|
|
ResponseObject: false,
|
|
AuthorizeDecision: "allow",
|
|
}, {
|
|
Level: auditinternal.LevelRequestResponse,
|
|
Stage: auditinternal.StageResponseComplete,
|
|
RequestURI: fmt.Sprintf("/apis/apps/v1/namespaces/%s/deployments/audit-deployment", namespace),
|
|
Verb: "update",
|
|
Code: 200,
|
|
User: auditTestUser,
|
|
Resource: "deployments",
|
|
Namespace: namespace,
|
|
RequestObject: true,
|
|
ResponseObject: true,
|
|
AuthorizeDecision: "allow",
|
|
}, {
|
|
Level: auditinternal.LevelRequestResponse,
|
|
Stage: auditinternal.StageResponseComplete,
|
|
RequestURI: fmt.Sprintf("/apis/apps/v1/namespaces/%s/deployments/audit-deployment", namespace),
|
|
Verb: "patch",
|
|
Code: 200,
|
|
User: auditTestUser,
|
|
Resource: "deployments",
|
|
Namespace: namespace,
|
|
RequestObject: true,
|
|
ResponseObject: true,
|
|
AuthorizeDecision: "allow",
|
|
}, {
|
|
Level: auditinternal.LevelRequestResponse,
|
|
Stage: auditinternal.StageResponseComplete,
|
|
RequestURI: fmt.Sprintf("/apis/apps/v1/namespaces/%s/deployments/audit-deployment", namespace),
|
|
Verb: "delete",
|
|
Code: 200,
|
|
User: auditTestUser,
|
|
Resource: "deployments",
|
|
Namespace: namespace,
|
|
RequestObject: true,
|
|
ResponseObject: true,
|
|
AuthorizeDecision: "allow",
|
|
},
|
|
},
|
|
},
|
|
// Create, get, update, patch, delete, list, watch configmaps.
|
|
{
|
|
func() {
|
|
configMap := &apiv1.ConfigMap{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: "audit-configmap",
|
|
},
|
|
Data: map[string]string{
|
|
"map-key": "map-value",
|
|
},
|
|
}
|
|
|
|
_, err := f.ClientSet.CoreV1().ConfigMaps(namespace).Create(configMap)
|
|
framework.ExpectNoError(err, "failed to create audit-configmap")
|
|
|
|
_, err = f.ClientSet.CoreV1().ConfigMaps(namespace).Get(configMap.Name, metav1.GetOptions{})
|
|
framework.ExpectNoError(err, "failed to get audit-configmap")
|
|
|
|
configMapChan, err := f.ClientSet.CoreV1().ConfigMaps(namespace).Watch(watchOptions)
|
|
framework.ExpectNoError(err, "failed to create watch for config maps")
|
|
configMapChan.Stop()
|
|
|
|
_, err = f.ClientSet.CoreV1().ConfigMaps(namespace).Update(configMap)
|
|
framework.ExpectNoError(err, "failed to update audit-configmap")
|
|
|
|
_, err = f.ClientSet.CoreV1().ConfigMaps(namespace).Patch(configMap.Name, types.JSONPatchType, patch)
|
|
framework.ExpectNoError(err, "failed to patch configmap")
|
|
|
|
_, err = f.ClientSet.CoreV1().ConfigMaps(namespace).List(metav1.ListOptions{})
|
|
framework.ExpectNoError(err, "failed to list config maps")
|
|
|
|
err = f.ClientSet.CoreV1().ConfigMaps(namespace).Delete(configMap.Name, &metav1.DeleteOptions{})
|
|
framework.ExpectNoError(err, "failed to delete audit-configmap")
|
|
},
|
|
[]utils.AuditEvent{
|
|
{
|
|
Level: auditinternal.LevelMetadata,
|
|
Stage: auditinternal.StageResponseComplete,
|
|
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/configmaps", namespace),
|
|
Verb: "create",
|
|
Code: 201,
|
|
User: auditTestUser,
|
|
Resource: "configmaps",
|
|
Namespace: namespace,
|
|
RequestObject: false,
|
|
ResponseObject: false,
|
|
AuthorizeDecision: "allow",
|
|
}, {
|
|
Level: auditinternal.LevelMetadata,
|
|
Stage: auditinternal.StageResponseComplete,
|
|
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/configmaps/audit-configmap", namespace),
|
|
Verb: "get",
|
|
Code: 200,
|
|
User: auditTestUser,
|
|
Resource: "configmaps",
|
|
Namespace: namespace,
|
|
RequestObject: false,
|
|
ResponseObject: false,
|
|
AuthorizeDecision: "allow",
|
|
}, {
|
|
Level: auditinternal.LevelMetadata,
|
|
Stage: auditinternal.StageResponseComplete,
|
|
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/configmaps", namespace),
|
|
Verb: "list",
|
|
Code: 200,
|
|
User: auditTestUser,
|
|
Resource: "configmaps",
|
|
Namespace: namespace,
|
|
RequestObject: false,
|
|
ResponseObject: false,
|
|
AuthorizeDecision: "allow",
|
|
}, {
|
|
Level: auditinternal.LevelMetadata,
|
|
Stage: auditinternal.StageResponseStarted,
|
|
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/configmaps?timeout=%ds&timeoutSeconds=%d&watch=true", namespace, watchTestTimeout, watchTestTimeout),
|
|
Verb: "watch",
|
|
Code: 200,
|
|
User: auditTestUser,
|
|
Resource: "configmaps",
|
|
Namespace: namespace,
|
|
RequestObject: false,
|
|
ResponseObject: false,
|
|
AuthorizeDecision: "allow",
|
|
}, {
|
|
Level: auditinternal.LevelMetadata,
|
|
Stage: auditinternal.StageResponseComplete,
|
|
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/configmaps?timeout=%ds&timeoutSeconds=%d&watch=true", namespace, watchTestTimeout, watchTestTimeout),
|
|
Verb: "watch",
|
|
Code: 200,
|
|
User: auditTestUser,
|
|
Resource: "configmaps",
|
|
Namespace: namespace,
|
|
RequestObject: false,
|
|
ResponseObject: false,
|
|
AuthorizeDecision: "allow",
|
|
}, {
|
|
Level: auditinternal.LevelMetadata,
|
|
Stage: auditinternal.StageResponseComplete,
|
|
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/configmaps/audit-configmap", namespace),
|
|
Verb: "update",
|
|
Code: 200,
|
|
User: auditTestUser,
|
|
Resource: "configmaps",
|
|
Namespace: namespace,
|
|
RequestObject: false,
|
|
ResponseObject: false,
|
|
AuthorizeDecision: "allow",
|
|
}, {
|
|
Level: auditinternal.LevelMetadata,
|
|
Stage: auditinternal.StageResponseComplete,
|
|
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/configmaps/audit-configmap", namespace),
|
|
Verb: "patch",
|
|
Code: 200,
|
|
User: auditTestUser,
|
|
Resource: "configmaps",
|
|
Namespace: namespace,
|
|
RequestObject: false,
|
|
ResponseObject: false,
|
|
AuthorizeDecision: "allow",
|
|
}, {
|
|
Level: auditinternal.LevelMetadata,
|
|
Stage: auditinternal.StageResponseComplete,
|
|
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/configmaps/audit-configmap", namespace),
|
|
Verb: "delete",
|
|
Code: 200,
|
|
User: auditTestUser,
|
|
Resource: "configmaps",
|
|
Namespace: namespace,
|
|
RequestObject: false,
|
|
ResponseObject: false,
|
|
AuthorizeDecision: "allow",
|
|
},
|
|
},
|
|
},
|
|
// Create, get, update, patch, delete, list, watch secrets.
|
|
{
|
|
func() {
|
|
secret := &apiv1.Secret{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: "audit-secret",
|
|
},
|
|
Data: map[string][]byte{
|
|
"top-secret": []byte("foo-bar"),
|
|
},
|
|
}
|
|
_, err := f.ClientSet.CoreV1().Secrets(namespace).Create(secret)
|
|
framework.ExpectNoError(err, "failed to create audit-secret")
|
|
|
|
_, err = f.ClientSet.CoreV1().Secrets(namespace).Get(secret.Name, metav1.GetOptions{})
|
|
framework.ExpectNoError(err, "failed to get audit-secret")
|
|
|
|
secretChan, err := f.ClientSet.CoreV1().Secrets(namespace).Watch(watchOptions)
|
|
framework.ExpectNoError(err, "failed to create watch for secrets")
|
|
secretChan.Stop()
|
|
|
|
_, err = f.ClientSet.CoreV1().Secrets(namespace).Update(secret)
|
|
framework.ExpectNoError(err, "failed to update audit-secret")
|
|
|
|
_, err = f.ClientSet.CoreV1().Secrets(namespace).Patch(secret.Name, types.JSONPatchType, patch)
|
|
framework.ExpectNoError(err, "failed to patch secret")
|
|
|
|
_, err = f.ClientSet.CoreV1().Secrets(namespace).List(metav1.ListOptions{})
|
|
framework.ExpectNoError(err, "failed to list secrets")
|
|
|
|
err = f.ClientSet.CoreV1().Secrets(namespace).Delete(secret.Name, &metav1.DeleteOptions{})
|
|
framework.ExpectNoError(err, "failed to delete audit-secret")
|
|
},
|
|
[]utils.AuditEvent{
|
|
{
|
|
Level: auditinternal.LevelMetadata,
|
|
Stage: auditinternal.StageResponseComplete,
|
|
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/secrets", namespace),
|
|
Verb: "create",
|
|
Code: 201,
|
|
User: auditTestUser,
|
|
Resource: "secrets",
|
|
Namespace: namespace,
|
|
RequestObject: false,
|
|
ResponseObject: false,
|
|
AuthorizeDecision: "allow",
|
|
}, {
|
|
Level: auditinternal.LevelMetadata,
|
|
Stage: auditinternal.StageResponseComplete,
|
|
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/secrets/audit-secret", namespace),
|
|
Verb: "get",
|
|
Code: 200,
|
|
User: auditTestUser,
|
|
Resource: "secrets",
|
|
Namespace: namespace,
|
|
RequestObject: false,
|
|
ResponseObject: false,
|
|
AuthorizeDecision: "allow",
|
|
}, {
|
|
Level: auditinternal.LevelMetadata,
|
|
Stage: auditinternal.StageResponseComplete,
|
|
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/secrets", namespace),
|
|
Verb: "list",
|
|
Code: 200,
|
|
User: auditTestUser,
|
|
Resource: "secrets",
|
|
Namespace: namespace,
|
|
RequestObject: false,
|
|
ResponseObject: false,
|
|
AuthorizeDecision: "allow",
|
|
}, {
|
|
Level: auditinternal.LevelMetadata,
|
|
Stage: auditinternal.StageResponseStarted,
|
|
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/secrets?timeout=%ds&timeoutSeconds=%d&watch=true", namespace, watchTestTimeout, watchTestTimeout),
|
|
Verb: "watch",
|
|
Code: 200,
|
|
User: auditTestUser,
|
|
Resource: "secrets",
|
|
Namespace: namespace,
|
|
RequestObject: false,
|
|
ResponseObject: false,
|
|
AuthorizeDecision: "allow",
|
|
}, {
|
|
Level: auditinternal.LevelMetadata,
|
|
Stage: auditinternal.StageResponseComplete,
|
|
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/secrets?timeout=%ds&timeoutSeconds=%d&watch=true", namespace, watchTestTimeout, watchTestTimeout),
|
|
Verb: "watch",
|
|
Code: 200,
|
|
User: auditTestUser,
|
|
Resource: "secrets",
|
|
Namespace: namespace,
|
|
RequestObject: false,
|
|
ResponseObject: false,
|
|
AuthorizeDecision: "allow",
|
|
}, {
|
|
Level: auditinternal.LevelMetadata,
|
|
Stage: auditinternal.StageResponseComplete,
|
|
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/secrets/audit-secret", namespace),
|
|
Verb: "update",
|
|
Code: 200,
|
|
User: auditTestUser,
|
|
Resource: "secrets",
|
|
Namespace: namespace,
|
|
RequestObject: false,
|
|
ResponseObject: false,
|
|
AuthorizeDecision: "allow",
|
|
}, {
|
|
Level: auditinternal.LevelMetadata,
|
|
Stage: auditinternal.StageResponseComplete,
|
|
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/secrets/audit-secret", namespace),
|
|
Verb: "patch",
|
|
Code: 200,
|
|
User: auditTestUser,
|
|
Resource: "secrets",
|
|
Namespace: namespace,
|
|
RequestObject: false,
|
|
ResponseObject: false,
|
|
AuthorizeDecision: "allow",
|
|
}, {
|
|
Level: auditinternal.LevelMetadata,
|
|
Stage: auditinternal.StageResponseComplete,
|
|
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/secrets/audit-secret", namespace),
|
|
Verb: "delete",
|
|
Code: 200,
|
|
User: auditTestUser,
|
|
Resource: "secrets",
|
|
Namespace: namespace,
|
|
RequestObject: false,
|
|
ResponseObject: false,
|
|
AuthorizeDecision: "allow",
|
|
},
|
|
},
|
|
},
|
|
// Create and delete custom resource definition.
|
|
{
|
|
func() {
|
|
crd, err = fixtures.CreateNewCustomResourceDefinition(crd, apiExtensionClient, f.DynamicClient)
|
|
framework.ExpectNoError(err, "failed to create custom resource definition")
|
|
fixtures.DeleteCustomResourceDefinition(crd, apiExtensionClient)
|
|
},
|
|
[]utils.AuditEvent{
|
|
{
|
|
Level: auditinternal.LevelRequestResponse,
|
|
Stage: auditinternal.StageResponseComplete,
|
|
RequestURI: "/apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions",
|
|
Verb: "create",
|
|
Code: 201,
|
|
User: auditTestUser,
|
|
Resource: "customresourcedefinitions",
|
|
RequestObject: true,
|
|
ResponseObject: true,
|
|
AuthorizeDecision: "allow",
|
|
}, {
|
|
Level: auditinternal.LevelMetadata,
|
|
Stage: auditinternal.StageResponseComplete,
|
|
RequestURI: fmt.Sprintf("/apis/%s/v1beta1/%s", crdNamespace, crdName),
|
|
Verb: "create",
|
|
Code: 201,
|
|
User: auditTestUser,
|
|
Resource: crdName,
|
|
RequestObject: false,
|
|
ResponseObject: false,
|
|
AuthorizeDecision: "allow",
|
|
}, {
|
|
Level: auditinternal.LevelRequestResponse,
|
|
Stage: auditinternal.StageResponseComplete,
|
|
RequestURI: fmt.Sprintf("/apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/%s", crd.Name),
|
|
Verb: "delete",
|
|
Code: 200,
|
|
User: auditTestUser,
|
|
Resource: "customresourcedefinitions",
|
|
RequestObject: false,
|
|
ResponseObject: true,
|
|
AuthorizeDecision: "allow",
|
|
}, {
|
|
Level: auditinternal.LevelMetadata,
|
|
Stage: auditinternal.StageResponseComplete,
|
|
RequestURI: fmt.Sprintf("/apis/%s/v1beta1/%s/setup-instance", crdNamespace, crdName),
|
|
Verb: "delete",
|
|
Code: 200,
|
|
User: auditTestUser,
|
|
Resource: crdName,
|
|
RequestObject: false,
|
|
ResponseObject: false,
|
|
AuthorizeDecision: "allow",
|
|
},
|
|
},
|
|
},
|
|
}
|
|
|
|
// test authorizer annotations, RBAC is required.
|
|
annotationTestCases := []struct {
|
|
action func()
|
|
events []utils.AuditEvent
|
|
}{
|
|
|
|
// get a pod with unauthorized user
|
|
{
|
|
func() {
|
|
_, err := anonymousClient.CoreV1().Pods(namespace).Get("another-audit-pod", metav1.GetOptions{})
|
|
expectForbidden(err)
|
|
},
|
|
[]utils.AuditEvent{
|
|
{
|
|
Level: auditinternal.LevelRequest,
|
|
Stage: auditinternal.StageResponseComplete,
|
|
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/pods/another-audit-pod", namespace),
|
|
Verb: "get",
|
|
Code: 403,
|
|
User: auditTestUser,
|
|
Resource: "pods",
|
|
Namespace: namespace,
|
|
RequestObject: false,
|
|
ResponseObject: false,
|
|
AuthorizeDecision: "forbid",
|
|
},
|
|
},
|
|
},
|
|
}
|
|
|
|
if framework.IsRBACEnabled(f) {
|
|
testCases = append(testCases, annotationTestCases...)
|
|
}
|
|
expectedEvents := []utils.AuditEvent{}
|
|
for _, t := range testCases {
|
|
t.action()
|
|
expectedEvents = append(expectedEvents, t.events...)
|
|
}
|
|
|
|
// The default flush timeout is 30 seconds, therefore it should be enough to retry once
|
|
// to find all expected events. However, we're waiting for 5 minutes to avoid flakes.
|
|
pollingInterval := 30 * time.Second
|
|
pollingTimeout := 5 * time.Minute
|
|
err = wait.Poll(pollingInterval, pollingTimeout, func() (bool, error) {
|
|
// Fetch the log stream.
|
|
stream, err := f.ClientSet.CoreV1().RESTClient().Get().AbsPath("/logs/kube-apiserver-audit.log").Stream()
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
defer stream.Close()
|
|
missing, err := utils.CheckAuditLines(stream, expectedEvents, v1beta1.SchemeGroupVersion)
|
|
if err != nil {
|
|
framework.Logf("Failed to observe audit events: %v", err)
|
|
} else if len(missing) > 0 {
|
|
framework.Logf("Events %#v not found!", missing)
|
|
}
|
|
return len(missing) == 0, nil
|
|
})
|
|
framework.ExpectNoError(err, "after %v failed to observe audit events", pollingTimeout)
|
|
})
|
|
})
|