Upgrade k8s package verison (#5358)
* upgrade k8s package version Signed-off-by: hongzhouzi <hongzhouzi@kubesphere.io> * Script upgrade and code formatting. Signed-off-by: hongzhouzi <hongzhouzi@kubesphere.io> Signed-off-by: hongzhouzi <hongzhouzi@kubesphere.io>
This commit is contained in:
hongzhouzi
64
vendor/k8s.io/apiserver/pkg/audit/policy/checker.go
generated
vendored
64
vendor/k8s.io/apiserver/pkg/audit/policy/checker.go
generated
vendored
@@ -20,6 +20,7 @@ import (
|
||||
"strings"
|
||||
|
||||
"k8s.io/apiserver/pkg/apis/audit"
|
||||
auditinternal "k8s.io/apiserver/pkg/audit"
|
||||
"k8s.io/apiserver/pkg/authorization/authorizer"
|
||||
)
|
||||
|
||||
@@ -28,18 +29,12 @@ const (
|
||||
DefaultAuditLevel = audit.LevelNone
|
||||
)
|
||||
|
||||
// Checker exposes methods for checking the policy rules.
|
||||
type Checker interface {
|
||||
// Check the audit level for a request with the given authorizer attributes.
|
||||
LevelAndStages(authorizer.Attributes) (audit.Level, []audit.Stage)
|
||||
}
|
||||
|
||||
// NewChecker creates a new policy checker.
|
||||
func NewChecker(policy *audit.Policy) Checker {
|
||||
// NewPolicyRuleEvaluator creates a new policy rule evaluator.
|
||||
func NewPolicyRuleEvaluator(policy *audit.Policy) auditinternal.PolicyRuleEvaluator {
|
||||
for i, rule := range policy.Rules {
|
||||
policy.Rules[i].OmitStages = unionStages(policy.OmitStages, rule.OmitStages)
|
||||
}
|
||||
return &policyChecker{*policy}
|
||||
return &policyRuleEvaluator{*policy}
|
||||
}
|
||||
|
||||
func unionStages(stageLists ...[]audit.Stage) []audit.Stage {
|
||||
@@ -56,22 +51,48 @@ func unionStages(stageLists ...[]audit.Stage) []audit.Stage {
|
||||
return result
|
||||
}
|
||||
|
||||
// FakeChecker creates a checker that returns a constant level for all requests (for testing).
|
||||
func FakeChecker(level audit.Level, stage []audit.Stage) Checker {
|
||||
return &fakeChecker{level, stage}
|
||||
// NewFakePolicyRuleEvaluator creates a fake policy rule evaluator that returns
|
||||
// a constant level for all requests (for testing).
|
||||
func NewFakePolicyRuleEvaluator(level audit.Level, stage []audit.Stage) auditinternal.PolicyRuleEvaluator {
|
||||
return &fakePolicyRuleEvaluator{level, stage}
|
||||
}
|
||||
|
||||
type policyChecker struct {
|
||||
type policyRuleEvaluator struct {
|
||||
audit.Policy
|
||||
}
|
||||
|
||||
func (p *policyChecker) LevelAndStages(attrs authorizer.Attributes) (audit.Level, []audit.Stage) {
|
||||
func (p *policyRuleEvaluator) EvaluatePolicyRule(attrs authorizer.Attributes) auditinternal.RequestAuditConfigWithLevel {
|
||||
for _, rule := range p.Rules {
|
||||
if ruleMatches(&rule, attrs) {
|
||||
return rule.Level, rule.OmitStages
|
||||
return auditinternal.RequestAuditConfigWithLevel{
|
||||
Level: rule.Level,
|
||||
RequestAuditConfig: auditinternal.RequestAuditConfig{
|
||||
OmitStages: rule.OmitStages,
|
||||
OmitManagedFields: isOmitManagedFields(&rule, p.OmitManagedFields),
|
||||
},
|
||||
}
|
||||
}
|
||||
}
|
||||
return DefaultAuditLevel, p.OmitStages
|
||||
|
||||
return auditinternal.RequestAuditConfigWithLevel{
|
||||
Level: DefaultAuditLevel,
|
||||
RequestAuditConfig: auditinternal.RequestAuditConfig{
|
||||
OmitStages: p.OmitStages,
|
||||
OmitManagedFields: p.OmitManagedFields,
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
// isOmitManagedFields returns whether to omit managed fields from the request
|
||||
// and response bodies from being written to the API audit log.
|
||||
// If a user specifies OmitManagedFields inside a policy rule, that overrides
|
||||
// the global policy default in Policy.OmitManagedFields.
|
||||
func isOmitManagedFields(policyRule *audit.PolicyRule, policyDefault bool) bool {
|
||||
if policyRule.OmitManagedFields == nil {
|
||||
return policyDefault
|
||||
}
|
||||
|
||||
return *policyRule.OmitManagedFields
|
||||
}
|
||||
|
||||
// Check whether the rule matches the request attrs.
|
||||
@@ -209,11 +230,16 @@ func hasString(slice []string, value string) bool {
|
||||
return false
|
||||
}
|
||||
|
||||
type fakeChecker struct {
|
||||
type fakePolicyRuleEvaluator struct {
|
||||
level audit.Level
|
||||
stage []audit.Stage
|
||||
}
|
||||
|
||||
func (f *fakeChecker) LevelAndStages(_ authorizer.Attributes) (audit.Level, []audit.Stage) {
|
||||
return f.level, f.stage
|
||||
func (f *fakePolicyRuleEvaluator) EvaluatePolicyRule(_ authorizer.Attributes) auditinternal.RequestAuditConfigWithLevel {
|
||||
return auditinternal.RequestAuditConfigWithLevel{
|
||||
Level: f.level,
|
||||
RequestAuditConfig: auditinternal.RequestAuditConfig{
|
||||
OmitStages: f.stage,
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user