Commit f9df691c authored by Dennis Czombera's avatar Dennis Czombera

Add an impersonation test case to the audit E2E test

parent 7ba79c31
...@@ -79,6 +79,16 @@ var _ = SIGDescribe("Advanced Audit", func() { ...@@ -79,6 +79,16 @@ var _ = SIGDescribe("Advanced Audit", func() {
anonymousClient, err := clientset.NewForConfig(config) anonymousClient, err := clientset.NewForConfig(config)
framework.ExpectNoError(err) framework.ExpectNoError(err)
By("Creating a kubernetes client that impersonates an authorized user")
config, err = framework.LoadConfig()
framework.ExpectNoError(err)
config.Impersonate = restclient.ImpersonationConfig{
UserName: "superman",
Groups: []string{"system:masters"},
}
impersonatedClient, err := clientset.NewForConfig(config)
framework.ExpectNoError(err)
testCases := []struct { testCases := []struct {
action func() action func()
events []utils.AuditEvent events []utils.AuditEvent
...@@ -668,6 +678,30 @@ var _ = SIGDescribe("Advanced Audit", func() { ...@@ -668,6 +678,30 @@ var _ = SIGDescribe("Advanced Audit", func() {
}, },
}, },
}, },
// List pods as impersonated user.
{
func() {
_, err = impersonatedClient.CoreV1().Pods(namespace).List(metav1.ListOptions{})
framework.ExpectNoError(err, "failed to list pods")
},
[]utils.AuditEvent{
{
Level: auditinternal.LevelRequest,
Stage: auditinternal.StageResponseComplete,
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/pods", namespace),
Verb: "list",
Code: 200,
User: auditTestUser,
ImpersonatedUser: "superman",
ImpersonatedGroups: "system:masters",
Resource: "pods",
Namespace: namespace,
RequestObject: false,
ResponseObject: false,
AuthorizeDecision: "allow",
},
},
},
} }
// test authorizer annotations, RBAC is required. // test authorizer annotations, RBAC is required.
...@@ -684,17 +718,19 @@ var _ = SIGDescribe("Advanced Audit", func() { ...@@ -684,17 +718,19 @@ var _ = SIGDescribe("Advanced Audit", func() {
}, },
[]utils.AuditEvent{ []utils.AuditEvent{
{ {
Level: auditinternal.LevelRequest, Level: auditinternal.LevelRequest,
Stage: auditinternal.StageResponseComplete, Stage: auditinternal.StageResponseComplete,
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/pods/another-audit-pod", namespace), RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/pods/another-audit-pod", namespace),
Verb: "get", Verb: "get",
Code: 403, Code: 403,
User: auditTestUser, User: auditTestUser,
Resource: "pods", ImpersonatedUser: "system:anonymous",
Namespace: namespace, ImpersonatedGroups: "system:unauthenticated",
RequestObject: false, Resource: "pods",
ResponseObject: false, Namespace: namespace,
AuthorizeDecision: "forbid", RequestObject: false,
ResponseObject: false,
AuthorizeDecision: "forbid",
}, },
}, },
}, },
......
...@@ -20,6 +20,8 @@ import ( ...@@ -20,6 +20,8 @@ import (
"bufio" "bufio"
"fmt" "fmt"
"io" "io"
"sort"
"strings"
"k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/runtime/schema"
...@@ -28,17 +30,19 @@ import ( ...@@ -28,17 +30,19 @@ import (
) )
type AuditEvent struct { type AuditEvent struct {
Level auditinternal.Level Level auditinternal.Level
Stage auditinternal.Stage Stage auditinternal.Stage
RequestURI string RequestURI string
Verb string Verb string
Code int32 Code int32
User string User string
Resource string ImpersonatedUser string
Namespace string ImpersonatedGroups string
RequestObject bool Resource string
ResponseObject bool Namespace string
AuthorizeDecision string RequestObject bool
ResponseObject bool
AuthorizeDecision string
} }
// Search the audit log for the expected audit lines. // Search the audit log for the expected audit lines.
...@@ -101,6 +105,11 @@ func parseAuditLine(line string, version schema.GroupVersion) (AuditEvent, error ...@@ -101,6 +105,11 @@ func parseAuditLine(line string, version schema.GroupVersion) (AuditEvent, error
if e.RequestObject != nil { if e.RequestObject != nil {
event.RequestObject = true event.RequestObject = true
} }
if e.ImpersonatedUser != nil {
event.ImpersonatedUser = e.ImpersonatedUser.Username
sort.Strings(e.ImpersonatedUser.Groups)
event.ImpersonatedGroups = strings.Join(e.ImpersonatedUser.Groups, ",")
}
event.AuthorizeDecision = e.Annotations["authorization.k8s.io/decision"] event.AuthorizeDecision = e.Annotations["authorization.k8s.io/decision"]
return event, nil return event, nil
} }
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment