Головна сторінка Огляд Довідка
Увійти
tzeneto
/
custom-kube-scheduler
Слідкувати 1
Зірка 0
Відгалуження 0
Файли Проблеми 0 Запити на злиття 0 Wiki
Дерево: d09a286d62
Гілки Теги
custom-kube-...
/
kubernetes-v1.15.4
/
test
/
e2e
/
auth
/
audit.go

audit.go 29 KB
Історія Запис

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751 
  1. /*
    2. 

  2. Copyright 2017 The Kubernetes Authors.
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     http://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package auth
    18. 

  18. 

  19. import (
    20. 

  20. 	"encoding/json"
    21. 

  21. 	"fmt"
    22. 

  22. 	"strings"
    23. 

  23. 	"time"
    24. 

  24. 

  25. 	apps "k8s.io/api/apps/v1"
    26. 

  26. 	apiv1 "k8s.io/api/core/v1"
    27. 

  27. 	apiextensionsv1beta1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
    28. 

  28. 	apiextensionclientset "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
    29. 

  29. 	"k8s.io/apiextensions-apiserver/test/integration/fixtures"
    30. 

  30. 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    31. 

  31. 	"k8s.io/apimachinery/pkg/types"
    32. 

  32. 	"k8s.io/apimachinery/pkg/util/wait"
    33. 

  33. 	auditinternal "k8s.io/apiserver/pkg/apis/audit"
    34. 

  34. 	auditv1 "k8s.io/apiserver/pkg/apis/audit/v1"
    35. 

  35. 	clientset "k8s.io/client-go/kubernetes"
    36. 

  36. 	restclient "k8s.io/client-go/rest"
    37. 

  37. 	"k8s.io/kubernetes/test/e2e/framework"
    38. 

  38. 	"k8s.io/kubernetes/test/e2e/framework/auth"
    39. 

  39. 	e2edeploy "k8s.io/kubernetes/test/e2e/framework/deployment"
    40. 

  40. 	e2elog "k8s.io/kubernetes/test/e2e/framework/log"
    41. 

  41. 	"k8s.io/kubernetes/test/utils"
    42. 

  42. 	imageutils "k8s.io/kubernetes/test/utils/image"
    43. 

  43. 

  44. 	jsonpatch "github.com/evanphx/json-patch"
    45. 

  45. 	"github.com/onsi/ginkgo"
    46. 

  46. )
    47. 

  47. 

  48. var (
    49. 

  49. 	watchTestTimeout int64 = 1
    50. 

  50. 	auditTestUser          = "kubecfg"
    51. 

  51. 

  52. 	crd          = fixtures.NewRandomNameCustomResourceDefinition(apiextensionsv1beta1.ClusterScoped)
    53. 

  53. 	crdName      = strings.SplitN(crd.Name, ".", 2)[0]
    54. 

  54. 	crdNamespace = strings.SplitN(crd.Name, ".", 2)[1]
    55. 

  55. 

  56. 	watchOptions = metav1.ListOptions{TimeoutSeconds: &watchTestTimeout}
    57. 

  57. 	patch, _     = json.Marshal(jsonpatch.Patch{})
    58. 

  58. )
    59. 

  59. 

  60. // TODO: Get rid of [DisabledForLargeClusters] when feature request #53455 is ready.
    61. 

  61. // Marked as flaky until a reliable method for collecting server-side audit logs is available. See http://issue.k8s.io/74745#issuecomment-474052439
    62. 

  62. var _ = SIGDescribe("Advanced Audit [DisabledForLargeClusters][Flaky]", func() {
    63. 

  63. 	f := framework.NewDefaultFramework("audit")
    64. 

  64. 	var namespace string
    65. 

  65. 	ginkgo.BeforeEach(func() {
    66. 

  66. 		framework.SkipUnlessProviderIs("gce")
    67. 

  67. 		namespace = f.Namespace.Name
    68. 

  68. 	})
    69. 

  69. 

  70. 	ginkgo.It("should audit API calls to create, get, update, patch, delete, list, watch pods.", func() {
    71. 

  71. 		pod := &apiv1.Pod{
    72. 

  72. 			ObjectMeta: metav1.ObjectMeta{
    73. 

  73. 				Name: "audit-pod",
    74. 

  74. 			},
    75. 

  75. 			Spec: apiv1.PodSpec{
    76. 

  76. 				Containers: []apiv1.Container{{
    77. 

  77. 					Name:  "pause",
    78. 

  78. 					Image: imageutils.GetPauseImageName(),
    79. 

  79. 				}},
    80. 

  80. 			},
    81. 

  81. 		}
    82. 

  82. 		updatePod := func(pod *apiv1.Pod) {}
    83. 

  83. 

  84. 		f.PodClient().CreateSync(pod)
    85. 

  85. 

  86. 		_, err := f.PodClient().Get(pod.Name, metav1.GetOptions{})
    87. 

  87. 		framework.ExpectNoError(err, "failed to get audit-pod")
    88. 

  88. 

  89. 		podChan, err := f.PodClient().Watch(watchOptions)
    90. 

  90. 		framework.ExpectNoError(err, "failed to create watch for pods")
    91. 

  91. 		podChan.Stop()
    92. 

  92. 

  93. 		f.PodClient().Update(pod.Name, updatePod)
    94. 

  94. 

  95. 		_, err = f.PodClient().List(metav1.ListOptions{})
    96. 

  96. 		framework.ExpectNoError(err, "failed to list pods")
    97. 

  97. 

  98. 		_, err = f.PodClient().Patch(pod.Name, types.JSONPatchType, patch)
    99. 

  99. 		framework.ExpectNoError(err, "failed to patch pod")
    100. 

  100. 

  101. 		f.PodClient().DeleteSync(pod.Name, &metav1.DeleteOptions{}, framework.DefaultPodDeletionTimeout)
    102. 

  102. 

  103. 		expectEvents(f, []utils.AuditEvent{
    104. 

  104. 			{
    105. 

  105. 				Level:             auditinternal.LevelRequestResponse,
    106. 

  106. 				Stage:             auditinternal.StageResponseComplete,
    107. 

  107. 				RequestURI:        fmt.Sprintf("/api/v1/namespaces/%s/pods", namespace),
    108. 

  108. 				Verb:              "create",
    109. 

  109. 				Code:              201,
    110. 

  110. 				User:              auditTestUser,
    111. 

  111. 				Resource:          "pods",
    112. 

  112. 				Namespace:         namespace,
    113. 

  113. 				RequestObject:     true,
    114. 

  114. 				ResponseObject:    true,
    115. 

  115. 				AuthorizeDecision: "allow",
    116. 

  116. 			}, {
    117. 

  117. 				Level:             auditinternal.LevelRequest,
    118. 

  118. 				Stage:             auditinternal.StageResponseComplete,
    119. 

  119. 				RequestURI:        fmt.Sprintf("/api/v1/namespaces/%s/pods/audit-pod", namespace),
    120. 

  120. 				Verb:              "get",
    121. 

  121. 				Code:              200,
    122. 

  122. 				User:              auditTestUser,
    123. 

  123. 				Resource:          "pods",
    124. 

  124. 				Namespace:         namespace,
    125. 

  125. 				RequestObject:     false,
    126. 

  126. 				ResponseObject:    false,
    127. 

  127. 				AuthorizeDecision: "allow",
    128. 

  128. 			}, {
    129. 

  129. 				Level:             auditinternal.LevelRequest,
    130. 

  130. 				Stage:             auditinternal.StageResponseComplete,
    131. 

  131. 				RequestURI:        fmt.Sprintf("/api/v1/namespaces/%s/pods", namespace),
    132. 

  132. 				Verb:              "list",
    133. 

  133. 				Code:              200,
    134. 

  134. 				User:              auditTestUser,
    135. 

  135. 				Resource:          "pods",
    136. 

  136. 				Namespace:         namespace,
    137. 

  137. 				RequestObject:     false,
    138. 

  138. 				ResponseObject:    false,
    139. 

  139. 				AuthorizeDecision: "allow",
    140. 

  140. 			}, {
    141. 

  141. 				Level:             auditinternal.LevelRequest,
    142. 

  142. 				Stage:             auditinternal.StageResponseStarted,
    143. 

  143. 				RequestURI:        fmt.Sprintf("/api/v1/namespaces/%s/pods?timeout=%ds&timeoutSeconds=%d&watch=true", namespace, watchTestTimeout, watchTestTimeout),
    144. 

  144. 				Verb:              "watch",
    145. 

  145. 				Code:              200,
    146. 

  146. 				User:              auditTestUser,
    147. 

  147. 				Resource:          "pods",
    148. 

  148. 				Namespace:         namespace,
    149. 

  149. 				RequestObject:     false,
    150. 

  150. 				ResponseObject:    false,
    151. 

  151. 				AuthorizeDecision: "allow",
    152. 

  152. 			}, {
    153. 

  153. 				Level:             auditinternal.LevelRequest,
    154. 

  154. 				Stage:             auditinternal.StageResponseComplete,
    155. 

  155. 				RequestURI:        fmt.Sprintf("/api/v1/namespaces/%s/pods?timeout=%ds&timeoutSeconds=%d&watch=true", namespace, watchTestTimeout, watchTestTimeout),
    156. 

  156. 				Verb:              "watch",
    157. 

  157. 				Code:              200,
    158. 

  158. 				User:              auditTestUser,
    159. 

  159. 				Resource:          "pods",
    160. 

  160. 				Namespace:         namespace,
    161. 

  161. 				RequestObject:     false,
    162. 

  162. 				ResponseObject:    false,
    163. 

  163. 				AuthorizeDecision: "allow",
    164. 

  164. 			}, {
    165. 

  165. 				Level:             auditinternal.LevelRequestResponse,
    166. 

  166. 				Stage:             auditinternal.StageResponseComplete,
    167. 

  167. 				RequestURI:        fmt.Sprintf("/api/v1/namespaces/%s/pods/audit-pod", namespace),
    168. 

  168. 				Verb:              "update",
    169. 

  169. 				Code:              200,
    170. 

  170. 				User:              auditTestUser,
    171. 

  171. 				Resource:          "pods",
    172. 

  172. 				Namespace:         namespace,
    173. 

  173. 				RequestObject:     true,
    174. 

  174. 				ResponseObject:    true,
    175. 

  175. 				AuthorizeDecision: "allow",
    176. 

  176. 			}, {
    177. 

  177. 				Level:             auditinternal.LevelRequestResponse,
    178. 

  178. 				Stage:             auditinternal.StageResponseComplete,
    179. 

  179. 				RequestURI:        fmt.Sprintf("/api/v1/namespaces/%s/pods/audit-pod", namespace),
    180. 

  180. 				Verb:              "patch",
    181. 

  181. 				Code:              200,
    182. 

  182. 				User:              auditTestUser,
    183. 

  183. 				Resource:          "pods",
    184. 

  184. 				Namespace:         namespace,
    185. 

  185. 				RequestObject:     true,
    186. 

  186. 				ResponseObject:    true,
    187. 

  187. 				AuthorizeDecision: "allow",
    188. 

  188. 			}, {
    189. 

  189. 				Level:             auditinternal.LevelRequestResponse,
    190. 

  190. 				Stage:             auditinternal.StageResponseComplete,
    191. 

  191. 				RequestURI:        fmt.Sprintf("/api/v1/namespaces/%s/pods/audit-pod", namespace),
    192. 

  192. 				Verb:              "delete",
    193. 

  193. 				Code:              200,
    194. 

  194. 				User:              auditTestUser,
    195. 

  195. 				Resource:          "pods",
    196. 

  196. 				Namespace:         namespace,
    197. 

  197. 				RequestObject:     true,
    198. 

  198. 				ResponseObject:    true,
    199. 

  199. 				AuthorizeDecision: "allow",
    200. 

  200. 			},
    201. 

  201. 		})
    202. 

  202. 	})
    203. 

  203. 

  204. 	ginkgo.It("should audit API calls to create, get, update, patch, delete, list, watch deployments.", func() {
    205. 

  205. 		podLabels := map[string]string{"name": "audit-deployment-pod"}
    206. 

  206. 		d := e2edeploy.NewDeployment("audit-deployment", int32(1), podLabels, "redis", imageutils.GetE2EImage(imageutils.Redis), apps.RecreateDeploymentStrategyType)
    207. 

  207. 

  208. 		_, err := f.ClientSet.AppsV1().Deployments(namespace).Create(d)
    209. 

  209. 		framework.ExpectNoError(err, "failed to create audit-deployment")
    210. 

  210. 

  211. 		_, err = f.ClientSet.AppsV1().Deployments(namespace).Get(d.Name, metav1.GetOptions{})
    212. 

  212. 		framework.ExpectNoError(err, "failed to get audit-deployment")
    213. 

  213. 

  214. 		deploymentChan, err := f.ClientSet.AppsV1().Deployments(namespace).Watch(watchOptions)
    215. 

  215. 		framework.ExpectNoError(err, "failed to create watch for deployments")
    216. 

  216. 		deploymentChan.Stop()
    217. 

  217. 

  218. 		_, err = f.ClientSet.AppsV1().Deployments(namespace).Update(d)
    219. 

  219. 		framework.ExpectNoError(err, "failed to update audit-deployment")
    220. 

  220. 

  221. 		_, err = f.ClientSet.AppsV1().Deployments(namespace).Patch(d.Name, types.JSONPatchType, patch)
    222. 

  222. 		framework.ExpectNoError(err, "failed to patch deployment")
    223. 

  223. 

  224. 		_, err = f.ClientSet.AppsV1().Deployments(namespace).List(metav1.ListOptions{})
    225. 

  225. 		framework.ExpectNoError(err, "failed to create list deployments")
    226. 

  226. 

  227. 		err = f.ClientSet.AppsV1().Deployments(namespace).Delete("audit-deployment", &metav1.DeleteOptions{})
    228. 

  228. 		framework.ExpectNoError(err, "failed to delete deployments")
    229. 

  229. 

  230. 		expectEvents(f, []utils.AuditEvent{
    231. 

  231. 			{
    232. 

  232. 				Level:             auditinternal.LevelRequestResponse,
    233. 

  233. 				Stage:             auditinternal.StageResponseComplete,
    234. 

  234. 				RequestURI:        fmt.Sprintf("/apis/apps/v1/namespaces/%s/deployments", namespace),
    235. 

  235. 				Verb:              "create",
    236. 

  236. 				Code:              201,
    237. 

  237. 				User:              auditTestUser,
    238. 

  238. 				Resource:          "deployments",
    239. 

  239. 				Namespace:         namespace,
    240. 

  240. 				RequestObject:     true,
    241. 

  241. 				ResponseObject:    true,
    242. 

  242. 				AuthorizeDecision: "allow",
    243. 

  243. 			}, {
    244. 

  244. 				Level:             auditinternal.LevelRequest,
    245. 

  245. 				Stage:             auditinternal.StageResponseComplete,
    246. 

  246. 				RequestURI:        fmt.Sprintf("/apis/apps/v1/namespaces/%s/deployments/audit-deployment", namespace),
    247. 

  247. 				Verb:              "get",
    248. 

  248. 				Code:              200,
    249. 

  249. 				User:              auditTestUser,
    250. 

  250. 				Resource:          "deployments",
    251. 

  251. 				Namespace:         namespace,
    252. 

  252. 				RequestObject:     false,
    253. 

  253. 				ResponseObject:    false,
    254. 

  254. 				AuthorizeDecision: "allow",
    255. 

  255. 			}, {
    256. 

  256. 				Level:             auditinternal.LevelRequest,
    257. 

  257. 				Stage:             auditinternal.StageResponseComplete,
    258. 

  258. 				RequestURI:        fmt.Sprintf("/apis/apps/v1/namespaces/%s/deployments", namespace),
    259. 

  259. 				Verb:              "list",
    260. 

  260. 				Code:              200,
    261. 

  261. 				User:              auditTestUser,
    262. 

  262. 				Resource:          "deployments",
    263. 

  263. 				Namespace:         namespace,
    264. 

  264. 				RequestObject:     false,
    265. 

  265. 				ResponseObject:    false,
    266. 

  266. 				AuthorizeDecision: "allow",
    267. 

  267. 			}, {
    268. 

  268. 				Level:             auditinternal.LevelRequest,
    269. 

  269. 				Stage:             auditinternal.StageResponseStarted,
    270. 

  270. 				RequestURI:        fmt.Sprintf("/apis/apps/v1/namespaces/%s/deployments?timeout=%ds&timeoutSeconds=%d&watch=true", namespace, watchTestTimeout, watchTestTimeout),
    271. 

  271. 				Verb:              "watch",
    272. 

  272. 				Code:              200,
    273. 

  273. 				User:              auditTestUser,
    274. 

  274. 				Resource:          "deployments",
    275. 

  275. 				Namespace:         namespace,
    276. 

  276. 				RequestObject:     false,
    277. 

  277. 				ResponseObject:    false,
    278. 

  278. 				AuthorizeDecision: "allow",
    279. 

  279. 			}, {
    280. 

  280. 				Level:             auditinternal.LevelRequest,
    281. 

  281. 				Stage:             auditinternal.StageResponseComplete,
    282. 

  282. 				RequestURI:        fmt.Sprintf("/apis/apps/v1/namespaces/%s/deployments?timeout=%ds&timeoutSeconds=%d&watch=true", namespace, watchTestTimeout, watchTestTimeout),
    283. 

  283. 				Verb:              "watch",
    284. 

  284. 				Code:              200,
    285. 

  285. 				User:              auditTestUser,
    286. 

  286. 				Resource:          "deployments",
    287. 

  287. 				Namespace:         namespace,
    288. 

  288. 				RequestObject:     false,
    289. 

  289. 				ResponseObject:    false,
    290. 

  290. 				AuthorizeDecision: "allow",
    291. 

  291. 			}, {
    292. 

  292. 				Level:             auditinternal.LevelRequestResponse,
    293. 

  293. 				Stage:             auditinternal.StageResponseComplete,
    294. 

  294. 				RequestURI:        fmt.Sprintf("/apis/apps/v1/namespaces/%s/deployments/audit-deployment", namespace),
    295. 

  295. 				Verb:              "update",
    296. 

  296. 				Code:              200,
    297. 

  297. 				User:              auditTestUser,
    298. 

  298. 				Resource:          "deployments",
    299. 

  299. 				Namespace:         namespace,
    300. 

  300. 				RequestObject:     true,
    301. 

  301. 				ResponseObject:    true,
    302. 

  302. 				AuthorizeDecision: "allow",
    303. 

  303. 			}, {
    304. 

  304. 				Level:             auditinternal.LevelRequestResponse,
    305. 

  305. 				Stage:             auditinternal.StageResponseComplete,
    306. 

  306. 				RequestURI:        fmt.Sprintf("/apis/apps/v1/namespaces/%s/deployments/audit-deployment", namespace),
    307. 

  307. 				Verb:              "patch",
    308. 

  308. 				Code:              200,
    309. 

  309. 				User:              auditTestUser,
    310. 

  310. 				Resource:          "deployments",
    311. 

  311. 				Namespace:         namespace,
    312. 

  312. 				RequestObject:     true,
    313. 

  313. 				ResponseObject:    true,
    314. 

  314. 				AuthorizeDecision: "allow",
    315. 

  315. 			}, {
    316. 

  316. 				Level:             auditinternal.LevelRequestResponse,
    317. 

  317. 				Stage:             auditinternal.StageResponseComplete,
    318. 

  318. 				RequestURI:        fmt.Sprintf("/apis/apps/v1/namespaces/%s/deployments/audit-deployment", namespace),
    319. 

  319. 				Verb:              "delete",
    320. 

  320. 				Code:              200,
    321. 

  321. 				User:              auditTestUser,
    322. 

  322. 				Resource:          "deployments",
    323. 

  323. 				Namespace:         namespace,
    324. 

  324. 				RequestObject:     true,
    325. 

  325. 				ResponseObject:    true,
    326. 

  326. 				AuthorizeDecision: "allow",
    327. 

  327. 			},
    328. 

  328. 		})
    329. 

  329. 	})
    330. 

  330. 

  331. 	ginkgo.It("should audit API calls to create, get, update, patch, delete, list, watch configmaps.", func() {
    332. 

  332. 		configMap := &apiv1.ConfigMap{
    333. 

  333. 			ObjectMeta: metav1.ObjectMeta{
    334. 

  334. 				Name: "audit-configmap",
    335. 

  335. 			},
    336. 

  336. 			Data: map[string]string{
    337. 

  337. 				"map-key": "map-value",
    338. 

  338. 			},
    339. 

  339. 		}
    340. 

  340. 

  341. 		_, err := f.ClientSet.CoreV1().ConfigMaps(namespace).Create(configMap)
    342. 

  342. 		framework.ExpectNoError(err, "failed to create audit-configmap")
    343. 

  343. 

  344. 		_, err = f.ClientSet.CoreV1().ConfigMaps(namespace).Get(configMap.Name, metav1.GetOptions{})
    345. 

  345. 		framework.ExpectNoError(err, "failed to get audit-configmap")
    346. 

  346. 

  347. 		configMapChan, err := f.ClientSet.CoreV1().ConfigMaps(namespace).Watch(watchOptions)
    348. 

  348. 		framework.ExpectNoError(err, "failed to create watch for config maps")
    349. 

  349. 		configMapChan.Stop()
    350. 

  350. 

  351. 		_, err = f.ClientSet.CoreV1().ConfigMaps(namespace).Update(configMap)
    352. 

  352. 		framework.ExpectNoError(err, "failed to update audit-configmap")
    353. 

  353. 

  354. 		_, err = f.ClientSet.CoreV1().ConfigMaps(namespace).Patch(configMap.Name, types.JSONPatchType, patch)
    355. 

  355. 		framework.ExpectNoError(err, "failed to patch configmap")
    356. 

  356. 

  357. 		_, err = f.ClientSet.CoreV1().ConfigMaps(namespace).List(metav1.ListOptions{})
    358. 

  358. 		framework.ExpectNoError(err, "failed to list config maps")
    359. 

  359. 

  360. 		err = f.ClientSet.CoreV1().ConfigMaps(namespace).Delete(configMap.Name, &metav1.DeleteOptions{})
    361. 

  361. 		framework.ExpectNoError(err, "failed to delete audit-configmap")
    362. 

  362. 

  363. 		expectEvents(f, []utils.AuditEvent{
    364. 

  364. 			{
    365. 

  365. 				Level:             auditinternal.LevelMetadata,
    366. 

  366. 				Stage:             auditinternal.StageResponseComplete,
    367. 

  367. 				RequestURI:        fmt.Sprintf("/api/v1/namespaces/%s/configmaps", namespace),
    368. 

  368. 				Verb:              "create",
    369. 

  369. 				Code:              201,
    370. 

  370. 				User:              auditTestUser,
    371. 

  371. 				Resource:          "configmaps",
    372. 

  372. 				Namespace:         namespace,
    373. 

  373. 				RequestObject:     false,
    374. 

  374. 				ResponseObject:    false,
    375. 

  375. 				AuthorizeDecision: "allow",
    376. 

  376. 			}, {
    377. 

  377. 				Level:             auditinternal.LevelMetadata,
    378. 

  378. 				Stage:             auditinternal.StageResponseComplete,
    379. 

  379. 				RequestURI:        fmt.Sprintf("/api/v1/namespaces/%s/configmaps/audit-configmap", namespace),
    380. 

  380. 				Verb:              "get",
    381. 

  381. 				Code:              200,
    382. 

  382. 				User:              auditTestUser,
    383. 

  383. 				Resource:          "configmaps",
    384. 

  384. 				Namespace:         namespace,
    385. 

  385. 				RequestObject:     false,
    386. 

  386. 				ResponseObject:    false,
    387. 

  387. 				AuthorizeDecision: "allow",
    388. 

  388. 			}, {
    389. 

  389. 				Level:             auditinternal.LevelMetadata,
    390. 

  390. 				Stage:             auditinternal.StageResponseComplete,
    391. 

  391. 				RequestURI:        fmt.Sprintf("/api/v1/namespaces/%s/configmaps", namespace),
    392. 

  392. 				Verb:              "list",
    393. 

  393. 				Code:              200,
    394. 

  394. 				User:              auditTestUser,
    395. 

  395. 				Resource:          "configmaps",
    396. 

  396. 				Namespace:         namespace,
    397. 

  397. 				RequestObject:     false,
    398. 

  398. 				ResponseObject:    false,
    399. 

  399. 				AuthorizeDecision: "allow",
    400. 

  400. 			}, {
    401. 

  401. 				Level:             auditinternal.LevelMetadata,
    402. 

  402. 				Stage:             auditinternal.StageResponseStarted,
    403. 

  403. 				RequestURI:        fmt.Sprintf("/api/v1/namespaces/%s/configmaps?timeout=%ds&timeoutSeconds=%d&watch=true", namespace, watchTestTimeout, watchTestTimeout),
    404. 

  404. 				Verb:              "watch",
    405. 

  405. 				Code:              200,
    406. 

  406. 				User:              auditTestUser,
    407. 

  407. 				Resource:          "configmaps",
    408. 

  408. 				Namespace:         namespace,
    409. 

  409. 				RequestObject:     false,
    410. 

  410. 				ResponseObject:    false,
    411. 

  411. 				AuthorizeDecision: "allow",
    412. 

  412. 			}, {
    413. 

  413. 				Level:             auditinternal.LevelMetadata,
    414. 

  414. 				Stage:             auditinternal.StageResponseComplete,
    415. 

  415. 				RequestURI:        fmt.Sprintf("/api/v1/namespaces/%s/configmaps?timeout=%ds&timeoutSeconds=%d&watch=true", namespace, watchTestTimeout, watchTestTimeout),
    416. 

  416. 				Verb:              "watch",
    417. 

  417. 				Code:              200,
    418. 

  418. 				User:              auditTestUser,
    419. 

  419. 				Resource:          "configmaps",
    420. 

  420. 				Namespace:         namespace,
    421. 

  421. 				RequestObject:     false,
    422. 

  422. 				ResponseObject:    false,
    423. 

  423. 				AuthorizeDecision: "allow",
    424. 

  424. 			}, {
    425. 

  425. 				Level:             auditinternal.LevelMetadata,
    426. 

  426. 				Stage:             auditinternal.StageResponseComplete,
    427. 

  427. 				RequestURI:        fmt.Sprintf("/api/v1/namespaces/%s/configmaps/audit-configmap", namespace),
    428. 

  428. 				Verb:              "update",
    429. 

  429. 				Code:              200,
    430. 

  430. 				User:              auditTestUser,
    431. 

  431. 				Resource:          "configmaps",
    432. 

  432. 				Namespace:         namespace,
    433. 

  433. 				RequestObject:     false,
    434. 

  434. 				ResponseObject:    false,
    435. 

  435. 				AuthorizeDecision: "allow",
    436. 

  436. 			}, {
    437. 

  437. 				Level:             auditinternal.LevelMetadata,
    438. 

  438. 				Stage:             auditinternal.StageResponseComplete,
    439. 

  439. 				RequestURI:        fmt.Sprintf("/api/v1/namespaces/%s/configmaps/audit-configmap", namespace),
    440. 

  440. 				Verb:              "patch",
    441. 

  441. 				Code:              200,
    442. 

  442. 				User:              auditTestUser,
    443. 

  443. 				Resource:          "configmaps",
    444. 

  444. 				Namespace:         namespace,
    445. 

  445. 				RequestObject:     false,
    446. 

  446. 				ResponseObject:    false,
    447. 

  447. 				AuthorizeDecision: "allow",
    448. 

  448. 			}, {
    449. 

  449. 				Level:             auditinternal.LevelMetadata,
    450. 

  450. 				Stage:             auditinternal.StageResponseComplete,
    451. 

  451. 				RequestURI:        fmt.Sprintf("/api/v1/namespaces/%s/configmaps/audit-configmap", namespace),
    452. 

  452. 				Verb:              "delete",
    453. 

  453. 				Code:              200,
    454. 

  454. 				User:              auditTestUser,
    455. 

  455. 				Resource:          "configmaps",
    456. 

  456. 				Namespace:         namespace,
    457. 

  457. 				RequestObject:     false,
    458. 

  458. 				ResponseObject:    false,
    459. 

  459. 				AuthorizeDecision: "allow",
    460. 

  460. 			},
    461. 

  461. 		})
    462. 

  462. 	})
    463. 

  463. 

  464. 	ginkgo.It("should audit API calls to create, get, update, patch, delete, list, watch secrets.", func() {
    465. 

  465. 		secret := &apiv1.Secret{
    466. 

  466. 			ObjectMeta: metav1.ObjectMeta{
    467. 

  467. 				Name: "audit-secret",
    468. 

  468. 			},
    469. 

  469. 			Data: map[string][]byte{
    470. 

  470. 				"top-secret": []byte("foo-bar"),
    471. 

  471. 			},
    472. 

  472. 		}
    473. 

  473. 		_, err := f.ClientSet.CoreV1().Secrets(namespace).Create(secret)
    474. 

  474. 		framework.ExpectNoError(err, "failed to create audit-secret")
    475. 

  475. 

  476. 		_, err = f.ClientSet.CoreV1().Secrets(namespace).Get(secret.Name, metav1.GetOptions{})
    477. 

  477. 		framework.ExpectNoError(err, "failed to get audit-secret")
    478. 

  478. 

  479. 		secretChan, err := f.ClientSet.CoreV1().Secrets(namespace).Watch(watchOptions)
    480. 

  480. 		framework.ExpectNoError(err, "failed to create watch for secrets")
    481. 

  481. 		secretChan.Stop()
    482. 

  482. 

  483. 		_, err = f.ClientSet.CoreV1().Secrets(namespace).Update(secret)
    484. 

  484. 		framework.ExpectNoError(err, "failed to update audit-secret")
    485. 

  485. 

  486. 		_, err = f.ClientSet.CoreV1().Secrets(namespace).Patch(secret.Name, types.JSONPatchType, patch)
    487. 

  487. 		framework.ExpectNoError(err, "failed to patch secret")
    488. 

  488. 

  489. 		_, err = f.ClientSet.CoreV1().Secrets(namespace).List(metav1.ListOptions{})
    490. 

  490. 		framework.ExpectNoError(err, "failed to list secrets")
    491. 

  491. 

  492. 		err = f.ClientSet.CoreV1().Secrets(namespace).Delete(secret.Name, &metav1.DeleteOptions{})
    493. 

  493. 		framework.ExpectNoError(err, "failed to delete audit-secret")
    494. 

  494. 

  495. 		expectEvents(f, []utils.AuditEvent{
    496. 

  496. 			{
    497. 

  497. 				Level:             auditinternal.LevelMetadata,
    498. 

  498. 				Stage:             auditinternal.StageResponseComplete,
    499. 

  499. 				RequestURI:        fmt.Sprintf("/api/v1/namespaces/%s/secrets", namespace),
    500. 

  500. 				Verb:              "create",
    501. 

  501. 				Code:              201,
    502. 

  502. 				User:              auditTestUser,
    503. 

  503. 				Resource:          "secrets",
    504. 

  504. 				Namespace:         namespace,
    505. 

  505. 				RequestObject:     false,
    506. 

  506. 				ResponseObject:    false,
    507. 

  507. 				AuthorizeDecision: "allow",
    508. 

  508. 			}, {
    509. 

  509. 				Level:             auditinternal.LevelMetadata,
    510. 

  510. 				Stage:             auditinternal.StageResponseComplete,
    511. 

  511. 				RequestURI:        fmt.Sprintf("/api/v1/namespaces/%s/secrets/audit-secret", namespace),
    512. 

  512. 				Verb:              "get",
    513. 

  513. 				Code:              200,
    514. 

  514. 				User:              auditTestUser,
    515. 

  515. 				Resource:          "secrets",
    516. 

  516. 				Namespace:         namespace,
    517. 

  517. 				RequestObject:     false,
    518. 

  518. 				ResponseObject:    false,
    519. 

  519. 				AuthorizeDecision: "allow",
    520. 

  520. 			}, {
    521. 

  521. 				Level:             auditinternal.LevelMetadata,
    522. 

  522. 				Stage:             auditinternal.StageResponseComplete,
    523. 

  523. 				RequestURI:        fmt.Sprintf("/api/v1/namespaces/%s/secrets", namespace),
    524. 

  524. 				Verb:              "list",
    525. 

  525. 				Code:              200,
    526. 

  526. 				User:              auditTestUser,
    527. 

  527. 				Resource:          "secrets",
    528. 

  528. 				Namespace:         namespace,
    529. 

  529. 				RequestObject:     false,
    530. 

  530. 				ResponseObject:    false,
    531. 

  531. 				AuthorizeDecision: "allow",
    532. 

  532. 			}, {
    533. 

  533. 				Level:             auditinternal.LevelMetadata,
    534. 

  534. 				Stage:             auditinternal.StageResponseStarted,
    535. 

  535. 				RequestURI:        fmt.Sprintf("/api/v1/namespaces/%s/secrets?timeout=%ds&timeoutSeconds=%d&watch=true", namespace, watchTestTimeout, watchTestTimeout),
    536. 

  536. 				Verb:              "watch",
    537. 

  537. 				Code:              200,
    538. 

  538. 				User:              auditTestUser,
    539. 

  539. 				Resource:          "secrets",
    540. 

  540. 				Namespace:         namespace,
    541. 

  541. 				RequestObject:     false,
    542. 

  542. 				ResponseObject:    false,
    543. 

  543. 				AuthorizeDecision: "allow",
    544. 

  544. 			}, {
    545. 

  545. 				Level:             auditinternal.LevelMetadata,
    546. 

  546. 				Stage:             auditinternal.StageResponseComplete,
    547. 

  547. 				RequestURI:        fmt.Sprintf("/api/v1/namespaces/%s/secrets?timeout=%ds&timeoutSeconds=%d&watch=true", namespace, watchTestTimeout, watchTestTimeout),
    548. 

  548. 				Verb:              "watch",
    549. 

  549. 				Code:              200,
    550. 

  550. 				User:              auditTestUser,
    551. 

  551. 				Resource:          "secrets",
    552. 

  552. 				Namespace:         namespace,
    553. 

  553. 				RequestObject:     false,
    554. 

  554. 				ResponseObject:    false,
    555. 

  555. 				AuthorizeDecision: "allow",
    556. 

  556. 			}, {
    557. 

  557. 				Level:             auditinternal.LevelMetadata,
    558. 

  558. 				Stage:             auditinternal.StageResponseComplete,
    559. 

  559. 				RequestURI:        fmt.Sprintf("/api/v1/namespaces/%s/secrets/audit-secret", namespace),
    560. 

  560. 				Verb:              "update",
    561. 

  561. 				Code:              200,
    562. 

  562. 				User:              auditTestUser,
    563. 

  563. 				Resource:          "secrets",
    564. 

  564. 				Namespace:         namespace,
    565. 

  565. 				RequestObject:     false,
    566. 

  566. 				ResponseObject:    false,
    567. 

  567. 				AuthorizeDecision: "allow",
    568. 

  568. 			}, {
    569. 

  569. 				Level:             auditinternal.LevelMetadata,
    570. 

  570. 				Stage:             auditinternal.StageResponseComplete,
    571. 

  571. 				RequestURI:        fmt.Sprintf("/api/v1/namespaces/%s/secrets/audit-secret", namespace),
    572. 

  572. 				Verb:              "patch",
    573. 

  573. 				Code:              200,
    574. 

  574. 				User:              auditTestUser,
    575. 

  575. 				Resource:          "secrets",
    576. 

  576. 				Namespace:         namespace,
    577. 

  577. 				RequestObject:     false,
    578. 

  578. 				ResponseObject:    false,
    579. 

  579. 				AuthorizeDecision: "allow",
    580. 

  580. 			}, {
    581. 

  581. 				Level:             auditinternal.LevelMetadata,
    582. 

  582. 				Stage:             auditinternal.StageResponseComplete,
    583. 

  583. 				RequestURI:        fmt.Sprintf("/api/v1/namespaces/%s/secrets/audit-secret", namespace),
    584. 

  584. 				Verb:              "delete",
    585. 

  585. 				Code:              200,
    586. 

  586. 				User:              auditTestUser,
    587. 

  587. 				Resource:          "secrets",
    588. 

  588. 				Namespace:         namespace,
    589. 

  589. 				RequestObject:     false,
    590. 

  590. 				ResponseObject:    false,
    591. 

  591. 				AuthorizeDecision: "allow",
    592. 

  592. 			},
    593. 

  593. 		})
    594. 

  594. 	})
    595. 

  595. 

  596. 	ginkgo.It("should audit API calls to create and delete custom resource definition.", func() {
    597. 

  597. 		config, err := framework.LoadConfig()
    598. 

  598. 		framework.ExpectNoError(err, "failed to load config")
    599. 

  599. 		apiExtensionClient, err := apiextensionclientset.NewForConfig(config)
    600. 

  600. 		framework.ExpectNoError(err, "failed to initialize apiExtensionClient")
    601. 

  601. 

  602. 		crd, err = fixtures.CreateNewCustomResourceDefinition(crd, apiExtensionClient, f.DynamicClient)
    603. 

  603. 		framework.ExpectNoError(err, "failed to create custom resource definition")
    604. 

  604. 		err = fixtures.DeleteCustomResourceDefinition(crd, apiExtensionClient)
    605. 

  605. 		framework.ExpectNoError(err, "failed to delete custom resource definition")
    606. 

  606. 

  607. 		expectEvents(f, []utils.AuditEvent{
    608. 

  608. 			{
    609. 

  609. 				Level:             auditinternal.LevelRequestResponse,
    610. 

  610. 				Stage:             auditinternal.StageResponseComplete,
    611. 

  611. 				RequestURI:        "/apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions",
    612. 

  612. 				Verb:              "create",
    613. 

  613. 				Code:              201,
    614. 

  614. 				User:              auditTestUser,
    615. 

  615. 				Resource:          "customresourcedefinitions",
    616. 

  616. 				RequestObject:     true,
    617. 

  617. 				ResponseObject:    true,
    618. 

  618. 				AuthorizeDecision: "allow",
    619. 

  619. 			}, {
    620. 

  620. 				Level:             auditinternal.LevelMetadata,
    621. 

  621. 				Stage:             auditinternal.StageResponseComplete,
    622. 

  622. 				RequestURI:        fmt.Sprintf("/apis/%s/v1beta1/%s", crdNamespace, crdName),
    623. 

  623. 				Verb:              "create",
    624. 

  624. 				Code:              201,
    625. 

  625. 				User:              auditTestUser,
    626. 

  626. 				Resource:          crdName,
    627. 

  627. 				RequestObject:     false,
    628. 

  628. 				ResponseObject:    false,
    629. 

  629. 				AuthorizeDecision: "allow",
    630. 

  630. 			}, {
    631. 

  631. 				Level:             auditinternal.LevelRequestResponse,
    632. 

  632. 				Stage:             auditinternal.StageResponseComplete,
    633. 

  633. 				RequestURI:        fmt.Sprintf("/apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/%s", crd.Name),
    634. 

  634. 				Verb:              "delete",
    635. 

  635. 				Code:              200,
    636. 

  636. 				User:              auditTestUser,
    637. 

  637. 				Resource:          "customresourcedefinitions",
    638. 

  638. 				RequestObject:     false,
    639. 

  639. 				ResponseObject:    true,
    640. 

  640. 				AuthorizeDecision: "allow",
    641. 

  641. 			}, {
    642. 

  642. 				Level:             auditinternal.LevelMetadata,
    643. 

  643. 				Stage:             auditinternal.StageResponseComplete,
    644. 

  644. 				RequestURI:        fmt.Sprintf("/apis/%s/v1beta1/%s/setup-instance", crdNamespace, crdName),
    645. 

  645. 				Verb:              "delete",
    646. 

  646. 				Code:              200,
    647. 

  647. 				User:              auditTestUser,
    648. 

  648. 				Resource:          crdName,
    649. 

  649. 				RequestObject:     false,
    650. 

  650. 				ResponseObject:    false,
    651. 

  651. 				AuthorizeDecision: "allow",
    652. 

  652. 			},
    653. 

  653. 		})
    654. 

  654. 	})
    655. 

  655. 

  656. 	// test authorizer annotations, RBAC is required.
    657. 

  657. 	ginkgo.It("should audit API calls to get a pod with unauthorized user.", func() {
    658. 

  658. 		if !auth.IsRBACEnabled(f.ClientSet.RbacV1beta1()) {
    659. 

  659. 			framework.Skipf("RBAC not enabled.")
    660. 

  660. 		}
    661. 

  661. 

  662. 		ginkgo.By("Creating a kubernetes client that impersonates an unauthorized anonymous user")
    663. 

  663. 		config, err := framework.LoadConfig()
    664. 

  664. 		framework.ExpectNoError(err)
    665. 

  665. 		config.Impersonate = restclient.ImpersonationConfig{
    666. 

  666. 			UserName: "system:anonymous",
    667. 

  667. 			Groups:   []string{"system:unauthenticated"},
    668. 

  668. 		}
    669. 

  669. 		anonymousClient, err := clientset.NewForConfig(config)
    670. 

  670. 		framework.ExpectNoError(err)
    671. 

  671. 

  672. 		_, err = anonymousClient.CoreV1().Pods(namespace).Get("another-audit-pod", metav1.GetOptions{})
    673. 

  673. 		expectForbidden(err)
    674. 

  674. 

  675. 		expectEvents(f, []utils.AuditEvent{
    676. 

  676. 			{
    677. 

  677. 				Level:              auditinternal.LevelRequest,
    678. 

  678. 				Stage:              auditinternal.StageResponseComplete,
    679. 

  679. 				RequestURI:         fmt.Sprintf("/api/v1/namespaces/%s/pods/another-audit-pod", namespace),
    680. 

  680. 				Verb:               "get",
    681. 

  681. 				Code:               403,
    682. 

  682. 				User:               auditTestUser,
    683. 

  683. 				ImpersonatedUser:   "system:anonymous",
    684. 

  684. 				ImpersonatedGroups: "system:unauthenticated",
    685. 

  685. 				Resource:           "pods",
    686. 

  686. 				Namespace:          namespace,
    687. 

  687. 				RequestObject:      false,
    688. 

  688. 				ResponseObject:     false,
    689. 

  689. 				AuthorizeDecision:  "forbid",
    690. 

  690. 			},
    691. 

  691. 		})
    692. 

  692. 	})
    693. 

  693. 

  694. 	ginkgo.It("should list pods as impersonated user.", func() {
    695. 

  695. 		ginkgo.By("Creating a kubernetes client that impersonates an authorized user")
    696. 

  696. 		config, err := framework.LoadConfig()
    697. 

  697. 		framework.ExpectNoError(err)
    698. 

  698. 		config.Impersonate = restclient.ImpersonationConfig{
    699. 

  699. 			UserName: "superman",
    700. 

  700. 			Groups:   []string{"system:masters"},
    701. 

  701. 		}
    702. 

  702. 		impersonatedClient, err := clientset.NewForConfig(config)
    703. 

  703. 		framework.ExpectNoError(err)
    704. 

  704. 

  705. 		_, err = impersonatedClient.CoreV1().Pods(namespace).List(metav1.ListOptions{})
    706. 

  706. 		framework.ExpectNoError(err, "failed to list pods")
    707. 

  707. 

  708. 		expectEvents(f, []utils.AuditEvent{
    709. 

  709. 			{
    710. 

  710. 				Level:              auditinternal.LevelRequest,
    711. 

  711. 				Stage:              auditinternal.StageResponseComplete,
    712. 

  712. 				RequestURI:         fmt.Sprintf("/api/v1/namespaces/%s/pods", namespace),
    713. 

  713. 				Verb:               "list",
    714. 

  714. 				Code:               200,
    715. 

  715. 				User:               auditTestUser,
    716. 

  716. 				ImpersonatedUser:   "superman",
    717. 

  717. 				ImpersonatedGroups: "system:masters",
    718. 

  718. 				Resource:           "pods",
    719. 

  719. 				Namespace:          namespace,
    720. 

  720. 				RequestObject:      false,
    721. 

  721. 				ResponseObject:     false,
    722. 

  722. 				AuthorizeDecision:  "allow",
    723. 

  723. 			},
    724. 

  724. 		})
    725. 

  725. 	})
    726. 

  726. 

  727. })
    728. 

  728. 

  729. func expectEvents(f *framework.Framework, expectedEvents []utils.AuditEvent) {
    730. 

  730. 	// The default flush timeout is 30 seconds, therefore it should be enough to retry once
    731. 

  731. 	// to find all expected events. However, we're waiting for 5 minutes to avoid flakes.
    732. 

  732. 	pollingInterval := 30 * time.Second
    733. 

  733. 	pollingTimeout := 5 * time.Minute
    734. 

  734. 	err := wait.Poll(pollingInterval, pollingTimeout, func() (bool, error) {
    735. 

  735. 		// Fetch the log stream.
    736. 

  736. 		stream, err := f.ClientSet.CoreV1().RESTClient().Get().AbsPath("/logs/kube-apiserver-audit.log").Stream()
    737. 

  737. 		if err != nil {
    738. 

  738. 			return false, err
    739. 

  739. 		}
    740. 

  740. 		defer stream.Close()
    741. 

  741. 		missingReport, err := utils.CheckAuditLines(stream, expectedEvents, auditv1.SchemeGroupVersion)
    742. 

  742. 		if err != nil {
    743. 

  743. 			e2elog.Logf("Failed to observe audit events: %v", err)
    744. 

  744. 		} else if len(missingReport.MissingEvents) > 0 {
    745. 

  745. 			e2elog.Logf(missingReport.String())
    746. 

  746. 		}
    747. 

  747. 		return len(missingReport.MissingEvents) == 0, nil
    748. 

  748. 	})
    749. 

  749. 	framework.ExpectNoError(err, "after %v failed to observe audit events", pollingTimeout)
    750. 

  750. }
    751. 

  751.