Add PodSecurityPolicy information to audit logs

[CaoShuFeng]

Depends on: #58806
Fix #56209

Release note:

PodSecurityPolicy admission information is added to audit logs

[CaoShuFeng]

/assign @sttts @liggitt
What's your opinion about this version?

[sttts]

we need better keys here, maybe podsecuritypolicy.admission.k8s.io/policy

[soltysh]

👍 we should always use full names

[sttts]

would move these into its own struct. maybe struct reason

[sttts]

len(...) != 0 is our convention

[sttts]

auditEvent

[sttts]

@tallclair @crassirostris @ericchiang @soltysh this is about the API. Are we happy with this representation?

[crassirostris]

I'm fine with this interface, but I remember someone was not happy with it

[sttts]

We have plugin names (those which are also used in the apiserver flags). We could make this more structured using them if we concentrate on admission. We could render the whole chain here in the event.

RBAC would then be another step, probably with an explicit authorization field.

[soltysh]

I'm not too happy with the name, but can't come up with a better one, so I guess I'll just have to live with it ;).
As for the structured, having map[string]string give us more freedom, if we decide to add additional information. Maybe we should name the field as AdditionalInfo or something like that? At the same time, I'm worried this might end up being a grab bag for all the things we want to have here. Hm....

[soltysh]

I just spoke with @sttts and we agreed it would be nice to:

1. be able to decide which admission and rbac plugins are logged, so that would require additional rule changes
2. Authorization logging happens in authorizingVisitor which is perfect, but admission happens only in PSP, I'd imagine this should happen a level higher to be able to do what I said in 1.

@tallclair @crassirostris @ericchiang @CaoShuFeng opinions?

[tallclair]

be able to decide which admission and rbac plugins are logged, so that would require additional rule changes

This feels like something that should be resolved with filters, if we ever get around to implementing them. We don't currently allow fine grained selection of what's logged, so I think the current approach is consistent.

Authorization logging happens in authorizingVisitor which is perfect,

Only for RBAC, it's an implementation detail.

but admission happens only in PSP, I'd imagine this should happen a level higher to be able to do what I said in 1.

I see this field as arbitrary metadata that plugins invoked in the serving path can add to. I think the authorization & admission interfaces should enable this on a case-by-case basis.

I'm happy with the current unstructured approach.

[sttts]

do we really need this new func name?

[sttts]

I would keep the old func name and make that argument mandatory (possibly nil)

[CaoShuFeng]

OK.
I will modify all NewAttributesRecord functions.

$ LANG=C grep "NewAttributesRecord" * -r  | grep "\.go"  | wc -l
262

:)

[sttts]

262

https://www.gnu.org/software/sed/manual/html_node/index.html ;)

[sttts]

For easier review, please do that in another commit.

99% of those calls are in tests btw. Was surprised that the number is that high.

[sttts]

What's your opinion about this version?

Much better. It's what I expected 👍

[CaoShuFeng]

Much better. It's what I expected 👍

Thanks. I will address all your comments and add some unit tests.

[liggitt]

prefer (*rbac.RoleRef, *rbac.PolicyRule, ...), since we have the reference already?

[liggitt]

hmm, I guess you need the binding name/namespace as well

[liggitt]

this interface is supposed to be fully serializable so it can be delegated via a subject access review. an audit.Event pointer breaks that, and implies getting a writeable object out of the attributes, which reverses the information flow of this interface

[sttts]

Which means that we have to expose the audit annotations (or any other data structure we choose) for authz/n in a different way here. Also a delgated authorizer should fill in values.

[liggitt]

authz already has the ability to return a reason along with the authorization decision. can we use that from the outside, rather than plumbing audit into all the authorizers? that would work with remote authorization as well without any changes to the authz APIs

[sttts]

@tallclair @crassirostris can you comment whether the reason is enough?

[liggitt]

I would expect the following behavior:

• when authorization failed, the reason would contain aggregated reasons from all authorizers that provided failure reasons
• when authorization succeeded, the reason would contain the reason from the succeeding authorizer if it provided one

[liggitt]

the authorizer reason is currently plumbed all the way up to https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/endpoints/filters/authorization.go#L49 which seems like a much easier place to get a handle to the audit event

[liggitt]

PR that makes RBAC return a detailed reason for what it allows that includes the subject, binding, and role: #58531

[CaoShuFeng]

Done.

[liggitt]

getting an object out of requestAttributes in order to write back to it is a fundamental change in the way the authorizer attributes are used, and breaks remote delegation cases for that interface

[sttts]

See above. We need an explicit data structure here. Not a huge event with unclear ownership.

[tallclair]

/status approved-for-milestone

[k8s-github-robot]

[MILESTONENOTIFIER] Milestone Pull Request: Up-to-date for process

@CaoShuFeng @justinsb @liggitt @sttts @tallclair

Pull Request Labels

• sig/auth: Pull Request will be escalated to these SIGs if needed.
• priority/important-soon: Escalate to the pull request owners and SIG owner; move out of milestone after several unsuccessful escalation attempts.
• kind/feature: New functionality.

Help

• Additional instructions
• Commands for setting labels

[sttts]

this switched to an error from a warning? Am fine with this.

[CaoShuFeng]

Yes.
According to @tallclair 's suggestion.

[sttts]

👍

[sttts]

nit: odd formatting. usually we put the ) on the next line.

[CaoShuFeng]

Done.

[sttts]

why do we need this?

[sttts]

I don't see this used. Premature abstraction? Would drop it.

[CaoShuFeng]

This interface is used according to @liggitt 's suggestion.

d7474b8#r29220311

[CaoShuFeng]

It's used in WithAudit decorator to check the attribute interface.
Would be useful for alternate Attributes.

[sttts]

ok, sounds reasonable.

[sttts]

/lgtm
/approve

[sttts]

@tallclair @liggitt approved?

[liggitt]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: CaoShuFeng, liggitt, sttts

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• plugin/pkg/admission/security/podsecuritypolicy/OWNERS [liggitt]
• staging/src/k8s.io/apiserver/OWNERS [liggitt,sttts]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[fejta-bot]

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel comment for consistent failures.

[jberkus]

/retest pull-kubernetes-e2e-kops-aws

[liggitt]

/retest

[k8s-github-robot]

Automatic merge from submit-queue (batch tested with PRs 61610, 64591, 58143, 63929). If you want to cherry-pick this change to another branch, please follow the instructions here.