Home Explore Help
Sign In
tzeneto
/
custom-kube-scheduler
Watch 1
Star 0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 713db4efe3
Branches Tags
custom-kube-...
/
kubernetes
/
test
/
integration
/
master
/
audit_dynamic_test.go

audit_dynamic_test.go 10 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283 
  1. /*
    2. 

  2. Copyright 2018 The Kubernetes Authors.
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     http://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package master
    18. 

  18. 

  19. import (
    20. 

  20. 	"context"
    21. 

  21. 	"fmt"
    22. 

  22. 	"sync"
    23. 

  23. 	"sync/atomic"
    24. 

  24. 	"testing"
    25. 

  25. 	"time"
    26. 

  26. 

  27. 	"github.com/stretchr/testify/require"
    28. 

  28. 

  29. 	apierrors "k8s.io/apimachinery/pkg/api/errors"
    30. 

  30. 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    31. 

  31. 	"k8s.io/apimachinery/pkg/util/wait"
    32. 

  32. 	auditinternal "k8s.io/apiserver/pkg/apis/audit"
    33. 

  33. 	"k8s.io/apiserver/pkg/features"
    34. 

  34. 	utilfeature "k8s.io/apiserver/pkg/util/feature"
    35. 

  35. 	"k8s.io/client-go/kubernetes"
    36. 

  36. 	featuregatetesting "k8s.io/component-base/featuregate/testing"
    37. 

  37. 	"k8s.io/kubernetes/cmd/kube-apiserver/app/options"
    38. 

  38. 	"k8s.io/kubernetes/test/integration/framework"
    39. 

  39. 	"k8s.io/kubernetes/test/utils"
    40. 

  40. )
    41. 

  41. 

  42. // TestDynamicAudit ensures that v1alpha of the auditregistration api works
    43. 

  43. func TestDynamicAudit(t *testing.T) {
    44. 

  44. 	// start api server
    45. 

  45. 	stopCh := make(chan struct{})
    46. 

  46. 	defer close(stopCh)
    47. 

  47. 

  48. 	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DynamicAuditing, true)()
    49. 

  49. 	kubeclient, _ := framework.StartTestServer(t, stopCh, framework.TestServerSetup{
    50. 

  50. 		ModifyServerRunOptions: func(opts *options.ServerRunOptions) {
    51. 

  51. 			opts.Audit.DynamicOptions.Enabled = true
    52. 

  52. 			// set max batch size so the buffers flush immediately
    53. 

  53. 			opts.Audit.DynamicOptions.BatchConfig.MaxBatchSize = 1
    54. 

  54. 			opts.APIEnablement.RuntimeConfig.Set("auditregistration.k8s.io/v1alpha1=true")
    55. 

  55. 		},
    56. 

  56. 	})
    57. 

  57. 

  58. 	// create test sinks
    59. 

  59. 	testServer1 := utils.NewAuditTestServer(t, "test1")
    60. 

  60. 	defer testServer1.Close()
    61. 

  61. 	testServer2 := utils.NewAuditTestServer(t, "test2")
    62. 

  62. 	defer testServer2.Close()
    63. 

  63. 

  64. 	// check that servers are healthy
    65. 

  65. 	require.NoError(t, testServer1.Health(), "server1 never became healthy")
    66. 

  66. 	require.NoError(t, testServer2.Health(), "server2 never became healthy")
    67. 

  67. 

  68. 	// build AuditSink configurations
    69. 

  69. 	sinkConfig1 := testServer1.BuildSinkConfiguration()
    70. 

  70. 	sinkConfig2 := testServer2.BuildSinkConfiguration()
    71. 

  71. 

  72. 	// test creates a single audit sink, generates audit events, and ensures they arrive at the server
    73. 

  73. 	success := t.Run("one sink", func(t *testing.T) {
    74. 

  74. 		_, err := kubeclient.AuditregistrationV1alpha1().AuditSinks().Create(context.TODO(), sinkConfig1, metav1.CreateOptions{})
    75. 

  75. 		require.NoError(t, err, "failed to create audit sink1")
    76. 

  76. 		t.Log("created audit sink1")
    77. 

  77. 

  78. 		// verify sink is ready
    79. 

  79. 		sinkHealth(t, kubeclient, testServer1)
    80. 

  80. 

  81. 		// perform configmap ops
    82. 

  82. 		configMapOperations(t, kubeclient)
    83. 

  83. 

  84. 		// check for corresponding events
    85. 

  85. 		missing, err := testServer1.WaitForEvents(expectedEvents)
    86. 

  86. 		require.NoError(t, err, "failed to match all expected events for server1, events %#v not found", missing)
    87. 

  87. 	})
    88. 

  88. 	require.True(t, success) // propagate failure
    89. 

  89. 

  90. 	// test creates a second audit sink, generates audit events, and ensures events arrive in both servers
    91. 

  91. 	success = t.Run("two sink", func(t *testing.T) {
    92. 

  92. 		_, err := kubeclient.AuditregistrationV1alpha1().AuditSinks().Create(context.TODO(), sinkConfig2, metav1.CreateOptions{})
    93. 

  93. 		require.NoError(t, err, "failed to create audit sink2")
    94. 

  94. 		t.Log("created audit sink2")
    95. 

  95. 

  96. 		// verify both sinks are ready
    97. 

  97. 		sinkHealth(t, kubeclient, testServer1, testServer2)
    98. 

  98. 

  99. 		// perform configmap ops
    100. 

  100. 		configMapOperations(t, kubeclient)
    101. 

  101. 

  102. 		// check for corresponding events in both sinks
    103. 

  103. 		missing, err := testServer1.WaitForEvents(expectedEvents)
    104. 

  104. 		require.NoError(t, err, "failed to match all expected events for server1, events %#v not found", missing)
    105. 

  105. 		missing, err = testServer2.WaitForEvents(expectedEvents)
    106. 

  106. 		require.NoError(t, err, "failed to match all expected events for server2, events %#v not found", missing)
    107. 

  107. 	})
    108. 

  108. 	require.True(t, success) // propagate failure
    109. 

  109. 

  110. 	// test deletes an audit sink, generates audit events, and ensures they don't arrive in the corresponding server
    111. 

  111. 	success = t.Run("delete sink", func(t *testing.T) {
    112. 

  112. 		err := kubeclient.AuditregistrationV1alpha1().AuditSinks().Delete(context.TODO(), sinkConfig2.Name, &metav1.DeleteOptions{})
    113. 

  113. 		require.NoError(t, err, "failed to delete audit sink2")
    114. 

  114. 		t.Log("deleted audit sink2")
    115. 

  115. 

  116. 		var finalErr error
    117. 

  117. 		err = wait.PollImmediate(100*time.Millisecond, wait.ForeverTestTimeout, func() (bool, error) {
    118. 

  118. 			// reset event lists
    119. 

  119. 			testServer1.ResetEventList()
    120. 

  120. 			testServer2.ResetEventList()
    121. 

  121. 

  122. 			// perform configmap ops
    123. 

  123. 			configMapOperations(t, kubeclient)
    124. 

  124. 

  125. 			// check for corresponding events in server1
    126. 

  126. 			missing, err := testServer1.WaitForEvents(expectedEvents)
    127. 

  127. 			if err != nil {
    128. 

  128. 				finalErr = fmt.Errorf("%v: failed to match all expected events for server1, events %#v not found", err, missing)
    129. 

  129. 				return false, nil
    130. 

  130. 			}
    131. 

  131. 

  132. 			// check that server2 is empty
    133. 

  133. 			if len(testServer2.GetEventList().Items) != 0 {
    134. 

  134. 				finalErr = fmt.Errorf("server2 event list should be empty")
    135. 

  135. 				return false, nil
    136. 

  136. 			}
    137. 

  137. 			return true, nil
    138. 

  138. 		})
    139. 

  139. 		require.NoError(t, err, finalErr)
    140. 

  140. 	})
    141. 

  141. 	require.True(t, success) // propagate failure
    142. 

  142. 

  143. 	// This test will run a background process that generates audit events sending them to a sink.
    144. 

  144. 	// Whilst that generation is occurring, the sink is updated to point to a different server.
    145. 

  145. 	// The test checks that no events are lost or duplicated during the update.
    146. 

  146. 	t.Run("update sink", func(t *testing.T) {
    147. 

  147. 		// fetch sink1 config
    148. 

  148. 		sink1, err := kubeclient.AuditregistrationV1alpha1().AuditSinks().Get(context.TODO(), sinkConfig1.Name, metav1.GetOptions{})
    149. 

  149. 		require.NoError(t, err)
    150. 

  150. 

  151. 		// reset event lists
    152. 

  152. 		testServer1.ResetEventList()
    153. 

  153. 		testServer2.ResetEventList()
    154. 

  154. 

  155. 		// run operations in background
    156. 

  156. 		stopChan := make(chan struct{})
    157. 

  157. 		expectedEvents := &atomic.Value{}
    158. 

  158. 		expectedEvents.Store([]utils.AuditEvent{})
    159. 

  159. 		wg := &sync.WaitGroup{}
    160. 

  160. 		wg.Add(1)
    161. 

  161. 		go asyncOps(stopChan, wg, kubeclient, expectedEvents)
    162. 

  162. 

  163. 		// check to see that at least 20 events have arrived in server1
    164. 

  164. 		err = testServer1.WaitForNumEvents(20)
    165. 

  165. 		require.NoError(t, err, "failed to find enough events in server1")
    166. 

  166. 

  167. 		// check that no events are in server 2 yet
    168. 

  168. 		require.Len(t, testServer2.GetEventList().Items, 0, "server2 should not have events yet")
    169. 

  169. 

  170. 		// update the url
    171. 

  171. 		sink1.Spec.Webhook.ClientConfig.URL = &testServer2.Server.URL
    172. 

  172. 		_, err = kubeclient.AuditregistrationV1alpha1().AuditSinks().Update(context.TODO(), sink1, metav1.UpdateOptions{})
    173. 

  173. 		require.NoError(t, err, "failed to update audit sink1")
    174. 

  174. 		t.Log("updated audit sink1 to point to server2")
    175. 

  175. 

  176. 		// check that at least 20 events have arrived in server2
    177. 

  177. 		err = testServer2.WaitForNumEvents(20)
    178. 

  178. 		require.NoError(t, err, "failed to find enough events in server2")
    179. 

  179. 

  180. 		// stop the operations and ensure they have finished
    181. 

  181. 		close(stopChan)
    182. 

  182. 		wg.Wait()
    183. 

  183. 

  184. 		// check that the final events have arrived
    185. 

  185. 		expected := expectedEvents.Load().([]utils.AuditEvent)
    186. 

  186. 		missing, err := testServer2.WaitForEvents(expected[len(expected)-4:])
    187. 

  187. 		require.NoError(t, err, "failed to find the final events in server2, events %#v not found", missing)
    188. 

  188. 

  189. 		// combine the event lists
    190. 

  190. 		el1 := testServer1.GetEventList()
    191. 

  191. 		el2 := testServer2.GetEventList()
    192. 

  192. 		combinedList := auditinternal.EventList{}
    193. 

  193. 		combinedList.Items = append(el1.Items, el2.Items...)
    194. 

  194. 

  195. 		// check that there are no duplicate events
    196. 

  196. 		dups, err := utils.CheckForDuplicates(combinedList)
    197. 

  197. 		require.NoError(t, err, "duplicate events found: %#v", dups)
    198. 

  198. 

  199. 		// check that no events are missing
    200. 

  200. 		missing, err = utils.CheckAuditList(combinedList, expected)
    201. 

  201. 		require.NoError(t, err, "failed to match all expected events: %#v not found", missing)
    202. 

  202. 	})
    203. 

  203. }
    204. 

  204. 

  205. // sinkHealth checks if sinks are running by verifying that uniquely identified events are found
    206. 

  206. // in the given servers
    207. 

  207. func sinkHealth(t *testing.T, kubeclient kubernetes.Interface, servers ...*utils.AuditTestServer) {
    208. 

  208. 	var missing []utils.AuditEvent
    209. 

  209. 	i := 0
    210. 

  210. 	var finalErr error
    211. 

  211. 	err := wait.PollImmediate(50*time.Millisecond, wait.ForeverTestTimeout, func() (bool, error) {
    212. 

  212. 		i++
    213. 

  213. 		name := fmt.Sprintf("health-%d-%d", i, time.Now().UnixNano())
    214. 

  214. 		expected, err := simpleOp(name, kubeclient)
    215. 

  215. 		require.NoError(t, err, "could not perform config map operations")
    216. 

  216. 

  217. 		// check that all given servers have received events
    218. 

  218. 		for _, server := range servers {
    219. 

  219. 			missing, err = server.WaitForEvents(expected)
    220. 

  220. 			if err != nil {
    221. 

  221. 				finalErr = fmt.Errorf("not all events found in %s health check: missing %#v", server.Name, missing)
    222. 

  222. 				return false, nil
    223. 

  223. 			}
    224. 

  224. 			server.ResetEventList()
    225. 

  225. 		}
    226. 

  226. 		return true, nil
    227. 

  227. 	})
    228. 

  228. 	require.NoError(t, err, finalErr)
    229. 

  229. }
    230. 

  230. 

  231. // simpleOp is a function that simply tries to get a configmap with the given name and returns the
    232. 

  232. // corresponding expected audit event
    233. 

  233. func simpleOp(name string, kubeclient kubernetes.Interface) ([]utils.AuditEvent, error) {
    234. 

  234. 	_, err := kubeclient.CoreV1().ConfigMaps(namespace).Get(context.TODO(), name, metav1.GetOptions{})
    235. 

  235. 	if err != nil && !apierrors.IsNotFound(err) {
    236. 

  236. 		return nil, err
    237. 

  237. 	}
    238. 

  238. 

  239. 	expectedEvents := []utils.AuditEvent{
    240. 

  240. 		{
    241. 

  241. 			Level:             auditinternal.LevelRequestResponse,
    242. 

  242. 			Stage:             auditinternal.StageResponseComplete,
    243. 

  243. 			RequestURI:        fmt.Sprintf("/api/v1/namespaces/%s/configmaps/%s", namespace, name),
    244. 

  244. 			Verb:              "get",
    245. 

  245. 			Code:              404,
    246. 

  246. 			User:              auditTestUser,
    247. 

  247. 			Resource:          "configmaps",
    248. 

  248. 			Namespace:         namespace,
    249. 

  249. 			RequestObject:     false,
    250. 

  250. 			ResponseObject:    true,
    251. 

  251. 			AuthorizeDecision: "allow",
    252. 

  252. 		},
    253. 

  253. 	}
    254. 

  254. 	return expectedEvents, nil
    255. 

  255. }
    256. 

  256. 

  257. // asyncOps runs the simpleOp function until the stopChan is closed updating
    258. 

  258. // the expected atomic events list
    259. 

  259. func asyncOps(
    260. 

  260. 	stopChan <-chan struct{},
    261. 

  261. 	wg *sync.WaitGroup,
    262. 

  262. 	kubeclient kubernetes.Interface,
    263. 

  263. 	expected *atomic.Value,
    264. 

  264. ) {
    265. 

  265. 	for i := 0; ; i++ {
    266. 

  266. 		select {
    267. 

  267. 		case <-stopChan:
    268. 

  268. 			wg.Done()
    269. 

  269. 			return
    270. 

  270. 		default:
    271. 

  271. 			name := fmt.Sprintf("health-%d-%d", i, time.Now().UnixNano())
    272. 

  272. 			exp, err := simpleOp(name, kubeclient)
    273. 

  273. 			if err != nil {
    274. 

  274. 				// retry on errors
    275. 

  275. 				continue
    276. 

  276. 			}
    277. 

  277. 			e := expected.Load().([]utils.AuditEvent)
    278. 

  278. 			evList := append(e, exp...)
    279. 

  279. 			expected.Store(evList)
    280. 

  280. 		}
    281. 

  281. 	}
    282. 

  282. }
    283. 

  283.