Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

apiserver/httplog: pretty up impersonation output #119795

Merged
merged 1 commit into from
Aug 16, 2023
Merged

apiserver/httplog: pretty up impersonation output #119795

merged 1 commit into from
Aug 16, 2023

Conversation

sttts
Copy link
Contributor

@sttts sttts commented Aug 7, 2023 

I0807 09:09:16.419239       1 httplog.go:132] "HTTP" verb="GET" URI="/apis/batch/v1?timeout=32s" latency="214.666µs" userAgent="kubernetes-provider/v0.0.0 (linux/arm64) kubernetes/$Format" audit-ID="948ef6b2-474d-45a7-ad5f-894ce93d05f7" srcIP="192.168.139.202:35542" apf_pl="exempt" apf_fs="exempt" apf_execution_time="129.5µs" resp=200 addedInfo=<

      &{kubernetes-admin  [system:masters system:authenticated] map[]} is acting as &{foo  [system:authenticated] map[]}
       >

to

I0807 09:09:16.419239       1 httplog.go:132] "HTTP" verb="GET" URI="/apis/batch/v1?timeout=32s" latency="214.666µs" userAgent="kubernetes-provider/v0.0.0 (linux/arm64) kubernetes/$Format" audit-ID="948ef6b2-474d-45a7-ad5f-894ce93d05f7" srcIP="192.168.139.202:35542" apf_pl="exempt" apf_fs="exempt" apf_execution_time="129.5µs" resp=200 addedInfo="kubernetes-admin[system:masters system:authenticated] is impersonating foo[system:authenticated]"

What type of PR is this?

/kind cleanup

Clean up kube-apiserver http logs for impersonated requests.

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. labels Aug 7, 2023
@k8s-ci-robot
Copy link
Contributor

Please note that we're already in Test Freeze for the release-1.28 branch. This means every merged PR will be automatically fast-forwarded via the periodic ci-fast-forward job to the release branch of the upcoming v1.28.0 release.

Fast forwards are scheduled to happen every 6 hours, whereas the most recent run was: Mon Aug 7 04:30:46 UTC 2023.

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sttts

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added area/apiserver cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. approved Indicates a PR has been approved by an approver from all required OWNERS files. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Aug 7, 2023
p0lyn0mial
p0lyn0mial reviewed Aug 7, 2023
View reviewed changes
staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation.go
@@ -183,6 +183,23 @@ func WithImpersonation(handler http.Handler, a authorizer.Authorizer, s runtime.
})
}

func userString(u user.Info) string {
if u == nil {
Copy link
Contributor

@p0lyn0mial p0lyn0mial Aug 7, 2023
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

are you sure u will be nil ? Maybe we could pass/use the second arg from the request.UserFrom ? (line 166).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it's never nil in practice. So I think whatever we do here is fine.

@sttts sttts force-pushed the sttts-httplog-impersonation branch from fcc6fa4 to db9cbf9 Compare August 7, 2023 09:41
p0lyn0mial
p0lyn0mial reviewed Aug 7, 2023
View reviewed changes
staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation.go Outdated
return "<none>"
}
b := strings.Builder{}
b.WriteString(u.GetName())
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we have to consider cases where a user name is empty?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

of course that's not documented in the struct :)

@sttts sttts force-pushed the sttts-httplog-impersonation branch from db9cbf9 to b1871cf Compare August 7, 2023 09:45
@p0lyn0mial
Copy link
Contributor

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 7, 2023
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: 3340ca563d608d2f9dae6f631492df53bc6156d0

@sttts sttts added the priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. label Aug 7, 2023
@k8s-ci-robot k8s-ci-robot removed the needs-priority Indicates a PR lacks a `priority/foo` label and requires one. label Aug 7, 2023
@sttts
apiserver/httplog: pretty up impersonation output
37730c0 
```
I0807 09:09:16.419239       1 httplog.go:132] "HTTP" verb="GET" URI="/apis/batch/v1?timeout=32s" latency="214.666µs" userAgent="kubernetes-provider/v0.0.0 (linux/arm64) kubernetes/$Format" audit-ID="948ef6b2-474d-45a7-ad5f-894ce93d05f7" srcIP="192.168.139.202:35542" apf_pl="exempt" apf_fs="exempt" apf_execution_time="129.5µs" resp=200 addedInfo=<

      &{kubernetes-admin  [system:masters system:authenticated] map[]} is acting as &{foo  [system:authenticated] map[]}
       >
```

to

```
I0807 09:09:16.419239       1 httplog.go:132] "HTTP" verb="GET" URI="/apis/batch/v1?timeout=32s" latency="214.666µs" userAgent="kubernetes-provider/v0.0.0 (linux/arm64) kubernetes/$Format" audit-ID="948ef6b2-474d-45a7-ad5f-894ce93d05f7" srcIP="192.168.139.202:35542" apf_pl="exempt" apf_fs="exempt" apf_execution_time="129.5µs" resp=200 addedInfo="kubernetes-admin[system:masters system:authenticated] is impersonating foo[system:authenticated]"
```

Signed-off-by: Dr. Stefan Schimanski <[email protected]>
@sttts sttts force-pushed the sttts-httplog-impersonation branch from b1871cf to 37730c0 Compare August 7, 2023 10:10
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 7, 2023
@p0lyn0mial
Copy link
Contributor

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 7, 2023
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: 0cd7e02ac1368cd27bdc552f9bdf292c13ad48ce

@alexzielenski
Copy link
Contributor

/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Aug 8, 2023
@k8s-ci-robot k8s-ci-robot merged commit 19f6d5b into kubernetes:master Aug 16, 2023
12 checks passed
@k8s-ci-robot k8s-ci-robot added this to the v1.29 milestone Aug 16, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jpbetz jpbetz Awaiting requested review from jpbetz

@soltysh soltysh Awaiting requested review from soltysh

@p0lyn0mial p0lyn0mial Awaiting requested review from p0lyn0mial

Assignees

@p0lyn0mial p0lyn0mial

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/apiserver cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
None yet
Milestone
v1.29
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@sttts @k8s-ci-robot @p0lyn0mial @alexzielenski