Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix issue that Audit Server could not correctly encode metav1.DeleteOption #110110

Merged
merged 1 commit into from Jun 13, 2022
Merged

Fix issue that Audit Server could not correctly encode metav1.DeleteOption #110110

merged 1 commit into from Jun 13, 2022

Conversation

sxllwx
Copy link
Member

@sxllwx sxllwx commented May 18, 2022
edited by wojtek-t

What type of PR is this?

What this PR does / why we need it:

When using kube-apiserver audit webhook, the following logs were found:

W0518 20:34:43.069379   20982 request.go:169] Auditing failed of  request: encoding failed: v1.DeleteOptions is not suitable for converting to "meta.k8s.io/v1" in scheme "pkg/api/legacyscheme/scheme.go:30"
W0518 20:34:49.597520   20982 request.go:169] Auditing failed of  request: encoding failed: request to convert CR to an invalid group/version: v1
W0518 20:34:49.600364   20982 request.go:169] Auditing failed of  request: encoding failed: request to convert CR to an invalid group/version: v1
W0518 20:34:49.614399   20982 request.go:169] Auditing failed of  request: encoding failed: request to convert CR to an invalid group/version: v1
W0518 20:34:49.625765   20982 request.go:169] Auditing failed of  request: encoding failed: request to convert CR to an invalid group/version: v1
W0518 20:34:49.628741   20982 request.go:169] Auditing failed of  request: encoding failed: request to convert CR to an invalid group/version: v1
W0518 20:34:49.648162   20982 request.go:169] Auditing failed of  request: encoding failed: request to convert CR to an invalid group/version: v1
W0518 20:34:49.661601   20982 request.go:169] Auditing failed of  request: encoding failed: request to convert CR to an invalid group/version: v1
W0518 20:34:49.669906   20982 request.go:169] Auditing failed of  request: encoding failed: request to convert CR to an invalid group/version: v1
W0518 20:34:49.686909   20982 request.go:169] Auditing failed of  request: encoding failed: request to convert CR to an invalid group/version: v1
W0518 20:34:49.689894   20982 request.go:169] Auditing failed of  request: encoding failed: request to convert CR to an invalid group/version: v1

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

The first log is triggered by Delete Namespace, and the rest can be triggered by installing any CRD and Delete Namespace.

Does this PR introduce a user-facing change?

NONE

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

@k8s-ci-robot k8s-ci-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-kind Indicates a PR lacks a `kind/foo` label and requires one. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. area/apiserver sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels May 18, 2022
@sxllwx
Copy link
Member Author

sxllwx commented May 19, 2022

@wojtek-t @sttts PTAL, thx~

@leilajal
Copy link
Contributor

/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels May 19, 2022
wojtek-t
wojtek-t reviewed May 19, 2022
View reviewed changes
staging/src/k8s.io/apiserver/pkg/endpoints/handlers/delete.go
@@ -103,7 +103,7 @@ func DeleteResource(r rest.GracefulDeleter, allowsOptions bool, scope *RequestSc
trace.Step("Decoded delete options")

objGV := gvk.GroupVersion()
audit.LogRequestObject(req.Context(), obj, objGV, scope.Resource, scope.Subresource, scope.Serializer)
audit.LogRequestObject(req.Context(), obj, objGV, scope.Resource, scope.Subresource, metainternalversionscheme.Codecs)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you please add some unit test for these?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your suggestion, I have added Unit test to this modification. PTAL, thx~

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/ping @wojtek-t

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The test you added doesn't verify the fix you're making in this PR.

I would like to see some test that fails before this change and is passing with this change...

@sxllwx sxllwx force-pushed the fix/audit-webhook-delete-codec branch from 943ec09 to 16a9dbc Compare May 20, 2022 07:54
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels May 20, 2022
@sxllwx
Copy link
Member Author

sxllwx commented May 20, 2022

/retest-required

@sxllwx sxllwx force-pushed the fix/audit-webhook-delete-codec branch from 16a9dbc to 18aed16 Compare May 20, 2022 08:43
wojtek-t
wojtek-t reviewed May 24, 2022
View reviewed changes
staging/src/k8s.io/apiserver/pkg/audit/request_test.go Outdated Show resolved Hide resolved
staging/src/k8s.io/apiserver/pkg/audit/request_test.go Outdated
serializer: metainternalversionscheme.Codecs,
},
{
name: "encode v1 DeleteOptions",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't understand the difference between those two cases (TypeMeta shouldn't really matter here...)

Copy link
Member Author

@sxllwx sxllwx May 25, 2022
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok..., I have a wrong understanding of Codec here, and the redundant tests have been deleted.

staging/src/k8s.io/apiserver/pkg/endpoints/handlers/delete.go
@@ -103,7 +103,7 @@ func DeleteResource(r rest.GracefulDeleter, allowsOptions bool, scope *RequestSc
trace.Step("Decoded delete options")

objGV := gvk.GroupVersion()
audit.LogRequestObject(req.Context(), obj, objGV, scope.Resource, scope.Subresource, scope.Serializer)
audit.LogRequestObject(req.Context(), obj, objGV, scope.Resource, scope.Subresource, metainternalversionscheme.Codecs)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The test you added doesn't verify the fix you're making in this PR.

I would like to see some test that fails before this change and is passing with this change...

@sxllwx sxllwx force-pushed the fix/audit-webhook-delete-codec branch 2 times, most recently from 12287ad to 4b1445f Compare May 25, 2022 09:18
@sxllwx
Copy link
Member Author

sxllwx commented May 25, 2022
edited

re: #110110 (comment)

I've added test cases for encoding v1.DeleteOptions without using metainternalversionscheme.Codecs. This use case will only output a line of log output after a failure.
like...

$ go test . -v --run=TestEncodeDeleteOptions
=== RUN   TestEncodeDeleteOptions
=== RUN   TestEncodeDeleteOptions/meta_built-in_Codec_encode_v1.DeleteOptions
=== RUN   TestEncodeDeleteOptions/fake_corev1_registerd_codec_encode_v1_DeleteOptions
    request_test.go:278: encode object: encoding failed: v1.DeleteOptions is not suitable for converting to "meta.k8s.io/v1" in scheme "k8s.io/apiserver/pkg/audit/request_test.go:240"
--- PASS: TestEncodeDeleteOptions (0.00s)
    --- PASS: TestEncodeDeleteOptions/meta_built-in_Codec_encode_v1.DeleteOptions (0.00s)
    --- PASS: TestEncodeDeleteOptions/fake_corev1_registerd_codec_encode_v1_DeleteOptions (0.00s)
PASS
ok      k8s.io/apiserver/pkg/audit      0.822s

Please take a look. thank you for your time. /ping @wojtek-t

@sxllwx sxllwx force-pushed the fix/audit-webhook-delete-codec branch from 4b1445f to a40110a Compare May 25, 2022 12:08
@sxllwx
Copy link
Member Author

sxllwx commented May 25, 2022

/retest-required

@sxllwx
Copy link
Member Author

sxllwx commented May 31, 2022

/ping @wojtek-t PTAL thx~

@sxllwx
Copy link
Member Author

sxllwx commented Jun 6, 2022
edited

#110110 (comment) wasn't addressed

The test was passing also before this PR, right?

Please correct me if I understand wrong.

  1. audit.LogRequestObject

    kubernetes/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/delete.go

    Lines 104 to 107 in 2d7dcf9

    objGV := gvk.GroupVersion()
    audit.LogRequestObject(req.Context(), obj, objGV, scope.Resource, scope.Subresource, scope.Serializer)
    trace.Step("Recorded the audit event")
    The function itself will not generate any errors, so whether the PR is merged or not will not affect it. But inside the function will call encodeObject.
  2. encodeObject

    kubernetes/staging/src/k8s.io/apiserver/pkg/audit/request.go

    Lines 166 to 171 in 2d7dcf9

    ae.RequestObject, err = encodeObject(obj, objGV, s)
    if err != nil {
    // TODO(audit): add error slice to audit event struct
    klog.Warningf("Auditing failed of %v request: %v", reflect.TypeOf(obj).Name(), err)
    return
    }
    A Warning log appears when encoding fails.

Based on the above situation, I added a unit test for encodeObject, in the unit test, describe two situations

  1. Without this PR, encodeObject will fail https://github.com/sxllwx/kubernetes/blob/fix/audit-webhook-delete-codec/staging/src/k8s.io/apiserver/pkg/audit/request_test.go#L262-L270
  2. Using this PR, encodeObject will succeed https://github.com/sxllwx/kubernetes/blob/fix/audit-webhook-delete-codec/staging/src/k8s.io/apiserver/pkg/audit/request_test.go#L251-L260

@wojtek-t
Copy link
Member

wojtek-t commented Jun 6, 2022

Based on the above situation, I added a unit test for encodeObject, in the unit test, describe two situations

But the same test is passing without the big being done in this PR.
Yes - encocdeObject was failing, but the problem isn't in the encodeObject, but in the parameters that are passed to it.

I would like to test the fix that you're doing [so whether the right parameters are passed].

@enj enj added this to Needs Triage in SIG Auth Old Jun 6, 2022
@sxllwx sxllwx force-pushed the fix/audit-webhook-delete-codec branch from a40110a to a47c94d Compare June 7, 2022 03:54
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jun 7, 2022
@sxllwx
Copy link
Member Author

sxllwx commented Jun 7, 2022

Based on the above situation, I added a unit test for encodeObject, in the unit test, describe two situations

But the same test is passing without the big being done in this PR. Yes - encocdeObject was failing, but the problem isn't in the encodeObject, but in the parameters that are passed to it.

I would like to test the fix that you're doing [so whether the right parameters are passed].

I see what you mean. In response to your suggestion, I have revised the unit test again, please take a look at it, thank you for your time. @wojtek-t

@sxllwx sxllwx force-pushed the fix/audit-webhook-delete-codec branch from a47c94d to 286a67d Compare June 7, 2022 03:57
@sxllwx
Copy link
Member Author

sxllwx commented Jun 8, 2022
edited

/ping @wojtek-t PTAL thx.

@sxllwx
Copy link
Member Author

sxllwx commented Jun 13, 2022

What do you need my help to do to move this thing forward? @wojtek-t

@wojtek-t
Copy link
Member

OK - this looks fine - thanks!

/release-note none
/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 13, 2022
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sxllwx, wojtek-t

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 13, 2022
@sxllwx
Copy link
Member Author

sxllwx commented Jun 13, 2022

OK - this looks fine - thanks!

/release-note none /lgtm /approve

thx~

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Jun 13, 2022
@k8s-ci-robot k8s-ci-robot merged commit 90834e0 into kubernetes:master Jun 13, 2022
SIG Auth Old automation moved this from Needs Triage to Closed / Done Jun 13, 2022
@k8s-ci-robot k8s-ci-robot added this to the v1.25 milestone Jun 13, 2022
@tallclair tallclair mentioned this pull request Aug 4, 2022
Merged
@Jefftree Jefftree mentioned this pull request Sep 19, 2022
Closed
@fusida
Copy link
Contributor

fusida commented Nov 15, 2022

@sxllwx @wojtek-t did this commit will cherry pick 1.24? i meet in 1.24

@sxllwx sxllwx mentioned this pull request Nov 15, 2022
Merged
@sxllwx
Copy link
Member Author

sxllwx commented Nov 15, 2022

@sxllwx @wojtek-t did this commit will cherry pick 1.24? i meet in 1.24

I have submitted a PR #113918 to try to fix this issue for release-1.24.

@sxllwx sxllwx mentioned this pull request Nov 17, 2022
Merged
k8s-ci-robot added a commit that referenced this pull request Jan 17, 2023
@k8s-ci-robot
Merge pull request #113918 from sxllwx/automated-cherry-pick-of-#1101…
badcd03 
…10-upstream-release-1.24

Automated cherry pick of #110110: Fix issue that Audit Server could not correctly encode
k8s-ci-robot added a commit that referenced this pull request Jan 17, 2023
@k8s-ci-robot
Merge pull request #113965 from sxllwx/automated-cherry-pick-of-#1101…
c8e9642 
…10-upstream-release-1.23

Automated cherry pick of #110110: Fix issue that Audit Server could not correctly encode
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wojtek-t wojtek-t wojtek-t left review comments

@sttts sttts Awaiting requested review from sttts

Assignees

@wojtek-t wojtek-t

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/apiserver cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. release-note-none Denotes a PR that doesn't merit a release note. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
SIG Auth
Archived in project
SIG Auth Old
Closed / Done
Milestone
v1.25
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@sxllwx @leilajal @aojea @wojtek-t @k8s-ci-robot @fusida