Merge pull request #11192 from soltysh/issue11037

Merged by openshift-bot

Author: OpenShift Bot

pkg/cmd/server/api/helpers.go

@@ -256,6 +256,8 @@ func GetMasterFileReferences(config *MasterConfig) []*string {
 		refs = append(refs, &config.ControllerConfig.ServiceServingCert.Signer.KeyFile)
 	}
 
+	refs = append(refs, &config.AuditConfig.AuditFilePath)
+
 	return refs
 }
 

pkg/cmd/server/api/types.go

@@ -325,6 +325,14 @@ type AuditConfig struct {
 	// If this flag is set, audit log will be printed in the logs.
 	// The logs contains, method, user and a requested URL.
 	Enabled bool
+	// All requests coming to the apiserver will be logged to this file.
+	AuditFilePath string
+	// Maximum number of days to retain old log files based on the timestamp encoded in their filename.
+	MaximumFileRetentionDays int
+	// Maximum number of old log files to retain.
+	MaximumRetainedFiles int
+	// Maximum size in megabytes of the log file before it gets rotated. Defaults to 100MB.
+	MaximumFileSizeMegabytes int
 }
 
 // JenkinsPipelineConfig holds configuration for the Jenkins pipeline strategy

pkg/cmd/server/api/v1/swagger_doc.go

@@ -75,8 +75,12 @@ func (AssetExtensionsConfig) SwaggerDoc() map[string]string {
 }
 
 var map_AuditConfig = map[string]string{
-	"":        "AuditConfig holds configuration for the audit capabilities",
-	"enabled": "If this flag is set, basic audit log will be printed in the logs. The logs contains, method, user and a requested URL.",
+	"":                         "AuditConfig holds configuration for the audit capabilities",
+	"enabled":                  "If this flag is set, audit log will be printed in the logs. The logs contains, method, user and a requested URL.",
+	"auditFilePath":            "All requests coming to the apiserver will be logged to this file.",
+	"maximumFileRetentionDays": "Maximum number of days to retain old log files based on the timestamp encoded in their filename.",
+	"maximumRetainedFiles":     "Maximum number of old log files to retain.",
+	"maximumFileSizeMegabytes": "Maximum size in megabytes of the log file before it gets rotated. Defaults to 100MB.",
 }
 
 func (AuditConfig) SwaggerDoc() map[string]string {

pkg/cmd/server/api/v1/types.go

@@ -248,9 +248,17 @@ type MasterConfig struct {
 
 // AuditConfig holds configuration for the audit capabilities
 type AuditConfig struct {
-	// If this flag is set, basic audit log will be printed in the logs.
+	// If this flag is set, audit log will be printed in the logs.
 	// The logs contains, method, user and a requested URL.
 	Enabled bool `json:"enabled"`
+	// All requests coming to the apiserver will be logged to this file.
+	AuditFilePath string `json:"auditFilePath"`
+	// Maximum number of days to retain old log files based on the timestamp encoded in their filename.
+	MaximumFileRetentionDays int `json:"maximumFileRetentionDays"`
+	// Maximum number of old log files to retain.
+	MaximumRetainedFiles int `json:"maximumRetainedFiles"`
+	// Maximum size in megabytes of the log file before it gets rotated. Defaults to 100MB.
+	MaximumFileSizeMegabytes int `json:"maximumFileSizeMegabytes"`
 }
 
 // JenkinsPipelineConfig holds configuration for the Jenkins pipeline strategy

pkg/cmd/server/api/v1/types_test.go

@@ -105,7 +105,11 @@ assetConfig:
     namedCertificates: null
     requestTimeoutSeconds: 0
 auditConfig:
+  auditFilePath: ""
   enabled: false
+  maximumFileRetentionDays: 0
+  maximumFileSizeMegabytes: 0
+  maximumRetainedFiles: 0
 controllerConfig:
   serviceServingCert:
     signer: null

pkg/cmd/server/api/validation/master.go

@@ -191,6 +191,28 @@ func ValidateMasterConfig(config *api.MasterConfig, fldPath *field.Path) Validat
 
 	validationResults.Append(ValidateControllerConfig(config.ControllerConfig, fldPath.Child("controllerConfig")))
 
+	validationResults.Append(ValidateAuditConfig(config.AuditConfig, fldPath.Child("auditConfig")))
+
+	return validationResults
+}
+
+func ValidateAuditConfig(config api.AuditConfig, fldPath *field.Path) ValidationResults {
+	validationResults := ValidationResults{}
+
+	if len(config.AuditFilePath) == 0 {
+		// for backwards compatibility reasons we can't error this out
+		validationResults.AddWarnings(field.Required(fldPath.Child("auditFilePath"), "audit can now be logged to a separate file"))
+	}
+	if config.MaximumFileRetentionDays < 0 {
+		validationResults.AddErrors(field.Invalid(fldPath.Child("maximumFileRetentionDays"), config.MaximumFileRetentionDays, "must be greater than or equal to 0"))
+	}
+	if config.MaximumRetainedFiles < 0 {
+		validationResults.AddErrors(field.Invalid(fldPath.Child("maximumRetainedFiles"), config.MaximumRetainedFiles, "must be greater than or equal to 0"))
+	}
+	if config.MaximumFileSizeMegabytes < 0 {
+		validationResults.AddErrors(field.Invalid(fldPath.Child("maximumFileSizeMegabytes"), config.MaximumFileSizeMegabytes, "must be greater than or equal to 0"))
+	}
+
 	return validationResults
 }
 

pkg/cmd/server/api/validation/master_test.go

@@ -383,7 +383,7 @@ func TestValidateAdmissionPluginConfigConflicts(t *testing.T) {
 	// these fields have warnings in the empty case
 	defaultWarningFields := sets.NewString(
 		"serviceAccountConfig.managedNames", "serviceAccountConfig.publicKeyFiles", "serviceAccountConfig.privateKeyFile", "serviceAccountConfig.masterCA",
-		"projectConfig.securityAllocator", "kubernetesMasterConfig.proxyClientInfo")
+		"projectConfig.securityAllocator", "kubernetesMasterConfig.proxyClientInfo", "auditConfig.auditFilePath")
 
 	for _, tc := range testCases {
 		results := ValidateMasterConfig(&tc.options, nil)

pkg/cmd/server/origin/audit.go

@@ -4,6 +4,7 @@ import (
 	"crypto/tls"
 	"encoding/json"
 	"fmt"
+	"io"
 	"net/http"
 	"os"
 	"regexp"
@@ -16,6 +17,7 @@ import (
 	"github.com/go-openapi/spec"
 	"github.com/golang/glog"
 	"github.com/prometheus/client_golang/prometheus"
+	"gopkg.in/natefinch/lumberjack.v2"
 
 	kapi "k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/api/meta"
@@ -25,6 +27,7 @@ import (
 	"k8s.io/kubernetes/pkg/apimachinery/registered"
 	v1beta1extensions "k8s.io/kubernetes/pkg/apis/extensions/v1beta1"
 	"k8s.io/kubernetes/pkg/apiserver"
+	"k8s.io/kubernetes/pkg/apiserver/audit"
 	"k8s.io/kubernetes/pkg/client/restclient"
 	kclient "k8s.io/kubernetes/pkg/client/unversioned"
 	clientadapter "k8s.io/kubernetes/pkg/client/unversioned/adapters/internalclientset"
@@ -185,7 +188,22 @@ func (c *MasterConfig) Run(protected []APIInstaller, unprotected []APIInstaller)
 	handler = c.authorizationFilter(handler)
 	handler = c.impersonationFilter(handler)
 	// audit handler must comes before the impersonationFilter to read the original user
-	handler = c.auditHandler(handler)
+	if c.Options.AuditConfig.Enabled {
+		attributeGetter := apiserver.NewRequestAttributeGetter(c.getRequestContextMapper(), c.getRequestInfoResolver())
+		var writer io.Writer
+		if len(c.Options.AuditConfig.AuditFilePath) > 0 {
+			writer = &lumberjack.Logger{
+				Filename:   c.Options.AuditConfig.AuditFilePath,
+				MaxAge:     c.Options.AuditConfig.MaximumFileRetentionDays,
+				MaxBackups: c.Options.AuditConfig.MaximumRetainedFiles,
+				MaxSize:    c.Options.AuditConfig.MaximumFileSizeMegabytes,
+			}
+		} else {
+			// backwards compatible writer to regular log
+			writer = cmdutil.NewGLogWriterV(0)
+		}
+		handler = audit.WithAudit(handler, attributeGetter, writer)
+	}
 	handler = authenticationHandlerFilter(handler, c.Authenticator, c.getRequestContextMapper())
 	handler = namespacingFilter(handler, c.getRequestContextMapper())
 	handler = cacheControlFilter(handler, "no-store") // protected endpoints should not be cached
@@ -915,6 +933,23 @@ func (c *MasterConfig) getRequestContextMapper() kapi.RequestContextMapper {
 	return c.RequestContextMapper
 }
 
+// getRequestInfoResolver returns a request resolver.
+func (c *MasterConfig) getRequestInfoResolver() *apiserver.RequestInfoResolver {
+	if c.RequestInfoResolver == nil {
+		c.RequestInfoResolver = &apiserver.RequestInfoResolver{
+			APIPrefixes: sets.NewString(strings.Trim(LegacyOpenShiftAPIPrefix, "/"),
+				strings.Trim(OpenShiftAPIPrefix, "/"),
+				strings.Trim(KubernetesAPIPrefix, "/"),
+				strings.Trim(KubernetesAPIGroupPrefix, "/")), // all possible API prefixes
+			GrouplessAPIPrefixes: sets.NewString(strings.Trim(LegacyOpenShiftAPIPrefix, "/"),
+				strings.Trim(OpenShiftAPIPrefix, "/"),
+				strings.Trim(KubernetesAPIPrefix, "/"),
+			), // APIPrefixes that won't have groups (legacy)
+		}
+	}
+	return c.RequestInfoResolver
+}
+
 // RouteAllocator returns a route allocation controller.
 func (c *MasterConfig) RouteAllocator() *routeallocationcontroller.RouteAllocationController {
 	osclient, kclient := c.RouteAllocatorClients()

pkg/cmd/server/origin/audit_test.go

@@ -111,6 +111,8 @@ type MasterConfig struct {
 
 	// RequestContextMapper maps requests to contexts
 	RequestContextMapper kapi.RequestContextMapper
+	// RequestInfoResolver is responsible for reading request attributes
+	RequestInfoResolver *apiserver.RequestInfoResolver
 
 	AdmissionControl admission.Interface