What happened?
When creating an object with server-side apply, only a patch event is recorded in the audit log; no create event is recorded.
cc @liggitt
What did you expect to happen?
A create event should be recorded in the audit log.
How can we reproduce it (as minimally and precisely as possible)?
- Have a cluster with audit logging enabled
- Create a sample yaml file
cat <<EOF > sa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: test-ssa
  namespace: default
EOF
- Apply the manifest using server-side apply
kubectl apply -f sa.yaml --server-side
- Retrieve the audit log
- Find the events related to this new service account
cat audit.log | grep "test-ssa"
Anything else we need to know?
Example output in the audit log:
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"42ce8e59-f4f4-471e-9054-9b95556252f5","stage":"RequestReceived","requestURI":"/api/v1/namespaces/default/serviceaccounts/test-ssa?fieldManager=kubectl\u0026force=false","verb":"patch","user":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},"sourceIPs":["172.18.0.1"],"userAgent":"kubectl/v1.22.4 (linux/amd64) kubernetes/b695d79","objectRef":{"resource":"serviceaccounts","namespace":"default","name":"test-ssa","apiVersion":"v1"},"requestReceivedTimestamp":"2023-02-08T18:25:15.132116Z","stageTimestamp":"2023-02-08T18:25:15.132116Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"42ce8e59-f4f4-471e-9054-9b95556252f5","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/serviceaccounts/test-ssa?fieldManager=kubectl\u0026force=false","verb":"patch","user":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},"sourceIPs":["172.18.0.1"],"userAgent":"kubectl/v1.22.4 (linux/amd64) kubernetes/b695d79","objectRef":{"resource":"serviceaccounts","namespace":"default","name":"test-ssa","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestReceivedTimestamp":"2023-02-08T18:25:15.132116Z","stageTimestamp":"2023-02-08T18:25:15.134778Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
Kubernetes version
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.4", GitCommit:"872a965c6c6526caa949f0c6ac028ef7aff3fb78", GitTreeState:"clean", BuildDate:"2022-11-09T13:28:30Z", GoVersion:"go1.19.3", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v4.5.7
Server Version: version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.3", GitCommit:"434bfd82814af038ad94d62ebe59b133fcb50506", GitTreeState:"clean", BuildDate:"2022-10-25T19:35:11Z", GoVersion:"go1.19.2", Compiler:"gc", Platform:"linux/amd64"}
OS version
# On Linux:
$ cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.3 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.3 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
$ uname -a
Linux tce-admin-vm 5.4.0-132-generic #148-Ubuntu SMP Mon Oct 17 16:02:06 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
5 replies

Reply 1:
/sig api-machinery
Reply 2:
Interestingly, we do appear to change the status code in the successful create-via-patch flow, which shows up in the RequestCompleted-stage audit event ("responseStatus":{"metadata":{},"code":201}), but that is very subtle and only shows for successful requests. There are two relevant places in the patch handling flow where we could decorate the audit event with a more explicit annotation:

kubernetes/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/update.go, line 277 at 468ce59:
    authorizerDecision, authorizerReason, authorizerErr = a.Authorize(ctx, attributes)

kubernetes/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/patch.go, line 236 at 468ce59:
    status = http.StatusCreated
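As an added example (not code from this issue or from Kubernetes), a small audit-log check that applies the observation above for log review: a patch whose ResponseComplete event carries responseStatus.code 201 is the create-via-patch path, so it is counted as a create rather than being missed when only create verbs are searched for. The sample events are constructed and cut down to the fields the check needs.

```python
import json

# Constructed sample audit events (not from a real cluster), trimmed to the
# fields the check uses. a1 is the server-side-apply create from the issue:
# verb "patch" but responseStatus.code 201. a2 is a later SSA patch of the
# same object (200). a3 is an ordinary create.
SAMPLE_AUDIT_LOG = """
{"auditID":"a1","stage":"RequestReceived","verb":"patch","objectRef":{"resource":"serviceaccounts","namespace":"default","name":"test-ssa"}}
{"auditID":"a1","stage":"ResponseComplete","verb":"patch","objectRef":{"resource":"serviceaccounts","namespace":"default","name":"test-ssa"},"responseStatus":{"metadata":{},"code":201}}
{"auditID":"a2","stage":"ResponseComplete","verb":"patch","objectRef":{"resource":"serviceaccounts","namespace":"default","name":"test-ssa"},"responseStatus":{"metadata":{},"code":200}}
{"auditID":"a3","stage":"ResponseComplete","verb":"create","objectRef":{"resource":"serviceaccounts","namespace":"default","name":"plain"},"responseStatus":{"metadata":{},"code":201}}
"""


def effective_verb(event):
    """Return the verb to count for a completed request, or None for other stages.

    A patch that the apiserver answered with 201 Created is the
    create-via-patch path (server-side apply of a new object), so it is
    reported as "create" even though the event's verb says "patch".
    """
    if event.get("stage") != "ResponseComplete":
        return None  # only this stage carries responseStatus
    verb = event.get("verb")
    code = event.get("responseStatus", {}).get("code")
    if verb == "patch" and code == 201:
        return "create"
    return verb


def classify_events(log_text):
    """Parse JSON-lines audit output; return (auditID, effective verb, object) tuples."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        verb = effective_verb(event)
        if verb is None:
            continue
        ref = event.get("objectRef", {})
        obj = "{}/{}/{}".format(ref.get("resource"), ref.get("namespace"), ref.get("name"))
        results.append((event.get("auditID"), verb, obj))
    return results


if __name__ == "__main__":
    for audit_id, verb, obj in classify_events(SAMPLE_AUDIT_LOG):
        print(audit_id, verb, obj)
```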
Reply 3:

Reply 4:
This issue has not been updated in over a year and should be re-triaged.
You can:
- confirm that this issue is still relevant with /triage accepted (org members only)
- close this issue with /close
For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/
/remove-triage accepted
Reply 5:
/triage accepted