Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix invalid match rules for advanced audit policy #59398

Merged
merged 1 commit into from
Feb 19, 2018
Merged

fix invalid match rules for advanced audit policy #59398

merged 1 commit into from
Feb 19, 2018

Conversation

CaoShuFeng
Copy link
Contributor

@CaoShuFeng CaoShuFeng commented Feb 6, 2018
edited
Loading

When users or groups are set in a rule, this rule should not match
attribute with unauthorized request where user and group are nil.

Release note:

Unauthorized requests will not match audit policy rules where users or groups are set.

Fixes: #59331

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Feb 6, 2018
@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Feb 6, 2018
@CaoShuFeng CaoShuFeng mentioned this pull request Feb 6, 2018
Closed
dixudx
dixudx reviewed Feb 6, 2018
View reviewed changes
staging/src/k8s.io/apiserver/pkg/audit/policy/checker.go Outdated
if len(r.Users) > 0 && attrs.GetUser() != nil {
if !hasString(r.Users, attrs.GetUser().GetName()) {
if len(r.Users) > 0 {
if attrs.GetUser() == nil || !hasString(r.Users, attrs.GetUser().GetName()) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No need to call attrs.GetUser() again and again.
Better assign to a variable?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

@CaoShuFeng
fix invalid match rules for advanced audit policy
9a7acaa 
When users or groups are set in a rule, this rule should not match
attribute with unauthorized request where user and group are nil.
@dixudx
Copy link
Member

dixudx commented Feb 6, 2018

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 6, 2018
@CaoShuFeng CaoShuFeng mentioned this pull request Feb 6, 2018
Merged
smurfralf
smurfralf approved these changes Feb 6, 2018
View reviewed changes
Copy link

@smurfralf smurfralf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

@crassirostris crassirostris mentioned this pull request Feb 13, 2018
Closed
11 tasks
@CaoShuFeng
Copy link
Contributor Author

/test pull-kubernetes-bazel-test
/test pull-kubernetes-unit

crassirostris
crassirostris reviewed Feb 14, 2018
View reviewed changes
Copy link

@crassirostris crassirostris left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One nit, otherwise LGTM

staging/src/k8s.io/apiserver/pkg/audit/policy/checker_test.go
@@ -73,6 +73,16 @@ var (
ResourceRequest: true,
Path: "/api/v1/namespaces/default/pods/busybox",
},
"Unauthorized": &authorizer.AttributesRecord{
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

unauthenticated?

@tallclair
Copy link
Member

lgtm.
I could see us wanting to add support for empty string == unauthenticated user (in case the operator wants to explicitly log unauthenticated requests)

@sttts
Copy link
Contributor

sttts commented Feb 19, 2018

/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: CaoShuFeng, dixudx, sttts

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 19, 2018
@crassirostris crassirostris mentioned this pull request Feb 19, 2018
Merged
@k8s-github-robot
Copy link

/test all [submit-queue is verifying that this PR is safe to merge]

@k8s-github-robot
Copy link

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here.

@k8s-github-robot k8s-github-robot merged commit 89ac18d into kubernetes:master Feb 19, 2018
@tallclair
Copy link
Member

When is the user nil vs system:anonymous? I'd like to be able to match policy to anonymous requests, so I'm wondering whether we need to add code to allow the empty string to match nil users. e.g.

 - level: None
    users: ["", "system:anonymous"]  # Don't log unauthenticated requests

@smurfralf
Copy link

@tallclair: It would seem to me that having the empty string match the nil user is a related feature which should exist in its own ticket. The issue here is that rules are matching events that they should not match, while your request is for an expansion in rule semantics.

@tallclair
Copy link
Member

@smurfralf agreed, this just seemed like a good place to discuss whether we want that feature :) sorry for the confusion.

k8s-github-robot pushed a commit that referenced this pull request Mar 14, 2018
Merge pull request #59399 from CaoShuFeng/automated-cherry-pick-of-#5…
508365c 
…9398-upstream-release-1.9

Automatic merge from submit-queue.

Automated cherry pick of #59398: fix invalid match rules for advanced audit policy

Cherry pick of #59398 on release-1.9.

#59398: fix invalid match rules for advanced audit policy
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@crassirostris crassirostris crassirostris left review comments

@dixudx dixudx dixudx left review comments

@smurfralf smurfralf smurfralf approved these changes

@caesarxuchao caesarxuchao Awaiting requested review from caesarxuchao

@smarterclayton smarterclayton Awaiting requested review from smarterclayton

Assignees

@dixudx dixudx

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/audit cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
8 participants
@CaoShuFeng @dixudx @tallclair @sttts @k8s-ci-robot @k8s-github-robot @smurfralf @crassirostris