diff --git a/contrib/completions/bash/openshift b/contrib/completions/bash/openshift index 02686fa81446..5e58d7f7f89a 100644 --- a/contrib/completions/bash/openshift +++ b/contrib/completions/bash/openshift @@ -32067,6 +32067,8 @@ _openshift_start_kubernetes_apiserver() local_nonpersistent_flags+=("--anonymous-auth") flags+=("--apiserver-count=") local_nonpersistent_flags+=("--apiserver-count=") + flags+=("--audit-log-format=") + local_nonpersistent_flags+=("--audit-log-format=") flags+=("--audit-log-maxage=") local_nonpersistent_flags+=("--audit-log-maxage=") flags+=("--audit-log-maxbackup=") @@ -33079,6 +33081,8 @@ _openshift_start_template-service-broker() flags_with_completion=() flags_completion=() + flags+=("--audit-log-format=") + local_nonpersistent_flags+=("--audit-log-format=") flags+=("--audit-log-maxage=") local_nonpersistent_flags+=("--audit-log-maxage=") flags+=("--audit-log-maxbackup=") diff --git a/contrib/completions/zsh/openshift b/contrib/completions/zsh/openshift index 86bbd19182e8..e8dca87665db 100644 --- a/contrib/completions/zsh/openshift +++ b/contrib/completions/zsh/openshift @@ -32216,6 +32216,8 @@ _openshift_start_kubernetes_apiserver() local_nonpersistent_flags+=("--anonymous-auth") flags+=("--apiserver-count=") local_nonpersistent_flags+=("--apiserver-count=") + flags+=("--audit-log-format=") + local_nonpersistent_flags+=("--audit-log-format=") flags+=("--audit-log-maxage=") local_nonpersistent_flags+=("--audit-log-maxage=") flags+=("--audit-log-maxbackup=") @@ -33228,6 +33230,8 @@ _openshift_start_template-service-broker() flags_with_completion=() flags_completion=() + flags+=("--audit-log-format=") + local_nonpersistent_flags+=("--audit-log-format=") flags+=("--audit-log-maxage=") local_nonpersistent_flags+=("--audit-log-maxage=") flags+=("--audit-log-maxbackup=") diff --git a/pkg/cmd/server/api/helpers.go b/pkg/cmd/server/api/helpers.go index 1bd2371e8cfe..d41bc9157e86 100644 --- a/pkg/cmd/server/api/helpers.go +++ b/pkg/cmd/server/api/helpers.go @@ -271,6 +271,7 @@ func GetMasterFileReferences(config *MasterConfig) []*string { } refs = append(refs, &config.AuditConfig.AuditFilePath) + refs = append(refs, &config.AuditConfig.PolicyFile) return refs } diff --git a/pkg/cmd/server/api/install/install.go b/pkg/cmd/server/api/install/install.go index 12cdc8c558ba..66852de2dd4f 100644 --- a/pkg/cmd/server/api/install/install.go +++ b/pkg/cmd/server/api/install/install.go @@ -3,10 +3,10 @@ package install import ( "fmt" - "github.com/golang/glog" - "k8s.io/apimachinery/pkg/api/meta" "k8s.io/apimachinery/pkg/runtime/schema" + "k8s.io/apiserver/pkg/apis/audit" + auditv1alpha1 "k8s.io/apiserver/pkg/apis/audit/v1alpha1" configapi "github.com/openshift/origin/pkg/cmd/server/api" configapiv1 "github.com/openshift/origin/pkg/cmd/server/api/v1" @@ -27,34 +27,12 @@ var accessor = meta.NewAccessor() var availableVersions = []schema.GroupVersion{configapiv1.SchemeGroupVersion} func init() { - if err := enableVersions(availableVersions); err != nil { - panic(err) - } -} - -// TODO: enableVersions should be centralized rather than spread in each API -// group. -// We can combine registered.RegisterVersions, registered.EnableVersions and -// registered.RegisterGroup once we have moved enableVersions there. -func enableVersions(externalVersions []schema.GroupVersion) error { - addVersionsToScheme(externalVersions...) - return nil -} - -func addVersionsToScheme(externalVersions ...schema.GroupVersion) { - // add the internal version to Scheme configapi.AddToScheme(configapi.Scheme) - // add the enabled external versions to Scheme - for _, v := range externalVersions { - switch v { - case configapiv1.SchemeGroupVersion: - configapiv1.AddToScheme(configapi.Scheme) - - default: - glog.Errorf("Version %s is not known, so it will not be added to the Scheme.", v) - continue - } - } + configapiv1.AddToScheme(configapi.Scheme) + // we additionally need to enable audit versions, since we embed the audit + // policy file inside master-config.yaml + audit.AddToScheme(configapi.Scheme) + auditv1alpha1.AddToScheme(configapi.Scheme) } func interfacesFor(version schema.GroupVersion) (*meta.VersionInterfaces, error) { diff --git a/pkg/cmd/server/api/types.go b/pkg/cmd/server/api/types.go index fd0cc7481e5e..9a9f0481dee8 100644 --- a/pkg/cmd/server/api/types.go +++ b/pkg/cmd/server/api/types.go @@ -461,10 +461,29 @@ type AggregatorConfig struct { ProxyClientInfo CertInfo } +type LogFormatType string + +type WebHookModeType string + +const ( + // LogFormatLegacy saves event in 1-line text format. + LogFormatLegacy LogFormatType = "legacy" + // LogFormatJson saves event in structured json format. + LogFormatJson LogFormatType = "json" + + // WebHookModeBatch indicates that the webhook should buffer audit events + // internally, sending batch updates either once a certain number of + // events have been received or a certain amount of time has passed. + WebHookModeBatch WebHookModeType = "batch" + // WebHookModeBlocking causes the webhook to block on every attempt to process + // a set of events. This causes requests to the API server to wait for a + // round trip to the external audit service before sending a response. + WebHookModeBlocking WebHookModeType = "blocking" +) + // AuditConfig holds configuration for the audit capabilities type AuditConfig struct { // If this flag is set, audit log will be printed in the logs. - // The logs contains, method, user and a requested URL. Enabled bool // All requests coming to the apiserver will be logged to this file. AuditFilePath string @@ -474,6 +493,21 @@ type AuditConfig struct { MaximumRetainedFiles int // Maximum size in megabytes of the log file before it gets rotated. Defaults to 100MB. MaximumFileSizeMegabytes int + + // PolicyFile is a path to the file that defines the audit policy configuration. + PolicyFile string + // PolicyConfiguration is an embedded policy configuration object to be used + // as the audit policy configuration. If present, it will be used instead of + // the path to the policy file. + PolicyConfiguration runtime.Object + + // Format of saved audits (legacy or json). + LogFormat LogFormatType + + // Path to a .kubeconfig formatted file that defines the audit webhook configuration. + WebHookKubeConfig string + // Strategy for sending audit events (block or batch). + WebHookMode WebHookModeType } // JenkinsPipelineConfig holds configuration for the Jenkins pipeline strategy diff --git a/pkg/cmd/server/api/v1/conversions.go b/pkg/cmd/server/api/v1/conversions.go index 60de67ad9498..13e5323b3a48 100644 --- a/pkg/cmd/server/api/v1/conversions.go +++ b/pkg/cmd/server/api/v1/conversions.go @@ -405,6 +405,7 @@ func (c *MasterConfig) DecodeNestedObjects(d runtime.Decoder) error { apihelpers.DecodeNestedRawExtensionOrUnknown(d, &c.OAuthConfig.IdentityProviders[i].Provider) } } + apihelpers.DecodeNestedRawExtensionOrUnknown(d, &c.AuditConfig.PolicyConfiguration) return nil } @@ -434,5 +435,8 @@ func (c *MasterConfig) EncodeNestedObjects(e runtime.Encoder) error { } } } + if err := apihelpers.EncodeNestedRawExtension(e, &c.AuditConfig.PolicyConfiguration); err != nil { + return err + } return nil } diff --git a/pkg/cmd/server/api/v1/swagger_doc.go b/pkg/cmd/server/api/v1/swagger_doc.go index 12b6fdb0480d..0d2f09110ae6 100644 --- a/pkg/cmd/server/api/v1/swagger_doc.go +++ b/pkg/cmd/server/api/v1/swagger_doc.go @@ -90,6 +90,11 @@ var map_AuditConfig = map[string]string{ "maximumFileRetentionDays": "Maximum number of days to retain old log files based on the timestamp encoded in their filename.", "maximumRetainedFiles": "Maximum number of old log files to retain.", "maximumFileSizeMegabytes": "Maximum size in megabytes of the log file before it gets rotated. Defaults to 100MB.", + "policyFile": "PolicyFile is a path to the file that defines the audit policy configuration.", + "policyConfiguration": "PolicyConfiguration is an embedded policy configuration object to be used as the audit policy configuration. If present, it will be used instead of the path to the policy file.", + "logFormat": "Format of saved audits (legacy or json).", + "webHookKubeConfig": "Path to a .kubeconfig formatted file that defines the audit webhook configuration.", + "webHookMode": "Strategy for sending audit events (block or batch).", } func (AuditConfig) SwaggerDoc() map[string]string { diff --git a/pkg/cmd/server/api/v1/types.go b/pkg/cmd/server/api/v1/types.go index 7af4751475f8..b36ecc1c4e49 100644 --- a/pkg/cmd/server/api/v1/types.go +++ b/pkg/cmd/server/api/v1/types.go @@ -318,6 +318,26 @@ type AggregatorConfig struct { ProxyClientInfo CertInfo `json:"proxyClientInfo"` } +type LogFormatType string + +type WebHookModeType string + +const ( + // LogFormatLegacy saves event in 1-line text format. + LogFormatLegacy LogFormatType = "legacy" + // LogFormatJson saves event in structured json format. + LogFormatJson LogFormatType = "json" + + // WebHookModeBatch indicates that the webhook should buffer audit events + // internally, sending batch updates either once a certain number of + // events have been received or a certain amount of time has passed. + WebHookModeBatch WebHookModeType = "batch" + // WebHookModeBlocking causes the webhook to block on every attempt to process + // a set of events. This causes requests to the API server to wait for a + // round trip to the external audit service before sending a response. + WebHookModeBlocking WebHookModeType = "blocking" +) + // AuditConfig holds configuration for the audit capabilities type AuditConfig struct { // If this flag is set, audit log will be printed in the logs. @@ -331,6 +351,21 @@ type AuditConfig struct { MaximumRetainedFiles int `json:"maximumRetainedFiles"` // Maximum size in megabytes of the log file before it gets rotated. Defaults to 100MB. MaximumFileSizeMegabytes int `json:"maximumFileSizeMegabytes"` + + // PolicyFile is a path to the file that defines the audit policy configuration. + PolicyFile string `json:"policyFile"` + // PolicyConfiguration is an embedded policy configuration object to be used + // as the audit policy configuration. If present, it will be used instead of + // the path to the policy file. + PolicyConfiguration runtime.RawExtension `json:"policyConfiguration"` + + // Format of saved audits (legacy or json). + LogFormat LogFormatType `json:"logFormat"` + + // Path to a .kubeconfig formatted file that defines the audit webhook configuration. + WebHookKubeConfig string `json:"webHookKubeConfig"` + // Strategy for sending audit events (block or batch). + WebHookMode WebHookModeType `json:"webHookMode"` } // JenkinsPipelineConfig holds configuration for the Jenkins pipeline strategy diff --git a/pkg/cmd/server/api/v1/types_test.go b/pkg/cmd/server/api/v1/types_test.go index f76fb0448c7e..474b490ba1ed 100644 --- a/pkg/cmd/server/api/v1/types_test.go +++ b/pkg/cmd/server/api/v1/types_test.go @@ -117,9 +117,14 @@ assetConfig: auditConfig: auditFilePath: "" enabled: false + logFormat: "" maximumFileRetentionDays: 0 maximumFileSizeMegabytes: 0 maximumRetainedFiles: 0 + policyConfiguration: null + policyFile: "" + webHookKubeConfig: "" + webHookMode: "" authConfig: requestHeader: null controllerConfig: diff --git a/pkg/cmd/server/api/validation/master.go b/pkg/cmd/server/api/validation/master.go index ff747e3954d6..2e2d913091af 100644 --- a/pkg/cmd/server/api/validation/master.go +++ b/pkg/cmd/server/api/validation/master.go @@ -14,6 +14,10 @@ import ( "k8s.io/apimachinery/pkg/util/sets" kuval "k8s.io/apimachinery/pkg/util/validation" "k8s.io/apimachinery/pkg/util/validation/field" + auditinternal "k8s.io/apiserver/pkg/apis/audit" + auditvalidation "k8s.io/apiserver/pkg/apis/audit/validation" + auditpolicy "k8s.io/apiserver/pkg/audit/policy" + "k8s.io/client-go/tools/clientcmd" apiserveroptions "k8s.io/kubernetes/cmd/kube-apiserver/app/options" kcmoptions "k8s.io/kubernetes/cmd/kube-controller-manager/app/options" kvalidation "k8s.io/kubernetes/pkg/api/validation" @@ -238,6 +242,9 @@ func ValidateAggregatorConfig(config api.AggregatorConfig, fldPath *field.Path) func ValidateAuditConfig(config api.AuditConfig, fldPath *field.Path) ValidationResults { validationResults := ValidationResults{} + if !config.Enabled { + return validationResults + } if len(config.AuditFilePath) == 0 { // for backwards compatibility reasons we can't error this out @@ -253,6 +260,61 @@ func ValidateAuditConfig(config api.AuditConfig, fldPath *field.Path) Validation validationResults.AddErrors(field.Invalid(fldPath.Child("maximumFileSizeMegabytes"), config.MaximumFileSizeMegabytes, "must be greater than or equal to 0")) } + // setting policy file will turn the advanced auditing on + if config.PolicyConfiguration != nil && len(config.PolicyFile) > 0 { + validationResults.AddErrors(field.Forbidden(fldPath.Child("policyFile"), "both policyFile and policyConfiguration cannot be specified")) + } + if config.PolicyConfiguration != nil || len(config.PolicyFile) > 0 { + if config.PolicyConfiguration == nil { + policy, err := auditpolicy.LoadPolicyFromFile(config.PolicyFile) + if err != nil { + validationResults.AddErrors(field.Invalid(fldPath.Child("policyFile"), config.PolicyFile, err.Error())) + } + if policy == nil || len(policy.Rules) == 0 { + validationResults.AddErrors(field.Invalid(fldPath.Child("policyFile"), config.PolicyFile, "a policy file with 0 policies is not valid")) + } + } else { + policyConfiguration, ok := config.PolicyConfiguration.(*auditinternal.Policy) + if !ok { + validationResults.AddErrors(field.Invalid(fldPath.Child("policyConfiguration"), config.PolicyConfiguration, "must be of type audit/v1alpha1.Policy")) + } else { + if err := auditvalidation.ValidatePolicy(policyConfiguration); err != nil { + validationResults.AddErrors(field.Invalid(fldPath.Child("policyConfiguration"), config.PolicyConfiguration, err.ToAggregate().Error())) + } + if len(policyConfiguration.Rules) == 0 { + validationResults.AddErrors(field.Invalid(fldPath.Child("policyConfiguration"), config.PolicyFile, "a policy configuration with 0 policies is not valid")) + } + } + } + + if len(config.AuditFilePath) == 0 { + validationResults.AddErrors(field.Required(fldPath.Child("auditFilePath"), "advanced audit requires a separate log file")) + } + switch config.LogFormat { + case api.LogFormatLegacy, api.LogFormatJson: + // ok + default: + validationResults.AddErrors(field.NotSupported(fldPath.Child("logFormat"), config.LogFormat, []string{string(api.LogFormatLegacy), string(api.LogFormatJson)})) + } + + if len(config.WebHookKubeConfig) > 0 { + switch config.WebHookMode { + case api.WebHookModeBatch, api.WebHookModeBlocking: + // ok + default: + validationResults.AddErrors(field.NotSupported(fldPath.Child("webHookMode"), config.WebHookMode, []string{string(api.WebHookModeBatch), string(api.WebHookModeBlocking)})) + } + loadingRules := clientcmd.NewDefaultClientConfigLoadingRules() + loadingRules.ExplicitPath = config.WebHookKubeConfig + loader := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(loadingRules, &clientcmd.ConfigOverrides{}) + if _, err := loader.ClientConfig(); err != nil { + validationResults.AddErrors(field.Invalid(fldPath.Child("webHookKubeConfig"), config.WebHookKubeConfig, err.Error())) + } + } else if len(config.WebHookMode) > 0 { + validationResults.AddErrors(field.Required(fldPath.Child("webHookKubeConfig"), "must be specified when webHookMode is set")) + } + } + return validationResults } diff --git a/pkg/cmd/server/kubernetes/master/master_config.go b/pkg/cmd/server/kubernetes/master/master_config.go index 1c1555bb5c53..6f93950600f5 100644 --- a/pkg/cmd/server/kubernetes/master/master_config.go +++ b/pkg/cmd/server/kubernetes/master/master_config.go @@ -29,6 +29,7 @@ import ( "k8s.io/apimachinery/pkg/util/sets" "k8s.io/apiserver/pkg/admission" auditinternal "k8s.io/apiserver/pkg/apis/audit" + "k8s.io/apiserver/pkg/audit" auditpolicy "k8s.io/apiserver/pkg/audit/policy" "k8s.io/apiserver/pkg/authentication/authenticator" "k8s.io/apiserver/pkg/authorization/authorizer" @@ -45,6 +46,7 @@ import ( storagefactory "k8s.io/apiserver/pkg/storage/storagebackend/factory" utilflag "k8s.io/apiserver/pkg/util/flag" auditlog "k8s.io/apiserver/plugin/pkg/audit/log" + auditwebhook "k8s.io/apiserver/plugin/pkg/audit/webhook" kapiserveroptions "k8s.io/kubernetes/cmd/kube-apiserver/app/options" cmapp "k8s.io/kubernetes/cmd/kube-controller-manager/app/options" kapi "k8s.io/kubernetes/pkg/api" @@ -177,12 +179,11 @@ func BuildKubeAPIserverOptions(masterConfig configapi.MasterConfig) (*kapiserver args["feature-gates"] = []string{existing[0] + ",AdvancedAuditing=true"} } else { args["feature-gates"] = []string{"AdvancedAuditing=true"} - } } // TODO: this should be done in config validation (along with the above) so we can provide // proper errors - if err := cmdflags.Resolve(masterConfig.KubernetesMasterConfig.APIServerArguments, server.AddFlags); len(err) > 0 { + if err := cmdflags.Resolve(args, server.AddFlags); len(err) > 0 { return nil, kerrors.NewAggregate(err) } @@ -526,12 +527,38 @@ func buildKubeApiserverConfig( // backwards compatible writer to regular log writer = cmdutil.NewGLogWriterV(0) } - genericConfig.AuditBackend = auditlog.NewBackend(writer) + genericConfig.AuditBackend = auditlog.NewBackend(writer, auditlog.FormatLegacy) genericConfig.AuditPolicyChecker = auditpolicy.NewChecker(&auditinternal.Policy{ // This is for backwards compatibility maintaining the old visibility, ie. just // raw overview of the requests comming in. Rules: []auditinternal.PolicyRule{{Level: auditinternal.LevelMetadata}}, }) + + // when a policy file is defined we enable the advanced auditing + if masterConfig.AuditConfig.PolicyConfiguration != nil || len(masterConfig.AuditConfig.PolicyFile) > 0 { + // policy configuration + if masterConfig.AuditConfig.PolicyConfiguration == nil { + p, _ := auditpolicy.LoadPolicyFromFile(masterConfig.AuditConfig.PolicyFile) + genericConfig.AuditPolicyChecker = auditpolicy.NewChecker(p) + } else if len(masterConfig.AuditConfig.PolicyFile) > 0 { + p := masterConfig.AuditConfig.PolicyConfiguration.(*auditinternal.Policy) + genericConfig.AuditPolicyChecker = auditpolicy.NewChecker(p) + } + + // log configuration, only when file path was provided + if len(masterConfig.AuditConfig.AuditFilePath) > 0 { + genericConfig.AuditBackend = auditlog.NewBackend(writer, string(masterConfig.AuditConfig.LogFormat)) + } + + // webhook configuration, only when config file was provided + if len(masterConfig.AuditConfig.WebHookKubeConfig) > 0 { + webhook, err := auditwebhook.NewBackend(masterConfig.AuditConfig.WebHookKubeConfig, string(masterConfig.AuditConfig.WebHookMode)) + if err != nil { + glog.Fatalf("Audit webhook initialization failed: %v", err) + } + genericConfig.AuditBackend = audit.Union(genericConfig.AuditBackend, webhook) + } + } } kubeApiserverConfig := &master.Config{ diff --git a/pkg/cmd/server/kubernetes/master/master_config_test.go b/pkg/cmd/server/kubernetes/master/master_config_test.go index ac3fd8cba9cf..4f333a87d207 100644 --- a/pkg/cmd/server/kubernetes/master/master_config_test.go +++ b/pkg/cmd/server/kubernetes/master/master_config_test.go @@ -119,6 +119,9 @@ func TestAPIServerDefaults(t *testing.T) { HTTPTimeout: time.Duration(5) * time.Second, }, Audit: &apiserveroptions.AuditOptions{ + LogOptions: apiserveroptions.AuditLogOptions{ + Format: "legacy", + }, WebhookOptions: apiserveroptions.AuditWebhookOptions{ Mode: "batch", }, diff --git a/test/extended/cluster/audit.go b/test/extended/cluster/audit.go new file mode 100644 index 000000000000..c634c191ded0 --- /dev/null +++ b/test/extended/cluster/audit.go @@ -0,0 +1,150 @@ +package cluster + +import ( + "bufio" + "fmt" + "os" + "path/filepath" + "strings" + + g "github.com/onsi/ginkgo" + o "github.com/onsi/gomega" + + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + apiv1 "k8s.io/kubernetes/pkg/api/v1" + "k8s.io/kubernetes/test/e2e/framework" +) + +var _ = g.Describe("[Feature:Audit] Basic audit", func() { + f := framework.NewDefaultFramework("audit") + + g.It("should audit API calls", func() { + namespace := f.Namespace.Name + + // Create & Delete pod + pod := &apiv1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: "audit-pod", + }, + Spec: apiv1.PodSpec{ + Containers: []apiv1.Container{{ + Name: "pause", + Image: framework.GetPauseImageName(f.ClientSet), + }}, + }, + } + f.PodClient().CreateSync(pod) + f.PodClient().DeleteSync(pod.Name, &metav1.DeleteOptions{}, framework.DefaultPodDeletionTimeout) + + // Create, Read, Delete secret + secret := &apiv1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: "audit-secret", + }, + Data: map[string][]byte{ + "top-secret": []byte("foo-bar"), + }, + } + _, err := f.ClientSet.Core().Secrets(f.Namespace.Name).Create(secret) + framework.ExpectNoError(err, "failed to create audit-secret") + _, err = f.ClientSet.Core().Secrets(f.Namespace.Name).Get(secret.Name, metav1.GetOptions{}) + framework.ExpectNoError(err, "failed to get audit-secret") + err = f.ClientSet.Core().Secrets(f.Namespace.Name).Delete(secret.Name, &metav1.DeleteOptions{}) + framework.ExpectNoError(err, "failed to delete audit-secret") + + // /version should not be audited + _, err = f.ClientSet.Core().RESTClient().Get().AbsPath("/version").DoRaw() + framework.ExpectNoError(err, "failed to query version") + + expectedEvents := []auditEvent{{ + method: "create", + namespace: namespace, + uri: fmt.Sprintf("/api/v1/namespaces/%s/pods", namespace), + response: "201", + }, { + method: "delete", + namespace: namespace, + uri: fmt.Sprintf("/api/v1/namespaces/%s/pods/%s", namespace, pod.Name), + response: "200", + }, { + method: "create", + namespace: namespace, + uri: fmt.Sprintf("/api/v1/namespaces/%s/secrets", namespace), + response: "201", + }, { + method: "get", + namespace: namespace, + uri: fmt.Sprintf("/api/v1/namespaces/%s/secrets/%s", namespace, secret.Name), + response: "200", + }, { + method: "delete", + namespace: namespace, + uri: fmt.Sprintf("/api/v1/namespaces/%s/secrets/%s", namespace, secret.Name), + response: "200", + }} + expectAuditLines(f, expectedEvents) + }) +}) + +type auditEvent struct { + method, namespace, uri, response string +} + +// Search the audit log for the expected audit lines. +func expectAuditLines(f *framework.Framework, expected []auditEvent) { + expectations := map[auditEvent]bool{} + for _, event := range expected { + expectations[event] = false + } + + stream, err := os.Open(filepath.Join(os.Getenv("LOG_DIR"), "audit.log")) + defer stream.Close() + framework.ExpectNoError(err, "error opening audit log") + scanner := bufio.NewScanner(stream) + for scanner.Scan() { + line := scanner.Text() + event, err := parseAuditLine(line) + framework.ExpectNoError(err) + + // If the event was expected, mark it as found. + if _, found := expectations[event]; found { + expectations[event] = true + } + } + framework.ExpectNoError(scanner.Err(), "error reading audit log") + + for event, found := range expectations { + o.Expect(found).To(o.BeTrue(), "Event %#v not found!", event) + } +} + +func parseAuditLine(line string) (auditEvent, error) { + fields := strings.Fields(line) + if len(fields) < 3 { + return auditEvent{}, fmt.Errorf("could not parse audit line: %s", line) + } + // Ignore first field (timestamp) + if fields[1] != "AUDIT:" { + return auditEvent{}, fmt.Errorf("unexpected audit line format: %s", line) + } + fields = fields[2:] + event := auditEvent{} + for _, f := range fields { + parts := strings.SplitN(f, "=", 2) + if len(parts) != 2 { + return auditEvent{}, fmt.Errorf("could not parse audit line (part: %q): %s", f, line) + } + value := strings.Trim(parts[1], "\"") + switch parts[0] { + case "method": + event.method = value + case "namespace": + event.namespace = value + case "uri": + event.uri = value + case "response": + event.response = value + } + } + return event, nil +} diff --git a/test/extended/setup.sh b/test/extended/setup.sh index 69ab25a1cc54..2b3618bad148 100644 --- a/test/extended/setup.sh +++ b/test/extended/setup.sh @@ -16,7 +16,7 @@ function os::test::extended::focus () { TEST_REPORT_FILE_NAME=focus_parallel TEST_PARALLEL="${PARALLEL_NODES:-5}" os::test::extended::run -- -ginkgo.skip "\[Serial\]" -test.timeout 6h ${TEST_EXTENDED_ARGS-} || exitstatus=$? # Then run everything that requires serial and matches the $FOCUS, serially. - # there is bit of overlap here because not all serial tests declare [Serial], so they might have run in the + # there is bit of overlap here because not all serial tests declare [Serial], so they might have run in the # parallel section above. Hopefully your focus was precise enough to exclude them, and we should be adding # the [Serial] tag to them as needed. os::log::info "" @@ -110,11 +110,12 @@ function os::test::extended::setup () { CONFIG_VERSION="${CONTROLLER_VERSION}" fi os::start::configure_server "${CONFIG_VERSION}" - #turn on audit logging for extended tests ... mimic what is done in os::start::configure_server, but don't + # turn on audit logging for extended tests ... mimic what is done in os::start::configure_server, but don't # put change there - only want this for extended tests os::log::info "Turn on audit logging" cp "${SERVER_CONFIG_DIR}/master/master-config.yaml" "${SERVER_CONFIG_DIR}/master/master-config.orig2.yaml" - openshift ex config patch "${SERVER_CONFIG_DIR}/master/master-config.orig2.yaml" --patch="{\"auditConfig\": {\"enabled\": true}}" > "${SERVER_CONFIG_DIR}/master/master-config.yaml" + openshift ex config patch "${SERVER_CONFIG_DIR}/master/master-config.orig2.yaml" --patch="{\"auditConfig\": {\"enabled\": true, \"auditFilePath\": \"${LOG_DIR}/audit.log\"}}" > "${SERVER_CONFIG_DIR}/master/master-config.yaml" + exit 1 cp "${SERVER_CONFIG_DIR}/master/master-config.yaml" "${SERVER_CONFIG_DIR}/master/master-config.orig2.yaml" openshift ex config patch "${SERVER_CONFIG_DIR}/master/master-config.orig2.yaml" --patch="{\"templateServiceBrokerConfig\": {\"templateNamespaces\": [\"openshift\"]}}" > "${SERVER_CONFIG_DIR}/master/master-config.yaml" diff --git a/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/audit/policy/checker.go b/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/audit/policy/checker.go index 526710c2c6fc..78082d216b41 100644 --- a/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/audit/policy/checker.go +++ b/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/audit/policy/checker.go @@ -59,12 +59,12 @@ func (p *policyChecker) Level(attrs authorizer.Attributes) audit.Level { // Check whether the rule matches the request attrs. func ruleMatches(r *audit.PolicyRule, attrs authorizer.Attributes) bool { - if len(r.Users) > 0 { + if len(r.Users) > 0 && attrs.GetUser() != nil { if !hasString(r.Users, attrs.GetUser().GetName()) { return false } } - if len(r.UserGroups) > 0 { + if len(r.UserGroups) > 0 && attrs.GetUser() != nil { matched := false for _, group := range attrs.GetUser().GetGroups() { if hasString(r.UserGroups, group) { diff --git a/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/audit/policy/reader.go b/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/audit/policy/reader.go index 2fcce4da7500..195340ecbd26 100644 --- a/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/audit/policy/reader.go +++ b/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/audit/policy/reader.go @@ -54,6 +54,10 @@ func LoadPolicyFromFile(filePath string) (*auditinternal.Policy, error) { return nil, err.ToAggregate() } - glog.V(4).Infof("Loaded %d audit policy rules from file %s\n", len(policy.Rules), filePath) + policyCnt := len(policy.Rules) + if policyCnt == 0 { + return nil, fmt.Errorf("loaded illegal policy with 0 rules from file %s", filePath) + } + glog.V(4).Infof("Loaded %d audit policy rules from file %s", policyCnt, filePath) return policy, nil } diff --git a/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/audit/policy/reader_test.go b/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/audit/policy/reader_test.go index be76364f59ca..3eabbd3cb352 100644 --- a/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/audit/policy/reader_test.go +++ b/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/audit/policy/reader_test.go @@ -67,16 +67,11 @@ var expectedPolicy = &audit.Policy{ } func TestParser(t *testing.T) { - // Create a policy file. - f, err := ioutil.TempFile("", "policy.yaml") + f, err := writePolicy(policyDef, t) require.NoError(t, err) - defer os.Remove(f.Name()) + defer os.Remove(f) - _, err = f.WriteString(policyDef) - require.NoError(t, err) - require.NoError(t, f.Close()) - - policy, err := LoadPolicyFromFile(f.Name()) + policy, err := LoadPolicyFromFile(f) require.NoError(t, err) assert.Len(t, policy.Rules, 3) // Sanity check. @@ -84,3 +79,37 @@ func TestParser(t *testing.T) { t.Errorf("Unexpected policy! Diff:\n%s", diff.ObjectDiff(policy, expectedPolicy)) } } + +func TestPolicyCntCheck(t *testing.T) { + //a set of testCases + var testCases = []struct { + caseName, policy string + }{ + { + "policyWithNoRule", + `apiVersion: audit.k8s.io/v1beta1 +kind: Policy`, + }, + {"emptyPolicyFile", ""}, + } + + for _, tc := range testCases { + f, err := writePolicy(tc.policy, t) + require.NoError(t, err) + defer os.Remove(f) + + _, err = LoadPolicyFromFile(f) + assert.Error(t, err, "loaded illegal policy with 0 rules from testCase %s", tc.caseName) + } +} + +func writePolicy(policy string, t *testing.T) (string, error) { + f, err := ioutil.TempFile("", "policy.yaml") + require.NoError(t, err) + + _, err = f.WriteString(policy) + require.NoError(t, err) + require.NoError(t, f.Close()) + + return f.Name(), nil +} diff --git a/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/endpoints/filters/BUILD b/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/endpoints/filters/BUILD index 3c52d52c28d7..c5340c85d96d 100644 --- a/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/endpoints/filters/BUILD +++ b/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/endpoints/filters/BUILD @@ -13,6 +13,7 @@ go_test( srcs = [ "audit_test.go", "authentication_test.go", + "authn_audit_test.go", "authorization_test.go", "impersonation_test.go", "legacy_audit_test.go", @@ -41,6 +42,7 @@ go_library( srcs = [ "audit.go", "authentication.go", + "authn_audit.go", "authorization.go", "doc.go", "impersonation.go", diff --git a/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/endpoints/filters/audit.go b/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/endpoints/filters/audit.go index 9ff9c45b9d06..c65c6119c7a7 100644 --- a/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/endpoints/filters/audit.go +++ b/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/endpoints/filters/audit.go @@ -23,6 +23,7 @@ import ( "net" "net/http" "sync" + "time" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" utilruntime "k8s.io/apimachinery/pkg/util/runtime" @@ -42,43 +43,19 @@ func WithAudit(handler http.Handler, requestContextMapper request.RequestContext return handler } return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { - ctx, ok := requestContextMapper.Get(req) - if !ok { - responsewriters.InternalError(w, req, errors.New("no context found for request")) - return - } - - attribs, err := GetAuthorizerAttributes(ctx) + ctx, ev, err := createAuditEventAndAttachToContext(requestContextMapper, req, policy) if err != nil { - utilruntime.HandleError(fmt.Errorf("failed to GetAuthorizerAttributes: %v", err)) - responsewriters.InternalError(w, req, errors.New("failed to parse request")) + utilruntime.HandleError(fmt.Errorf("failed to create audit event: %v", err)) + responsewriters.InternalError(w, req, errors.New("failed to create audit event")) return } - - level := policy.Level(attribs) - audit.ObservePolicyLevel(level) - if level == auditinternal.LevelNone { - // Don't audit. + if ev == nil || ctx == nil { handler.ServeHTTP(w, req) return } - ev, err := audit.NewEventFromRequest(req, level, attribs) - if err != nil { - utilruntime.HandleError(fmt.Errorf("failed to complete audit event from request: %v", err)) - responsewriters.InternalError(w, req, errors.New("failed to update context")) - return - } - - ctx = request.WithAuditEvent(ctx, ev) - if err := requestContextMapper.Update(req, ctx); err != nil { - utilruntime.HandleError(fmt.Errorf("failed to attach audit event to the context: %v", err)) - responsewriters.InternalError(w, req, errors.New("failed to update context")) - return - } - ev.Stage = auditinternal.StageRequestReceived - processEvent(sink, ev) + processAuditEvent(sink, ev) // intercept the status code var longRunningSink audit.Sink @@ -102,7 +79,7 @@ func WithAudit(handler http.Handler, requestContextMapper request.RequestContext Reason: metav1.StatusReasonInternalError, Message: fmt.Sprintf("APIServer panic'd: %v", r), } - processEvent(sink, ev) + processAuditEvent(sink, ev) return } @@ -115,20 +92,57 @@ func WithAudit(handler http.Handler, requestContextMapper request.RequestContext if ev.ResponseStatus == nil && longRunningSink != nil { ev.ResponseStatus = fakedSuccessStatus ev.Stage = auditinternal.StageResponseStarted - processEvent(longRunningSink, ev) + processAuditEvent(longRunningSink, ev) } ev.Stage = auditinternal.StageResponseComplete if ev.ResponseStatus == nil { ev.ResponseStatus = fakedSuccessStatus } - processEvent(sink, ev) + processAuditEvent(sink, ev) }() handler.ServeHTTP(respWriter, req) }) } -func processEvent(sink audit.Sink, ev *auditinternal.Event) { +// createAuditEventAndAttachToContext is responsible for creating the audit event +// and attaching it to the appropriate request context. It returns: +// - context with audit event attached to it +// - created audit event +// - error if anything bad happened +func createAuditEventAndAttachToContext(requestContextMapper request.RequestContextMapper, req *http.Request, policy policy.Checker) (request.Context, *auditinternal.Event, error) { + ctx, ok := requestContextMapper.Get(req) + if !ok { + return nil, nil, fmt.Errorf("no context found for request") + } + + attribs, err := GetAuthorizerAttributes(ctx) + if err != nil { + return nil, nil, fmt.Errorf("failed to GetAuthorizerAttributes: %v", err) + } + + level := policy.Level(attribs) + audit.ObservePolicyLevel(level) + if level == auditinternal.LevelNone { + // Don't audit. + return nil, nil, nil + } + + ev, err := audit.NewEventFromRequest(req, level, attribs) + if err != nil { + return nil, nil, fmt.Errorf("failed to complete audit event from request: %v", err) + } + + ctx = request.WithAuditEvent(ctx, ev) + if err := requestContextMapper.Update(req, ctx); err != nil { + return nil, nil, fmt.Errorf("failed to attach audit event to context: %v", err) + } + + return ctx, ev, nil +} + +func processAuditEvent(sink audit.Sink, ev *auditinternal.Event) { + ev.CreationTimestamp = metav1.NewTime(time.Now()) audit.ObserveEvent() sink.ProcessEvents(ev) } @@ -171,7 +185,7 @@ func (a *auditResponseWriter) processCode(code int) { a.event.Stage = auditinternal.StageResponseStarted if a.sink != nil { - processEvent(a.sink, a.event) + processAuditEvent(a.sink, a.event) } }) } diff --git a/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/endpoints/filters/audit_test.go b/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/endpoints/filters/audit_test.go index b85f6c8c23f7..d1dfa73a6c4e 100644 --- a/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/endpoints/filters/audit_test.go +++ b/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/endpoints/filters/audit_test.go @@ -30,12 +30,18 @@ import ( "testing" "time" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/util/wait" auditinternal "k8s.io/apiserver/pkg/apis/audit" + auditv1alpha1 "k8s.io/apiserver/pkg/apis/audit/v1alpha1" + "k8s.io/apiserver/pkg/audit" "k8s.io/apiserver/pkg/audit/policy" "k8s.io/apiserver/pkg/authentication/user" "k8s.io/apiserver/pkg/endpoints/request" pluginlog "k8s.io/apiserver/plugin/pkg/audit/log" + // import to call webhook's init() function to register audit.Event to schema + _ "k8s.io/apiserver/plugin/pkg/audit/webhook" ) type fakeAuditSink struct { @@ -177,7 +183,7 @@ func (*fakeHTTPHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) { w.WriteHeader(200) } -func TestAudit(t *testing.T) { +func TestAuditLegacy(t *testing.T) { writingShortRunningPrefix := func(stage string) string { return fmt.Sprintf(`[\d\:\-\.\+TZ]+ AUDIT: id="[\w-]+" stage="%s" ip="127.0.0.1" method="update" user="admin" groups="" as="" asgroups="" namespace="default" uri="/api/v1/namespaces/default/pods/foo"`, stage) } @@ -380,7 +386,7 @@ func TestAudit(t *testing.T) { }, } { var buf bytes.Buffer - backend := pluginlog.NewBackend(&buf) + backend := pluginlog.NewBackend(&buf, pluginlog.FormatLegacy) policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse) handler := WithAudit(http.HandlerFunc(test.handler), &fakeRequestContextMapper{ user: &user.DefaultInfo{Name: "admin"}, @@ -420,6 +426,411 @@ func TestAudit(t *testing.T) { } } +func TestAuditJson(t *testing.T) { + shortRunningPath := "/api/v1/namespaces/default/pods/foo" + longRunningPath := "/api/v1/namespaces/default/pods?watch=true" + + delay := 500 * time.Millisecond + + for _, test := range []struct { + desc string + path string + verb string + handler func(http.ResponseWriter, *http.Request) + expected []auditv1alpha1.Event + }{ + // short running requests with read-only verb + { + "read-only empty", + shortRunningPath, + "GET", + func(http.ResponseWriter, *http.Request) {}, + []auditv1alpha1.Event{ + { + Stage: auditinternal.StageRequestReceived, + Verb: "get", + RequestURI: shortRunningPath, + }, + { + Stage: auditinternal.StageResponseComplete, + Verb: "get", + RequestURI: shortRunningPath, + ResponseStatus: &metav1.Status{Code: 200}, + }, + }, + }, + { + "read-only panic", + shortRunningPath, + "GET", + func(w http.ResponseWriter, req *http.Request) { + panic("kaboom") + }, + []auditv1alpha1.Event{ + { + Stage: auditinternal.StageRequestReceived, + Verb: "get", + RequestURI: shortRunningPath, + }, + { + Stage: auditinternal.StagePanic, + Verb: "get", + RequestURI: shortRunningPath, + ResponseStatus: &metav1.Status{Code: 500}, + }, + }, + }, + // short running request with non-read-only verb + { + "writing empty", + shortRunningPath, + "PUT", + func(http.ResponseWriter, *http.Request) {}, + []auditv1alpha1.Event{ + { + Stage: auditinternal.StageRequestReceived, + Verb: "update", + RequestURI: shortRunningPath, + }, + { + Stage: auditinternal.StageResponseComplete, + Verb: "update", + RequestURI: shortRunningPath, + ResponseStatus: &metav1.Status{Code: 200}, + }, + }, + }, + { + "writing sleep", + shortRunningPath, + "PUT", + func(http.ResponseWriter, *http.Request) { + time.Sleep(delay) + }, + []auditv1alpha1.Event{ + { + Stage: auditinternal.StageRequestReceived, + Verb: "update", + RequestURI: shortRunningPath, + }, + { + Stage: auditinternal.StageResponseComplete, + Verb: "update", + RequestURI: shortRunningPath, + ResponseStatus: &metav1.Status{Code: 200}, + }, + }, + }, + { + "writing 403+write", + shortRunningPath, + "PUT", + func(w http.ResponseWriter, req *http.Request) { + w.WriteHeader(403) + w.Write([]byte("foo")) + }, + []auditv1alpha1.Event{ + { + Stage: auditinternal.StageRequestReceived, + Verb: "update", + RequestURI: shortRunningPath, + }, + { + Stage: auditinternal.StageResponseComplete, + Verb: "update", + RequestURI: shortRunningPath, + ResponseStatus: &metav1.Status{Code: 403}, + }, + }, + }, + { + "writing panic", + shortRunningPath, + "PUT", + func(w http.ResponseWriter, req *http.Request) { + panic("kaboom") + }, + []auditv1alpha1.Event{ + { + Stage: auditinternal.StageRequestReceived, + Verb: "update", + RequestURI: shortRunningPath, + }, + { + Stage: auditinternal.StagePanic, + Verb: "update", + RequestURI: shortRunningPath, + ResponseStatus: &metav1.Status{Code: 500}, + }, + }, + }, + { + "writing write+panic", + shortRunningPath, + "PUT", + func(w http.ResponseWriter, req *http.Request) { + w.Write([]byte("foo")) + panic("kaboom") + }, + []auditv1alpha1.Event{ + { + Stage: auditinternal.StageRequestReceived, + Verb: "update", + RequestURI: shortRunningPath, + }, + { + Stage: auditinternal.StagePanic, + Verb: "update", + RequestURI: shortRunningPath, + ResponseStatus: &metav1.Status{Code: 500}, + }, + }, + }, + // long running requests + { + "empty longrunning", + longRunningPath, + "GET", + func(http.ResponseWriter, *http.Request) {}, + []auditv1alpha1.Event{ + { + Stage: auditinternal.StageRequestReceived, + Verb: "watch", + RequestURI: longRunningPath, + }, + { + Stage: auditinternal.StageResponseStarted, + Verb: "watch", + RequestURI: longRunningPath, + ResponseStatus: &metav1.Status{Code: 200}, + }, + { + Stage: auditinternal.StageResponseComplete, + Verb: "watch", + RequestURI: longRunningPath, + ResponseStatus: &metav1.Status{Code: 200}, + }, + }, + }, + { + "sleep longrunning", + longRunningPath, + "GET", + func(http.ResponseWriter, *http.Request) { + time.Sleep(delay) + }, + []auditv1alpha1.Event{ + { + Stage: auditinternal.StageRequestReceived, + Verb: "watch", + RequestURI: longRunningPath, + }, + { + Stage: auditinternal.StageResponseStarted, + Verb: "watch", + RequestURI: longRunningPath, + ResponseStatus: &metav1.Status{Code: 200}, + }, + { + Stage: auditinternal.StageResponseComplete, + Verb: "watch", + RequestURI: longRunningPath, + ResponseStatus: &metav1.Status{Code: 200}, + }, + }, + }, + { + "sleep+403 longrunning", + longRunningPath, + "GET", + func(w http.ResponseWriter, req *http.Request) { + time.Sleep(delay) + w.WriteHeader(403) + }, + []auditv1alpha1.Event{ + { + Stage: auditinternal.StageRequestReceived, + Verb: "watch", + RequestURI: longRunningPath, + }, + { + Stage: auditinternal.StageResponseStarted, + Verb: "watch", + RequestURI: longRunningPath, + ResponseStatus: &metav1.Status{Code: 403}, + }, + { + Stage: auditinternal.StageResponseComplete, + Verb: "watch", + RequestURI: longRunningPath, + ResponseStatus: &metav1.Status{Code: 403}, + }, + }, + }, + { + "write longrunning", + longRunningPath, + "GET", + func(w http.ResponseWriter, req *http.Request) { + w.Write([]byte("foo")) + }, + []auditv1alpha1.Event{ + { + Stage: auditinternal.StageRequestReceived, + Verb: "watch", + RequestURI: longRunningPath, + }, + { + Stage: auditinternal.StageResponseStarted, + Verb: "watch", + RequestURI: longRunningPath, + ResponseStatus: &metav1.Status{Code: 200}, + }, + { + Stage: auditinternal.StageResponseComplete, + Verb: "watch", + RequestURI: longRunningPath, + ResponseStatus: &metav1.Status{Code: 200}, + }, + }, + }, + { + "403+write longrunning", + longRunningPath, + "GET", + func(w http.ResponseWriter, req *http.Request) { + w.WriteHeader(403) + w.Write([]byte("foo")) + }, + []auditv1alpha1.Event{ + { + Stage: auditinternal.StageRequestReceived, + Verb: "watch", + RequestURI: longRunningPath, + }, + { + Stage: auditinternal.StageResponseStarted, + Verb: "watch", + RequestURI: longRunningPath, + ResponseStatus: &metav1.Status{Code: 403}, + }, + { + Stage: auditinternal.StageResponseComplete, + Verb: "watch", + RequestURI: longRunningPath, + ResponseStatus: &metav1.Status{Code: 403}, + }, + }, + }, + { + "panic longrunning", + longRunningPath, + "GET", + func(w http.ResponseWriter, req *http.Request) { + panic("kaboom") + }, + []auditv1alpha1.Event{ + { + Stage: auditinternal.StageRequestReceived, + Verb: "watch", + RequestURI: longRunningPath, + }, + { + Stage: auditinternal.StagePanic, + Verb: "watch", + RequestURI: longRunningPath, + ResponseStatus: &metav1.Status{Code: 500}, + }, + }, + }, + { + "write+panic longrunning", + longRunningPath, + "GET", + func(w http.ResponseWriter, req *http.Request) { + w.Write([]byte("foo")) + panic("kaboom") + }, + []auditv1alpha1.Event{ + { + Stage: auditinternal.StageRequestReceived, + Verb: "watch", + RequestURI: longRunningPath, + }, + { + Stage: auditinternal.StageResponseStarted, + Verb: "watch", + RequestURI: longRunningPath, + ResponseStatus: &metav1.Status{Code: 200}, + }, + { + Stage: auditinternal.StagePanic, + Verb: "watch", + RequestURI: longRunningPath, + ResponseStatus: &metav1.Status{Code: 500}, + }, + }, + }, + } { + var buf bytes.Buffer + backend := pluginlog.NewBackend(&buf, pluginlog.FormatJson) + policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse) + handler := WithAudit(http.HandlerFunc(test.handler), &fakeRequestContextMapper{ + user: &user.DefaultInfo{Name: "admin"}, + }, backend, policyChecker, func(r *http.Request, ri *request.RequestInfo) bool { + // simplified long-running check + return ri.Verb == "watch" + }) + + req, _ := http.NewRequest(test.verb, test.path, nil) + req.RemoteAddr = "127.0.0.1" + + func() { + defer func() { + recover() + }() + handler.ServeHTTP(httptest.NewRecorder(), req) + }() + + t.Logf("[%s] audit log: %v", test.desc, buf.String()) + + line := strings.Split(strings.TrimSpace(buf.String()), "\n") + if len(line) != len(test.expected) { + t.Errorf("[%s] Unexpected amount of lines in audit log: %d", test.desc, len(line)) + continue + } + + for i, expect := range test.expected { + // decode events back to check json elements. + event := &auditv1alpha1.Event{} + decoder := audit.Codecs.UniversalDecoder(auditv1alpha1.SchemeGroupVersion) + if err := runtime.DecodeInto(decoder, []byte(line[i]), event); err != nil { + t.Errorf("failed decoding line %s: %v", line[i], err) + continue + } + if "admin" != event.User.Username { + t.Errorf("[%s] Unexpected username: %s", test.desc, event.User.Username) + } + if event.Stage != expect.Stage { + t.Errorf("[%s] Unexpected Stage: %s", test.desc, event.Stage) + } + if event.Verb != expect.Verb { + t.Errorf("[%s] Unexpected Verb: %s", test.desc, event.Verb) + } + if event.RequestURI != expect.RequestURI { + t.Errorf("[%s] Unexpected RequestURI: %s", test.desc, event.RequestURI) + } + if (event.ResponseStatus == nil) != (expect.ResponseStatus == nil) { + t.Errorf("[%s] Unexpected ResponseStatus: %v", test.desc, event.ResponseStatus) + continue + } + if (event.ResponseStatus != nil) && (event.ResponseStatus.Code != expect.ResponseStatus.Code) { + t.Errorf("[%s] Unexpected status code : %d", test.desc, event.ResponseStatus.Code) + } + } + } +} + type fakeRequestContextMapper struct { user *user.DefaultInfo } diff --git a/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/endpoints/filters/authn_audit.go b/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/endpoints/filters/authn_audit.go new file mode 100644 index 000000000000..a3c192f79faf --- /dev/null +++ b/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/endpoints/filters/authn_audit.go @@ -0,0 +1,87 @@ +/* +Copyright 2017 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package filters + +import ( + "errors" + "fmt" + "net/http" + "strings" + + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + utilruntime "k8s.io/apimachinery/pkg/util/runtime" + auditinternal "k8s.io/apiserver/pkg/apis/audit" + "k8s.io/apiserver/pkg/audit" + "k8s.io/apiserver/pkg/audit/policy" + "k8s.io/apiserver/pkg/endpoints/handlers/responsewriters" + "k8s.io/apiserver/pkg/endpoints/request" +) + +// WithFailedAuthenticationAudit decorates a failed http.Handler used in WithAuthentication handler. +// It is meant to log only failed authentication requests. +func WithFailedAuthenticationAudit(failedHandler http.Handler, requestContextMapper request.RequestContextMapper, sink audit.Sink, policy policy.Checker) http.Handler { + if sink == nil || policy == nil { + return failedHandler + } + return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { + _, ev, err := createAuditEventAndAttachToContext(requestContextMapper, req, policy) + if err != nil { + utilruntime.HandleError(fmt.Errorf("failed to create audit event: %v", err)) + responsewriters.InternalError(w, req, errors.New("failed to create audit event")) + return + } + if ev == nil { + failedHandler.ServeHTTP(w, req) + return + } + + ev.ResponseStatus = &metav1.Status{} + ev.ResponseStatus.Message = getAuthMethods(req) + ev.Stage = auditinternal.StageResponseStarted + + rw := decorateResponseWriter(w, ev, sink) + failedHandler.ServeHTTP(rw, req) + }) +} + +func getAuthMethods(req *http.Request) string { + authMethods := []string{} + + if _, _, ok := req.BasicAuth(); ok { + authMethods = append(authMethods, "basic") + } + + auth := strings.TrimSpace(req.Header.Get("Authorization")) + parts := strings.Split(auth, " ") + if len(parts) > 1 && strings.ToLower(parts[0]) == "bearer" { + authMethods = append(authMethods, "bearer") + } + + token := strings.TrimSpace(req.URL.Query().Get("access_token")) + if len(token) > 0 { + authMethods = append(authMethods, "access_token") + } + + if req.TLS != nil && len(req.TLS.PeerCertificates) > 0 { + authMethods = append(authMethods, "x509") + } + + if len(authMethods) > 0 { + return fmt.Sprintf("Authentication failed, attempted: %s", strings.Join(authMethods, ", ")) + } + return "Authentication failed, no credentials provided" +} diff --git a/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/endpoints/filters/authn_audit_test.go b/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/endpoints/filters/authn_audit_test.go new file mode 100644 index 000000000000..fb9eeebf6b3f --- /dev/null +++ b/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/endpoints/filters/authn_audit_test.go @@ -0,0 +1,122 @@ +/* +Copyright 2017 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package filters + +import ( + "crypto/tls" + "crypto/x509" + "net/http" + "net/http/httptest" + "strings" + "testing" + + auditinternal "k8s.io/apiserver/pkg/apis/audit" + "k8s.io/apiserver/pkg/audit/policy" +) + +func TestFailedAuthnAudit(t *testing.T) { + sink := &fakeAuditSink{} + policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse) + handler := WithFailedAuthenticationAudit( + http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(http.StatusUnauthorized) + }), + &fakeRequestContextMapper{}, sink, policyChecker) + req, _ := http.NewRequest("GET", "/api/v1/namespaces/default/pods", nil) + req.RemoteAddr = "127.0.0.1" + req.SetBasicAuth("username", "password") + handler.ServeHTTP(httptest.NewRecorder(), req) + + if len(sink.events) != 1 { + t.Fatalf("Unexpected number of audit events generated, expected 1, got: %d", len(sink.events)) + } + ev := sink.events[0] + if ev.ResponseStatus.Code != http.StatusUnauthorized { + t.Errorf("Unexpected response code, expected unauthorized, got %d", ev.ResponseStatus.Code) + } + if !strings.Contains(ev.ResponseStatus.Message, "basic") { + t.Errorf("Expected response status message to contain basic auth method, got %s", ev.ResponseStatus.Message) + } + if ev.Verb != "list" { + t.Errorf("Unexpected verb, expected list, got %s", ev.Verb) + } + if ev.RequestURI != "/api/v1/namespaces/default/pods" { + t.Errorf("Unexpected user, expected /api/v1/namespaces/default/pods, got %s", ev.RequestURI) + } +} + +func TestFailedMultipleAuthnAudit(t *testing.T) { + sink := &fakeAuditSink{} + policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse) + handler := WithFailedAuthenticationAudit( + http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(http.StatusUnauthorized) + }), + &fakeRequestContextMapper{}, sink, policyChecker) + req, _ := http.NewRequest("GET", "/api/v1/namespaces/default/pods", nil) + req.RemoteAddr = "127.0.0.1" + req.SetBasicAuth("username", "password") + req.TLS = &tls.ConnectionState{PeerCertificates: []*x509.Certificate{{}}} + handler.ServeHTTP(httptest.NewRecorder(), req) + + if len(sink.events) != 1 { + t.Fatalf("Unexpected number of audit events generated, expected 1, got: %d", len(sink.events)) + } + ev := sink.events[0] + if ev.ResponseStatus.Code != http.StatusUnauthorized { + t.Errorf("Unexpected response code, expected unauthorized, got %d", ev.ResponseStatus.Code) + } + if !strings.Contains(ev.ResponseStatus.Message, "basic") || !strings.Contains(ev.ResponseStatus.Message, "x509") { + t.Errorf("Expected response status message to contain basic and x509 auth method, got %s", ev.ResponseStatus.Message) + } + if ev.Verb != "list" { + t.Errorf("Unexpected verb, expected list, got %s", ev.Verb) + } + if ev.RequestURI != "/api/v1/namespaces/default/pods" { + t.Errorf("Unexpected user, expected /api/v1/namespaces/default/pods, got %s", ev.RequestURI) + } +} + +func TestFailedAuthnAuditWithoutAuthorization(t *testing.T) { + sink := &fakeAuditSink{} + policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse) + handler := WithFailedAuthenticationAudit( + http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(http.StatusUnauthorized) + }), + &fakeRequestContextMapper{}, sink, policyChecker) + req, _ := http.NewRequest("GET", "/api/v1/namespaces/default/pods", nil) + req.RemoteAddr = "127.0.0.1" + handler.ServeHTTP(httptest.NewRecorder(), req) + + if len(sink.events) != 1 { + t.Fatalf("Unexpected number of audit events generated, expected 1, got: %d", len(sink.events)) + } + ev := sink.events[0] + if ev.ResponseStatus.Code != http.StatusUnauthorized { + t.Errorf("Unexpected response code, expected unauthorized, got %d", ev.ResponseStatus.Code) + } + if !strings.Contains(ev.ResponseStatus.Message, "no credentials provided") { + t.Errorf("Expected response status message to contain no credentials provided, got %s", ev.ResponseStatus.Message) + } + if ev.Verb != "list" { + t.Errorf("Unexpected verb, expected list, got %s", ev.Verb) + } + if ev.RequestURI != "/api/v1/namespaces/default/pods" { + t.Errorf("Unexpected user, expected /api/v1/namespaces/default/pods, got %s", ev.RequestURI) + } +} diff --git a/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/server/config.go b/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/server/config.go index 87a82518a65f..78fa466c340d 100644 --- a/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/server/config.go +++ b/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/server/config.go @@ -476,7 +476,11 @@ func DefaultBuildHandlerChain(apiHandler http.Handler, c *Config) http.Handler { } else { handler = genericapifilters.WithLegacyAudit(handler, c.RequestContextMapper, c.LegacyAuditWriter) } - handler = genericapifilters.WithAuthentication(handler, c.RequestContextMapper, c.Authenticator, genericapifilters.Unauthorized(c.SupportsBasicAuth)) + var failedHandler http.Handler = genericapifilters.Unauthorized(c.SupportsBasicAuth) + if utilfeature.DefaultFeatureGate.Enabled(features.AdvancedAuditing) { + failedHandler = genericapifilters.WithFailedAuthenticationAudit(failedHandler, c.RequestContextMapper, c.AuditBackend, c.AuditPolicyChecker) + } + handler = genericapifilters.WithAuthentication(handler, c.RequestContextMapper, c.Authenticator, failedHandler) handler = genericfilters.WithCORS(handler, c.CorsAllowedOriginList, nil, nil, nil, "true") handler = genericfilters.WithPanicRecovery(handler) handler = genericfilters.WithTimeoutForNonLongRunningRequests(handler, c.RequestContextMapper, c.LongRunningFunc) diff --git a/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/server/options/audit.go b/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/server/options/audit.go index b5f310af0411..528b7094c709 100644 --- a/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/server/options/audit.go +++ b/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/server/options/audit.go @@ -63,6 +63,7 @@ type AuditLogOptions struct { MaxAge int MaxBackups int MaxSize int + Format string } // AuditWebhookOptions control the webhook configuration for audit events. @@ -78,6 +79,7 @@ type AuditWebhookOptions struct { func NewAuditOptions() *AuditOptions { return &AuditOptions{ WebhookOptions: AuditWebhookOptions{Mode: pluginwebhook.ModeBatch}, + LogOptions: AuditLogOptions{Format: pluginlog.FormatLegacy}, } } @@ -131,6 +133,10 @@ func (o *AuditLogOptions) AddFlags(fs *pflag.FlagSet) { "The maximum number of old audit log files to retain.") fs.IntVar(&o.MaxSize, "audit-log-maxsize", o.MaxSize, "The maximum size in megabytes of the audit log file before it gets rotated.") + fs.StringVar(&o.Format, "audit-log-format", o.Format, + "Format of saved audits. \"legacy\" indicates 1-line text format for each event."+ + " \"json\" indicates structured json format. Requires the 'AdvancedAuditing' feature"+ + " gate. Known formats are "+strings.Join(pluginlog.AllowedFormats, ",")+".") } func (o *AuditLogOptions) applyTo(c *server.Config) error { @@ -138,6 +144,18 @@ func (o *AuditLogOptions) applyTo(c *server.Config) error { return nil } + // check log format + validFormat := false + for _, f := range pluginlog.AllowedFormats { + if f == o.Format { + validFormat = true + break + } + } + if !validFormat { + return fmt.Errorf("invalid audit log format %s, allowed formats are %q", o.Format, strings.Join(pluginlog.AllowedFormats, ",")) + } + var w io.Writer = os.Stdout if o.Path != "-" { w = &lumberjack.Logger{ @@ -150,7 +168,7 @@ func (o *AuditLogOptions) applyTo(c *server.Config) error { c.LegacyAuditWriter = w if advancedAuditingEnabled() { - c.AuditBackend = appendBackend(c.AuditBackend, pluginlog.NewBackend(w)) + c.AuditBackend = appendBackend(c.AuditBackend, pluginlog.NewBackend(w, o.Format)) } return nil } diff --git a/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/plugin/pkg/audit/log/BUILD b/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/plugin/pkg/audit/log/BUILD index 82005d6ab323..897aa136661b 100644 --- a/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/plugin/pkg/audit/log/BUILD +++ b/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/plugin/pkg/audit/log/BUILD @@ -12,7 +12,9 @@ go_library( srcs = ["backend.go"], tags = ["automanaged"], deps = [ + "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library", "//vendor/k8s.io/apiserver/pkg/apis/audit:go_default_library", + "//vendor/k8s.io/apiserver/pkg/apis/audit/v1alpha1:go_default_library", "//vendor/k8s.io/apiserver/pkg/audit:go_default_library", ], ) diff --git a/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/plugin/pkg/audit/log/backend.go b/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/plugin/pkg/audit/log/backend.go index 9f381806d5f4..dec402e50417 100644 --- a/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/plugin/pkg/audit/log/backend.go +++ b/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/plugin/pkg/audit/log/backend.go @@ -21,21 +21,38 @@ import ( "io" "strings" + "k8s.io/apimachinery/pkg/runtime" auditinternal "k8s.io/apiserver/pkg/apis/audit" + auditv1alpha1 "k8s.io/apiserver/pkg/apis/audit/v1alpha1" "k8s.io/apiserver/pkg/audit" ) +const ( + // FormatLegacy saves event in 1-line text format. + FormatLegacy = "legacy" + // FormatJson saves event in structured json format. + FormatJson = "json" +) + +// AllowedFormats are the formats known by log backend. +var AllowedFormats = []string{ + FormatLegacy, + FormatJson, +} + type backend struct { - out io.Writer - sink chan *auditinternal.Event + out io.Writer + sink chan *auditinternal.Event + format string } var _ audit.Backend = &backend{} -func NewBackend(out io.Writer) *backend { +func NewBackend(out io.Writer, format string) *backend { return &backend{ - out: out, - sink: make(chan *auditinternal.Event, 100), + out: out, + sink: make(chan *auditinternal.Event, 100), + format: format, } } @@ -46,8 +63,23 @@ func (b *backend) ProcessEvents(events ...*auditinternal.Event) { } func (b *backend) logEvent(ev *auditinternal.Event) { - line := audit.EventString(ev) - if _, err := fmt.Fprintln(b.out, line); err != nil { + line := "" + switch b.format { + case FormatLegacy: + line = audit.EventString(ev) + "\n" + case FormatJson: + bs, err := runtime.Encode(audit.Codecs.LegacyCodec(auditv1alpha1.SchemeGroupVersion), ev) + if err != nil { + audit.HandlePluginError("log", err, ev) + return + } + line = string(bs[:]) + default: + audit.HandlePluginError("log", fmt.Errorf("log format %q is not in list of known formats (%s)", + b.format, strings.Join(AllowedFormats, ",")), ev) + return + } + if _, err := fmt.Fprint(b.out, line); err != nil { audit.HandlePluginError("log", err, ev) } }