
Commit 58ead1c

author
Kubernetes Submit Queue
authored
Merge pull request kubernetes#65862 from loburm/remove_basic_audit
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md. Promote AdvancedAuditing to GA **What this PR does / why we need it**: Removes deprecated legacy code used for basic audit logging in favor of advanced audit logging. ```release-note Promote AdvancedAuditing to GA, replacing the previous (legacy) audit logging mechanisms. ```
2 parents 8aea674 + 3f730d4 commit 58ead1c


14 files changed

+43
-415
lines changed


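--- a/cluster/gce/config-default.sh
+++ b/cluster/gce/config-default.sh
@@ -390,10 +390,6 @@ METADATA_CLOBBERS_CONFIG="${METADATA_CLOBBERS_CONFIG:-false}"
 
 ENABLE_BIG_CLUSTER_SUBNETS="${ENABLE_BIG_CLUSTER_SUBNETS:-false}"
 
-if [[ "${ENABLE_APISERVER_BASIC_AUDIT:-}" == "true" ]]; then
-echo "Warning: Basic audit logging is deprecated and will be removed. Please use advanced auditing instead."
-fi
-
 if [[ -n "${LOGROTATE_FILES_MAX_COUNT:-}" ]]; then
 PROVIDER_VARS="${PROVIDER_VARS:-} LOGROTATE_FILES_MAX_COUNT"
 fi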

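--- a/cluster/gce/config-test.sh
+++ b/cluster/gce/config-test.sh
@@ -404,10 +404,6 @@ ENABLE_LEGACY_ABAC="${ENABLE_LEGACY_ABAC:-false}" # true, false
 ENABLE_APISERVER_ADVANCED_AUDIT="${ENABLE_APISERVER_ADVANCED_AUDIT:-true}" # true, false
 ADVANCED_AUDIT_LOG_MODE="${ADVANCED_AUDIT_LOG_MODE:-batch}" # batch, blocking
 
-if [[ "${ENABLE_APISERVER_BASIC_AUDIT:-}" == "true" ]]; then
-echo "Warning: Basic audit logging is deprecated and will be removed. Please use advanced auditing instead."
-fi
-
 ENABLE_BIG_CLUSTER_SUBNETS="${ENABLE_BIG_CLUSTER_SUBNETS:-false}"
 
 if [[ -n "${LOGROTATE_FILES_MAX_COUNT:-}" ]]; then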

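--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -1528,26 +1528,7 @@ function start-kube-apiserver {
 local audit_policy_config_volume=""
 local audit_webhook_config_mount=""
 local audit_webhook_config_volume=""
-if [[ "${ENABLE_APISERVER_BASIC_AUDIT:-}" == "true" ]]; then
-# We currently only support enabling with a fixed path and with built-in log
-# rotation "disabled" (large value) so it behaves like kube-apiserver.log.
-# External log rotation should be set up the same as for kube-apiserver.log.
-params+=" --audit-log-path=/var/log/kube-apiserver-audit.log"
-params+=" --audit-log-maxage=0"
-params+=" --audit-log-maxbackup=0"
-# Lumberjack doesn't offer any way to disable size-based rotation. It also
-# has an in-memory counter that doesn't notice if you truncate the file.
-# 2000000000 (in MiB) is a large number that fits in 31 bits. If the log
-# grows at 10MiB/s (~30K QPS), it will rotate after ~6 years if apiserver
-# never restarts. Please manually restart apiserver before this time.
-params+=" --audit-log-maxsize=2000000000"
-# Disable AdvancedAuditing enabled by default
-if [[ -z "${FEATURE_GATES:-}" ]]; then
-FEATURE_GATES="AdvancedAuditing=false"
-else
-FEATURE_GATES="${FEATURE_GATES},AdvancedAuditing=false"
-fi
-elif [[ "${ENABLE_APISERVER_ADVANCED_AUDIT:-}" == "true" ]]; then
+if [[ "${ENABLE_APISERVER_ADVANCED_AUDIT:-}" == "true" ]]; then
 local -r audit_policy_file="/etc/audit_policy.config"
 params+=" --audit-policy-file=${audit_policy_file}"
 # Create the audit policy file, and mount it into the apiserver pod.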
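Review bot: With the `ENABLE_APISERVER_BASIC_AUDIT` branch gone, a master whose config still sets that variable (and does not set `ENABLE_APISERVER_ADVANCED_AUDIT` to `true`) now starts kube-apiserver with no `--audit-*` flags at all, and nothing in the new code tells the operator that audit logging silently stopped. Since this is a security control rather than a tuning knob, I would fail fast instead of ignoring the stale setting, e.g. immediately before the new `if`: `if [[ "${ENABLE_APISERVER_BASIC_AUDIT:-}" == "true" ]]; then echo "ENABLE_APISERVER_BASIC_AUDIT is no longer supported; set ENABLE_APISERVER_ADVANCED_AUDIT=true" >&2; exit 1; fi`. Whether config-default.sh defaults `ENABLE_APISERVER_ADVANCED_AUDIT` to true is not visible on this page (config-test.sh does), so the exposure may be limited to explicit overrides. start-kube-apiserver begins and ends outside the hunk.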

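--- a/cluster/gce/util.sh
+++ b/cluster/gce/util.sh
@@ -872,7 +872,6 @@ KUBE_ADDON_REGISTRY: $(yaml-quote ${KUBE_ADDON_REGISTRY:-})
 MULTIZONE: $(yaml-quote ${MULTIZONE:-})
 NON_MASQUERADE_CIDR: $(yaml-quote ${NON_MASQUERADE_CIDR:-})
 ENABLE_DEFAULT_STORAGE_CLASS: $(yaml-quote ${ENABLE_DEFAULT_STORAGE_CLASS:-})
-ENABLE_APISERVER_BASIC_AUDIT: $(yaml-quote ${ENABLE_APISERVER_BASIC_AUDIT:-})
 ENABLE_APISERVER_ADVANCED_AUDIT: $(yaml-quote ${ENABLE_APISERVER_ADVANCED_AUDIT:-})
 ENABLE_CACHE_MUTATION_DETECTOR: $(yaml-quote ${ENABLE_CACHE_MUTATION_DETECTOR:-false})
 ENABLE_PATCH_CONVERSION_DETECTOR: $(yaml-quote ${ENABLE_PATCH_CONVERSION_DETECTOR:-false})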

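--- a/hack/local-up-cluster.sh
+++ b/hack/local-up-cluster.sh
@@ -84,9 +84,6 @@ ENABLE_POD_PRIORITY_PREEMPTION=${ENABLE_POD_PRIORITY_PREEMPTION:-""}
 # enable kubernetes dashboard
 ENABLE_CLUSTER_DASHBOARD=${KUBE_ENABLE_CLUSTER_DASHBOARD:-false}
 
-# enable audit log
-ENABLE_APISERVER_BASIC_AUDIT=${ENABLE_APISERVER_BASIC_AUDIT:-false}
-
 # RBAC Mode options
 AUTHORIZATION_MODE=${AUTHORIZATION_MODE:-"Node,RBAC"}
 KUBECONFIG_TOKEN=${KUBECONFIG_TOKEN:-""}
@@ -477,24 +474,6 @@ function start_apiserver {
 # The order defined here dose not matter.
 ENABLE_ADMISSION_PLUGINS=LimitRanger,ServiceAccount${security_admission},DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,StorageObjectInUseProtection
 
-audit_arg=""
-APISERVER_BASIC_AUDIT_LOG=""
-if [[ "${ENABLE_APISERVER_BASIC_AUDIT:-}" = true ]]; then
-# We currently only support enabling with a fixed path and with built-in log
-# rotation "disabled" (large value) so it behaves like kube-apiserver.log.
-# External log rotation should be set up the same as for kube-apiserver.log.
-APISERVER_BASIC_AUDIT_LOG=/tmp/kube-apiserver-audit.log
-audit_arg=" --audit-log-path=${APISERVER_BASIC_AUDIT_LOG}"
-audit_arg+=" --audit-log-maxage=0"
-audit_arg+=" --audit-log-maxbackup=0"
-# Lumberjack doesn't offer any way to disable size-based rotation. It also
-# has an in-memory counter that doesn't notice if you truncate the file.
-# 2000000000 (in MiB) is a large number that fits in 31 bits. If the log
-# grows at 10MiB/s (~30K QPS), it will rotate after ~6 years if apiserver
-# never restarts. Please manually restart apiserver before this time.
-audit_arg+=" --audit-log-maxsize=2000000000"
-fi
-
 swagger_arg=""
 if [[ "${ENABLE_SWAGGER_UI}" = true ]]; then
 swagger_arg="--enable-swagger-ui=true "
@@ -572,7 +551,7 @@ function start_apiserver {
 fi
 
 APISERVER_LOG=${LOG_DIR}/kube-apiserver.log
-${CONTROLPLANE_SUDO} "${GO_OUT}/hyperkube" apiserver ${swagger_arg} ${audit_arg} ${authorizer_arg} ${priv_arg} ${runtime_config} \
+${CONTROLPLANE_SUDO} "${GO_OUT}/hyperkube" apiserver ${swagger_arg} ${authorizer_arg} ${priv_arg} ${runtime_config} \
 ${cloud_config_arg} \
 ${advertise_address} \
 ${node_port_range} \
@@ -969,10 +948,6 @@ Logs:
 EOF
 fi
 
-if [[ "${ENABLE_APISERVER_BASIC_AUDIT:-}" = true ]]; then
-echo " ${APISERVER_BASIC_AUDIT_LOG}"
-fi
-
 if [[ "${START_MODE}" == "all" ]]; then
 echo " ${KUBELET_LOG}"
 elif [[ "${START_MODE}" == "nokubelet" ]]; then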
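Review bot: The `ENABLE_APISERVER_BASIC_AUDIT` knob is deleted from this dev script without an advanced-auditing replacement in the visible hunks — the hyperkube invocation in the third hunk now carries no audit flag and no `--audit-policy-file` is wired in — so a developer who still exports the old variable gets a local cluster with no audit trail and no message. I would reject the stale variable next to the other top-of-file options rather than let it be ignored: `[[ -n "${ENABLE_APISERVER_BASIC_AUDIT:-}" ]] && { echo "ENABLE_APISERVER_BASIC_AUDIT was removed; configure advanced auditing with --audit-policy-file" >&2; exit 1; }`. Whether the script wires an audit policy elsewhere is not visible from this page. start_apiserver begins and ends outside the hunks.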

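--- a/pkg/features/kube_features.go
+++ b/pkg/features/kube_features.go
@@ -428,7 +428,7 @@ var defaultKubernetesFeatureGates = map[utilfeature.Feature]utilfeature.FeatureS
 // inherited features from generic apiserver, relisted here to get a conflict if it is changed
 // unintentionally on either side:
 genericfeatures.StreamingProxyRedirects: {Default: true, PreRelease: utilfeature.Beta},
-genericfeatures.AdvancedAuditing: {Default: true, PreRelease: utilfeature.Beta},
+genericfeatures.AdvancedAuditing: {Default: true, PreRelease: utilfeature.GA},
 genericfeatures.APIResponseCompression: {Default: false, PreRelease: utilfeature.Alpha},
 genericfeatures.Initializers: {Default: false, PreRelease: utilfeature.Alpha},
 genericfeatures.APIListChunking: {Default: true, PreRelease: utilfeature.Beta},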
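Review bot: Marking the gate `utilfeature.GA` does not lock it: with `Default: true` an operator can presumably still pass `--feature-gates=AdvancedAuditing=false`, yet this same commit deletes the legacy path that was the only behaviour behind the disabled state (see insecure_handler.go), so a disabled gate now appears to leave no audit fallback at all. The comment above this entry says the table must agree with the generic apiserver's copy; that counterpart change is not among the sections visible on this page, so I cannot confirm both sides match. I would record the state inline so the gate can be retired on schedule, e.g. `genericfeatures.AdvancedAuditing: {Default: true, PreRelease: utilfeature.GA}, // GA; legacy audit removed, gate kept only for --feature-gates compatibility`. The enclosing map literal starts and ends outside the hunk.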

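--- a/pkg/kubeapiserver/server/BUILD
+++ b/pkg/kubeapiserver/server/BUILD
@@ -12,10 +12,8 @@ go_library(
 deps = [
 "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/endpoints/filters:go_default_library",
-"//staging/src/k8s.io/apiserver/pkg/features:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/server:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/server/filters:go_default_library",
-"//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
 ],
 )
 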
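--- a/pkg/kubeapiserver/server/insecure_handler.go
+++ b/pkg/kubeapiserver/server/insecure_handler.go
@@ -21,10 +21,8 @@ import (
 
 "k8s.io/apiserver/pkg/authentication/user"
 genericapifilters "k8s.io/apiserver/pkg/endpoints/filters"
-"k8s.io/apiserver/pkg/features"
 "k8s.io/apiserver/pkg/server"
 genericfilters "k8s.io/apiserver/pkg/server/filters"
-utilfeature "k8s.io/apiserver/pkg/util/feature"
 )
 
 // DeprecatedInsecureServingInfo is required to serve http. HTTP does NOT include authentication or authorization.
@@ -33,11 +31,7 @@ import (
 
 func BuildInsecureHandlerChain(apiHandler http.Handler, c *server.Config) http.Handler {
 handler := apiHandler
-if utilfeature.DefaultFeatureGate.Enabled(features.AdvancedAuditing) {
-handler = genericapifilters.WithAudit(handler, c.AuditBackend, c.AuditPolicyChecker, c.LongRunningFunc)
-} else {
-handler = genericapifilters.WithLegacyAudit(handler, c.LegacyAuditWriter)
-}
+handler = genericapifilters.WithAudit(handler, c.AuditBackend, c.AuditPolicyChecker, c.LongRunningFunc)
 handler = genericapifilters.WithAuthentication(handler, insecureSuperuser{}, nil)
 handler = genericfilters.WithCORS(handler, c.CorsAllowedOriginList, nil, nil, nil, "true")
 handler = genericfilters.WithTimeoutForNonLongRunningRequests(handler, c.LongRunningFunc, c.RequestTimeout)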
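Review bot: `WithAudit` is now called unconditionally with `c.AuditBackend` and `c.AuditPolicyChecker`, which may be nil on a server started without an audit policy or backend; whether `WithAudit` degrades to a pass-through on nil inputs cannot be confirmed from this page, so please verify it and say so on the new line, e.g. `// WithAudit must tolerate a nil backend/policy checker (no audit configured) and pass requests through.` A second comment is worth adding because this is the unauthenticated HTTP chain: the chain is built inside-out, so at request time `WithAuthentication` runs before `WithAudit` and every audit event from this port is attributed to `insecureSuperuser`, e.g. `// Audit events from the insecure port carry the insecureSuperuser identity, never a real caller.` BuildInsecureHandlerChain continues past the end of the hunk.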

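--- a/staging/src/k8s.io/apiserver/pkg/endpoints/filters/BUILD
+++ b/staging/src/k8s.io/apiserver/pkg/endpoints/filters/BUILD
@@ -14,7 +14,6 @@ go_test(
 "authn_audit_test.go",
 "authorization_test.go",
 "impersonation_test.go",
-"legacy_audit_test.go",
 "requestinfo_test.go",
 ],
 embed = [":go_default_library"],
@@ -47,7 +46,6 @@ go_library(
 "authorization.go",
 "doc.go",
 "impersonation.go",
-"legacy_audit.go",
 "requestinfo.go",
 ],
 importmap = "k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/endpoints/filters",
@@ -59,7 +57,6 @@ go_library(
 "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
-"//staging/src/k8s.io/apimachinery/pkg/util/net:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/util/runtime:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/apis/audit:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/audit:go_default_library",
@@ -72,7 +69,6 @@ go_library(
 "//staging/src/k8s.io/apiserver/pkg/endpoints/request:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/server/httplog:go_default_library",
 "//vendor/github.com/golang/glog:go_default_library",
-"//vendor/github.com/pborman/uuid:go_default_library",
 "//vendor/github.com/prometheus/client_golang/prometheus:go_default_library",
 ],
 )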

staging/src/k8s.io/apiserver/pkg/endpoints/filters/legacy_audit.go

Lines changed: 0 additions & 161 deletions
This file was deleted.
