Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
fa40bc8f
Commit
fa40bc8f
authored
Oct 19, 2017
by
Eric Chiang
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
audit policy: reject audit policy files without apiVersion and kind
parent
a8fc7f69
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
52 additions
and
4 deletions
+52
-4
BUILD
staging/src/k8s.io/apiserver/pkg/audit/policy/BUILD
+1
-1
reader.go
staging/src/k8s.io/apiserver/pkg/audit/policy/reader.go
+24
-3
reader_test.go
staging/src/k8s.io/apiserver/pkg/audit/policy/reader_test.go
+27
-0
No files found.
staging/src/k8s.io/apiserver/pkg/audit/policy/BUILD
View file @
fa40bc8f
...
@@ -34,7 +34,7 @@ go_library(
...
@@ -34,7 +34,7 @@ go_library(
importpath = "k8s.io/apiserver/pkg/audit/policy",
importpath = "k8s.io/apiserver/pkg/audit/policy",
deps = [
deps = [
"//vendor/github.com/golang/glog:go_default_library",
"//vendor/github.com/golang/glog:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/runtime
/schema
:go_default_library",
"//vendor/k8s.io/apiserver/pkg/apis/audit:go_default_library",
"//vendor/k8s.io/apiserver/pkg/apis/audit:go_default_library",
"//vendor/k8s.io/apiserver/pkg/apis/audit/v1alpha1:go_default_library",
"//vendor/k8s.io/apiserver/pkg/apis/audit/v1alpha1:go_default_library",
"//vendor/k8s.io/apiserver/pkg/apis/audit/v1beta1:go_default_library",
"//vendor/k8s.io/apiserver/pkg/apis/audit/v1beta1:go_default_library",
...
...
staging/src/k8s.io/apiserver/pkg/audit/policy/reader.go
View file @
fa40bc8f
...
@@ -20,7 +20,7 @@ import (
...
@@ -20,7 +20,7 @@ import (
"fmt"
"fmt"
"io/ioutil"
"io/ioutil"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime
/schema
"
auditinternal
"k8s.io/apiserver/pkg/apis/audit"
auditinternal
"k8s.io/apiserver/pkg/apis/audit"
auditv1alpha1
"k8s.io/apiserver/pkg/apis/audit/v1alpha1"
auditv1alpha1
"k8s.io/apiserver/pkg/apis/audit/v1alpha1"
auditv1beta1
"k8s.io/apiserver/pkg/apis/audit/v1beta1"
auditv1beta1
"k8s.io/apiserver/pkg/apis/audit/v1beta1"
...
@@ -30,6 +30,20 @@ import (
...
@@ -30,6 +30,20 @@ import (
"github.com/golang/glog"
"github.com/golang/glog"
)
)
var
(
apiGroupVersions
=
[]
schema
.
GroupVersion
{
auditv1beta1
.
SchemeGroupVersion
,
auditv1alpha1
.
SchemeGroupVersion
,
}
apiGroupVersionSet
=
map
[
schema
.
GroupVersion
]
bool
{}
)
func
init
()
{
for
_
,
gv
:=
range
apiGroupVersions
{
apiGroupVersionSet
[
gv
]
=
true
}
}
func
LoadPolicyFromFile
(
filePath
string
)
(
*
auditinternal
.
Policy
,
error
)
{
func
LoadPolicyFromFile
(
filePath
string
)
(
*
auditinternal
.
Policy
,
error
)
{
if
filePath
==
""
{
if
filePath
==
""
{
return
nil
,
fmt
.
Errorf
(
"file path not specified"
)
return
nil
,
fmt
.
Errorf
(
"file path not specified"
)
...
@@ -40,11 +54,18 @@ func LoadPolicyFromFile(filePath string) (*auditinternal.Policy, error) {
...
@@ -40,11 +54,18 @@ func LoadPolicyFromFile(filePath string) (*auditinternal.Policy, error) {
}
}
policy
:=
&
auditinternal
.
Policy
{}
policy
:=
&
auditinternal
.
Policy
{}
decoder
:=
audit
.
Codecs
.
UniversalDecoder
(
auditv1beta1
.
SchemeGroupVersion
,
auditv1alpha1
.
SchemeGroupVersion
)
decoder
:=
audit
.
Codecs
.
UniversalDecoder
(
apiGroupVersions
...
)
if
err
:=
runtime
.
DecodeInto
(
decoder
,
policyDef
,
policy
);
err
!=
nil
{
_
,
gvk
,
err
:=
decoder
.
Decode
(
policyDef
,
nil
,
policy
)
if
err
!=
nil
{
return
nil
,
fmt
.
Errorf
(
"failed decoding file %q: %v"
,
filePath
,
err
)
return
nil
,
fmt
.
Errorf
(
"failed decoding file %q: %v"
,
filePath
,
err
)
}
}
// Ensure the policy file contained an apiVersion and kind.
if
!
apiGroupVersionSet
[
schema
.
GroupVersion
{
Group
:
gvk
.
Group
,
Version
:
gvk
.
Version
}]
{
return
nil
,
fmt
.
Errorf
(
"unknown group version field %v in policy file %s"
,
gvk
,
filePath
)
}
if
err
:=
validation
.
ValidatePolicy
(
policy
);
err
!=
nil
{
if
err
:=
validation
.
ValidatePolicy
(
policy
);
err
!=
nil
{
return
nil
,
err
.
ToAggregate
()
return
nil
,
err
.
ToAggregate
()
}
}
...
...
staging/src/k8s.io/apiserver/pkg/audit/policy/reader_test.go
View file @
fa40bc8f
...
@@ -71,6 +71,24 @@ rules:
...
@@ -71,6 +71,24 @@ rules:
- level: Metadata
- level: Metadata
`
`
const
policyWithNoVersionOrKind
=
`
rules:
- level: None
nonResourceURLs:
- /healthz*
- /version
- level: RequestResponse
users: ["tim"]
userGroups: ["testers", "developers"]
verbs: ["patch", "delete", "create"]
resources:
- group: ""
- group: "rbac.authorization.k8s.io"
resources: ["clusterroles", "clusterrolebindings"]
namespaces: ["default", "kube-system"]
- level: Metadata
`
var
expectedPolicy
=
&
audit
.
Policy
{
var
expectedPolicy
=
&
audit
.
Policy
{
Rules
:
[]
audit
.
PolicyRule
{{
Rules
:
[]
audit
.
PolicyRule
{{
Level
:
audit
.
LevelNone
,
Level
:
audit
.
LevelNone
,
...
@@ -104,6 +122,15 @@ func TestParserV1alpha1(t *testing.T) {
...
@@ -104,6 +122,15 @@ func TestParserV1alpha1(t *testing.T) {
}
}
}
}
func
TestParsePolicyWithNoVersionOrKind
(
t
*
testing
.
T
)
{
f
,
err
:=
writePolicy
(
t
,
policyWithNoVersionOrKind
)
require
.
NoError
(
t
,
err
)
defer
os
.
Remove
(
f
)
_
,
err
=
LoadPolicyFromFile
(
f
)
assert
.
Contains
(
t
,
err
.
Error
(),
"unknown group version field"
)
}
func
TestParserV1beta1
(
t
*
testing
.
T
)
{
func
TestParserV1beta1
(
t
*
testing
.
T
)
{
f
,
err
:=
writePolicy
(
t
,
policyDefV1beta1
)
f
,
err
:=
writePolicy
(
t
,
policyDefV1beta1
)
require
.
NoError
(
t
,
err
)
require
.
NoError
(
t
,
err
)
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment