Merge pull request #18893 from openshift-cherrypick-robot/cherry-pick-18811-to-release-3.9

[release-3.9] Register audit/v1beta1 for master config

Author: openshift-merge-robot

pkg/cmd/server/apis/config/install/install.go

@@ -10,6 +10,7 @@ import (
 	apiserverv1alpha1 "k8s.io/apiserver/pkg/apis/apiserver/v1alpha1"
 	"k8s.io/apiserver/pkg/apis/audit"
 	auditv1alpha1 "k8s.io/apiserver/pkg/apis/audit/v1alpha1"
+	auditv1beta1 "k8s.io/apiserver/pkg/apis/audit/v1beta1"
 
 	configapi "github.com/openshift/origin/pkg/cmd/server/apis/config"
 	configapiv1 "github.com/openshift/origin/pkg/cmd/server/apis/config/v1"
@@ -40,6 +41,7 @@ func AddToScheme(scheme *runtime.Scheme) {
 	// policy file inside master-config.yaml
 	audit.AddToScheme(scheme)
 	auditv1alpha1.AddToScheme(scheme)
+	auditv1beta1.AddToScheme(scheme)
 	apiserver.AddToScheme(scheme)
 	apiserverv1alpha1.AddToScheme(scheme)
 }

pkg/cmd/server/apis/config/validation/master.go

@@ -247,7 +247,7 @@ func ValidateAuditConfig(config configapi.AuditConfig, fldPath *field.Path) Vali
 		} else {
 			policyConfiguration, ok := config.PolicyConfiguration.(*auditinternal.Policy)
 			if !ok {
-				validationResults.AddErrors(field.Invalid(fldPath.Child("policyConfiguration"), config.PolicyConfiguration, "must be of type audit/v1alpha1.Policy"))
+				validationResults.AddErrors(field.Invalid(fldPath.Child("policyConfiguration"), config.PolicyConfiguration, "must be of type audit/v1beta1.Policy"))
 			} else {
 				if err := auditvalidation.ValidatePolicy(policyConfiguration); err != nil {
 					validationResults.AddErrors(field.Invalid(fldPath.Child("policyConfiguration"), config.PolicyConfiguration, err.ToAggregate().Error()))

test/integration/audit_test.go

@@ -1,21 +1,25 @@
 package integration
 
 import (
+	"io/ioutil"
+	"os"
 	"testing"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apiserver/pkg/apis/audit"
 	kclientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
 
+	configapi "github.com/openshift/origin/pkg/cmd/server/apis/config"
 	testutil "github.com/openshift/origin/test/util"
 	testserver "github.com/openshift/origin/test/util/server"
 )
 
-func setupAuditTest(t *testing.T) (kclientset.Interface, func()) {
+func setupAudit(t *testing.T, auditConfig configapi.AuditConfig) (kclientset.Interface, func()) {
 	masterConfig, err := testserver.DefaultMasterOptions()
 	if err != nil {
 		t.Fatalf("error creating config: %v", err)
 	}
-	masterConfig.AuditConfig.Enabled = true
+	masterConfig.AuditConfig = auditConfig
 	kubeConfigFile, err := testserver.StartConfiguredMasterAPI(masterConfig)
 	if err != nil {
 		t.Fatalf("error starting server: %v", err)
@@ -30,7 +34,7 @@ func setupAuditTest(t *testing.T) (kclientset.Interface, func()) {
 }
 
 func TestBasicFunctionalityWithAudit(t *testing.T) {
-	kubeClient, fn := setupAuditTest(t)
+	kubeClient, fn := setupAudit(t, configapi.AuditConfig{Enabled: true})
 	defer fn()
 
 	if _, err := kubeClient.Core().Pods(metav1.NamespaceDefault).Watch(metav1.ListOptions{}); err != nil {
@@ -39,3 +43,62 @@ func TestBasicFunctionalityWithAudit(t *testing.T) {
 
 	// TODO: test oc debug, exec, rsh, port-forward
 }
+
+func TestAuditConfigEmbeded(t *testing.T) {
+	auditConfig := configapi.AuditConfig{
+		Enabled: true,
+		PolicyConfiguration: &audit.Policy{
+			Rules: []audit.PolicyRule{
+				{Level: audit.LevelMetadata},
+			},
+		},
+	}
+	kubeClient, fn := setupAudit(t, auditConfig)
+	defer fn()
+
+	if _, err := kubeClient.Core().Pods(metav1.NamespaceDefault).Watch(metav1.ListOptions{}); err != nil {
+		t.Errorf("Unexpected error watching pods: %v", err)
+	}
+}
+
+func TestAuditConfigV1Alpha1File(t *testing.T) {
+	testAuditConfigFile(t, []byte(`
+apiVersion: audit.k8s.io/v1alpha1
+kind: Policy
+rules:
+- level: Metadata
+`))
+}
+
+func TestAuditConfigV1Beta1File(t *testing.T) {
+	testAuditConfigFile(t, []byte(`
+apiVersion: audit.k8s.io/v1beta1
+kind: Policy
+rules:
+- level: Metadata
+`))
+}
+
+func testAuditConfigFile(t *testing.T, policy []byte) {
+	tmp, err := ioutil.TempFile("", "audit-policy")
+	if err != nil {
+		t.Fatalf("Cannot create a temporary file: %v", err)
+	}
+	defer os.Remove(tmp.Name())
+	if _, err := tmp.Write(policy); err != nil {
+		t.Fatalf("Cannot write to a temporary file: %v", err)
+	}
+	if err := tmp.Close(); err != nil {
+		t.Fatalf("Cannot close a temporary file: %v", err)
+	}
+	auditConfig := configapi.AuditConfig{
+		Enabled:    true,
+		PolicyFile: tmp.Name(),
+	}
+	kubeClient, fn := setupAudit(t, auditConfig)
+	defer fn()
+
+	if _, err := kubeClient.Core().Pods(metav1.NamespaceDefault).Watch(metav1.ListOptions{}); err != nil {
+		t.Errorf("Unexpected error watching pods: %v", err)
+	}
+}