mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-12-22 13:00:19 +00:00
07b05616a0
Bumps [k8s.io/kubernetes](https://github.com/kubernetes/kubernetes) from 1.26.2 to 1.27.2. - [Release notes](https://github.com/kubernetes/kubernetes/releases) - [Commits](https://github.com/kubernetes/kubernetes/compare/v1.26.2...v1.27.2) --- updated-dependencies: - dependency-name: k8s.io/kubernetes dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
102 lines
2.9 KiB
Go
102 lines
2.9 KiB
Go
/*
|
|
Copyright 2017 The Kubernetes Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package policy
|
|
|
|
import (
|
|
"fmt"
|
|
"io/ioutil"
|
|
|
|
"k8s.io/apimachinery/pkg/runtime"
|
|
"k8s.io/apimachinery/pkg/runtime/schema"
|
|
"k8s.io/apimachinery/pkg/runtime/serializer"
|
|
auditinternal "k8s.io/apiserver/pkg/apis/audit"
|
|
auditv1 "k8s.io/apiserver/pkg/apis/audit/v1"
|
|
"k8s.io/apiserver/pkg/apis/audit/validation"
|
|
"k8s.io/apiserver/pkg/audit"
|
|
"k8s.io/klog/v2"
|
|
)
|
|
|
|
var (
|
|
apiGroupVersions = []schema.GroupVersion{
|
|
auditv1.SchemeGroupVersion,
|
|
}
|
|
apiGroupVersionSet = map[schema.GroupVersion]bool{}
|
|
)
|
|
|
|
func init() {
|
|
for _, gv := range apiGroupVersions {
|
|
apiGroupVersionSet[gv] = true
|
|
}
|
|
}
|
|
|
|
func LoadPolicyFromFile(filePath string) (*auditinternal.Policy, error) {
|
|
if filePath == "" {
|
|
return nil, fmt.Errorf("file path not specified")
|
|
}
|
|
policyDef, err := ioutil.ReadFile(filePath)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to read file path %q: %+v", filePath, err)
|
|
}
|
|
|
|
ret, err := LoadPolicyFromBytes(policyDef)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("%v: from file %v", err.Error(), filePath)
|
|
}
|
|
|
|
return ret, nil
|
|
}
|
|
|
|
func LoadPolicyFromBytes(policyDef []byte) (*auditinternal.Policy, error) {
|
|
policy := &auditinternal.Policy{}
|
|
strictDecoder := serializer.NewCodecFactory(audit.Scheme, serializer.EnableStrict).UniversalDecoder()
|
|
|
|
// Try strict decoding first.
|
|
_, gvk, err := strictDecoder.Decode(policyDef, nil, policy)
|
|
if err != nil {
|
|
if !runtime.IsStrictDecodingError(err) {
|
|
return nil, fmt.Errorf("failed decoding: %w", err)
|
|
}
|
|
var (
|
|
lenientDecoder = audit.Codecs.UniversalDecoder(apiGroupVersions...)
|
|
lenientErr error
|
|
)
|
|
_, gvk, lenientErr = lenientDecoder.Decode(policyDef, nil, policy)
|
|
if lenientErr != nil {
|
|
return nil, fmt.Errorf("failed lenient decoding: %w", lenientErr)
|
|
}
|
|
klog.Warningf("Audit policy contains errors, falling back to lenient decoding: %v", err)
|
|
}
|
|
|
|
// Ensure the policy file contained an apiVersion and kind.
|
|
gv := schema.GroupVersion{Group: gvk.Group, Version: gvk.Version}
|
|
if !apiGroupVersionSet[gv] {
|
|
return nil, fmt.Errorf("unknown group version field %v in policy", gvk)
|
|
}
|
|
|
|
if err := validation.ValidatePolicy(policy); err != nil {
|
|
return nil, err.ToAggregate()
|
|
}
|
|
|
|
policyCnt := len(policy.Rules)
|
|
if policyCnt == 0 {
|
|
return nil, fmt.Errorf("loaded illegal policy with 0 rules")
|
|
}
|
|
|
|
klog.V(4).InfoS("Load audit policy rules success", "policyCnt", policyCnt)
|
|
return policy, nil
|
|
}
|