dynamic audit configuration api

[pbarker]

What this PR does / why we need it:
Implements dynamic audit configuration api

Special notes for your reviewer:
This is just the api changes for the dynamic audit configuration feature. Part 2 of the implementation is here #67257

Release note:

Add dynamic audit configuration api

[tallclair]

/ok-to-test
/kind api-change
/priority important-soon
/sig auth
/milestone v1.12

/assign @kubernetes/api-reviewers

[tallclair]

@kubernetes/sig-api-machinery-api-reviews

[pbarker]

@tallclair would you like to see the storage and registration pieces for the api here or in the other PR?

[tallclair]

I think they belong here.

[lavalamp]

Why are we copying hack scripts into staging repos? That doesn't seem like a good precedent.

[pbarker]

I copied the pattern from the sample api server, should this be placed elsewhere?

[tallclair]

It looks like we already do this: https://github.com/kubernetes/kubernetes/blob/master/hack/update-codegen.sh#L133

If you follow this pattern, this script should be called from there too.

[pbarker]

yeah thats the pattern I went with, if we theres a new pattern were shooting for I'm happy to change

[lavalamp]

:'(

[lavalamp]

Copied from the admission webhook configuration?

[pbarker]

yeah, it essentially needs the same methods but there were incompatibilities with the admission implementation. Talking internally we decided to factor it into a common package. This PR doesn't look to refactor the admission pieces but does allow the owners of that package the ability to go that route in the future.

[lavalamp]

I am confused about why this is a separate type from the backend configuration.

[pbarker]

yeah this may not be necessary, just wrapping the client configuration similar to the current admission package. We can scrap it

[lavalamp]

If this is supposed to be a reference to a webhook, shouldn't it be a name? OTOH if this is where the webhook configuration is stored, why is there a top level Webhook type?

[pbarker]

This is a nested webhook configuration, the top level webhook type was just to keep parity with the original design, it can be scrapped though

[lavalamp]

/assign

[lavalamp]

Sounds good, please scrap the top-level webhook type :) Unlike normal code, it's not problematic to copy the webhook configuration API definition types instead of trying to reuse: you may want the documentation to differ, for example.

…

On Fri, Aug 17, 2018 at 1:13 PM Patrick Barker ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In staging/src/k8s.io/apiserver/hack/update-codegen.sh <#67547 (comment)> : > @@ -0,0 +1,81 @@ + +#!/usr/bin/env bash I copied the pattern from the sample api server, should this be placed elsewhere? ------------------------------ In staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/types.go <#67547 (comment)> : > + // The name of the webhook. + // Required. + Name string `json:"name" protobuf:"bytes,2,opt,name=name"` + + // ClientConfig defines how to communicate with the hook. + // Required + ClientConfig WebhookClientConfig `json:"clientConfig" protobuf:"bytes,3,opt,name=clientConfig"` +} + +// +genclient +// +genclient:nonNamespaced +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// +k8s:openapi-gen=true +// WebhookClientConfig contains the information to make a connection with the webhook +type WebhookClientConfig struct { yeah, it essentially needs the same methods but there were incompatibilities with the admission implementation. Talking internally we decided to factor it into a common package. This PR doesn't look to refactor the admission pieces but does allow the owners of that package the ability to go that route in the future. ------------------------------ In staging/src/k8s.io/apiserver/pkg/apis/apiserver/types.go <#67547 (comment)> : > @@ -48,3 +48,89 @@ type AdmissionPluginConfiguration struct { // +optional Configuration *runtime.Unknown } + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// Webhook describes a webhook and the resources and operations it applies to. +type Webhook struct { yeah this may not be necessary, just wrapping the client configuration similar to the current admission package. We can scrap it ------------------------------ In staging/src/k8s.io/apiserver/pkg/apis/audit/types.go <#67547 (comment)> : > + + // ThrottleBurst is the maximum number of events sent at the same moment + // +optional + ThrottleBurst *int64 + + // ThrottleEnabled determines whether throttling is enabled + // +optional + ThrottleEnabled *bool + + // ThrottleQPS maximum number of batches per second + // +optional + ThrottleQPS *float32 + + // ClientConfig holds the connection parameters for the webhook + // required + ClientConfig apiv1alpha1.WebhookClientConfig This is a nested webhook configuration, the top level webhook type was just to keep parity with the original design, it can be scrapped though — You are receiving this because you were assigned. Reply to this email directly, view it on GitHub <#67547 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAngll8-hOOr8Ig9CiJKI3ZLmAXQcpk8ks5uRyPtgaJpZM4WB3h0> .

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pbarker, thockin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• api/OWNERS [thockin]
• docs/api-reference/OWNERS [thockin]
• hack/OWNERS [thockin]
• pkg/OWNERS [thockin]
• pkg/api/OWNERS [thockin]
• staging/OWNERS [thockin]
• staging/src/k8s.io/api/OWNERS [thockin]
• test/OWNERS [thockin]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[lavalamp]

Sorry, still one more thing about the defaulting...

[lavalamp]

Something got scrambled, no doubt in a comment I gave :)

I suggest making these consts, declaring func intPtr(i int64) *int64 { return &i } somewhere, and calling intPtr(DefaultQPS) in the DefaultThrottle function.

Making these constant will prevent people from taking their address, which is the error I think it's important to avoid.

[tallclair]

nit: use

utilpointer "k8s.io/utils/pointer"
utilpointer.Int64Ptr

(of dubious value, but we favour consistency...)

[tallclair]

@lavalamp - I just noticed these APIs are being added to Kubernetes (k8s.io/api/auditregistration/v1alpha1/types.go) but auditing is really a generic apiserver feature. Should these APIs be moved to apiserver apis (k8s.io/apiserver/pkg/apis/auditregistration/v1alpha1/types.go)?

[pbarker]

@tallclair that was initially explored but there were issues with the scheme #67547 (comment) In order to do this properly there wound need to be some fundamental changes to the apiserver

[tallclair]

@pbarker Thanks, but I interpreted that comment as separating audit & auditregistration into 2 different API groups. IIUC, the auditregistration API group could still be part of the apiserver apis. I don't feel particularly strongly on the distinction, but I'd like an ACK from someone with more of a stake in the difference.

[pbarker]

Sorry @tallclair, couldn't remember where all the conversations happened, there is more context here #67547 (comment)

[pbarker]

/retest

[k8s-ci-robot]

@pbarker: The following test failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
pull-kubernetes-local-e2e-containerized	be4c4a8f5c6f56222ce9818e34f64b85ecd8b8e9	link	/test pull-kubernetes-local-e2e-containerized

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[lavalamp]

I argued so hard against making these library functions :( I just don't think it's worth the import dependency to avoid a 3 line function definition.

But this is tilting at windmills so I'm not asking for a change :(

[tallclair]

Yeah, sorry. To quote my original comment:

(of dubious value, but we favour consistency...)

[lavalamp]

Give me a minute to think about whether it now makes sense to put this in with the meta api.

[spiffxp]

/milestone v1.13
I'm adding this to the v1.13 milestone since it relates to kubernetes/enhancements#600 which is currently planned for v1.13

[lavalamp]

/lgtm

I don't want to block this any more. Likely it should go in a more general place. We can always move it later.

[WanLinghao]

@pbarker In the design doc(https://github.com/kubernetes/community/blob/master/keps/sig-auth/0014-dynamic-audit-configuration.md), it is mentioned that the Policy in dynamic audit feature is v1beta1 of legacy audit. Why it is changed in your implementation. Did I miss anything?

 // Policy is the current audit v1beta1 Policy object
    // if undefined it will default to the statically configured cluster policy if available
    // if neither exist the backend will fail
    Policy *Policy

[pbarker]

Hey @WanLinghao, this was a piece we iterated on in this PR. There was a desire to have the audit mechanism in the API be more composable and additive, so that as an app developer I could write audit rules and have them contained with the rest of my deployment configuration. So we temporarily slimmed down the audit policy so that we could do this rework as we head to beta. We'll be having some talks on this in the future.

[WanLinghao]

@pbarker So do we have any plan to push the Policy in dynamic audit feature into something similar with the one in legacy audit feature?

[pbarker]

@WanLinghao its not possible to delete fields from an API once you put them there. So we scoped down the policy object to the bare minimum until we have a clear direction, then it will be added to.