From 8399557acd40bd155c5cdb2260d04be14223515d Mon Sep 17 00:00:00 2001
From: Maciej Szulik
Date: Fri, 2 Mar 2018 16:44:04 +0100
Subject: [PATCH 1/2] Register audit/v1beta1 for master config

---
 pkg/cmd/server/apis/config/install/install.go   | 2 ++
 pkg/cmd/server/apis/config/validation/master.go | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/pkg/cmd/server/apis/config/install/install.go b/pkg/cmd/server/apis/config/install/install.go
index ef44960a9a4f..4da6a3e1256e 100644
--- a/pkg/cmd/server/apis/config/install/install.go
+++ b/pkg/cmd/server/apis/config/install/install.go
@@ -10,6 +10,7 @@ import (
 	apiserverv1alpha1 "k8s.io/apiserver/pkg/apis/apiserver/v1alpha1"
 	"k8s.io/apiserver/pkg/apis/audit"
 	auditv1alpha1 "k8s.io/apiserver/pkg/apis/audit/v1alpha1"
+	auditv1beta1 "k8s.io/apiserver/pkg/apis/audit/v1beta1"
 
 	configapi "github.com/openshift/origin/pkg/cmd/server/apis/config"
 	configapiv1 "github.com/openshift/origin/pkg/cmd/server/apis/config/v1"
@@ -40,6 +41,7 @@ func AddToScheme(scheme *runtime.Scheme) {
 	// policy file inside master-config.yaml
 	audit.AddToScheme(scheme)
 	auditv1alpha1.AddToScheme(scheme)
+	auditv1beta1.AddToScheme(scheme)
 	apiserver.AddToScheme(scheme)
 	apiserverv1alpha1.AddToScheme(scheme)
 }
diff --git a/pkg/cmd/server/apis/config/validation/master.go b/pkg/cmd/server/apis/config/validation/master.go
index 6a2b45ff054d..e881287637dd 100644
--- a/pkg/cmd/server/apis/config/validation/master.go
+++ b/pkg/cmd/server/apis/config/validation/master.go
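Review bot: The result of the new `auditv1beta1.AddToScheme(scheme)` call is discarded, as it is for its neighbours, so if this vendored apiserver's `AddToScheme` returns an error (a kind/version conflict between the alpha and beta audit types, for instance) the master keeps starting and the problem only surfaces later as an opaque decode or validation failure on the policy. Registration of the audit API is what lets the configured policy be decoded at all, so it is worth failing fast here: wrap the audit registrations in a `Must`-style check (k8s.io/apimachinery's `utilruntime.Must(...)` is the usual helper — confirm it is available in this tree) rather than dropping the error. The comment above the block, whose first line sits outside the hunk, should also say why two versions are registered, e.g. `// register audit.k8s.io v1alpha1 and v1beta1 so a policy file in either version decodes into the internal Policy`.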
@@ -242,7 +242,7 @@ func ValidateAuditConfig(config configapi.AuditConfig, fldPath *field.Path) Vali
 	} else {
 		policyConfiguration, ok := config.PolicyConfiguration.(*auditinternal.Policy)
 		if !ok {
-			validationResults.AddErrors(field.Invalid(fldPath.Child("policyConfiguration"), config.PolicyConfiguration, "must be of type audit/v1alpha1.Policy"))
+			validationResults.AddErrors(field.Invalid(fldPath.Child("policyConfiguration"), config.PolicyConfiguration, "must be of type audit/v1beta1.Policy"))
 		} else {
 			if err := auditvalidation.ValidatePolicy(policyConfiguration); err != nil {
 				validationResults.AddErrors(field.Invalid(fldPath.Child("policyConfiguration"), config.PolicyConfiguration, err.ToAggregate().Error()))

From 5f1baf8a668a4da6b71d02c0685be42990d89624 Mon Sep 17 00:00:00 2001
From: Maciej Szulik
Date: Mon, 5 Mar 2018 12:13:46 +0100
Subject: [PATCH 2/2] Additional audit tests

---
 test/integration/audit_test.go | 69 ++++++++++++++++++++++++++++++++--
 1 file changed, 66 insertions(+), 3 deletions(-)

diff --git a/test/integration/audit_test.go b/test/integration/audit_test.go
index 462d11b80f64..ea6a54129b6f 100644
--- a/test/integration/audit_test.go
+++ b/test/integration/audit_test.go
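Review bot: The reworded message names `audit/v1beta1.Policy`, but the assertion it reports on is against the internal `*auditinternal.Policy`, which is what both the v1alpha1 and the newly registered v1beta1 decoders produce; an embedded policy written as v1alpha1 still passes this check, so the message overstates the requirement just as the v1alpha1 wording did before. Prefer a version-neutral message such as `"must be an audit.k8s.io Policy (v1alpha1 or v1beta1)"`, or build it from the versions the scheme actually registers so it cannot drift again. This type assertion is the only gate between a mistyped `policyConfiguration` and `ValidatePolicy`, so keeping it a hard error via `AddErrors` (as the hunk does) is the right call — the audit policy must not be silently ignored. `ValidateAuditConfig` starts and ends outside the hunk.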
@@ -1,21 +1,25 @@
 package integration
 
 import (
+	"io/ioutil"
+	"os"
 	"testing"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apiserver/pkg/apis/audit"
 	kclientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
 
+	configapi "github.com/openshift/origin/pkg/cmd/server/apis/config"
 	testutil "github.com/openshift/origin/test/util"
 	testserver "github.com/openshift/origin/test/util/server"
 )
 
-func setupAuditTest(t *testing.T) (kclientset.Interface, func()) {
+func setupAudit(t *testing.T, auditConfig configapi.AuditConfig) (kclientset.Interface, func()) {
 	masterConfig, err := testserver.DefaultMasterOptions()
 	if err != nil {
 		t.Fatalf("error creating config: %v", err)
 	}
-	masterConfig.AuditConfig.Enabled = true
+	masterConfig.AuditConfig = auditConfig
 	kubeConfigFile, err := testserver.StartConfiguredMasterAPI(masterConfig)
 	if err != nil {
 		t.Fatalf("error starting server: %v", err)
@@ -30,7 +34,7 @@ func setupAuditTest(t *testing.T) (kclientset.Interface, func()) {
 }
 
 func TestBasicFunctionalityWithAudit(t *testing.T) {
-	kubeClient, fn := setupAuditTest(t)
+	kubeClient, fn := setupAudit(t, configapi.AuditConfig{Enabled: true})
 	defer fn()
 
 	if _, err := kubeClient.Core().Pods(metav1.NamespaceDefault).Watch(metav1.ListOptions{}); err != nil {
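Review bot: `masterConfig.AuditConfig = auditConfig` overwrites the whole struct that `testserver.DefaultMasterOptions()` produced, whereas the removed line only flipped `Enabled`; any audit field the defaults populate (an output path or rotation settings, presumably — not visible here) is now zeroed unless each caller spells it out, so `configapi.AuditConfig{Enabled: true}` may no longer mean "the default audit config, switched on". If those defaults matter for where audit records land, merge the caller's fields onto the default instead of replacing it; otherwise make the contract explicit with a doc comment on the helper: `// setupAudit starts a master whose AuditConfig is exactly auditConfig; the audit settings from DefaultMasterOptions are discarded.` `setupAudit`'s return and its cleanup closure lie below the hunk.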
@@ -39,3 +43,62 @@ func TestBasicFunctionalityWithAudit(t *testing.T) {
 
 	// TODO: test oc debug, exec, rsh, port-forward
 }
+
+func TestAuditConfigEmbeded(t *testing.T) {
+	auditConfig := configapi.AuditConfig{
+		Enabled: true,
+		PolicyConfiguration: &audit.Policy{
+			Rules: []audit.PolicyRule{
+				{Level: audit.LevelMetadata},
+			},
+		},
+	}
+	kubeClient, fn := setupAudit(t, auditConfig)
+	defer fn()
+
+	if _, err := kubeClient.Core().Pods(metav1.NamespaceDefault).Watch(metav1.ListOptions{}); err != nil {
+		t.Errorf("Unexpected error watching pods: %v", err)
+	}
+}
+
+func TestAuditConfigV1Alpha1File(t *testing.T) {
+	testAuditConfigFile(t, []byte(`
+apiVersion: audit.k8s.io/v1alpha1
+kind: Policy
+rules:
+- level: Metadata
+`))
+}
+
+func TestAuditConfigV1Beta1File(t *testing.T) {
+	testAuditConfigFile(t, []byte(`
+apiVersion: audit.k8s.io/v1beta1
+kind: Policy
+rules:
+- level: Metadata
+`))
+}
+
+func testAuditConfigFile(t *testing.T, policy []byte) {
+	tmp, err := ioutil.TempFile("", "audit-policy")
+	if err != nil {
+		t.Fatalf("Cannot create a temporary file: %v", err)
+	}
+	defer os.Remove(tmp.Name())
+	if _, err := tmp.Write(policy); err != nil {
+		t.Fatalf("Cannot write to a temporary file: %v", err)
+	}
+	if err := tmp.Close(); err != nil {
+		t.Fatalf("Cannot close a temporary file: %v", err)
+	}
+	auditConfig := configapi.AuditConfig{
+		Enabled: true,
+		PolicyFile: tmp.Name(),
+	}
+	kubeClient, fn := setupAudit(t, auditConfig)
+	defer fn()
+
+	if _, err := kubeClient.Core().Pods(metav1.NamespaceDefault).Watch(metav1.ListOptions{}); err != nil {
+		t.Errorf("Unexpected error watching pods: %v", err)
+	}
+}
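Review bot: None of the three new tests checks that an audit event is actually produced: each only asserts that the pods `Watch` call returns without error, which is equally true with auditing disabled or with a policy that decoded to zero rules, so a regression that silently drops the v1beta1 policy would still pass. After the watch, read back whatever the master writes for audit (the output location is set through `auditConfig` — field name to confirm) and assert one record at `Metadata` level for that request, and add a negative case with an unsupported `apiVersion` in the policy file that expects startup or validation to fail, through a helper that returns the error instead of calling `t.Fatalf`, so the fail-closed behaviour is pinned. The `watch.Interface` returned by `Watch` is discarded in all three tests; bind it and `defer w.Stop()` so the server-side watch is released before the cleanup closure tears the master down. `TestAuditConfigEmbeded` is misspelled — `TestAuditConfigEmbedded`.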