Audits in the Kube API server #48
Comments
Explain how to inject and extract request-scoped data with contexts

```go
package main

import (
	"context"
	"fmt"
)

// Two distinct unexported key types. Each const declaration below restarts
// iota at 0, so both keys have the value 0, but as interface values they
// differ by dynamic type and therefore never collide inside a Context.
type key int
type keyAlso int

// A key identifies a specific value in a Context. Functions that wish
// to store values in Context typically allocate a key in a global
// variable then use that key as the argument to context.WithValue and
// Context.Value. A key can be any type that supports equality;
// packages should define keys as an unexported type to avoid
// collisions.
//
// xref: https://godoc.org/context#Context
//
// The provided key must be comparable and should not be of type string
// or any other built-in type to avoid collisions between packages using
// context. Users of WithValue should define their own types for keys.
// To avoid allocating when assigning to an interface{}, context keys
// often have concrete type struct{}. Alternatively, exported context
// key variables' static type should be a pointer or interface.
//
// xref: https://godoc.org/context#WithValue
const auditAnnotationsKey key = iota
const namespaceKey keyAlso = iota

// auditAnnotation is the request-scoped value stored under auditAnnotationsKey.
type auditAnnotation struct {
	op       string
	resource string
}

func main() {
	fmt.Println("auditAnnotationsKey: ", auditAnnotationsKey)
	fmt.Println("namespaceKey: ", namespaceKey)

	ctx := context.Background()
	fmt.Printf("empty context: %#v\n", ctx)

	// Injection: each helper returns a child context carrying one value.
	withAuditAnnotations := func(ictx context.Context) context.Context {
		a1 := auditAnnotation{op: "CREATE", resource: "POD"}
		return context.WithValue(ictx, auditAnnotationsKey, &a1)
	}
	withNamespace := func(ictx context.Context) context.Context {
		return context.WithValue(ictx, namespaceKey, "default")
	}

	ctx = withAuditAnnotations(ctx)
	fmt.Printf("context with audit annotation: %#v\n", ctx)
	ctx = withNamespace(ctx)
	fmt.Printf("context with namespace: %#v\n", ctx)

	// Extraction: the type assertion's ok flag reports whether the value
	// was present (and of the expected type), so callers never panic.
	namespaceFrom := func(ictx context.Context) (string, bool) {
		namespace, ok := ictx.Value(namespaceKey).(string)
		return namespace, ok
	}
	auditAnnotationFrom := func(ictx context.Context) (*auditAnnotation, bool) {
		annotations, ok := ictx.Value(auditAnnotationsKey).(*auditAnnotation)
		return annotations, ok
	}

	ns, ok1 := namespaceFrom(ctx)
	audit, ok2 := auditAnnotationFrom(ctx)
	fmt.Printf("context namespace: %#v %#v\n", ns, ok1)
	fmt.Printf("context audit annotations: %#v %#v\n", audit, ok2)
}
```
The above works because
This may be a good place to follow up with filters and what goes on with the audit policies https://github.com/kubernetes/kubernetes/pull/94903/files
So it is possible to audit the Kube API server: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/ .
The API server builds audit events from the source code in https://github.com/kubernetes/kubernetes/tree/master/staging/src/k8s.io/apiserver/pkg/audit
The cool thing that happens is that
https://github.com/kubernetes/kubernetes/blob/f5a0250800309017e667e82067d704b6ed28513a/staging/src/k8s.io/apiserver/pkg/endpoints/filters/audit_annotations.go#L22-L39
the API server surfaces a function which decorates an HTTP handler. The decorated HTTP handler injects an audit annotation slice into the incoming request's context. The audit annotation is implemented as follows: https://github.com/kubernetes/kubernetes/blob/f5a0250800309017e667e82067d704b6ed28513a/staging/src/k8s.io/apiserver/pkg/audit/context.go#L49-L50
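As an added illustration of the decorator pattern described in the issue (a filter that injects audit-annotation storage into the request context, so that later handlers can annotate and the filter can read the result back), and of why the distinct unexported key types in the comment above cannot collide, here is a self-contained Go example. It is not the kube-apiserver's code: the names WithAuditAnnotations, WithNamespace, AddAuditAnnotation, NamespaceFrom and ServeAndCollect, the key types, and the annotation keys under example.com/ are hypothetical, and the request is constructed inline with net/http/httptest.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// Unexported, zero-size key types (hypothetical). Two distinct types compare
// unequal as interface values even though both zero values look identical,
// so the keys cannot collide with each other or with other packages' keys.
type auditAnnotationsKey struct{}
type namespaceKey struct{}

// auditAnnotations is the mutable store a filter places in the request context.
// Handlers further down the chain add to it; the filter reads it back after the
// chain returns. The mutex matters because handlers may annotate from goroutines.
type auditAnnotations struct {
	mu     sync.Mutex
	values map[string]string
}

func (a *auditAnnotations) set(key, value string) {
	a.mu.Lock()
	defer a.mu.Unlock()
	a.values[key] = value
}

// snapshot returns a copy so the audit sink never shares the live map.
func (a *auditAnnotations) snapshot() map[string]string {
	a.mu.Lock()
	defer a.mu.Unlock()
	out := make(map[string]string, len(a.values))
	for k, v := range a.values {
		out[k] = v
	}
	return out
}

// WithAuditAnnotations decorates an http.Handler: it allocates the annotation
// store, injects it into the request context, runs the wrapped handler, and
// hands the collected annotations to sink (standing in for an audit backend).
func WithAuditAnnotations(next http.Handler, sink func(map[string]string)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		store := &auditAnnotations{values: map[string]string{}}
		ctx := context.WithValue(r.Context(), auditAnnotationsKey{}, store)
		next.ServeHTTP(w, r.WithContext(ctx))
		sink(store.snapshot())
	})
}

// WithNamespace is a second decorator storing a value under a different key type.
func WithNamespace(next http.Handler, ns string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), namespaceKey{}, ns)))
	})
}

// AddAuditAnnotation is what a downstream handler calls. It reports false and
// does nothing when no filter installed a store, so it is safe outside the chain.
func AddAuditAnnotation(ctx context.Context, key, value string) bool {
	store, ok := ctx.Value(auditAnnotationsKey{}).(*auditAnnotations)
	if !ok {
		return false
	}
	store.set(key, value)
	return true
}

// NamespaceFrom extracts the namespace; the ok flag guards against absence.
func NamespaceFrom(ctx context.Context) (string, bool) {
	ns, ok := ctx.Value(namespaceKey{}).(string)
	return ns, ok
}

// ServeAndCollect runs one constructed request through the decorated chain and
// returns the annotations the filter collected plus the response status code.
func ServeAndCollect(method, path string) (map[string]string, int) {
	var collected map[string]string
	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ns, _ := NamespaceFrom(r.Context())
		// Constructed annotation keys, not the apiserver's real ones.
		AddAuditAnnotation(r.Context(), "example.com/decision", "allow")
		AddAuditAnnotation(r.Context(), "example.com/namespace", ns)
		w.WriteHeader(http.StatusOK)
	})
	handler := WithAuditAnnotations(WithNamespace(inner, "default"),
		func(m map[string]string) { collected = m })
	rec := httptest.NewRecorder()
	handler.ServeHTTP(rec, httptest.NewRequest(method, path, nil))
	return collected, rec.Code
}

func main() {
	ann, code := ServeAndCollect(http.MethodPost, "/api/v1/namespaces/default/pods")
	fmt.Println(code, ann)
}
```

The outermost filter owns the store, which is why it can read the annotations after the inner handler has returned; a handler that calls AddAuditAnnotation outside such a chain gets false rather than a panic.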