diff --git a/pkg/apiserver/auditing/types.go b/pkg/apiserver/auditing/types.go index 41df70fe7..07b9c19f4 100644 --- a/pkg/apiserver/auditing/types.go +++ b/pkg/apiserver/auditing/types.go @@ -33,7 +33,7 @@ type Auditing interface { Enabled() bool K8sAuditingEnabled() bool LogRequestObject(req *http.Request, info *request.RequestInfo) *auditv1alpha1.Event - LogResponseObject(e *auditv1alpha1.Event, resp *ResponseCapture, info *request.RequestInfo) + LogResponseObject(e *auditv1alpha1.Event, resp *ResponseCapture) } type auditing struct { @@ -96,6 +96,17 @@ func (a *auditing) K8sAuditingEnabled() bool { // func (a *auditing) LogRequestObject(req *http.Request, info *request.RequestInfo) *auditv1alpha1.Event { + // Ignore the dryRun k8s request. + if info.IsKubernetesRequest { + values := req.URL.Query() + if v, ok := values["dryRun"]; ok { + if len(v) > 0 && v[0] == v1.DryRunAll { + klog.V(6).Infof("ignore dryRun request %s", req.URL.Path) + return nil + } + } + } + e := &auditv1alpha1.Event{ Workspace: info.Workspace, Cluster: info.Cluster, @@ -175,7 +186,7 @@ func (a *auditing) LogRequestObject(req *http.Request, info *request.RequestInfo return e } -func (a *auditing) LogResponseObject(e *auditv1alpha1.Event, resp *ResponseCapture, info *request.RequestInfo) { +func (a *auditing) LogResponseObject(e *auditv1alpha1.Event, resp *ResponseCapture) { e.StageTimestamp = v1.NewMicroTime(time.Now()) e.ResponseStatus = &v1.Status{Code: int32(resp.StatusCode())} diff --git a/pkg/apiserver/auditing/types_test.go b/pkg/apiserver/auditing/types_test.go index 85ccf8f37..ffd87f27d 100644 --- a/pkg/apiserver/auditing/types_test.go +++ b/pkg/apiserver/auditing/types_test.go @@ -252,7 +252,7 @@ func TestAuditing_LogResponseObject(t *testing.T) { resp := NewResponseCapture(httptest.NewRecorder()) resp.WriteHeader(200) - a.LogResponseObject(e, resp, info) + a.LogResponseObject(e, resp) expectedEvent := &v1alpha12.Event{ Event: audit.Event{ 
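Review bot: The new early return in LogRequestObject drops the audit record whenever a Kubernetes request carries a client-supplied `dryRun=All` query value, without checking that the request is one the API server will actually treat as a dry run. Dry run only has meaning for mutating calls, so a read or connect-style request carrying the parameter would, as far as this hunk shows, be served with no audit event at all. I would gate the skip on the method, e.g. `if info.IsKubernetesRequest && req.Method != http.MethodGet {`, or better keep a minimal event and mark it as a dry run instead of returning nil. The only trace left is a `klog.V(6)` line, which is normally off in production, and the types_test.go hunk adds no case for the nil return. The function body continues outside the hunk.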
diff --git a/pkg/apiserver/filters/auditing.go b/pkg/apiserver/filters/auditing.go index e17d84de0..8c80ad53a 100644 --- a/pkg/apiserver/filters/auditing.go +++ b/pkg/apiserver/filters/auditing.go @@ -33,10 +33,13 @@ func WithAuditing(handler http.Handler, a auditing.Auditing) http.Handler { } e := a.LogRequestObject(req, info) - req = req.WithContext(request.WithAuditEvent(req.Context(), e)) - resp := auditing.NewResponseCapture(w) - handler.ServeHTTP(resp, req) + if e != nil { + resp := auditing.NewResponseCapture(w) + handler.ServeHTTP(resp, req) - go a.LogResponseObject(e, resp, info) + go a.LogResponseObject(e, resp) + } else { + handler.ServeHTTP(w, req) + } }) } diff --git a/pkg/apiserver/request/context.go b/pkg/apiserver/request/context.go index 41154176c..d65b11309 100644 --- a/pkg/apiserver/request/context.go +++ b/pkg/apiserver/request/context.go @@ -18,9 +18,8 @@ package request import ( "context" - "kubesphere.io/kubesphere/pkg/apiserver/auditing/v1alpha1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apiserver/pkg/apis/audit" "k8s.io/apiserver/pkg/authentication/user" ) @@ -87,12 +86,12 @@ func UserFrom(ctx context.Context) (user.Info, bool) { } // WithAuditEvent returns set audit event struct. -func WithAuditEvent(parent context.Context, ev *v1alpha1.Event) context.Context { +func WithAuditEvent(parent context.Context, ev *audit.Event) context.Context { return WithValue(parent, auditKey, ev) } // AuditEventFrom returns the audit event struct on the ctx -func AuditEventFrom(ctx context.Context) *v1alpha1.Event { - ev, _ := ctx.Value(auditKey).(*v1alpha1.Event) +func AuditEventFrom(ctx context.Context) *audit.Event { + ev, _ := ctx.Value(auditKey).(*audit.Event) return ev }
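Review bot: With `req = req.WithContext(request.WithAuditEvent(req.Context(), e))` removed, nothing in this filter puts the audit event on the request context any more, so `AuditEventFrom` in request/context.go will return nil to downstream handlers unless another filter stores one. Handlers that used it to fill in fields the URL cannot supply would silently stop enriching the record, and any that dereference the result without a nil check would panic. If auditv1alpha1.Event embeds `audit.Event` (the expected value in types_test.go suggests so), the attachment can be kept inside the `if e != nil` branch with `req = req.WithContext(request.WithAuditEvent(req.Context(), &e.Event))`. WithAuditing begins before this hunk.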
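Review bot: The comments on WithAuditEvent and AuditEventFrom in request/context.go do not say what callers get back, and AuditEventFrom discards the type-assertion result, so a missing or differently typed value yields nil without any signal. Since this hunk changes the stored type to `*audit.Event`, I would state the contract in the comments: `// WithAuditEvent returns a copy of parent that carries ev as the request's audit event.` and `// AuditEventFrom returns the audit event stored in ctx, or nil if none is set or the stored value is not an *audit.Event.`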