audit log does not contain dryRun (and other URL params) #117988
Labels
kind/feature
Categorizes issue or PR as related to a new feature.
sig/auth
Categorizes an issue or PR as relevant to SIG Auth.
triage/accepted
Indicates an issue or PR is ready to be actively worked on.
Comments
k8s-ci-robot added the needs-sig and needs-triage labels on May 13, 2023
karlkfi changed the title from "audit log should contain dryRun (and other URL params)" to "audit log does not contain dryRun (and other URL params)" on May 13, 2023
/sig auth
k8s-ci-robot added the sig/auth label and removed the needs-sig label on May 15, 2023
/kind feature
k8s-ci-robot added the kind/feature and triage/accepted labels and removed the needs-triage label on Jun 26, 2023
/remove-kind bug
This is not a bug. You would need a KEP to change the existing audit functionality.
What happened?
While debugging another issue, we saw patches in the audit log coming from a controller that we were sure shouldn't be making any changes. And when we watched with `kubectl get TYPE --watch -o yaml`, there weren't any changes observed.
Eventually, we realized that the controller in question was making PATCH calls with dryRun=true to detect drift (and not finding any).
If the audit log reported the URL params, that would have saved us a bunch of time.
The patch handler writes to the audit log regardless:
What did you expect to happen?
I expected the audit log to either not log dry-run requests OR log them but have a field to say whether it was a dry-run or not.
How can we reproduce it (as minimally and precisely as possible)?
Perform any patch with dry-run and review that request in the audit logs.
Anything else we need to know?
No response
Kubernetes version
v1.25.7
Cloud provider
GKE
OS version
No response
Install tools
No response
Container runtime (CRI) and version (if applicable)
No response
Related plugins (CNI, CSI, ...) and versions (if applicable)
No response