dynamic audit configuration api #67547
Conversation
k8s-ci-robot
added
size/XXL
|
/ok-to-test /assign @kubernetes/api-reviewers |
k8s-ci-robot
added
kind/api-change
|
@kubernetes/sig-api-machinery-api-reviews |
k8s-ci-robot
added
the
sig/api-machinery
|
@tallclair would you like to see the storage and registration pieces for the api here or in the other PR? |
|
I think they belong here. |
| @@ -0,0 +1,81 @@ | |||
|
|
|||
| #!/usr/bin/env bash | |||
There was a problem hiding this comment.
Why are we copying hack scripts into staging repos? That doesn't seem like a good precedent.
There was a problem hiding this comment.
I copied the pattern from the sample api server, should this be placed elsewhere?
There was a problem hiding this comment.
It looks like we already do this: https://github.com/kubernetes/kubernetes/blob/master/hack/update-codegen.sh#L133
If you follow this pattern, this script should be called from there too.
There was a problem hiding this comment.
yeah thats the pattern I went with, if we theres a new pattern were shooting for I'm happy to change
|
|
||
| // +k8s:openapi-gen=true | ||
| // WebhookClientConfig contains the information to make a connection with the webhook | ||
| type WebhookClientConfig struct { |
There was a problem hiding this comment.
Copied from the admission webhook configuration?
There was a problem hiding this comment.
yeah, it essentially needs the same methods but there were incompatibilities with the admission implementation. Talking internally we decided to factor it into a common package. This PR doesn't look to refactor the admission pieces but does allow the owners of that package the ability to go that route in the future.
| // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object | ||
|
|
||
| // Webhook describes a webhook and the resources and operations it applies to. | ||
| type Webhook struct { |
There was a problem hiding this comment.
I am confused about why this is a separate type from the backend configuration.
There was a problem hiding this comment.
yeah this may not be necessary, just wrapping the client configuration similar to the current admission package. We can scrap it
|
|
||
| // ClientConfig holds the connection parameters for the webhook | ||
| // required | ||
| ClientConfig apiv1alpha1.WebhookClientConfig |
There was a problem hiding this comment.
If this is supposed to be a reference to a webhook, shouldn't it be a name? OTOH if this is where the webhook configuration is stored, why is there a top level Webhook type?
There was a problem hiding this comment.
This is a nested webhook configuration, the top level webhook type was just to keep parity with the original design, it can be scrapped though
|
/assign |
|
Sounds good, please scrap the top-level webhook type :)
Unlike normal code, it's not problematic to copy the webhook configuration
API definition types instead of trying to reuse: you may want the
documentation to differ, for example.
…On Fri, Aug 17, 2018 at 1:13 PM Patrick Barker ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In staging/src/k8s.io/apiserver/hack/update-codegen.sh
<#67547 (comment)>
:
> @@ -0,0 +1,81 @@
+
+#!/usr/bin/env bash
I copied the pattern from the sample api server, should this be placed
elsewhere?
------------------------------
In staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/types.go
<#67547 (comment)>
:
> + // The name of the webhook.
+ // Required.
+ Name string `json:"name" protobuf:"bytes,2,opt,name=name"`
+
+ // ClientConfig defines how to communicate with the hook.
+ // Required
+ ClientConfig WebhookClientConfig `json:"clientConfig" protobuf:"bytes,3,opt,name=clientConfig"`
+}
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// +k8s:openapi-gen=true
+// WebhookClientConfig contains the information to make a connection with the webhook
+type WebhookClientConfig struct {
yeah, it essentially needs the same methods but there were
incompatibilities with the admission implementation. Talking internally we
decided to factor it into a common package. This PR doesn't look to
refactor the admission pieces but does allow the owners of that package the
ability to go that route in the future.
------------------------------
In staging/src/k8s.io/apiserver/pkg/apis/apiserver/types.go
<#67547 (comment)>
:
> @@ -48,3 +48,89 @@ type AdmissionPluginConfiguration struct {
// +optional
Configuration *runtime.Unknown
}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Webhook describes a webhook and the resources and operations it applies to.
+type Webhook struct {
yeah this may not be necessary, just wrapping the client configuration
similar to the current admission package. We can scrap it
------------------------------
In staging/src/k8s.io/apiserver/pkg/apis/audit/types.go
<#67547 (comment)>
:
> +
+ // ThrottleBurst is the maximum number of events sent at the same moment
+ // +optional
+ ThrottleBurst *int64
+
+ // ThrottleEnabled determines whether throttling is enabled
+ // +optional
+ ThrottleEnabled *bool
+
+ // ThrottleQPS maximum number of batches per second
+ // +optional
+ ThrottleQPS *float32
+
+ // ClientConfig holds the connection parameters for the webhook
+ // required
+ ClientConfig apiv1alpha1.WebhookClientConfig
This is a nested webhook configuration, the top level webhook type was
just to keep parity with the original design, it can be scrapped though
—
You are receiving this because you were assigned.
Reply to this email directly, view it on GitHub
<#67547 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAngll8-hOOr8Ig9CiJKI3ZLmAXQcpk8ks5uRyPtgaJpZM4WB3h0>
.
|
k8s-ci-robot
added
the
needs-rebase
pbarker
force-pushed
the
audit-api
branch
2 times, most recently
from
d52579d to
a0b5315
Compare
k8s-ci-robot
removed
the
needs-rebase
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: pbarker, thockin The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
|
||
| var ( | ||
| // DefaultQPS is the default QPS value | ||
| DefaultQPS = func(i int64) *int64 { return &i }(int64(10)) |
There was a problem hiding this comment.
Something got scrambled, no doubt in a comment I gave :)
I suggest making these consts, declaring func intPtr(i int64) *int64 { return &i } somewhere, and calling intPtr(DefaultQPS) in the DefaultThrottle function.
Making these constant will prevent people from taking their address, which is the error I think it's important to avoid.
pbarker
force-pushed
the
audit-api
branch
2 times, most recently
from
0a03327 to
1c16ef6
Compare
| DefaultBurst = int64(15) | ||
| ) | ||
|
|
||
| func intPtr(i int64) *int64 { return &i } |
There was a problem hiding this comment.
nit: use
utilpointer "k8s.io/utils/pointer"
utilpointer.Int64Ptr
(of dubious value, but we favour consistency...)
|
@lavalamp - I just noticed these APIs are being added to Kubernetes ( |
|
@tallclair that was initially explored but there were issues with the scheme #67547 (comment) In order to do this properly there wound need to be some fundamental changes to the apiserver |
|
@pbarker Thanks, but I interpreted that comment as separating audit & auditregistration into 2 different API groups. IIUC, the auditregistration API group could still be part of the apiserver apis. I don't feel particularly strongly on the distinction, but I'd like an ACK from someone with more of a stake in the difference. |
|
Sorry @tallclair, couldn't remember where all the conversations happened, there is more context here #67547 (comment) |
|
/retest |
|
@pbarker: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
| func DefaultThrottle() *auditregistrationv1alpha1.WebhookThrottleConfig { | ||
| return &auditregistrationv1alpha1.WebhookThrottleConfig{ | ||
| QPS: utilpointer.Int64Ptr(DefaultQPS), | ||
| Burst: utilpointer.Int64Ptr(DefaultBurst), |
There was a problem hiding this comment.
I argued so hard against making these library functions :( I just don't think it's worth the import dependency to avoid a 3 line function definition.
But this is tilting at windmills so I'm not asking for a change :(
There was a problem hiding this comment.
Yeah, sorry. To quote my original comment:
(of dubious value, but we favour consistency...)
|
Give me a minute to think about whether it now makes sense to put this in with the meta api. |
|
/milestone v1.13 |
|
/lgtm I don't want to block this any more. Likely it should go in a more general place. We can always move it later. |
k8s-ci-robot
added
the
lgtm
|
@pbarker In the design doc(https://github.com/kubernetes/community/blob/master/keps/sig-auth/0014-dynamic-audit-configuration.md), it is mentioned that the |
|
Hey @WanLinghao, this was a piece we iterated on in this PR. There was a desire to have the audit mechanism in the API be more composable and additive, so that as an app developer I could write audit rules and have them contained with the rest of my deployment configuration. So we temporarily slimmed down the audit policy so that we could do this rework as we head to beta. We'll be having some talks on this in the future. |
|
@pbarker So do we have any plan to push the Policy in dynamic audit feature into something similar with the one in legacy audit feature? |
|
@WanLinghao its not possible to delete fields from an API once you put them there. So we scoped down the policy object to the bare minimum until we have a clear direction, then it will be added to. |
What this PR does / why we need it:
Implements dynamic audit configuration api
Special notes for your reviewer:
This is just the api changes for the dynamic audit configuration feature. Part 2 of the implementation is here #67257
Release note: