Bump sigs.k8s.io/controller-runtime to v0.14.4 (#5507)

* Bump sigs.k8s.io/controller-runtime to v0.14.4 * Update gofmt
2023-02-08 14:06:15 +08:00
parent 129e6fbec3
commit 1c49fcd57e
1404 changed files with 141422 additions and 47769 deletions
--- a/vendor/k8s.io/apiserver/pkg/audit/context.go
+++ b/vendor/k8s.io/apiserver/pkg/audit/context.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"sync"

+	"k8s.io/apimachinery/pkg/types"
 	auditinternal "k8s.io/apiserver/pkg/apis/audit"
 	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/klog/v2"
@@ -28,38 +29,31 @@ import (
 // The key type is unexported to prevent collisions
 type key int

-const (
-	// auditAnnotationsKey is the context key for the audit annotations.
-	// TODO: consolidate all audit info under the AuditContext, rather than storing 3 separate keys.
-	auditAnnotationsKey key = iota
+// auditKey is the context key for storing the audit context that is being
+// captured and the evaluated policy that applies to the given request.
+const auditKey key = iota

-	// auditKey is the context key for storing the audit event that is being
-	// captured and the evaluated policy that applies to the given request.
-	auditKey
+// AuditContext holds the information for constructing the audit events for the current request.
+type AuditContext struct {
+	// RequestAuditConfig is the audit configuration that applies to the request
+	RequestAuditConfig RequestAuditConfig

-	// auditAnnotationsMutexKey is the context key for the audit annotations mutex.
-	auditAnnotationsMutexKey
-)
+	// Event is the audit Event object that is being captured to be written in
+	// the API audit log. It is set to nil when the request is not being audited.
+	Event *auditinternal.Event

-// annotations = *[]annotation instead of a map to preserve order of insertions
-type annotation struct {
-	key, value string
+	// annotations holds audit annotations that are recorded before the event has been initialized.
+	// This is represented as a slice rather than a map to preserve order.
+	annotations []annotation
+	// annotationMutex guards annotations AND event.Annotations
+	annotationMutex sync.Mutex
+
+	// auditID is the Audit ID associated with this request.
+	auditID types.UID
 }

-// WithAuditAnnotations returns a new context that can store audit annotations
-// via the AddAuditAnnotation function.  This function is meant to be called from
-// an early request handler to allow all later layers to set audit annotations.
-// This is required to support flows where handlers that come before WithAudit
-// (such as WithAuthentication) wish to set audit annotations.
-func WithAuditAnnotations(parent context.Context) context.Context {
-	// this should never really happen, but prevent double registration of this slice
-	if _, ok := parent.Value(auditAnnotationsKey).(*[]annotation); ok {
-		return parent
-	}
-	parent = withAuditAnnotationsMutex(parent)
-
-	var annotations []annotation // avoid allocations until we actually need it
-	return genericapirequest.WithValue(parent, auditAnnotationsKey, &annotations)
+type annotation struct {
+	key, value string
 }

 // AddAuditAnnotation sets the audit annotation for the given key, value pair.
@@ -70,102 +64,79 @@ func WithAuditAnnotations(parent context.Context) context.Context {
 // Handlers that are unaware of their position in the overall request flow should
 // prefer AddAuditAnnotation over LogAnnotation to avoid dropping annotations.
 func AddAuditAnnotation(ctx context.Context, key, value string) {
-	mutex, ok := auditAnnotationsMutex(ctx)
-	if !ok {
+	ac := AuditContextFrom(ctx)
+	if ac == nil {
 		// auditing is not enabled
 		return
 	}

-	mutex.Lock()
-	defer mutex.Unlock()
+	ac.annotationMutex.Lock()
+	defer ac.annotationMutex.Unlock()

-	ae := AuditEventFrom(ctx)
-	var ctxAnnotations *[]annotation
-	if ae == nil {
-		ctxAnnotations, _ = ctx.Value(auditAnnotationsKey).(*[]annotation)
-	}
-
-	addAuditAnnotationLocked(ae, ctxAnnotations, key, value)
+	addAuditAnnotationLocked(ac, key, value)
 }

 // AddAuditAnnotations is a bulk version of AddAuditAnnotation. Refer to AddAuditAnnotation for
 // restrictions on when this can be called.
 // keysAndValues are the key-value pairs to add, and must have an even number of items.
 func AddAuditAnnotations(ctx context.Context, keysAndValues ...string) {
-	mutex, ok := auditAnnotationsMutex(ctx)
-	if !ok {
+	ac := AuditContextFrom(ctx)
+	if ac == nil {
 		// auditing is not enabled
 		return
 	}

-	mutex.Lock()
-	defer mutex.Unlock()
-
-	ae := AuditEventFrom(ctx)
-	var ctxAnnotations *[]annotation
-	if ae == nil {
-		ctxAnnotations, _ = ctx.Value(auditAnnotationsKey).(*[]annotation)
-	}
+	ac.annotationMutex.Lock()
+	defer ac.annotationMutex.Unlock()

 	if len(keysAndValues)%2 != 0 {
 		klog.Errorf("Dropping mismatched audit annotation %q", keysAndValues[len(keysAndValues)-1])
 	}
 	for i := 0; i < len(keysAndValues); i += 2 {
-		addAuditAnnotationLocked(ae, ctxAnnotations, keysAndValues[i], keysAndValues[i+1])
+		addAuditAnnotationLocked(ac, keysAndValues[i], keysAndValues[i+1])
 	}
 }

 // AddAuditAnnotationsMap is a bulk version of AddAuditAnnotation. Refer to AddAuditAnnotation for
 // restrictions on when this can be called.
 func AddAuditAnnotationsMap(ctx context.Context, annotations map[string]string) {
-	mutex, ok := auditAnnotationsMutex(ctx)
-	if !ok {
+	ac := AuditContextFrom(ctx)
+	if ac == nil {
 		// auditing is not enabled
 		return
 	}

-	mutex.Lock()
-	defer mutex.Unlock()
-
-	ae := AuditEventFrom(ctx)
-	var ctxAnnotations *[]annotation
-	if ae == nil {
-		ctxAnnotations, _ = ctx.Value(auditAnnotationsKey).(*[]annotation)
-	}
+	ac.annotationMutex.Lock()
+	defer ac.annotationMutex.Unlock()

 	for k, v := range annotations {
-		addAuditAnnotationLocked(ae, ctxAnnotations, k, v)
+		addAuditAnnotationLocked(ac, k, v)
 	}
 }

 // addAuditAnnotationLocked is the shared code for recording an audit annotation. This method should
 // only be called while the auditAnnotationsMutex is locked.
-func addAuditAnnotationLocked(ae *auditinternal.Event, annotations *[]annotation, key, value string) {
-	if ae != nil {
-		logAnnotation(ae, key, value)
-	} else if annotations != nil {
-		*annotations = append(*annotations, annotation{key: key, value: value})
+func addAuditAnnotationLocked(ac *AuditContext, key, value string) {
+	if ac.Event != nil {
+		logAnnotation(ac.Event, key, value)
+	} else {
+		ac.annotations = append(ac.annotations, annotation{key: key, value: value})
 	}
 }

 // This is private to prevent reads/write to the slice from outside of this package.
 // The audit event should be directly read to get access to the annotations.
 func addAuditAnnotationsFrom(ctx context.Context, ev *auditinternal.Event) {
-	mutex, ok := auditAnnotationsMutex(ctx)
-	if !ok {
+	ac := AuditContextFrom(ctx)
+	if ac == nil {
 		// auditing is not enabled
 		return
 	}

-	mutex.Lock()
-	defer mutex.Unlock()
+	ac.annotationMutex.Lock()
+	defer ac.annotationMutex.Unlock()

-	annotations, ok := ctx.Value(auditAnnotationsKey).(*[]annotation)
-	if !ok {
-		return // no annotations to copy
-	}
-
-	for _, kv := range *annotations {
+	for _, kv := range ac.annotations {
 		logAnnotation(ev, kv.key, kv.value)
 	}
 }
@@ -185,12 +156,13 @@ func logAnnotation(ae *auditinternal.Event, key, value string) {
 	ae.Annotations[key] = value
 }

-// WithAuditContext returns a new context that stores the pair of the audit
-// configuration object that applies to the given request and
-// the audit event that is going to be written to the API audit log.
-func WithAuditContext(parent context.Context, ev *AuditContext) context.Context {
-	parent = withAuditAnnotationsMutex(parent)
-	return genericapirequest.WithValue(parent, auditKey, ev)
+// WithAuditContext returns a new context that stores the AuditContext.
+func WithAuditContext(parent context.Context) context.Context {
+	if AuditContextFrom(parent) != nil {
+		return parent // Avoid double registering.
+	}
+
+	return genericapirequest.WithValue(parent, auditKey, &AuditContext{})
 }

 // AuditEventFrom returns the audit event struct on the ctx
@@ -209,17 +181,46 @@ func AuditContextFrom(ctx context.Context) *AuditContext {
 	return ev
 }

-// WithAuditAnnotationMutex adds a mutex for guarding context.AddAuditAnnotation.
-func withAuditAnnotationsMutex(parent context.Context) context.Context {
-	if _, ok := parent.Value(auditAnnotationsMutexKey).(*sync.Mutex); ok {
-		return parent
+// WithAuditID sets the AuditID on the AuditContext. The AuditContext must already be present in the
+// request context. If the specified auditID is empty, no value is set.
+func WithAuditID(ctx context.Context, auditID types.UID) {
+	if auditID == "" {
+		return
+	}
+	ac := AuditContextFrom(ctx)
+	if ac == nil {
+		return
+	}
+	ac.auditID = auditID
+	if ac.Event != nil {
+		ac.Event.AuditID = auditID
 	}
-	var mutex sync.Mutex
-	return genericapirequest.WithValue(parent, auditAnnotationsMutexKey, &mutex)
 }

-// AuditAnnotationsMutex returns the audit annotations mutex from the context.
-func auditAnnotationsMutex(ctx context.Context) (*sync.Mutex, bool) {
-	mutex, ok := ctx.Value(auditAnnotationsMutexKey).(*sync.Mutex)
-	return mutex, ok
+// AuditIDFrom returns the value of the audit ID from the request context.
+func AuditIDFrom(ctx context.Context) (types.UID, bool) {
+	if ac := AuditContextFrom(ctx); ac != nil {
+		return ac.auditID, ac.auditID != ""
+	}
+	return "", false
+}
+
+// GetAuditIDTruncated returns the audit ID (truncated) from the request context.
+// If the length of the Audit-ID value exceeds the limit, we truncate it to keep
+// the first N (maxAuditIDLength) characters.
+// This is intended to be used in logging only.
+func GetAuditIDTruncated(ctx context.Context) string {
+	auditID, ok := AuditIDFrom(ctx)
+	if !ok {
+		return ""
+	}
+
+	// if the user has specified a very long audit ID then we will use the first N characters
+	// Note: assuming Audit-ID header is in ASCII
+	const maxAuditIDLength = 64
+	if len(auditID) > maxAuditIDLength {
+		auditID = auditID[:maxAuditIDLength]
+	}
+
+	return string(auditID)
 }
--- a/vendor/k8s.io/apiserver/pkg/audit/evaluator.go
+++ b/vendor/k8s.io/apiserver/pkg/audit/evaluator.go
@@ -21,18 +21,6 @@ import (
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 )

-// AuditContext is a pair of the audit configuration object that applies to
-// a given request and the audit Event object that is being captured.
-// It's a convenient placeholder to store both these objects in the request context.
-type AuditContext struct {
-	// RequestAuditConfig is the audit configuration that applies to the request
-	RequestAuditConfig RequestAuditConfig
-
-	// Event is the audit Event object that is being captured to be written in
-	// the API audit log. It is set to nil when the request is not being audited.
-	Event *audit.Event
-}
-
 // RequestAuditConfig is the evaluated audit configuration that is applicable to
 // a given request. PolicyRuleEvaluator evaluates the audit policy against the
 // authorizer attributes and returns a RequestAuditConfig that applies to the request.
--- a/vendor/k8s.io/apiserver/pkg/audit/policy/reader.go
+++ b/vendor/k8s.io/apiserver/pkg/audit/policy/reader.go
@@ -20,12 +20,13 @@ import (
 	"fmt"
 	"io/ioutil"

+	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/runtime/serializer"
 	auditinternal "k8s.io/apiserver/pkg/apis/audit"
 	auditv1 "k8s.io/apiserver/pkg/apis/audit/v1"
 	"k8s.io/apiserver/pkg/apis/audit/validation"
 	"k8s.io/apiserver/pkg/audit"
-
 	"k8s.io/klog/v2"
 )

@@ -61,11 +62,23 @@ func LoadPolicyFromFile(filePath string) (*auditinternal.Policy, error) {

 func LoadPolicyFromBytes(policyDef []byte) (*auditinternal.Policy, error) {
 	policy := &auditinternal.Policy{}
-	decoder := audit.Codecs.UniversalDecoder(apiGroupVersions...)
+	strictDecoder := serializer.NewCodecFactory(audit.Scheme, serializer.EnableStrict).UniversalDecoder()

-	_, gvk, err := decoder.Decode(policyDef, nil, policy)
+	// Try strict decoding first.
+	_, gvk, err := strictDecoder.Decode(policyDef, nil, policy)
 	if err != nil {
-		return nil, fmt.Errorf("failed decoding: %v", err)
+		if !runtime.IsStrictDecodingError(err) {
+			return nil, fmt.Errorf("failed decoding: %w", err)
+		}
+		var (
+			lenientDecoder = audit.Codecs.UniversalDecoder(apiGroupVersions...)
+			lenientErr     error
+		)
+		_, gvk, lenientErr = lenientDecoder.Decode(policyDef, nil, policy)
+		if lenientErr != nil {
+			return nil, fmt.Errorf("failed lenient decoding: %w", lenientErr)
+		}
+		klog.Warningf("Audit policy contains errors, falling back to lenient decoding: %v", err)
 	}

 	// Ensure the policy file contained an apiVersion and kind.
--- a/vendor/k8s.io/apiserver/pkg/audit/request.go
+++ b/vendor/k8s.io/apiserver/pkg/audit/request.go
@@ -21,7 +21,6 @@ import (
 	"context"
 	"fmt"
 	"net/http"
-	"reflect"
 	"time"

 	authnv1 "k8s.io/api/authentication/v1"
@@ -34,7 +33,6 @@ import (
 	auditinternal "k8s.io/apiserver/pkg/apis/audit"
 	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
-	"k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/klog/v2"

 	"github.com/google/uuid"
@@ -54,7 +52,7 @@ func NewEventFromRequest(req *http.Request, requestReceivedTimestamp time.Time,
 		Level:                    level,
 	}

-	auditID, found := request.AuditIDFrom(req.Context())
+	auditID, found := AuditIDFrom(req.Context())
 	if !found {
 		auditID = types.UID(uuid.New().String())
 	}
@@ -154,7 +152,7 @@ func LogRequestObject(ctx context.Context, obj runtime.Object, objGV schema.Grou
 	if shouldOmitManagedFields(ctx) {
 		copy, ok, err := copyWithoutManagedFields(obj)
 		if err != nil {
-			klog.Warningf("error while dropping managed fields from the request for %q error: %v", reflect.TypeOf(obj).Name(), err)
+			klog.ErrorS(err, "Error while dropping managed fields from the request", "auditID", ae.AuditID)
 		}
 		if ok {
 			obj = copy
@@ -166,7 +164,7 @@ func LogRequestObject(ctx context.Context, obj runtime.Object, objGV schema.Grou
 	ae.RequestObject, err = encodeObject(obj, objGV, s)
 	if err != nil {
 		// TODO(audit): add error slice to audit event struct
-		klog.Warningf("Auditing failed of %v request: %v", reflect.TypeOf(obj).Name(), err)
+		klog.ErrorS(err, "Encoding failed of request object", "auditID", ae.AuditID, "gvr", gvr.String(), "obj", obj)
 		return
 	}
 }
@@ -209,7 +207,7 @@ func LogResponseObject(ctx context.Context, obj runtime.Object, gv schema.GroupV
 	if shouldOmitManagedFields(ctx) {
 		copy, ok, err := copyWithoutManagedFields(obj)
 		if err != nil {
-			klog.Warningf("error while dropping managed fields from the response for %q error: %v", reflect.TypeOf(obj).Name(), err)
+			klog.ErrorS(err, "Error while dropping managed fields from the response", "auditID", ae.AuditID)
 		}
 		if ok {
 			obj = copy
@@ -220,7 +218,7 @@ func LogResponseObject(ctx context.Context, obj runtime.Object, gv schema.GroupV
 	var err error
 	ae.ResponseObject, err = encodeObject(obj, gv, s)
 	if err != nil {
-		klog.Warningf("Audit failed for %q response: %v", reflect.TypeOf(obj).Name(), err)
+		klog.ErrorS(err, "Encoding failed of response object", "auditID", ae.AuditID, "obj", obj)
 	}
 }