Home Explore Help
Sign In
tzeneto
/
custom-kube-scheduler
Watch 1
Star 0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: d09a286d62
Branches Tags
custom-kube-...
/
kubernetes-v1.15.4
/
test
/
integration
/
master
/
audit_dynamic_test.go

audit_dynamic_test.go 10.0 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283 
  1. /*
    2. 

  2. Copyright 2018 The Kubernetes Authors.
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     http://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package master
    18. 

  18. 

  19. import (
    20. 

  20. 	"fmt"
    21. 

  21. 	"sync"
    22. 

  22. 	"sync/atomic"
    23. 

  23. 	"testing"
    24. 

  24. 	"time"
    25. 

  25. 

  26. 	"github.com/stretchr/testify/require"
    27. 

  27. 

  28. 	"k8s.io/apimachinery/pkg/api/errors"
    29. 

  29. 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    30. 

  30. 	"k8s.io/apimachinery/pkg/util/wait"
    31. 

  31. 	auditinternal "k8s.io/apiserver/pkg/apis/audit"
    32. 

  32. 	"k8s.io/apiserver/pkg/features"
    33. 

  33. 	utilfeature "k8s.io/apiserver/pkg/util/feature"
    34. 

  34. 	"k8s.io/client-go/kubernetes"
    35. 

  35. 	featuregatetesting "k8s.io/component-base/featuregate/testing"
    36. 

  36. 	"k8s.io/kubernetes/cmd/kube-apiserver/app/options"
    37. 

  37. 	"k8s.io/kubernetes/test/integration/framework"
    38. 

  38. 	"k8s.io/kubernetes/test/utils"
    39. 

  39. )
    40. 

  40. 

  41. // TestDynamicAudit ensures that v1alpha of the auditregistration api works
    42. 

  42. func TestDynamicAudit(t *testing.T) {
    43. 

  43. 	// start api server
    44. 

  44. 	stopCh := make(chan struct{})
    45. 

  45. 	defer close(stopCh)
    46. 

  46. 

  47. 	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DynamicAuditing, true)()
    48. 

  48. 	kubeclient, _ := framework.StartTestServer(t, stopCh, framework.TestServerSetup{
    49. 

  49. 		ModifyServerRunOptions: func(opts *options.ServerRunOptions) {
    50. 

  50. 			opts.Audit.DynamicOptions.Enabled = true
    51. 

  51. 			// set max batch size so the buffers flush immediately
    52. 

  52. 			opts.Audit.DynamicOptions.BatchConfig.MaxBatchSize = 1
    53. 

  53. 			opts.APIEnablement.RuntimeConfig.Set("auditregistration.k8s.io/v1alpha1=true")
    54. 

  54. 		},
    55. 

  55. 	})
    56. 

  56. 

  57. 	// create test sinks
    58. 

  58. 	testServer1 := utils.NewAuditTestServer(t, "test1")
    59. 

  59. 	defer testServer1.Close()
    60. 

  60. 	testServer2 := utils.NewAuditTestServer(t, "test2")
    61. 

  61. 	defer testServer2.Close()
    62. 

  62. 

  63. 	// check that servers are healthy
    64. 

  64. 	require.NoError(t, testServer1.Health(), "server1 never became healthy")
    65. 

  65. 	require.NoError(t, testServer2.Health(), "server2 never became healthy")
    66. 

  66. 

  67. 	// build AuditSink configurations
    68. 

  68. 	sinkConfig1 := testServer1.BuildSinkConfiguration()
    69. 

  69. 	sinkConfig2 := testServer2.BuildSinkConfiguration()
    70. 

  70. 

  71. 	// test creates a single audit sink, generates audit events, and ensures they arrive at the server
    72. 

  72. 	success := t.Run("one sink", func(t *testing.T) {
    73. 

  73. 		_, err := kubeclient.AuditregistrationV1alpha1().AuditSinks().Create(sinkConfig1)
    74. 

  74. 		require.NoError(t, err, "failed to create audit sink1")
    75. 

  75. 		t.Log("created audit sink1")
    76. 

  76. 

  77. 		// verify sink is ready
    78. 

  78. 		sinkHealth(t, kubeclient, testServer1)
    79. 

  79. 

  80. 		// perform configmap ops
    81. 

  81. 		configMapOperations(t, kubeclient)
    82. 

  82. 

  83. 		// check for corresponding events
    84. 

  84. 		missing, err := testServer1.WaitForEvents(expectedEvents)
    85. 

  85. 		require.NoError(t, err, "failed to match all expected events for server1, events %#v not found", missing)
    86. 

  86. 	})
    87. 

  87. 	require.True(t, success) // propagate failure
    88. 

  88. 

  89. 	// test creates a second audit sink, generates audit events, and ensures events arrive in both servers
    90. 

  90. 	success = t.Run("two sink", func(t *testing.T) {
    91. 

  91. 		_, err := kubeclient.AuditregistrationV1alpha1().AuditSinks().Create(sinkConfig2)
    92. 

  92. 		require.NoError(t, err, "failed to create audit sink2")
    93. 

  93. 		t.Log("created audit sink2")
    94. 

  94. 

  95. 		// verify both sinks are ready
    96. 

  96. 		sinkHealth(t, kubeclient, testServer1, testServer2)
    97. 

  97. 

  98. 		// perform configmap ops
    99. 

  99. 		configMapOperations(t, kubeclient)
    100. 

  100. 

  101. 		// check for corresponding events in both sinks
    102. 

  102. 		missing, err := testServer1.WaitForEvents(expectedEvents)
    103. 

  103. 		require.NoError(t, err, "failed to match all expected events for server1, events %#v not found", missing)
    104. 

  104. 		missing, err = testServer2.WaitForEvents(expectedEvents)
    105. 

  105. 		require.NoError(t, err, "failed to match all expected events for server2, events %#v not found", missing)
    106. 

  106. 	})
    107. 

  107. 	require.True(t, success) // propagate failure
    108. 

  108. 

  109. 	// test deletes an audit sink, generates audit events, and ensures they don't arrive in the corresponding server
    110. 

  110. 	success = t.Run("delete sink", func(t *testing.T) {
    111. 

  111. 		err := kubeclient.AuditregistrationV1alpha1().AuditSinks().Delete(sinkConfig2.Name, &metav1.DeleteOptions{})
    112. 

  112. 		require.NoError(t, err, "failed to delete audit sink2")
    113. 

  113. 		t.Log("deleted audit sink2")
    114. 

  114. 

  115. 		var finalErr error
    116. 

  116. 		err = wait.PollImmediate(100*time.Millisecond, wait.ForeverTestTimeout, func() (bool, error) {
    117. 

  117. 			// reset event lists
    118. 

  118. 			testServer1.ResetEventList()
    119. 

  119. 			testServer2.ResetEventList()
    120. 

  120. 

  121. 			// perform configmap ops
    122. 

  122. 			configMapOperations(t, kubeclient)
    123. 

  123. 

  124. 			// check for corresponding events in server1
    125. 

  125. 			missing, err := testServer1.WaitForEvents(expectedEvents)
    126. 

  126. 			if err != nil {
    127. 

  127. 				finalErr = fmt.Errorf("%v: failed to match all expected events for server1, events %#v not found", err, missing)
    128. 

  128. 				return false, nil
    129. 

  129. 			}
    130. 

  130. 

  131. 			// check that server2 is empty
    132. 

  132. 			if len(testServer2.GetEventList().Items) != 0 {
    133. 

  133. 				finalErr = fmt.Errorf("server2 event list should be empty")
    134. 

  134. 				return false, nil
    135. 

  135. 			}
    136. 

  136. 			return true, nil
    137. 

  137. 		})
    138. 

  138. 		require.NoError(t, err, finalErr)
    139. 

  139. 	})
    140. 

  140. 	require.True(t, success) // propagate failure
    141. 

  141. 

  142. 	// This test will run a background process that generates audit events sending them to a sink.
    143. 

  143. 	// Whilst that generation is occurring, the sink is updated to point to a different server.
    144. 

  144. 	// The test checks that no events are lost or duplicated during the update.
    145. 

  145. 	t.Run("update sink", func(t *testing.T) {
    146. 

  146. 		// fetch sink1 config
    147. 

  147. 		sink1, err := kubeclient.AuditregistrationV1alpha1().AuditSinks().Get(sinkConfig1.Name, metav1.GetOptions{})
    148. 

  148. 		require.NoError(t, err)
    149. 

  149. 

  150. 		// reset event lists
    151. 

  151. 		testServer1.ResetEventList()
    152. 

  152. 		testServer2.ResetEventList()
    153. 

  153. 

  154. 		// run operations in background
    155. 

  155. 		stopChan := make(chan struct{})
    156. 

  156. 		expectedEvents := &atomic.Value{}
    157. 

  157. 		expectedEvents.Store([]utils.AuditEvent{})
    158. 

  158. 		wg := &sync.WaitGroup{}
    159. 

  159. 		wg.Add(1)
    160. 

  160. 		go asyncOps(stopChan, wg, kubeclient, expectedEvents)
    161. 

  161. 

  162. 		// check to see that at least 20 events have arrived in server1
    163. 

  163. 		err = testServer1.WaitForNumEvents(20)
    164. 

  164. 		require.NoError(t, err, "failed to find enough events in server1")
    165. 

  165. 

  166. 		// check that no events are in server 2 yet
    167. 

  167. 		require.Len(t, testServer2.GetEventList().Items, 0, "server2 should not have events yet")
    168. 

  168. 

  169. 		// update the url
    170. 

  170. 		sink1.Spec.Webhook.ClientConfig.URL = &testServer2.Server.URL
    171. 

  171. 		_, err = kubeclient.AuditregistrationV1alpha1().AuditSinks().Update(sink1)
    172. 

  172. 		require.NoError(t, err, "failed to update audit sink1")
    173. 

  173. 		t.Log("updated audit sink1 to point to server2")
    174. 

  174. 

  175. 		// check that at least 20 events have arrived in server2
    176. 

  176. 		err = testServer2.WaitForNumEvents(20)
    177. 

  177. 		require.NoError(t, err, "failed to find enough events in server2")
    178. 

  178. 

  179. 		// stop the operations and ensure they have finished
    180. 

  180. 		close(stopChan)
    181. 

  181. 		wg.Wait()
    182. 

  182. 

  183. 		// check that the final events have arrived
    184. 

  184. 		expected := expectedEvents.Load().([]utils.AuditEvent)
    185. 

  185. 		missing, err := testServer2.WaitForEvents(expected[len(expected)-4:])
    186. 

  186. 		require.NoError(t, err, "failed to find the final events in server2, events %#v not found", missing)
    187. 

  187. 

  188. 		// combine the event lists
    189. 

  189. 		el1 := testServer1.GetEventList()
    190. 

  190. 		el2 := testServer2.GetEventList()
    191. 

  191. 		combinedList := auditinternal.EventList{}
    192. 

  192. 		combinedList.Items = append(el1.Items, el2.Items...)
    193. 

  193. 

  194. 		// check that there are no duplicate events
    195. 

  195. 		dups, err := utils.CheckForDuplicates(combinedList)
    196. 

  196. 		require.NoError(t, err, "duplicate events found: %#v", dups)
    197. 

  197. 

  198. 		// check that no events are missing
    199. 

  199. 		missing, err = utils.CheckAuditList(combinedList, expected)
    200. 

  200. 		require.NoError(t, err, "failed to match all expected events: %#v not found", missing)
    201. 

  201. 	})
    202. 

  202. }
    203. 

  203. 

  204. // sinkHealth checks if sinks are running by verifying that uniquely identified events are found
    205. 

  205. // in the given servers
    206. 

  206. func sinkHealth(t *testing.T, kubeclient kubernetes.Interface, servers ...*utils.AuditTestServer) {
    207. 

  207. 	var missing []utils.AuditEvent
    208. 

  208. 	i := 0
    209. 

  209. 	var finalErr error
    210. 

  210. 	err := wait.PollImmediate(50*time.Millisecond, wait.ForeverTestTimeout, func() (bool, error) {
    211. 

  211. 		i++
    212. 

  212. 		name := fmt.Sprintf("health-%d-%d", i, time.Now().UnixNano())
    213. 

  213. 		expected, err := simpleOp(name, kubeclient)
    214. 

  214. 		require.NoError(t, err, "could not perform config map operations")
    215. 

  215. 

  216. 		// check that all given servers have received events
    217. 

  217. 		for _, server := range servers {
    218. 

  218. 			missing, err = server.WaitForEvents(expected)
    219. 

  219. 			if err != nil {
    220. 

  220. 				finalErr = fmt.Errorf("not all events found in %s health check: missing %#v", server.Name, missing)
    221. 

  221. 				return false, nil
    222. 

  222. 			}
    223. 

  223. 			server.ResetEventList()
    224. 

  224. 		}
    225. 

  225. 		return true, nil
    226. 

  226. 	})
    227. 

  227. 	require.NoError(t, err, finalErr)
    228. 

  228. }
    229. 

  229. 

  230. // simpleOp is a function that simply tries to get a configmap with the given name and returns the
    231. 

  231. // corresponding expected audit event
    232. 

  232. func simpleOp(name string, kubeclient kubernetes.Interface) ([]utils.AuditEvent, error) {
    233. 

  233. 	_, err := kubeclient.CoreV1().ConfigMaps(namespace).Get(name, metav1.GetOptions{})
    234. 

  234. 	if err != nil && !errors.IsNotFound(err) {
    235. 

  235. 		return nil, err
    236. 

  236. 	}
    237. 

  237. 

  238. 	expectedEvents := []utils.AuditEvent{
    239. 

  239. 		{
    240. 

  240. 			Level:             auditinternal.LevelRequestResponse,
    241. 

  241. 			Stage:             auditinternal.StageResponseComplete,
    242. 

  242. 			RequestURI:        fmt.Sprintf("/api/v1/namespaces/%s/configmaps/%s", namespace, name),
    243. 

  243. 			Verb:              "get",
    244. 

  244. 			Code:              404,
    245. 

  245. 			User:              auditTestUser,
    246. 

  246. 			Resource:          "configmaps",
    247. 

  247. 			Namespace:         namespace,
    248. 

  248. 			RequestObject:     false,
    249. 

  249. 			ResponseObject:    true,
    250. 

  250. 			AuthorizeDecision: "allow",
    251. 

  251. 		},
    252. 

  252. 	}
    253. 

  253. 	return expectedEvents, nil
    254. 

  254. }
    255. 

  255. 

  256. // asyncOps runs the simpleOp function until the stopChan is closed updating
    257. 

  257. // the expected atomic events list
    258. 

  258. func asyncOps(
    259. 

  259. 	stopChan <-chan struct{},
    260. 

  260. 	wg *sync.WaitGroup,
    261. 

  261. 	kubeclient kubernetes.Interface,
    262. 

  262. 	expected *atomic.Value,
    263. 

  263. ) {
    264. 

  264. 	for i := 0; ; i++ {
    265. 

  265. 		select {
    266. 

  266. 		case <-stopChan:
    267. 

  267. 			wg.Done()
    268. 

  268. 			return
    269. 

  269. 		default:
    270. 

  270. 			name := fmt.Sprintf("health-%d-%d", i, time.Now().UnixNano())
    271. 

  271. 			exp, err := simpleOp(name, kubeclient)
    272. 

  272. 			if err != nil {
    273. 

  273. 				// retry on errors
    274. 

  274. 				continue
    275. 

  275. 			}
    276. 

  276. 			e := expected.Load().([]utils.AuditEvent)
    277. 

  277. 			evList := []utils.AuditEvent{}
    278. 

  278. 			evList = append(e, exp...)
    279. 

  279. 			expected.Store(evList)
    280. 

  280. 		}
    281. 

  281. 	}
    282. 

  282. }
    283. 

  283.