Upgrade k8s package verison (#5358)

* upgrade k8s package version Signed-off-by: hongzhouzi <hongzhouzi@kubesphere.io> * Script upgrade and code formatting. Signed-off-by: hongzhouzi <hongzhouzi@kubesphere.io> Signed-off-by: hongzhouzi <hongzhouzi@kubesphere.io>
2022-11-15 14:56:38 +08:00
parent 5f91c1663a
commit 44167aa47a
3106 changed files with 321340 additions and 172080 deletions
--- a/vendor/k8s.io/apiserver/pkg/audit/policy/checker.go
+++ b/vendor/k8s.io/apiserver/pkg/audit/policy/checker.go
@@ -20,6 +20,7 @@ import (
 	"strings"

 	"k8s.io/apiserver/pkg/apis/audit"
+	auditinternal "k8s.io/apiserver/pkg/audit"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 )

@@ -28,18 +29,12 @@ const (
 	DefaultAuditLevel = audit.LevelNone
 )

-// Checker exposes methods for checking the policy rules.
-type Checker interface {
-	// Check the audit level for a request with the given authorizer attributes.
-	LevelAndStages(authorizer.Attributes) (audit.Level, []audit.Stage)
-}
-
-// NewChecker creates a new policy checker.
-func NewChecker(policy *audit.Policy) Checker {
+// NewPolicyRuleEvaluator creates a new policy rule evaluator.
+func NewPolicyRuleEvaluator(policy *audit.Policy) auditinternal.PolicyRuleEvaluator {
 	for i, rule := range policy.Rules {
 		policy.Rules[i].OmitStages = unionStages(policy.OmitStages, rule.OmitStages)
 	}
-	return &policyChecker{*policy}
+	return &policyRuleEvaluator{*policy}
 }

 func unionStages(stageLists ...[]audit.Stage) []audit.Stage {
@@ -56,22 +51,48 @@ func unionStages(stageLists ...[]audit.Stage) []audit.Stage {
 	return result
 }

-// FakeChecker creates a checker that returns a constant level for all requests (for testing).
-func FakeChecker(level audit.Level, stage []audit.Stage) Checker {
-	return &fakeChecker{level, stage}
+// NewFakePolicyRuleEvaluator creates a fake policy rule evaluator that returns
+// a constant level for all requests (for testing).
+func NewFakePolicyRuleEvaluator(level audit.Level, stage []audit.Stage) auditinternal.PolicyRuleEvaluator {
+	return &fakePolicyRuleEvaluator{level, stage}
 }

-type policyChecker struct {
+type policyRuleEvaluator struct {
 	audit.Policy
 }

-func (p *policyChecker) LevelAndStages(attrs authorizer.Attributes) (audit.Level, []audit.Stage) {
+func (p *policyRuleEvaluator) EvaluatePolicyRule(attrs authorizer.Attributes) auditinternal.RequestAuditConfigWithLevel {
 	for _, rule := range p.Rules {
 		if ruleMatches(&rule, attrs) {
-			return rule.Level, rule.OmitStages
+			return auditinternal.RequestAuditConfigWithLevel{
+				Level: rule.Level,
+				RequestAuditConfig: auditinternal.RequestAuditConfig{
+					OmitStages:        rule.OmitStages,
+					OmitManagedFields: isOmitManagedFields(&rule, p.OmitManagedFields),
+				},
+			}
 		}
 	}
-	return DefaultAuditLevel, p.OmitStages
+
+	return auditinternal.RequestAuditConfigWithLevel{
+		Level: DefaultAuditLevel,
+		RequestAuditConfig: auditinternal.RequestAuditConfig{
+			OmitStages:        p.OmitStages,
+			OmitManagedFields: p.OmitManagedFields,
+		},
+	}
+}
+
+// isOmitManagedFields returns whether to omit managed fields from the request
+// and response bodies from being written to the API audit log.
+// If a user specifies OmitManagedFields inside a policy rule, that overrides
+// the global policy default in Policy.OmitManagedFields.
+func isOmitManagedFields(policyRule *audit.PolicyRule, policyDefault bool) bool {
+	if policyRule.OmitManagedFields == nil {
+		return policyDefault
+	}
+
+	return *policyRule.OmitManagedFields
 }

 // Check whether the rule matches the request attrs.
@@ -209,11 +230,16 @@ func hasString(slice []string, value string) bool {
 	return false
 }

-type fakeChecker struct {
+type fakePolicyRuleEvaluator struct {
 	level audit.Level
 	stage []audit.Stage
 }

-func (f *fakeChecker) LevelAndStages(_ authorizer.Attributes) (audit.Level, []audit.Stage) {
-	return f.level, f.stage
+func (f *fakePolicyRuleEvaluator) EvaluatePolicyRule(_ authorizer.Attributes) auditinternal.RequestAuditConfigWithLevel {
+	return auditinternal.RequestAuditConfigWithLevel{
+		Level: f.level,
+		RequestAuditConfig: auditinternal.RequestAuditConfig{
+			OmitStages: f.stage,
+		},
+	}
 }
--- a/vendor/k8s.io/apiserver/pkg/audit/policy/enforce.go
+++ b/vendor/k8s.io/apiserver/pkg/audit/policy/enforce.go
@@ -1,53 +0,0 @@
-/*
-Copyright 2018 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package policy
-
-import (
-	"fmt"
-
-	"k8s.io/apiserver/pkg/apis/audit"
-)
-
-// EnforcePolicy drops any part of the event that doesn't conform to a policy level
-// or omitStages and sets the event level accordingly
-func EnforcePolicy(event *audit.Event, level audit.Level, omitStages []audit.Stage) (*audit.Event, error) {
-	for _, stage := range omitStages {
-		if event.Stage == stage {
-			return nil, nil
-		}
-	}
-	return enforceLevel(event, level)
-}
-
-func enforceLevel(event *audit.Event, level audit.Level) (*audit.Event, error) {
-	switch level {
-	case audit.LevelMetadata:
-		event.Level = audit.LevelMetadata
-		event.ResponseObject = nil
-		event.RequestObject = nil
-	case audit.LevelRequest:
-		event.Level = audit.LevelRequest
-		event.ResponseObject = nil
-	case audit.LevelRequestResponse:
-		event.Level = audit.LevelRequestResponse
-	case audit.LevelNone:
-		return nil, nil
-	default:
-		return nil, fmt.Errorf("level unknown: %s", level)
-	}
-	return event, nil
-}
--- a/vendor/k8s.io/apiserver/pkg/audit/policy/reader.go
+++ b/vendor/k8s.io/apiserver/pkg/audit/policy/reader.go
@@ -23,8 +23,6 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	auditinternal "k8s.io/apiserver/pkg/apis/audit"
 	auditv1 "k8s.io/apiserver/pkg/apis/audit/v1"
-	auditv1alpha1 "k8s.io/apiserver/pkg/apis/audit/v1alpha1"
-	auditv1beta1 "k8s.io/apiserver/pkg/apis/audit/v1beta1"
 	"k8s.io/apiserver/pkg/apis/audit/validation"
 	"k8s.io/apiserver/pkg/audit"

@@ -33,8 +31,6 @@ import (

 var (
 	apiGroupVersions = []schema.GroupVersion{
-		auditv1beta1.SchemeGroupVersion,
-		auditv1alpha1.SchemeGroupVersion,
 		auditv1.SchemeGroupVersion,
 	}
 	apiGroupVersionSet = map[schema.GroupVersion]bool{}
@@ -78,10 +74,6 @@ func LoadPolicyFromBytes(policyDef []byte) (*auditinternal.Policy, error) {
 		return nil, fmt.Errorf("unknown group version field %v in policy", gvk)
 	}

-	if gv != auditv1.SchemeGroupVersion {
-		klog.Warningf("%q is deprecated and will be removed in a future release, use %q instead", gv, auditv1.SchemeGroupVersion)
-	}
-
 	if err := validation.ValidatePolicy(policy); err != nil {
 		return nil, err.ToAggregate()
 	}
--- a/vendor/k8s.io/apiserver/pkg/audit/policy/util.go
+++ b/vendor/k8s.io/apiserver/pkg/audit/policy/util.go
@@ -24,10 +24,10 @@ import (
 // AllStages returns all possible stages
 func AllStages() sets.String {
 	return sets.NewString(
-		audit.StageRequestReceived,
-		audit.StageResponseStarted,
-		audit.StageResponseComplete,
-		audit.StagePanic,
+		string(audit.StageRequestReceived),
+		string(audit.StageResponseStarted),
+		string(audit.StageResponseComplete),
+		string(audit.StagePanic),
 	)
 }