ignore dryRun k8s request when auditing

Signed-off-by: wanjunlei <wanjunlei@yunify.com>

pkg/apiserver/auditing/types.go

@@ -33,7 +33,7 @@ type Auditing interface {
 	Enabled() bool
 	K8sAuditingEnabled() bool
 	LogRequestObject(req *http.Request, info *request.RequestInfo) *auditv1alpha1.Event
-	LogResponseObject(e *auditv1alpha1.Event, resp *ResponseCapture, info *request.RequestInfo)
+	LogResponseObject(e *auditv1alpha1.Event, resp *ResponseCapture)
 }
 
 type auditing struct {
@@ -96,6 +96,17 @@ func (a *auditing) K8sAuditingEnabled() bool {
 //
 func (a *auditing) LogRequestObject(req *http.Request, info *request.RequestInfo) *auditv1alpha1.Event {
 
+	// Ignore the dryRun k8s request.
+	if info.IsKubernetesRequest {
+		values := req.URL.Query()
+		if v, ok := values["dryRun"]; ok {
+			if len(v) > 0 && v[0] == v1.DryRunAll {
+				klog.V(6).Infof("ignore dryRun request %s", req.URL.Path)
+				return nil
+			}
+		}
+	}
+
 	e := &auditv1alpha1.Event{
 		Workspace: info.Workspace,
 		Cluster:   info.Cluster,
@@ -175,7 +186,7 @@ func (a *auditing) LogRequestObject(req *http.Request, info *request.RequestInfo
 	return e
 }
 
-func (a *auditing) LogResponseObject(e *auditv1alpha1.Event, resp *ResponseCapture, info *request.RequestInfo) {
+func (a *auditing) LogResponseObject(e *auditv1alpha1.Event, resp *ResponseCapture) {
 
 	e.StageTimestamp = v1.NewMicroTime(time.Now())
 	e.ResponseStatus = &v1.Status{Code: int32(resp.StatusCode())}

pkg/apiserver/auditing/types_test.go

@@ -252,7 +252,7 @@ func TestAuditing_LogResponseObject(t *testing.T) {
 	resp := NewResponseCapture(httptest.NewRecorder())
 	resp.WriteHeader(200)
 
-	a.LogResponseObject(e, resp, info)
+	a.LogResponseObject(e, resp)
 
 	expectedEvent := &v1alpha12.Event{
 		Event: audit.Event{

pkg/apiserver/filters/auditing.go

@@ -33,10 +33,13 @@ func WithAuditing(handler http.Handler, a auditing.Auditing) http.Handler {
 		}
 
 		e := a.LogRequestObject(req, info)
-		req = req.WithContext(request.WithAuditEvent(req.Context(), e))
+		if e != nil {
-		resp := auditing.NewResponseCapture(w)
+			resp := auditing.NewResponseCapture(w)
-		handler.ServeHTTP(resp, req)
+			handler.ServeHTTP(resp, req)
 
-		go a.LogResponseObject(e, resp, info)
+			go a.LogResponseObject(e, resp)
+		} else {
+			handler.ServeHTTP(w, req)
+		}
 	})
 }

pkg/apiserver/request/context.go

@@ -18,9 +18,8 @@ package request
 
 import (
 	"context"
-	"kubesphere.io/kubesphere/pkg/apiserver/auditing/v1alpha1"
-
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apiserver/pkg/apis/audit"
 	"k8s.io/apiserver/pkg/authentication/user"
 )
 
@@ -87,12 +86,12 @@ func UserFrom(ctx context.Context) (user.Info, bool) {
 }
 
 // WithAuditEvent returns set audit event struct.
-func WithAuditEvent(parent context.Context, ev *v1alpha1.Event) context.Context {
+func WithAuditEvent(parent context.Context, ev *audit.Event) context.Context {
 	return WithValue(parent, auditKey, ev)
 }
 
 // AuditEventFrom returns the audit event struct on the ctx
-func AuditEventFrom(ctx context.Context) *v1alpha1.Event {
+func AuditEventFrom(ctx context.Context) *audit.Event {
-	ev, _ := ctx.Value(auditKey).(*v1alpha1.Event)
+	ev, _ := ctx.Value(auditKey).(*audit.Event)
 	return ev
 }