audit log does not contain dryRun (and other URL params) #117988

Open
karlkfi opened this issue May 13, 2023 · 3 comments
Labels
kind/feature: Categorizes issue or PR as related to a new feature.
sig/auth: Categorizes an issue or PR as relevant to SIG Auth.
triage/accepted: Indicates an issue or PR is ready to be actively worked on.

Comments

@karlkfi
Contributor

karlkfi commented May 13, 2023

What happened?

While debugging another issue, we saw patches in the audit log coming from a controller that we were sure shouldn't be making any changes. And when we watched with `kubectl get TYPE --watch -o yaml`, there weren't any changes observed.

Eventually, we realized that the controller in question was making PATCH calls with dryRun=true to detect drift (and not finding any).

If the audit log reported the URL params, that would have saved us a bunch of time.

The patch handler writes to the audit log regardless:

What did you expect to happen?

I expected the audit log to either not log dry-run requests OR log them but have a field to say whether it was a dry-run or not.

How can we reproduce it (as minimally and precisely as possible)?

Perform any patch with dry-run and review that request in the audit logs.

Anything else we need to know?

No response

Kubernetes version

v1.25.7

Cloud provider

GKE

OS version

No response

Install tools

No response

Container runtime (CRI) and version (if applicable)

No response

Related plugins (CNI, CSI, ...) and versions (if applicable)

No response

@karlkfi added the kind/bug label May 13, 2023
@k8s-ci-robot added the needs-sig and needs-triage labels May 13, 2023
@karlkfi changed the title from "audit log should contain dryRun (and other URL params)" to "audit log does not contain dryRun (and other URL params)" May 13, 2023
@pacoxu
Member

pacoxu commented May 15, 2023

/sig auth

@k8s-ci-robot added the sig/auth label and removed the needs-sig label May 15, 2023
@ibihim
Contributor

ibihim commented Jun 26, 2023

/kind feature
/triage accepted

@k8s-ci-robot added the kind/feature and triage/accepted labels and removed the needs-triage label Jun 26, 2023
@ibihim
Contributor

ibihim commented Jun 26, 2023

/remove-kind bug

This is not a bug. You would need a KEP to change the existing audit functionality.

@k8s-ci-robot removed the kind/bug label Jun 26, 2023
Projects
Status: Needs KEP
Development

No branches or pull requests

4 participants