diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/types.go b/staging/src/k8s.io/apiserver/pkg/apis/audit/types.go index e94a60093fd2..596e0220260c 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/audit/types.go +++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/types.go @@ -172,6 +172,15 @@ type Policy struct { // be specified per rule in which case the union of both are omitted. // +optional OmitStages []Stage + + // OmitManagedFields indicates whether to omit the managed fields of the request + // and response bodies from being written to the API audit log. + // This is used as a global default - a value of 'true' will omit the managed fileds, + // otherwise the managed fields will be included in the API audit log. + // Note that this can also be specified per rule in which case the value specified + // in a rule will override the global default. + // +optional + OmitManagedFields bool } // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object @@ -232,6 +241,17 @@ type PolicyRule struct { // An empty list means no restrictions will apply. // +optional OmitStages []Stage + + // OmitManagedFields indicates whether to omit the managed fields of the request + // and response bodies from being written to the API audit log. + // - a value of 'true' will drop the managed fields from the API audit log + // - a value of 'false' indicates that the managed fileds should be included + // in the API audit log + // Note that the value, if specified, in this rule will override the global default + // If a value is not specified then the global default specified in + // Policy.OmitManagedFields will stand. + // +optional + OmitManagedFields *bool } // GroupResources represents resource kinds in an API group. diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/generated.pb.go b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/generated.pb.go index c569f506811b..32b1e98e2ca8 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/generated.pb.go +++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/generated.pb.go @@ -261,85 +261,88 @@ func init() { } var fileDescriptor_4982ac40a460d730 = []byte{ - // 1243 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x56, 0xcd, 0x8e, 0x1b, 0x45, - 0x10, 0xde, 0x59, 0xaf, 0xb3, 0x76, 0x3b, 0xeb, 0x75, 0x3a, 0x11, 0x19, 0xed, 0xc1, 0x36, 0x46, - 0x42, 0x06, 0x96, 0x99, 0xec, 0x12, 0x48, 0x14, 0x09, 0x24, 0x5b, 0x89, 0xc0, 0x22, 0xd9, 0xac, - 0xda, 0x38, 0x07, 0xc4, 0x21, 0xe3, 0x71, 0xc5, 0x1e, 0x6c, 0xcf, 0x4c, 0xba, 0x7b, 0x8c, 0xf6, - 0xc6, 0x0b, 0x20, 0x71, 0xe7, 0x2d, 0xb8, 0x45, 0xbc, 0x40, 0x8e, 0x39, 0xe6, 0x64, 0x11, 0xc3, - 0x43, 0xa0, 0x9c, 0x50, 0xff, 0xcc, 0x8f, 0xbd, 0x6b, 0xc5, 0xcb, 0x81, 0xdb, 0x74, 0xd5, 0xf7, - 0x7d, 0x55, 0x5d, 0xd3, 0x55, 0xdd, 0xe8, 0xdb, 0xf1, 0x5d, 0x66, 0x79, 0x81, 0x3d, 0x8e, 0xfa, - 0x40, 0x7d, 0xe0, 0xc0, 0xec, 0x19, 0xf8, 0x83, 0x80, 0xda, 0xda, 0xe1, 0x84, 0x1e, 0x03, 0x3a, - 0x03, 0x6a, 0x87, 0xe3, 0xa1, 0x5c, 0xd9, 0x4e, 0x34, 0xf0, 0xb8, 0x3d, 0x3b, 0xb2, 0x87, 0xe0, - 0x03, 0x75, 0x38, 0x0c, 0xac, 0x90, 0x06, 0x3c, 0xc0, 0x0d, 0xc5, 0xb1, 0x12, 0x8e, 0x15, 0x8e, - 0x87, 0x72, 0x65, 0x49, 0x8e, 0x35, 0x3b, 0x3a, 0xf8, 0x74, 0xe8, 0xf1, 0x51, 0xd4, 0xb7, 0xdc, - 0x60, 0x6a, 0x0f, 0x83, 0x61, 0x60, 0x4b, 0x6a, 0x3f, 0x7a, 0x26, 0x57, 0x72, 0x21, 0xbf, 0x94, - 0xe4, 0xc1, 0x61, 0x9a, 0x86, 0xed, 0x44, 0x7c, 0x04, 0x3e, 0xf7, 0x5c, 0x87, 0x7b, 0x81, 0x7f, - 0x41, 0x02, 0x07, 0xb7, 0x53, 0xf4, 0xd4, 0x71, 0x47, 0x9e, 0x0f, 0xf4, 0x2c, 0xcd, 0x7b, 0x0a, - 0xdc, 0xb9, 0x88, 0x65, 0xaf, 0x63, 0xd1, 0xc8, 0xe7, 0xde, 0x14, 0xce, 0x11, 0xbe, 0x78, 0x17, - 0x81, 0xb9, 0x23, 0x98, 0x3a, 0xab, 0xbc, 0xc6, 0xdf, 0x08, 0xe5, 0x1f, 0xcc, 0xc0, 0xe7, 0xf8, - 0x10, 0xe5, 0x27, 0x30, 0x83, 0x89, 0x69, 0xd4, 0x8d, 0x66, 0xb1, 0xfd, 0xde, 0xcb, 0x79, 0x6d, - 0x6b, 0x31, 0xaf, 0xe5, 0x1f, 0x0a, 0xe3, 0xdb, 0xf8, 0x83, 0x28, 0x10, 0x3e, 0x41, 0xbb, 0xb2, - 0x7e, 0x9d, 0xfb, 0xe6, 0xb6, 0xc4, 0xdf, 0xd6, 0xf8, 0xdd, 0x96, 0x32, 0xbf, 0x9d, 0xd7, 0xde, - 0x5f, 0x97, 0x13, 0x3f, 0x0b, 0x81, 0x59, 0xbd, 0xce, 0x7d, 0x12, 0x8b, 0x88, 0xe8, 0x8c, 0x3b, - 0x43, 0x30, 0x73, 0xcb, 0xd1, 0xbb, 0xc2, 0xf8, 0x36, 0xfe, 0x20, 0x0a, 0x84, 0x8f, 0x11, 0xa2, - 0xf0, 0x3c, 0x02, 0xc6, 0x7b, 0xa4, 0x63, 0xee, 0x48, 0x0a, 0xd6, 0x14, 0x44, 0x12, 0x0f, 0xc9, - 0xa0, 0x70, 0x1d, 0xed, 0xcc, 0x80, 0xf6, 0xcd, 0xbc, 0x44, 0x5f, 0xd5, 0xe8, 0x9d, 0x27, 0x40, - 0xfb, 0x44, 0x7a, 0xf0, 0x37, 0x68, 0x27, 0x62, 0x40, 0xcd, 0x2b, 0x75, 0xa3, 0x59, 0x3a, 0xfe, - 0xd0, 0x4a, 0x8f, 0x8e, 0xb5, 0xfc, 0x9f, 0xad, 0xd9, 0x91, 0xd5, 0x63, 0x40, 0x3b, 0xfe, 0xb3, - 0x20, 0x55, 0x12, 0x16, 0x22, 0x15, 0xf0, 0x08, 0x55, 0xbc, 0x69, 0x08, 0x94, 0x05, 0xbe, 0xa8, - 0xb5, 0xf0, 0x98, 0xbb, 0x97, 0x52, 0xbd, 0xb1, 0x98, 0xd7, 0x2a, 0x9d, 0x15, 0x0d, 0x72, 0x4e, - 0x15, 0x7f, 0x82, 0x8a, 0x2c, 0x88, 0xa8, 0x0b, 0x9d, 0x53, 0x66, 0x16, 0xea, 0xb9, 0x66, 0xb1, - 0xbd, 0xb7, 0x98, 0xd7, 0x8a, 0xdd, 0xd8, 0x48, 0x52, 0x3f, 0xb6, 0x51, 0x51, 0xa4, 0xd7, 0x1a, - 0x82, 0xcf, 0xcd, 0x8a, 0xac, 0xc3, 0x35, 0x9d, 0x7d, 0xb1, 0x17, 0x3b, 0x48, 0x8a, 0xc1, 0x4f, - 0x51, 0x31, 0xe8, 0xff, 0x08, 0x2e, 0x27, 0xf0, 0xcc, 0x2c, 0xca, 0x0d, 0x7c, 0x66, 0xbd, 0xbb, - 0xa3, 0xac, 0xc7, 0x31, 0x09, 0x28, 0xf8, 0x2e, 0xa8, 0x94, 0x12, 0x23, 0x49, 0x45, 0xf1, 0x08, - 0x95, 0x29, 0xb0, 0x30, 0xf0, 0x19, 0x74, 0xb9, 0xc3, 0x23, 0x66, 0x22, 0x19, 0xe6, 0x30, 0x13, - 0x26, 0x39, 0x3c, 0x69, 0x24, 0xd1, 0x37, 0x22, 0x90, 0xe2, 0xb4, 0xf1, 0x62, 0x5e, 0x2b, 0x93, - 0x25, 0x1d, 0xb2, 0xa2, 0x8b, 0x1d, 0xb4, 0xa7, 0x4f, 0x83, 0x4a, 0xc4, 0x2c, 0xc9, 0x40, 0xcd, - 0xb5, 0x81, 0x74, 0xe7, 0x58, 0x3d, 0x7f, 0xec, 0x07, 0x3f, 0xf9, 0xed, 0x6b, 0x8b, 0x79, 0x6d, - 0x8f, 0x64, 0x25, 0xc8, 0xb2, 0x22, 0x1e, 0xa4, 0x9b, 0xd1, 0x31, 0xae, 0x5e, 0x32, 0xc6, 0xd2, - 0x46, 0x74, 0x90, 0x15, 0x4d, 0xfc, 0x8b, 0x81, 0x4c, 0x1d, 0x97, 0x80, 0x0b, 0xde, 0x0c, 0x06, - 0xdf, 0x79, 0x53, 0x60, 0xdc, 0x99, 0x86, 0xe6, 0x9e, 0x0c, 0x68, 0x6f, 0x56, 0xbd, 0x47, 0x9e, - 0x4b, 0x03, 0xc1, 0x6d, 0xd7, 0xf5, 0x31, 0x30, 0xc9, 0x1a, 0x61, 0xb2, 0x36, 0x24, 0x0e, 0x50, - 0x59, 0x76, 0x65, 0x9a, 0x44, 0xf9, 0xbf, 0x25, 0x11, 0x37, 0x7d, 0xb9, 0xbb, 0x24, 0x47, 0x56, - 0xe4, 0xf1, 0x73, 0x54, 0x72, 0x7c, 0x3f, 0xe0, 0xb2, 0x6b, 0x98, 0xb9, 0x5f, 0xcf, 0x35, 0x4b, - 0xc7, 0xf7, 0x36, 0x39, 0x97, 0x72, 0xd2, 0x59, 0xad, 0x94, 0xfc, 0xc0, 0xe7, 0xf4, 0xac, 0x7d, - 0x5d, 0x07, 0x2e, 0x65, 0x3c, 0x24, 0x1b, 0xe3, 0xe0, 0x2b, 0x54, 0x59, 0x65, 0xe1, 0x0a, 0xca, - 0x8d, 0xe1, 0x4c, 0x8d, 0x4b, 0x22, 0x3e, 0xf1, 0x0d, 0x94, 0x9f, 0x39, 0x93, 0x08, 0xd4, 0x48, - 0x24, 0x6a, 0x71, 0x6f, 0xfb, 0xae, 0xd1, 0x78, 0x61, 0xa0, 0xa2, 0x0c, 0xfe, 0xd0, 0x63, 0x1c, - 0xff, 0x80, 0x0a, 0x62, 0xf7, 0x03, 0x87, 0x3b, 0x92, 0x5e, 0x3a, 0xb6, 0x36, 0xab, 0x95, 0x60, - 0x3f, 0x02, 0xee, 0xb4, 0x2b, 0x3a, 0xe3, 0x42, 0x6c, 0x21, 0x89, 0x22, 0x3e, 0x41, 0x79, 0x8f, - 0xc3, 0x94, 0x99, 0xdb, 0xb2, 0x30, 0x1f, 0x6d, 0x5c, 0x98, 0xf6, 0x5e, 0x3c, 0x75, 0x3b, 0x82, - 0x4f, 0x94, 0x4c, 0xe3, 0x37, 0x03, 0x95, 0xbf, 0xa6, 0x41, 0x14, 0x12, 0x50, 0xa3, 0x84, 0xe1, - 0x0f, 0x50, 0x7e, 0x28, 0x2c, 0xfa, 0xae, 0x48, 0x78, 0x0a, 0xa6, 0x7c, 0x62, 0x34, 0xd1, 0x98, - 0x21, 0x73, 0xd1, 0xa3, 0x29, 0x91, 0x21, 0xa9, 0x1f, 0xdf, 0x11, 0xdd, 0xa9, 0x16, 0x27, 0xce, - 0x14, 0x98, 0x99, 0x93, 0x04, 0xdd, 0x73, 0x19, 0x07, 0x59, 0xc6, 0x35, 0x7e, 0xcf, 0xa1, 0xfd, - 0x95, 0x71, 0x83, 0x0f, 0x51, 0x21, 0x06, 0xe9, 0x0c, 0x93, 0x7a, 0xc5, 0x5a, 0x24, 0x41, 0x88, - 0xa9, 0xe8, 0x0b, 0xa9, 0xd0, 0x71, 0xf5, 0x9f, 0x4b, 0xa7, 0xe2, 0x49, 0xec, 0x20, 0x29, 0x46, - 0xdc, 0x24, 0x62, 0xa1, 0xaf, 0xaa, 0x64, 0xfe, 0x0b, 0x2c, 0x91, 0x1e, 0xdc, 0x46, 0xb9, 0xc8, - 0x1b, 0xe8, 0x8b, 0xe9, 0x96, 0x06, 0xe4, 0x7a, 0x9b, 0xde, 0x8a, 0x82, 0x2c, 0x36, 0xe1, 0x84, - 0x9e, 0xac, 0xa8, 0xbe, 0xb3, 0x92, 0x4d, 0xb4, 0x4e, 0x3b, 0xaa, 0xd2, 0x09, 0x42, 0xdc, 0x88, - 0x4e, 0xe8, 0x3d, 0x01, 0xca, 0xbc, 0xc0, 0x97, 0x37, 0x58, 0xe6, 0x46, 0x6c, 0x9d, 0x76, 0xb4, - 0x87, 0x64, 0x50, 0xb8, 0x85, 0xf6, 0xe3, 0x22, 0xc4, 0xc4, 0x5d, 0x49, 0xbc, 0xa9, 0x89, 0xfb, - 0x64, 0xd9, 0x4d, 0x56, 0xf1, 0xf8, 0x73, 0x54, 0x62, 0x51, 0x3f, 0x29, 0x76, 0x41, 0xd2, 0x93, - 0x76, 0xea, 0xa6, 0x2e, 0x92, 0xc5, 0x35, 0xfe, 0x31, 0xd0, 0x95, 0xd3, 0x60, 0xe2, 0xb9, 0x67, - 0xf8, 0xe9, 0xb9, 0x5e, 0xb8, 0xb5, 0x59, 0x2f, 0xa8, 0x9f, 0x2e, 0xbb, 0x21, 0xd9, 0x68, 0x6a, - 0xcb, 0xf4, 0x43, 0x17, 0xe5, 0x69, 0x34, 0x81, 0xb8, 0x1f, 0xac, 0x4d, 0xfa, 0x41, 0x25, 0x47, - 0xa2, 0x09, 0xa4, 0x87, 0x5b, 0xac, 0x18, 0x51, 0x5a, 0xf8, 0x0e, 0x42, 0xc1, 0xd4, 0xe3, 0x72, - 0x52, 0xc5, 0x87, 0xf5, 0xa6, 0x4c, 0x21, 0xb1, 0xa6, 0xaf, 0x96, 0x0c, 0xb4, 0xf1, 0x87, 0x81, - 0x90, 0x52, 0xff, 0x1f, 0x46, 0xc1, 0xe3, 0xe5, 0x51, 0xf0, 0xf1, 0xe6, 0x5b, 0x5f, 0x33, 0x0b, - 0x5e, 0xe4, 0xe2, 0xec, 0x45, 0x35, 0x2e, 0xf9, 0x66, 0xac, 0xa1, 0xbc, 0x78, 0x5a, 0xc4, 0xc3, - 0xa0, 0x28, 0x90, 0xe2, 0xd9, 0xc1, 0x88, 0xb2, 0x63, 0x0b, 0x21, 0xf1, 0x21, 0x4f, 0x74, 0x5c, - 0xd4, 0xb2, 0x28, 0x6a, 0x2f, 0xb1, 0x92, 0x0c, 0x42, 0x08, 0x8a, 0x87, 0x1b, 0x33, 0x77, 0x52, - 0x41, 0xf1, 0x9e, 0x63, 0x44, 0xd9, 0xb1, 0x9b, 0x1d, 0x41, 0x79, 0x59, 0x83, 0xe3, 0x4d, 0x6a, - 0xb0, 0x3c, 0xee, 0xd2, 0x71, 0x70, 0xe1, 0xe8, 0xb2, 0x10, 0x4a, 0x66, 0x03, 0x33, 0xaf, 0xa4, - 0x59, 0x27, 0xc3, 0x83, 0x91, 0x0c, 0x02, 0x7f, 0x89, 0xf6, 0xfd, 0xc0, 0x8f, 0xa5, 0x7a, 0xe4, - 0x21, 0x33, 0x77, 0x25, 0xe9, 0xba, 0x68, 0xb9, 0x93, 0x65, 0x17, 0x59, 0xc5, 0xae, 0x9c, 0xbc, - 0xc2, 0xc6, 0x27, 0xaf, 0xdd, 0x7c, 0xf9, 0xa6, 0xba, 0xf5, 0xea, 0x4d, 0x75, 0xeb, 0xf5, 0x9b, - 0xea, 0xd6, 0xcf, 0x8b, 0xaa, 0xf1, 0x72, 0x51, 0x35, 0x5e, 0x2d, 0xaa, 0xc6, 0xeb, 0x45, 0xd5, - 0xf8, 0x73, 0x51, 0x35, 0x7e, 0xfd, 0xab, 0xba, 0xf5, 0xfd, 0xf6, 0xec, 0xe8, 0xdf, 0x00, 0x00, - 0x00, 0xff, 0xff, 0x33, 0x6e, 0xcf, 0xc7, 0x82, 0x0d, 0x00, 0x00, + // 1287 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x56, 0xcf, 0x6f, 0x1b, 0xc5, + 0x17, 0xcf, 0xc6, 0x71, 0x63, 0x8f, 0x1b, 0xc7, 0x99, 0xf6, 0xfb, 0xed, 0x92, 0x83, 0x6d, 0x8c, + 0x84, 0x0c, 0x84, 0xdd, 0x26, 0x14, 0x5a, 0x55, 0x02, 0xc9, 0xa6, 0xa5, 0x58, 0xb4, 0x49, 0x34, + 0xc6, 0x3d, 0x20, 0x0e, 0x5d, 0xaf, 0x5f, 0xec, 0xc5, 0xf6, 0xec, 0x76, 0x67, 0xd6, 0x28, 0x37, + 0xfe, 0x01, 0x24, 0xee, 0xfc, 0x17, 0xdc, 0x10, 0x27, 0x6e, 0x39, 0xf6, 0xd8, 0x93, 0x45, 0x0c, + 0x7f, 0x45, 0x0e, 0x08, 0xcd, 0xec, 0xec, 0x0f, 0x3b, 0xb1, 0xea, 0x70, 0xe0, 0xb6, 0xf3, 0xde, + 0xe7, 0xf3, 0x79, 0x6f, 0xdf, 0xbe, 0xf7, 0x66, 0xd1, 0x57, 0xc3, 0x07, 0xcc, 0x70, 0x5c, 0x73, + 0x18, 0x74, 0xc1, 0xa7, 0xc0, 0x81, 0x99, 0x13, 0xa0, 0x3d, 0xd7, 0x37, 0x95, 0xc3, 0xf2, 0x1c, + 0x06, 0xfe, 0x04, 0x7c, 0xd3, 0x1b, 0xf6, 0xe5, 0xc9, 0xb4, 0x82, 0x9e, 0xc3, 0xcd, 0xc9, 0xbe, + 0xd9, 0x07, 0x0a, 0xbe, 0xc5, 0xa1, 0x67, 0x78, 0xbe, 0xcb, 0x5d, 0x5c, 0x0b, 0x39, 0x46, 0xcc, + 0x31, 0xbc, 0x61, 0x5f, 0x9e, 0x0c, 0xc9, 0x31, 0x26, 0xfb, 0xbb, 0x1f, 0xf6, 0x1d, 0x3e, 0x08, + 0xba, 0x86, 0xed, 0x8e, 0xcd, 0xbe, 0xdb, 0x77, 0x4d, 0x49, 0xed, 0x06, 0x27, 0xf2, 0x24, 0x0f, + 0xf2, 0x29, 0x94, 0xdc, 0xdd, 0x4b, 0xd2, 0x30, 0xad, 0x80, 0x0f, 0x80, 0x72, 0xc7, 0xb6, 0xb8, + 0xe3, 0xd2, 0x2b, 0x12, 0xd8, 0xbd, 0x97, 0xa0, 0xc7, 0x96, 0x3d, 0x70, 0x28, 0xf8, 0xa7, 0x49, + 0xde, 0x63, 0xe0, 0xd6, 0x55, 0x2c, 0x73, 0x19, 0xcb, 0x0f, 0x28, 0x77, 0xc6, 0x70, 0x89, 0xf0, + 0xc9, 0x9b, 0x08, 0xcc, 0x1e, 0xc0, 0xd8, 0x5a, 0xe4, 0xd5, 0xfe, 0x42, 0x28, 0xfb, 0x78, 0x02, + 0x94, 0xe3, 0x3d, 0x94, 0x1d, 0xc1, 0x04, 0x46, 0xba, 0x56, 0xd5, 0xea, 0xf9, 0xe6, 0xff, 0xcf, + 0xa6, 0x95, 0xb5, 0xd9, 0xb4, 0x92, 0x7d, 0x2a, 0x8c, 0x17, 0xd1, 0x03, 0x09, 0x41, 0xf8, 0x10, + 0x6d, 0xca, 0xfa, 0xb5, 0x1e, 0xe9, 0xeb, 0x12, 0x7f, 0x4f, 0xe1, 0x37, 0x1b, 0xa1, 0xf9, 0x62, + 0x5a, 0x79, 0x7b, 0x59, 0x4e, 0xfc, 0xd4, 0x03, 0x66, 0x74, 0x5a, 0x8f, 0x48, 0x24, 0x22, 0xa2, + 0x33, 0x6e, 0xf5, 0x41, 0xcf, 0xcc, 0x47, 0x6f, 0x0b, 0xe3, 0x45, 0xf4, 0x40, 0x42, 0x10, 0x3e, + 0x40, 0xc8, 0x87, 0x97, 0x01, 0x30, 0xde, 0x21, 0x2d, 0x7d, 0x43, 0x52, 0xb0, 0xa2, 0x20, 0x12, + 0x7b, 0x48, 0x0a, 0x85, 0xab, 0x68, 0x63, 0x02, 0x7e, 0x57, 0xcf, 0x4a, 0xf4, 0x4d, 0x85, 0xde, + 0x78, 0x0e, 0x7e, 0x97, 0x48, 0x0f, 0xfe, 0x12, 0x6d, 0x04, 0x0c, 0x7c, 0xfd, 0x46, 0x55, 0xab, + 0x17, 0x0e, 0xde, 0x35, 0x92, 0xd6, 0x31, 0xe6, 0xbf, 0xb3, 0x31, 0xd9, 0x37, 0x3a, 0x0c, 0xfc, + 0x16, 0x3d, 0x71, 0x13, 0x25, 0x61, 0x21, 0x52, 0x01, 0x0f, 0x50, 0xc9, 0x19, 0x7b, 0xe0, 0x33, + 0x97, 0x8a, 0x5a, 0x0b, 0x8f, 0xbe, 0x79, 0x2d, 0xd5, 0xdb, 0xb3, 0x69, 0xa5, 0xd4, 0x5a, 0xd0, + 0x20, 0x97, 0x54, 0xf1, 0x07, 0x28, 0xcf, 0xdc, 0xc0, 0xb7, 0xa1, 0x75, 0xcc, 0xf4, 0x5c, 0x35, + 0x53, 0xcf, 0x37, 0xb7, 0x66, 0xd3, 0x4a, 0xbe, 0x1d, 0x19, 0x49, 0xe2, 0xc7, 0x26, 0xca, 0x8b, + 0xf4, 0x1a, 0x7d, 0xa0, 0x5c, 0x2f, 0xc9, 0x3a, 0xec, 0xa8, 0xec, 0xf3, 0x9d, 0xc8, 0x41, 0x12, + 0x0c, 0x7e, 0x81, 0xf2, 0x6e, 0xf7, 0x3b, 0xb0, 0x39, 0x81, 0x13, 0x3d, 0x2f, 0x5f, 0xe0, 0x23, + 0xe3, 0xcd, 0x13, 0x65, 0x1c, 0x45, 0x24, 0xf0, 0x81, 0xda, 0x10, 0xa6, 0x14, 0x1b, 0x49, 0x22, + 0x8a, 0x07, 0xa8, 0xe8, 0x03, 0xf3, 0x5c, 0xca, 0xa0, 0xcd, 0x2d, 0x1e, 0x30, 0x1d, 0xc9, 0x30, + 0x7b, 0xa9, 0x30, 0x71, 0xf3, 0x24, 0x91, 0xc4, 0xdc, 0x88, 0x40, 0x21, 0xa7, 0x89, 0x67, 0xd3, + 0x4a, 0x91, 0xcc, 0xe9, 0x90, 0x05, 0x5d, 0x6c, 0xa1, 0x2d, 0xd5, 0x0d, 0x61, 0x22, 0x7a, 0x41, + 0x06, 0xaa, 0x2f, 0x0d, 0xa4, 0x26, 0xc7, 0xe8, 0xd0, 0x21, 0x75, 0xbf, 0xa7, 0xcd, 0x9d, 0xd9, + 0xb4, 0xb2, 0x45, 0xd2, 0x12, 0x64, 0x5e, 0x11, 0xf7, 0x92, 0x97, 0x51, 0x31, 0x6e, 0x5e, 0x33, + 0xc6, 0xdc, 0x8b, 0xa8, 0x20, 0x0b, 0x9a, 0xf8, 0x47, 0x0d, 0xe9, 0x2a, 0x2e, 0x01, 0x1b, 0x9c, + 0x09, 0xf4, 0xbe, 0x76, 0xc6, 0xc0, 0xb8, 0x35, 0xf6, 0xf4, 0x2d, 0x19, 0xd0, 0x5c, 0xad, 0x7a, + 0xcf, 0x1c, 0xdb, 0x77, 0x05, 0xb7, 0x59, 0x55, 0x6d, 0xa0, 0x93, 0x25, 0xc2, 0x64, 0x69, 0x48, + 0xec, 0xa2, 0xa2, 0x9c, 0xca, 0x24, 0x89, 0xe2, 0xbf, 0x4b, 0x22, 0x1a, 0xfa, 0x62, 0x7b, 0x4e, + 0x8e, 0x2c, 0xc8, 0xe3, 0x97, 0xa8, 0x60, 0x51, 0xea, 0x72, 0x39, 0x35, 0x4c, 0xdf, 0xae, 0x66, + 0xea, 0x85, 0x83, 0x87, 0xab, 0xf4, 0xa5, 0xdc, 0x74, 0x46, 0x23, 0x21, 0x3f, 0xa6, 0xdc, 0x3f, + 0x6d, 0xde, 0x52, 0x81, 0x0b, 0x29, 0x0f, 0x49, 0xc7, 0xd8, 0xfd, 0x0c, 0x95, 0x16, 0x59, 0xb8, + 0x84, 0x32, 0x43, 0x38, 0x0d, 0xd7, 0x25, 0x11, 0x8f, 0xf8, 0x36, 0xca, 0x4e, 0xac, 0x51, 0x00, + 0xe1, 0x4a, 0x24, 0xe1, 0xe1, 0xe1, 0xfa, 0x03, 0xad, 0xf6, 0xab, 0x86, 0xf2, 0x32, 0xf8, 0x53, + 0x87, 0x71, 0xfc, 0x2d, 0xca, 0x89, 0xb7, 0xef, 0x59, 0xdc, 0x92, 0xf4, 0xc2, 0x81, 0xb1, 0x5a, + 0xad, 0x04, 0xfb, 0x19, 0x70, 0xab, 0x59, 0x52, 0x19, 0xe7, 0x22, 0x0b, 0x89, 0x15, 0xf1, 0x21, + 0xca, 0x3a, 0x1c, 0xc6, 0x4c, 0x5f, 0x97, 0x85, 0x79, 0x6f, 0xe5, 0xc2, 0x34, 0xb7, 0xa2, 0xad, + 0xdb, 0x12, 0x7c, 0x12, 0xca, 0xd4, 0x7e, 0xd6, 0x50, 0xf1, 0x89, 0xef, 0x06, 0x1e, 0x81, 0x70, + 0x95, 0x30, 0xfc, 0x0e, 0xca, 0xf6, 0x85, 0x45, 0xdd, 0x15, 0x31, 0x2f, 0x84, 0x85, 0x3e, 0xb1, + 0x9a, 0xfc, 0x88, 0x21, 0x73, 0x51, 0xab, 0x29, 0x96, 0x21, 0x89, 0x1f, 0xdf, 0x17, 0xd3, 0x19, + 0x1e, 0x0e, 0xad, 0x31, 0x30, 0x3d, 0x23, 0x09, 0x6a, 0xe6, 0x52, 0x0e, 0x32, 0x8f, 0xab, 0xfd, + 0x92, 0x41, 0xdb, 0x0b, 0xeb, 0x06, 0xef, 0xa1, 0x5c, 0x04, 0x52, 0x19, 0xc6, 0xf5, 0x8a, 0xb4, + 0x48, 0x8c, 0x10, 0x5b, 0x91, 0x0a, 0x29, 0xcf, 0xb2, 0xd5, 0x97, 0x4b, 0xb6, 0xe2, 0x61, 0xe4, + 0x20, 0x09, 0x46, 0xdc, 0x24, 0xe2, 0xa0, 0xae, 0xaa, 0x78, 0xff, 0x0b, 0x2c, 0x91, 0x1e, 0xdc, + 0x44, 0x99, 0xc0, 0xe9, 0xa9, 0x8b, 0xe9, 0xae, 0x02, 0x64, 0x3a, 0xab, 0xde, 0x8a, 0x82, 0x2c, + 0x5e, 0xc2, 0xf2, 0x1c, 0x59, 0x51, 0x75, 0x67, 0xc5, 0x2f, 0xd1, 0x38, 0x6e, 0x85, 0x95, 0x8e, + 0x11, 0xe2, 0x46, 0xb4, 0x3c, 0xe7, 0x39, 0xf8, 0xcc, 0x71, 0xa9, 0xbc, 0xc1, 0x52, 0x37, 0x62, + 0xe3, 0xb8, 0xa5, 0x3c, 0x24, 0x85, 0xc2, 0x0d, 0xb4, 0x1d, 0x15, 0x21, 0x22, 0x6e, 0x4a, 0xe2, + 0x1d, 0x45, 0xdc, 0x26, 0xf3, 0x6e, 0xb2, 0x88, 0xc7, 0x1f, 0xa3, 0x02, 0x0b, 0xba, 0x71, 0xb1, + 0x73, 0x92, 0x1e, 0x8f, 0x53, 0x3b, 0x71, 0x91, 0x34, 0xae, 0xf6, 0xfb, 0x3a, 0xba, 0x71, 0xec, + 0x8e, 0x1c, 0xfb, 0x14, 0xbf, 0xb8, 0x34, 0x0b, 0x77, 0x57, 0x9b, 0x85, 0xf0, 0xa3, 0xcb, 0x69, + 0x88, 0x5f, 0x34, 0xb1, 0xa5, 0xe6, 0xa1, 0x8d, 0xb2, 0x7e, 0x30, 0x82, 0x68, 0x1e, 0x8c, 0x55, + 0xe6, 0x21, 0x4c, 0x8e, 0x04, 0x23, 0x48, 0x9a, 0x5b, 0x9c, 0x18, 0x09, 0xb5, 0xf0, 0x7d, 0x84, + 0xdc, 0xb1, 0xc3, 0xe5, 0xa6, 0x8a, 0x9a, 0xf5, 0x8e, 0x4c, 0x21, 0xb6, 0x26, 0x7f, 0x2d, 0x29, + 0x28, 0x7e, 0x82, 0x76, 0xc4, 0xe9, 0x99, 0x45, 0xad, 0x3e, 0xf4, 0xbe, 0x70, 0x60, 0xd4, 0x63, + 0xb2, 0x51, 0x72, 0xcd, 0xb7, 0x54, 0xa4, 0x9d, 0xa3, 0x45, 0x00, 0xb9, 0xcc, 0xa9, 0xfd, 0xa6, + 0x21, 0x14, 0xa6, 0xf9, 0x1f, 0xec, 0x94, 0xa3, 0xf9, 0x9d, 0xf2, 0xfe, 0xea, 0x35, 0x5c, 0xb2, + 0x54, 0xfe, 0xce, 0x44, 0xd9, 0x8b, 0xb2, 0x5e, 0xf3, 0xe7, 0xb3, 0x82, 0xb2, 0xe2, 0x1f, 0x25, + 0xda, 0x2a, 0x79, 0x81, 0x14, 0xff, 0x2f, 0x8c, 0x84, 0x76, 0x6c, 0x20, 0x24, 0x1e, 0xe4, 0x68, + 0x44, 0x5f, 0xa7, 0x28, 0xbe, 0x4e, 0x27, 0xb6, 0x92, 0x14, 0x42, 0x08, 0x8a, 0x3f, 0x40, 0xf1, + 0x21, 0x62, 0x41, 0xf1, 0x63, 0xc8, 0x48, 0x68, 0xc7, 0x76, 0x7a, 0x97, 0x65, 0x65, 0x0d, 0x0e, + 0x56, 0xa9, 0xc1, 0xfc, 0xde, 0x4c, 0xf6, 0xca, 0x95, 0x3b, 0xd0, 0x40, 0x28, 0x5e, 0x32, 0x4c, + 0xbf, 0x91, 0x64, 0x1d, 0x6f, 0x21, 0x46, 0x52, 0x08, 0xfc, 0x29, 0xda, 0xa6, 0x2e, 0x8d, 0xa4, + 0x3a, 0xe4, 0x29, 0xd3, 0x37, 0x25, 0xe9, 0x96, 0x98, 0xdd, 0xc3, 0x79, 0x17, 0x59, 0xc4, 0x2e, + 0xb4, 0x70, 0x6e, 0xf5, 0x16, 0xfe, 0xfc, 0xaa, 0x16, 0xce, 0xcb, 0x16, 0xfe, 0xdf, 0xaa, 0xed, + 0xdb, 0xac, 0x9f, 0x9d, 0x97, 0xd7, 0x5e, 0x9d, 0x97, 0xd7, 0x5e, 0x9f, 0x97, 0xd7, 0x7e, 0x98, + 0x95, 0xb5, 0xb3, 0x59, 0x59, 0x7b, 0x35, 0x2b, 0x6b, 0xaf, 0x67, 0x65, 0xed, 0x8f, 0x59, 0x59, + 0xfb, 0xe9, 0xcf, 0xf2, 0xda, 0x37, 0xeb, 0x93, 0xfd, 0x7f, 0x02, 0x00, 0x00, 0xff, 0xff, 0x6a, + 0x8e, 0x8a, 0xae, 0x10, 0x0e, 0x00, 0x00, } func (m *Event) Marshal() (dAtA []byte, err error) { @@ -696,6 +699,14 @@ func (m *Policy) MarshalToSizedBuffer(dAtA []byte) (int, error) { _ = i var l int _ = l + i-- + if m.OmitManagedFields { + dAtA[i] = 1 + } else { + dAtA[i] = 0 + } + i-- + dAtA[i] = 0x20 if len(m.OmitStages) > 0 { for iNdEx := len(m.OmitStages) - 1; iNdEx >= 0; iNdEx-- { i -= len(m.OmitStages[iNdEx]) @@ -799,6 +810,16 @@ func (m *PolicyRule) MarshalToSizedBuffer(dAtA []byte) (int, error) { _ = i var l int _ = l + if m.OmitManagedFields != nil { + i-- + if *m.OmitManagedFields { + dAtA[i] = 1 + } else { + dAtA[i] = 0 + } + i-- + dAtA[i] = 0x48 + } if len(m.OmitStages) > 0 { for iNdEx := len(m.OmitStages) - 1; iNdEx >= 0; iNdEx-- { i -= len(m.OmitStages[iNdEx]) @@ -1032,6 +1053,7 @@ func (m *Policy) Size() (n int) { n += 1 + l + sovGenerated(uint64(l)) } } + n += 2 return n } @@ -1102,6 +1124,9 @@ func (m *PolicyRule) Size() (n int) { n += 1 + l + sovGenerated(uint64(l)) } } + if m.OmitManagedFields != nil { + n += 2 + } return n } @@ -1204,6 +1229,7 @@ func (this *Policy) String() string { `ObjectMeta:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ObjectMeta), "ObjectMeta", "v11.ObjectMeta", 1), `&`, ``, 1) + `,`, `Rules:` + repeatedStringForRules + `,`, `OmitStages:` + fmt.Sprintf("%v", this.OmitStages) + `,`, + `OmitManagedFields:` + fmt.Sprintf("%v", this.OmitManagedFields) + `,`, `}`, }, "") return s @@ -1242,6 +1268,7 @@ func (this *PolicyRule) String() string { `Namespaces:` + fmt.Sprintf("%v", this.Namespaces) + `,`, `NonResourceURLs:` + fmt.Sprintf("%v", this.NonResourceURLs) + `,`, `OmitStages:` + fmt.Sprintf("%v", this.OmitStages) + `,`, + `OmitManagedFields:` + valueToStringGenerated(this.OmitManagedFields) + `,`, `}`, }, "") return s @@ -2631,6 +2658,26 @@ func (m *Policy) Unmarshal(dAtA []byte) error { } m.OmitStages = append(m.OmitStages, Stage(dAtA[iNdEx:postIndex])) iNdEx = postIndex + case 4: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field OmitManagedFields", wireType) + } + var v int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + m.OmitManagedFields = bool(v != 0) default: iNdEx = preIndex skippy, err := skipGenerated(dAtA[iNdEx:]) @@ -3056,6 +3103,27 @@ func (m *PolicyRule) Unmarshal(dAtA []byte) error { } m.OmitStages = append(m.OmitStages, Stage(dAtA[iNdEx:postIndex])) iNdEx = postIndex + case 9: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field OmitManagedFields", wireType) + } + var v int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + b := bool(v != 0) + m.OmitManagedFields = &b default: iNdEx = preIndex skippy, err := skipGenerated(dAtA[iNdEx:]) diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/generated.proto b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/generated.proto index d142ee7e4973..0c20506501a4 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/generated.proto +++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/generated.proto @@ -190,6 +190,15 @@ message Policy { // be specified per rule in which case the union of both are omitted. // +optional repeated string omitStages = 3; + + // OmitManagedFields indicates whether to omit the managed fields of the request + // and response bodies from being written to the API audit log. + // This is used as a global default - a value of 'true' will omit the managed fileds, + // otherwise the managed fields will be included in the API audit log. + // Note that this can also be specified per rule in which case the value specified + // in a rule will override the global default. + // +optional + optional bool omitManagedFields = 4; } // PolicyList is a list of audit Policies. @@ -245,5 +254,16 @@ message PolicyRule { // An empty list means no restrictions will apply. // +optional repeated string omitStages = 8; + + // OmitManagedFields indicates whether to omit the managed fields of the request + // and response bodies from being written to the API audit log. + // - a value of 'true' will drop the managed fields from the API audit log + // - a value of 'false' indicates that the managed fileds should be included + // in the API audit log + // Note that the value, if specified, in this rule will override the global default + // If a value is not specified then the global default specified in + // Policy.OmitManagedFields will stand. + // +optional + optional bool omitManagedFields = 9; } diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/types.go b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/types.go index dace73ed9514..3f70ebaa5167 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/types.go +++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/types.go @@ -166,6 +166,15 @@ type Policy struct { // be specified per rule in which case the union of both are omitted. // +optional OmitStages []Stage `json:"omitStages,omitempty" protobuf:"bytes,3,rep,name=omitStages"` + + // OmitManagedFields indicates whether to omit the managed fields of the request + // and response bodies from being written to the API audit log. + // This is used as a global default - a value of 'true' will omit the managed fileds, + // otherwise the managed fields will be included in the API audit log. + // Note that this can also be specified per rule in which case the value specified + // in a rule will override the global default. + // +optional + OmitManagedFields bool `json:"omitManagedFields,omitempty" protobuf:"varint,4,opt,name=omitManagedFields"` } // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object @@ -226,6 +235,17 @@ type PolicyRule struct { // An empty list means no restrictions will apply. // +optional OmitStages []Stage `json:"omitStages,omitempty" protobuf:"bytes,8,rep,name=omitStages"` + + // OmitManagedFields indicates whether to omit the managed fields of the request + // and response bodies from being written to the API audit log. + // - a value of 'true' will drop the managed fields from the API audit log + // - a value of 'false' indicates that the managed fileds should be included + // in the API audit log + // Note that the value, if specified, in this rule will override the global default + // If a value is not specified then the global default specified in + // Policy.OmitManagedFields will stand. + // +optional + OmitManagedFields *bool `json:"omitManagedFields,omitempty" protobuf:"varint,9,opt,name=omitManagedFields"` } // GroupResources represents resource kinds in an API group. diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/zz_generated.conversion.go b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/zz_generated.conversion.go index ba72698e619e..53cbb02084ef 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/zz_generated.conversion.go +++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/zz_generated.conversion.go @@ -246,6 +246,7 @@ func autoConvert_v1_Policy_To_audit_Policy(in *Policy, out *audit.Policy, s conv out.ObjectMeta = in.ObjectMeta out.Rules = *(*[]audit.PolicyRule)(unsafe.Pointer(&in.Rules)) out.OmitStages = *(*[]audit.Stage)(unsafe.Pointer(&in.OmitStages)) + out.OmitManagedFields = in.OmitManagedFields return nil } @@ -258,6 +259,7 @@ func autoConvert_audit_Policy_To_v1_Policy(in *audit.Policy, out *Policy, s conv out.ObjectMeta = in.ObjectMeta out.Rules = *(*[]PolicyRule)(unsafe.Pointer(&in.Rules)) out.OmitStages = *(*[]Stage)(unsafe.Pointer(&in.OmitStages)) + out.OmitManagedFields = in.OmitManagedFields return nil } @@ -297,6 +299,7 @@ func autoConvert_v1_PolicyRule_To_audit_PolicyRule(in *PolicyRule, out *audit.Po out.Namespaces = *(*[]string)(unsafe.Pointer(&in.Namespaces)) out.NonResourceURLs = *(*[]string)(unsafe.Pointer(&in.NonResourceURLs)) out.OmitStages = *(*[]audit.Stage)(unsafe.Pointer(&in.OmitStages)) + out.OmitManagedFields = (*bool)(unsafe.Pointer(in.OmitManagedFields)) return nil } @@ -314,6 +317,7 @@ func autoConvert_audit_PolicyRule_To_v1_PolicyRule(in *audit.PolicyRule, out *Po out.Namespaces = *(*[]string)(unsafe.Pointer(&in.Namespaces)) out.NonResourceURLs = *(*[]string)(unsafe.Pointer(&in.NonResourceURLs)) out.OmitStages = *(*[]Stage)(unsafe.Pointer(&in.OmitStages)) + out.OmitManagedFields = (*bool)(unsafe.Pointer(in.OmitManagedFields)) return nil } diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/zz_generated.deepcopy.go b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/zz_generated.deepcopy.go index b333fd0077a3..0b1b0052d587 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/zz_generated.deepcopy.go +++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/zz_generated.deepcopy.go @@ -278,6 +278,11 @@ func (in *PolicyRule) DeepCopyInto(out *PolicyRule) { *out = make([]Stage, len(*in)) copy(*out, *in) } + if in.OmitManagedFields != nil { + in, out := &in.OmitManagedFields, &out.OmitManagedFields + *out = new(bool) + **out = **in + } return } diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/generated.pb.go b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/generated.pb.go index 4af2810f08b9..84ceca0b7b30 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/generated.pb.go +++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/generated.pb.go @@ -261,86 +261,89 @@ func init() { } var fileDescriptor_46c0b2c8ea67b187 = []byte{ - // 1263 bytes of a gzipped FileDescriptorProto + // 1306 bytes of a gzipped FileDescriptorProto 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x56, 0x4f, 0x6f, 0x1b, 0x45, - 0x14, 0xcf, 0xd6, 0x71, 0x63, 0x8f, 0x1b, 0xc7, 0x99, 0x56, 0x74, 0x95, 0x83, 0x6d, 0x8c, 0x84, - 0x2c, 0x08, 0xbb, 0x49, 0x14, 0x68, 0x40, 0x02, 0x11, 0xab, 0x15, 0x58, 0x4a, 0x43, 0x78, 0x89, - 0x2b, 0xf1, 0xe7, 0xc0, 0xda, 0x7e, 0xb1, 0x17, 0xdb, 0xbb, 0xcb, 0xce, 0xac, 0xab, 0xdc, 0x38, - 0x70, 0x45, 0xe2, 0xce, 0x87, 0xe0, 0x23, 0x54, 0xdc, 0x72, 0xec, 0xb1, 0x27, 0x8b, 0x98, 0x6f, - 0x91, 0x03, 0x42, 0x33, 0xfb, 0x67, 0xd6, 0x4e, 0x2d, 0x1c, 0x0e, 0xbd, 0xed, 0xbc, 0xf7, 0x7b, - 0xbf, 0xf7, 0xe6, 0xed, 0xfb, 0x33, 0xe4, 0xeb, 0xc1, 0x01, 0x33, 0x6c, 0xd7, 0x1c, 0x04, 0x6d, - 0xf4, 0x1d, 0xe4, 0xc8, 0xcc, 0x31, 0x3a, 0x5d, 0xd7, 0x37, 0x23, 0x85, 0xe5, 0xd9, 0x0c, 0xfd, - 0x31, 0xfa, 0xa6, 0x37, 0xe8, 0xc9, 0x93, 0x69, 0x05, 0x5d, 0x9b, 0x9b, 0xe3, 0x5d, 0x6b, 0xe8, - 0xf5, 0xad, 0x5d, 0xb3, 0x87, 0x0e, 0xfa, 0x16, 0xc7, 0xae, 0xe1, 0xf9, 0x2e, 0x77, 0x69, 0x3d, - 0xb4, 0x34, 0x12, 0x4b, 0xc3, 0x1b, 0xf4, 0xe4, 0xc9, 0x90, 0x96, 0x46, 0x6c, 0xb9, 0xf5, 0x41, - 0xcf, 0xe6, 0xfd, 0xa0, 0x6d, 0x74, 0xdc, 0x91, 0xd9, 0x73, 0x7b, 0xae, 0x29, 0x09, 0xda, 0xc1, - 0xb9, 0x3c, 0xc9, 0x83, 0xfc, 0x0a, 0x89, 0xb7, 0xb6, 0x55, 0x48, 0xa6, 0x15, 0xf0, 0x3e, 0x3a, - 0xdc, 0xee, 0x58, 0xdc, 0x76, 0x1d, 0x73, 0x7c, 0x23, 0x8c, 0xad, 0x7d, 0x85, 0x1e, 0x59, 0x9d, - 0xbe, 0xed, 0xa0, 0x7f, 0xa1, 0xee, 0x30, 0x42, 0x6e, 0xbd, 0xce, 0xca, 0x5c, 0x64, 0xe5, 0x07, - 0x0e, 0xb7, 0x47, 0x78, 0xc3, 0xe0, 0xa3, 0xff, 0x32, 0x60, 0x9d, 0x3e, 0x8e, 0xac, 0x79, 0xbb, - 0xda, 0x1f, 0xf7, 0x48, 0xf6, 0xc9, 0x18, 0x1d, 0x4e, 0x7f, 0x20, 0x39, 0x11, 0x4d, 0xd7, 0xe2, - 0x96, 0xae, 0x55, 0xb5, 0x7a, 0x61, 0x6f, 0xc7, 0x50, 0x29, 0x4c, 0x48, 0x55, 0x16, 0x05, 0xda, - 0x18, 0xef, 0x1a, 0x5f, 0xb5, 0x7f, 0xc4, 0x0e, 0x7f, 0x8a, 0xdc, 0x6a, 0xd0, 0xcb, 0x49, 0x65, - 0x65, 0x3a, 0xa9, 0x10, 0x25, 0x83, 0x84, 0x95, 0x6e, 0x93, 0xec, 0x10, 0xc7, 0x38, 0xd4, 0xef, - 0x54, 0xb5, 0x7a, 0xbe, 0xf1, 0x56, 0x04, 0xce, 0x1e, 0x09, 0xe1, 0x75, 0xfc, 0x01, 0x21, 0x88, - 0x7e, 0x47, 0xf2, 0x22, 0x70, 0xc6, 0xad, 0x91, 0xa7, 0x67, 0x64, 0x40, 0xef, 0x2d, 0x17, 0xd0, - 0x99, 0x3d, 0xc2, 0xc6, 0x66, 0xc4, 0x9e, 0x3f, 0x8b, 0x49, 0x40, 0xf1, 0xd1, 0x63, 0xb2, 0x26, - 0x8b, 0xa0, 0xf9, 0x58, 0x5f, 0x95, 0xc1, 0xec, 0x47, 0xf0, 0xb5, 0xc3, 0x50, 0x7c, 0x3d, 0xa9, - 0xbc, 0xbd, 0x28, 0xa5, 0xfc, 0xc2, 0x43, 0x66, 0xb4, 0x9a, 0x8f, 0x21, 0x26, 0x11, 0x57, 0x63, - 0xdc, 0xea, 0xa1, 0x9e, 0x9d, 0xbd, 0xda, 0xa9, 0x10, 0x5e, 0xc7, 0x1f, 0x10, 0x82, 0xe8, 0x1e, - 0x21, 0x3e, 0xfe, 0x14, 0x20, 0xe3, 0x2d, 0x68, 0xea, 0x77, 0xa5, 0x49, 0x92, 0x3a, 0x48, 0x34, - 0x90, 0x42, 0xd1, 0x2a, 0x59, 0x1d, 0xa3, 0xdf, 0xd6, 0xd7, 0x24, 0xfa, 0x5e, 0x84, 0x5e, 0x7d, - 0x86, 0x7e, 0x1b, 0xa4, 0x86, 0x7e, 0x49, 0x56, 0x03, 0x86, 0xbe, 0x9e, 0x93, 0xb9, 0x7a, 0x37, - 0x95, 0x2b, 0x63, 0xb6, 0x4c, 0x45, 0x8e, 0x5a, 0x0c, 0xfd, 0xa6, 0x73, 0xee, 0x2a, 0x26, 0x21, - 0x01, 0xc9, 0x40, 0xfb, 0xa4, 0x64, 0x8f, 0x3c, 0xf4, 0x99, 0xeb, 0x88, 0x52, 0x11, 0x1a, 0x3d, - 0x7f, 0x2b, 0xd6, 0x07, 0xd3, 0x49, 0xa5, 0xd4, 0x9c, 0xe3, 0x80, 0x1b, 0xac, 0xf4, 0x7d, 0x92, - 0x67, 0x6e, 0xe0, 0x77, 0xb0, 0x79, 0xc2, 0x74, 0x52, 0xcd, 0xd4, 0xf3, 0x8d, 0x75, 0xf1, 0xd3, - 0x4e, 0x63, 0x21, 0x28, 0x3d, 0x35, 0x49, 0x5e, 0x84, 0x77, 0xd8, 0x43, 0x87, 0xeb, 0x54, 0xe6, - 0x21, 0xf9, 0xcb, 0xad, 0x58, 0x01, 0x0a, 0x43, 0xcf, 0x49, 0xde, 0x95, 0x85, 0x08, 0x78, 0xae, - 0x17, 0xe4, 0x05, 0x3e, 0x36, 0x96, 0x1d, 0x0b, 0x51, 0x5d, 0x03, 0x9e, 0xa3, 0x8f, 0x4e, 0x07, - 0xc3, 0xc0, 0x12, 0x21, 0x28, 0x6a, 0xda, 0x27, 0x45, 0x1f, 0x99, 0xe7, 0x3a, 0x0c, 0x4f, 0xb9, - 0xc5, 0x03, 0xa6, 0xdf, 0x93, 0xce, 0xb6, 0x97, 0xab, 0xd7, 0xd0, 0xa6, 0x41, 0xa7, 0x93, 0x4a, - 0x11, 0x66, 0x78, 0x60, 0x8e, 0x97, 0x5a, 0x64, 0x3d, 0xaa, 0x89, 0x30, 0x10, 0x7d, 0x5d, 0x3a, - 0xaa, 0x2f, 0x74, 0x14, 0xb5, 0xbf, 0xd1, 0x72, 0x06, 0x8e, 0xfb, 0xdc, 0x69, 0x6c, 0x4e, 0x27, - 0x95, 0x75, 0x48, 0x53, 0xc0, 0x2c, 0x23, 0xed, 0xaa, 0xcb, 0x44, 0x3e, 0x8a, 0xb7, 0xf4, 0x31, - 0x73, 0x91, 0xc8, 0xc9, 0x1c, 0x27, 0xfd, 0x55, 0x23, 0x7a, 0xe4, 0x17, 0xb0, 0x83, 0xf6, 0x18, - 0xbb, 0x49, 0xa3, 0xea, 0x1b, 0xd2, 0xa1, 0xb9, 0x5c, 0xf6, 0x9e, 0xda, 0x1d, 0xdf, 0x95, 0x2d, - 0x5f, 0x8d, 0x8a, 0x41, 0x87, 0x05, 0xc4, 0xb0, 0xd0, 0x25, 0x75, 0x49, 0x51, 0xf6, 0xa6, 0x0a, - 0xa2, 0xf4, 0xff, 0x82, 0x88, 0x5b, 0xbf, 0x78, 0x3a, 0x43, 0x07, 0x73, 0xf4, 0xf4, 0x39, 0x29, - 0x58, 0x8e, 0xe3, 0x72, 0xd9, 0x3b, 0x4c, 0xdf, 0xac, 0x66, 0xea, 0x85, 0xbd, 0xcf, 0x97, 0xaf, - 0x4e, 0x39, 0xb4, 0x8d, 0x43, 0x45, 0xf1, 0xc4, 0xe1, 0xfe, 0x45, 0xe3, 0x7e, 0xe4, 0xbe, 0x90, - 0xd2, 0x40, 0xda, 0xd3, 0xd6, 0x67, 0xa4, 0x34, 0x6f, 0x45, 0x4b, 0x24, 0x33, 0xc0, 0x0b, 0x39, - 0xf6, 0xf3, 0x20, 0x3e, 0xe9, 0x03, 0x92, 0x1d, 0x5b, 0xc3, 0x00, 0xc3, 0x59, 0x0d, 0xe1, 0xe1, - 0x93, 0x3b, 0x07, 0x5a, 0xed, 0x85, 0x46, 0xf2, 0xd2, 0xf9, 0x91, 0xcd, 0x38, 0xfd, 0xfe, 0xc6, - 0xd6, 0x30, 0x96, 0xcb, 0x98, 0xb0, 0x96, 0x3b, 0xa3, 0x14, 0x45, 0x9c, 0x8b, 0x25, 0xa9, 0x8d, - 0x71, 0x46, 0xb2, 0x36, 0xc7, 0x11, 0xd3, 0xef, 0xc8, 0xf4, 0x98, 0xb7, 0x4c, 0x4f, 0x63, 0x3d, - 0x9e, 0xc3, 0x4d, 0xc1, 0x02, 0x21, 0x59, 0xed, 0x77, 0x8d, 0x14, 0xbf, 0xf0, 0xdd, 0xc0, 0x03, - 0x0c, 0x87, 0x0b, 0xa3, 0xef, 0x90, 0x6c, 0x4f, 0x48, 0xc2, 0x14, 0x28, 0xbb, 0x10, 0x16, 0xea, - 0xc4, 0xb0, 0xf2, 0x63, 0x0b, 0x19, 0x51, 0x34, 0xac, 0x12, 0x1a, 0x50, 0x7a, 0xfa, 0x48, 0x74, - 0x6a, 0x78, 0x38, 0xb6, 0x46, 0xc8, 0xf4, 0x8c, 0x34, 0x88, 0xfa, 0x2f, 0xa5, 0x80, 0x59, 0x5c, - 0xed, 0x97, 0x0c, 0xd9, 0x98, 0x1b, 0x3d, 0x74, 0x9b, 0xe4, 0x62, 0x50, 0x14, 0x61, 0x92, 0xb5, - 0x98, 0x0b, 0x12, 0x84, 0x98, 0x93, 0x8e, 0xa0, 0xf2, 0xac, 0x4e, 0xf4, 0xff, 0xd4, 0x9c, 0x3c, - 0x8e, 0x15, 0xa0, 0x30, 0x62, 0xb7, 0x88, 0x83, 0xdc, 0xb2, 0xa9, 0xdd, 0x22, 0xb0, 0x20, 0x35, - 0xb4, 0x41, 0x32, 0x81, 0xdd, 0x8d, 0x76, 0xe5, 0x4e, 0x04, 0xc8, 0xb4, 0x96, 0xdd, 0x93, 0xc2, - 0x58, 0x6c, 0x3d, 0xcb, 0xb3, 0x9f, 0xa1, 0xcf, 0x6c, 0xd7, 0x89, 0x16, 0x65, 0xb2, 0xf5, 0x0e, - 0x4f, 0x9a, 0x91, 0x06, 0x52, 0x28, 0x7a, 0x48, 0x36, 0xe2, 0x6b, 0xc5, 0x86, 0xe1, 0xba, 0x7c, - 0x18, 0x19, 0x6e, 0xc0, 0xac, 0x1a, 0xe6, 0xf1, 0xf4, 0x43, 0x52, 0x60, 0x41, 0x3b, 0x49, 0x5f, - 0xb8, 0x3f, 0x93, 0x36, 0x39, 0x55, 0x2a, 0x48, 0xe3, 0x6a, 0xff, 0x68, 0xe4, 0xee, 0x89, 0x3b, - 0xb4, 0x3b, 0x17, 0x6f, 0xe0, 0x65, 0xf4, 0x0d, 0xc9, 0xfa, 0xc1, 0x10, 0xe3, 0x3a, 0xdf, 0x5f, - 0xbe, 0xce, 0xc3, 0x10, 0x21, 0x18, 0xa2, 0x2a, 0x5a, 0x71, 0x62, 0x10, 0x32, 0xd2, 0x47, 0x84, - 0xb8, 0x23, 0x9b, 0xcb, 0x69, 0x14, 0x17, 0xe1, 0x43, 0x19, 0x48, 0x22, 0x55, 0xef, 0x93, 0x14, - 0xb4, 0xf6, 0xa7, 0x46, 0x48, 0xc8, 0xfe, 0x06, 0x1a, 0xbd, 0x35, 0xdb, 0xe8, 0x3b, 0xb7, 0x4d, - 0xc0, 0x82, 0x4e, 0x7f, 0x91, 0x89, 0xef, 0x20, 0x72, 0xa2, 0x1e, 0xa0, 0xda, 0x32, 0x0f, 0xd0, - 0x0a, 0xc9, 0x8a, 0xa7, 0x44, 0xdc, 0xea, 0x79, 0x81, 0x14, 0xcf, 0x0c, 0x06, 0xa1, 0x9c, 0x1a, - 0x84, 0x88, 0x0f, 0x39, 0x23, 0xe2, 0xd4, 0x16, 0x45, 0x6a, 0x5b, 0x89, 0x14, 0x52, 0x08, 0x41, - 0x28, 0x1e, 0x6a, 0x4c, 0x5f, 0x55, 0x84, 0xe2, 0xfd, 0xc6, 0x20, 0x94, 0x53, 0x3b, 0x3d, 0x60, - 0xb2, 0x32, 0x13, 0x07, 0xcb, 0x67, 0x62, 0x76, 0xa4, 0xa9, 0x96, 0x7f, 0xed, 0x78, 0x32, 0x08, - 0x49, 0xfa, 0x9f, 0xe9, 0x77, 0x55, 0xec, 0xc9, 0x80, 0x60, 0x90, 0x42, 0xd0, 0x4f, 0xc9, 0x86, - 0xe3, 0x3a, 0x31, 0x55, 0x0b, 0x8e, 0x98, 0xbe, 0x26, 0x8d, 0xee, 0x8b, 0x26, 0x3c, 0x9e, 0x55, - 0xc1, 0x3c, 0x76, 0xae, 0x0a, 0x73, 0x4b, 0x57, 0x61, 0xc3, 0xb8, 0xbc, 0x2a, 0xaf, 0xbc, 0xbc, - 0x2a, 0xaf, 0xbc, 0xba, 0x2a, 0xaf, 0xfc, 0x3c, 0x2d, 0x6b, 0x97, 0xd3, 0xb2, 0xf6, 0x72, 0x5a, - 0xd6, 0x5e, 0x4d, 0xcb, 0xda, 0x5f, 0xd3, 0xb2, 0xf6, 0xdb, 0xdf, 0xe5, 0x95, 0x6f, 0x73, 0x71, - 0x12, 0xfe, 0x0d, 0x00, 0x00, 0xff, 0xff, 0x19, 0xf8, 0xf6, 0xd0, 0x49, 0x0e, 0x00, 0x00, + 0x14, 0xcf, 0xc6, 0x71, 0xe3, 0x9d, 0x34, 0x4e, 0x32, 0x2d, 0x74, 0xc9, 0xc1, 0x0e, 0x41, 0x42, + 0x11, 0x84, 0xdd, 0xb6, 0x2a, 0xb4, 0x20, 0x81, 0x88, 0x69, 0x29, 0x96, 0xda, 0xb4, 0x4c, 0xea, + 0x4a, 0xfc, 0x39, 0x30, 0xb6, 0x5f, 0xec, 0xc5, 0xf6, 0xec, 0xb2, 0x33, 0xeb, 0x2a, 0x37, 0x0e, + 0xbd, 0x22, 0x71, 0xe7, 0x43, 0xf0, 0x11, 0x10, 0x27, 0x7a, 0xec, 0xb1, 0x27, 0x8b, 0x9a, 0x6f, + 0xd1, 0x13, 0x9a, 0xd9, 0xd9, 0x9d, 0xb5, 0x13, 0x8b, 0x0d, 0x87, 0xde, 0x66, 0xde, 0xfb, 0xbd, + 0xdf, 0x7b, 0xf3, 0xe6, 0xcd, 0x7b, 0x83, 0xbe, 0x1e, 0xdc, 0xe2, 0xae, 0x1f, 0x78, 0x83, 0xb8, + 0x0d, 0x11, 0x03, 0x01, 0xdc, 0x1b, 0x03, 0xeb, 0x06, 0x91, 0xa7, 0x15, 0x34, 0xf4, 0x39, 0x44, + 0x63, 0x88, 0xbc, 0x70, 0xd0, 0x53, 0x3b, 0x8f, 0xc6, 0x5d, 0x5f, 0x78, 0xe3, 0x6b, 0x74, 0x18, + 0xf6, 0xe9, 0x35, 0xaf, 0x07, 0x0c, 0x22, 0x2a, 0xa0, 0xeb, 0x86, 0x51, 0x20, 0x02, 0xbc, 0x97, + 0x58, 0xba, 0x99, 0xa5, 0x1b, 0x0e, 0x7a, 0x6a, 0xe7, 0x2a, 0x4b, 0x37, 0xb5, 0xdc, 0xfe, 0xa0, + 0xe7, 0x8b, 0x7e, 0xdc, 0x76, 0x3b, 0xc1, 0xc8, 0xeb, 0x05, 0xbd, 0xc0, 0x53, 0x04, 0xed, 0xf8, + 0x58, 0xed, 0xd4, 0x46, 0xad, 0x12, 0xe2, 0xed, 0x7d, 0x13, 0x92, 0x47, 0x63, 0xd1, 0x07, 0x26, + 0xfc, 0x0e, 0x15, 0x7e, 0xc0, 0xbc, 0xf1, 0xa9, 0x30, 0xb6, 0x6f, 0x18, 0xf4, 0x88, 0x76, 0xfa, + 0x3e, 0x83, 0xe8, 0xc4, 0x9c, 0x61, 0x04, 0x82, 0x9e, 0x65, 0xe5, 0x2d, 0xb2, 0x8a, 0x62, 0x26, + 0xfc, 0x11, 0x9c, 0x32, 0xf8, 0xe8, 0xbf, 0x0c, 0x78, 0xa7, 0x0f, 0x23, 0x3a, 0x6f, 0xb7, 0xfb, + 0xfb, 0x45, 0x54, 0xbe, 0x33, 0x06, 0x26, 0xf0, 0x0f, 0xa8, 0x22, 0xa3, 0xe9, 0x52, 0x41, 0x1d, + 0x6b, 0xc7, 0xda, 0x5b, 0xbb, 0x7e, 0xd5, 0x35, 0x29, 0xcc, 0x48, 0x4d, 0x16, 0x25, 0xda, 0x1d, + 0x5f, 0x73, 0x1f, 0xb4, 0x7f, 0x84, 0x8e, 0xb8, 0x0f, 0x82, 0x36, 0xf0, 0xb3, 0x49, 0x7d, 0x69, + 0x3a, 0xa9, 0x23, 0x23, 0x23, 0x19, 0x2b, 0xde, 0x47, 0xe5, 0x21, 0x8c, 0x61, 0xe8, 0x2c, 0xef, + 0x58, 0x7b, 0x76, 0xe3, 0x4d, 0x0d, 0x2e, 0xdf, 0x93, 0xc2, 0x57, 0xe9, 0x82, 0x24, 0x20, 0xfc, + 0x1d, 0xb2, 0x65, 0xe0, 0x5c, 0xd0, 0x51, 0xe8, 0x94, 0x54, 0x40, 0xef, 0x15, 0x0b, 0xe8, 0x91, + 0x3f, 0x82, 0xc6, 0x96, 0x66, 0xb7, 0x1f, 0xa5, 0x24, 0xc4, 0xf0, 0xe1, 0x43, 0xb4, 0xaa, 0x8a, + 0xa0, 0x79, 0xdb, 0x59, 0x51, 0xc1, 0xdc, 0xd0, 0xf0, 0xd5, 0x83, 0x44, 0xfc, 0x6a, 0x52, 0x7f, + 0x7b, 0x51, 0x4a, 0xc5, 0x49, 0x08, 0xdc, 0x6d, 0x35, 0x6f, 0x93, 0x94, 0x44, 0x1e, 0x8d, 0x0b, + 0xda, 0x03, 0xa7, 0x3c, 0x7b, 0xb4, 0x23, 0x29, 0x7c, 0x95, 0x2e, 0x48, 0x02, 0xc2, 0xd7, 0x11, + 0x8a, 0xe0, 0xa7, 0x18, 0xb8, 0x68, 0x91, 0xa6, 0x73, 0x41, 0x99, 0x64, 0xa9, 0x23, 0x99, 0x86, + 0xe4, 0x50, 0x78, 0x07, 0xad, 0x8c, 0x21, 0x6a, 0x3b, 0xab, 0x0a, 0x7d, 0x51, 0xa3, 0x57, 0x1e, + 0x43, 0xd4, 0x26, 0x4a, 0x83, 0xbf, 0x42, 0x2b, 0x31, 0x87, 0xc8, 0xa9, 0xa8, 0x5c, 0xbd, 0x9b, + 0xcb, 0x95, 0x3b, 0x5b, 0xa6, 0x32, 0x47, 0x2d, 0x0e, 0x51, 0x93, 0x1d, 0x07, 0x86, 0x49, 0x4a, + 0x88, 0x62, 0xc0, 0x7d, 0xb4, 0xe9, 0x8f, 0x42, 0x88, 0x78, 0xc0, 0x64, 0xa9, 0x48, 0x8d, 0x63, + 0x9f, 0x8b, 0xf5, 0xf2, 0x74, 0x52, 0xdf, 0x6c, 0xce, 0x71, 0x90, 0x53, 0xac, 0xf8, 0x7d, 0x64, + 0xf3, 0x20, 0x8e, 0x3a, 0xd0, 0x7c, 0xc8, 0x1d, 0xb4, 0x53, 0xda, 0xb3, 0x1b, 0xeb, 0xf2, 0xd2, + 0x8e, 0x52, 0x21, 0x31, 0x7a, 0xec, 0x21, 0x5b, 0x86, 0x77, 0xd0, 0x03, 0x26, 0x1c, 0xac, 0xf2, + 0x90, 0xdd, 0x72, 0x2b, 0x55, 0x10, 0x83, 0xc1, 0xc7, 0xc8, 0x0e, 0x54, 0x21, 0x12, 0x38, 0x76, + 0xd6, 0xd4, 0x01, 0x3e, 0x76, 0x8b, 0xb6, 0x05, 0x5d, 0xd7, 0x04, 0x8e, 0x21, 0x02, 0xd6, 0x81, + 0x24, 0xb0, 0x4c, 0x48, 0x0c, 0x35, 0xee, 0xa3, 0x6a, 0x04, 0x3c, 0x0c, 0x18, 0x87, 0x23, 0x41, + 0x45, 0xcc, 0x9d, 0x8b, 0xca, 0xd9, 0x7e, 0xb1, 0x7a, 0x4d, 0x6c, 0x1a, 0x78, 0x3a, 0xa9, 0x57, + 0xc9, 0x0c, 0x0f, 0x99, 0xe3, 0xc5, 0x14, 0xad, 0xeb, 0x9a, 0x48, 0x02, 0x71, 0xd6, 0x95, 0xa3, + 0xbd, 0x85, 0x8e, 0xf4, 0xf3, 0x77, 0x5b, 0x6c, 0xc0, 0x82, 0x27, 0xac, 0xb1, 0x35, 0x9d, 0xd4, + 0xd7, 0x49, 0x9e, 0x82, 0xcc, 0x32, 0xe2, 0xae, 0x39, 0x8c, 0xf6, 0x51, 0x3d, 0xa7, 0x8f, 0x99, + 0x83, 0x68, 0x27, 0x73, 0x9c, 0xf8, 0x17, 0x0b, 0x39, 0xda, 0x2f, 0x81, 0x0e, 0xf8, 0x63, 0xe8, + 0x66, 0x0f, 0xd5, 0xd9, 0x50, 0x0e, 0xbd, 0x62, 0xd9, 0xbb, 0xef, 0x77, 0xa2, 0x40, 0x3d, 0xf9, + 0x1d, 0x5d, 0x0c, 0x0e, 0x59, 0x40, 0x4c, 0x16, 0xba, 0xc4, 0x01, 0xaa, 0xaa, 0xb7, 0x69, 0x82, + 0xd8, 0xfc, 0x7f, 0x41, 0xa4, 0x4f, 0xbf, 0x7a, 0x34, 0x43, 0x47, 0xe6, 0xe8, 0xf1, 0x13, 0xb4, + 0x46, 0x19, 0x0b, 0x84, 0x7a, 0x3b, 0xdc, 0xd9, 0xda, 0x29, 0xed, 0xad, 0x5d, 0xff, 0xbc, 0x78, + 0x75, 0xaa, 0xa6, 0xed, 0x1e, 0x18, 0x8a, 0x3b, 0x4c, 0x44, 0x27, 0x8d, 0x4b, 0xda, 0xfd, 0x5a, + 0x4e, 0x43, 0xf2, 0x9e, 0xb6, 0x3f, 0x43, 0x9b, 0xf3, 0x56, 0x78, 0x13, 0x95, 0x06, 0x70, 0xa2, + 0xda, 0xbe, 0x4d, 0xe4, 0x12, 0x5f, 0x46, 0xe5, 0x31, 0x1d, 0xc6, 0x90, 0xf4, 0x6a, 0x92, 0x6c, + 0x3e, 0x59, 0xbe, 0x65, 0xed, 0xfe, 0x61, 0x21, 0x5b, 0x39, 0xbf, 0xe7, 0x73, 0x81, 0xbf, 0x3f, + 0x35, 0x35, 0xdc, 0x62, 0x19, 0x93, 0xd6, 0x6a, 0x66, 0x6c, 0xea, 0x88, 0x2b, 0xa9, 0x24, 0x37, + 0x31, 0x1e, 0xa1, 0xb2, 0x2f, 0x60, 0xc4, 0x9d, 0x65, 0x95, 0x1e, 0xef, 0x9c, 0xe9, 0x69, 0xac, + 0xa7, 0x7d, 0xb8, 0x29, 0x59, 0x48, 0x42, 0xb6, 0xfb, 0x9b, 0x85, 0xaa, 0x77, 0xa3, 0x20, 0x0e, + 0x09, 0x24, 0xcd, 0x85, 0xe3, 0x77, 0x50, 0xb9, 0x27, 0x25, 0x49, 0x0a, 0x8c, 0x5d, 0x02, 0x4b, + 0x74, 0xb2, 0x59, 0x45, 0xa9, 0x85, 0x8a, 0x48, 0x37, 0xab, 0x8c, 0x86, 0x18, 0x3d, 0xbe, 0x29, + 0x5f, 0x6a, 0xb2, 0x39, 0xa4, 0x23, 0xe0, 0x4e, 0x49, 0x19, 0xe8, 0xf7, 0x97, 0x53, 0x90, 0x59, + 0xdc, 0xee, 0xd3, 0x12, 0xda, 0x98, 0x6b, 0x3d, 0x78, 0x1f, 0x55, 0x52, 0x90, 0x8e, 0x30, 0xcb, + 0x5a, 0xca, 0x45, 0x32, 0x84, 0xec, 0x93, 0x4c, 0x52, 0x85, 0xb4, 0xa3, 0xef, 0xcf, 0xf4, 0xc9, + 0xc3, 0x54, 0x41, 0x0c, 0x46, 0xce, 0x16, 0xb9, 0x51, 0x53, 0x36, 0x37, 0x5b, 0x24, 0x96, 0x28, + 0x0d, 0x6e, 0xa0, 0x52, 0xec, 0x77, 0xf5, 0xac, 0xbc, 0xaa, 0x01, 0xa5, 0x56, 0xd1, 0x39, 0x29, + 0x8d, 0xe5, 0xd4, 0xa3, 0xa1, 0xff, 0x18, 0x22, 0xee, 0x07, 0x4c, 0x0f, 0xca, 0x6c, 0xea, 0x1d, + 0x3c, 0x6c, 0x6a, 0x0d, 0xc9, 0xa1, 0xf0, 0x01, 0xda, 0x48, 0x8f, 0x95, 0x1a, 0x26, 0xe3, 0xf2, + 0x8a, 0x36, 0xdc, 0x20, 0xb3, 0x6a, 0x32, 0x8f, 0xc7, 0x1f, 0xa2, 0x35, 0x1e, 0xb7, 0xb3, 0xf4, + 0x25, 0xf3, 0x33, 0x7b, 0x26, 0x47, 0x46, 0x45, 0xf2, 0xb8, 0xdd, 0xbf, 0x96, 0xd1, 0x85, 0x87, + 0xc1, 0xd0, 0xef, 0x9c, 0xbc, 0x86, 0x9f, 0xd1, 0x37, 0xa8, 0x1c, 0xc5, 0x43, 0x48, 0xeb, 0xfc, + 0x46, 0xf1, 0x3a, 0x4f, 0x42, 0x24, 0xf1, 0x10, 0x4c, 0xd1, 0xca, 0x1d, 0x27, 0x09, 0x23, 0xbe, + 0x89, 0x50, 0x30, 0xf2, 0x85, 0xea, 0x46, 0x69, 0x11, 0x5e, 0x51, 0x81, 0x64, 0x52, 0xf3, 0x3f, + 0xc9, 0x41, 0xf1, 0x5d, 0xb4, 0x25, 0x77, 0xf7, 0x29, 0xa3, 0x3d, 0xe8, 0x7e, 0xe9, 0xc3, 0xb0, + 0xcb, 0x55, 0x01, 0x54, 0x1a, 0x6f, 0x69, 0x4f, 0x5b, 0x0f, 0xe6, 0x01, 0xe4, 0xb4, 0xcd, 0xee, + 0x9f, 0x16, 0x42, 0x49, 0x98, 0xaf, 0xa1, 0x63, 0xb4, 0x66, 0x3b, 0xc6, 0xd5, 0xf3, 0x66, 0x72, + 0x41, 0xcb, 0x78, 0xba, 0x92, 0x9e, 0x41, 0x26, 0xd7, 0xfc, 0x64, 0xad, 0x22, 0x3f, 0xd9, 0x3a, + 0x2a, 0xcb, 0x3f, 0x49, 0xda, 0x33, 0x6c, 0x89, 0x94, 0xff, 0x15, 0x4e, 0x12, 0x39, 0x76, 0x11, + 0x92, 0x0b, 0xd5, 0x6c, 0xd2, 0x3b, 0xaa, 0xca, 0x3b, 0x6a, 0x65, 0x52, 0x92, 0x43, 0x48, 0x42, + 0xf9, 0xe3, 0x93, 0xd7, 0x91, 0x11, 0xca, 0x8f, 0x20, 0x27, 0x89, 0x1c, 0xfb, 0xf9, 0x4e, 0x55, + 0x56, 0x99, 0xb8, 0x55, 0x3c, 0x13, 0xb3, 0xbd, 0xd1, 0xf4, 0x8e, 0x33, 0xfb, 0x9c, 0x8b, 0x50, + 0xd6, 0x48, 0xb8, 0x73, 0xc1, 0xc4, 0x9e, 0x75, 0x1a, 0x4e, 0x72, 0x08, 0xfc, 0x29, 0xda, 0x60, + 0x01, 0x4b, 0xa9, 0x5a, 0xe4, 0x1e, 0x77, 0x56, 0x95, 0xd1, 0x25, 0xf9, 0x9a, 0x0f, 0x67, 0x55, + 0x64, 0x1e, 0x3b, 0x57, 0xce, 0x95, 0xe2, 0xe5, 0xfc, 0xc5, 0x59, 0xe5, 0x6c, 0xab, 0x72, 0x7e, + 0xa3, 0x68, 0x29, 0x37, 0xdc, 0x67, 0x2f, 0x6b, 0x4b, 0xcf, 0x5f, 0xd6, 0x96, 0x5e, 0xbc, 0xac, + 0x2d, 0xfd, 0x3c, 0xad, 0x59, 0xcf, 0xa6, 0x35, 0xeb, 0xf9, 0xb4, 0x66, 0xbd, 0x98, 0xd6, 0xac, + 0xbf, 0xa7, 0x35, 0xeb, 0xd7, 0x7f, 0x6a, 0x4b, 0xdf, 0x56, 0xd2, 0x4c, 0xfe, 0x1b, 0x00, 0x00, + 0xff, 0xff, 0x3a, 0xc5, 0x5b, 0x91, 0xd7, 0x0e, 0x00, 0x00, } func (m *Event) Marshal() (dAtA []byte, err error) { @@ -716,6 +719,14 @@ func (m *Policy) MarshalToSizedBuffer(dAtA []byte) (int, error) { _ = i var l int _ = l + i-- + if m.OmitManagedFields { + dAtA[i] = 1 + } else { + dAtA[i] = 0 + } + i-- + dAtA[i] = 0x20 if len(m.OmitStages) > 0 { for iNdEx := len(m.OmitStages) - 1; iNdEx >= 0; iNdEx-- { i -= len(m.OmitStages[iNdEx]) @@ -819,6 +830,16 @@ func (m *PolicyRule) MarshalToSizedBuffer(dAtA []byte) (int, error) { _ = i var l int _ = l + if m.OmitManagedFields != nil { + i-- + if *m.OmitManagedFields { + dAtA[i] = 1 + } else { + dAtA[i] = 0 + } + i-- + dAtA[i] = 0x48 + } if len(m.OmitStages) > 0 { for iNdEx := len(m.OmitStages) - 1; iNdEx >= 0; iNdEx-- { i -= len(m.OmitStages[iNdEx]) @@ -1054,6 +1075,7 @@ func (m *Policy) Size() (n int) { n += 1 + l + sovGenerated(uint64(l)) } } + n += 2 return n } @@ -1124,6 +1146,9 @@ func (m *PolicyRule) Size() (n int) { n += 1 + l + sovGenerated(uint64(l)) } } + if m.OmitManagedFields != nil { + n += 2 + } return n } @@ -1227,6 +1252,7 @@ func (this *Policy) String() string { `ObjectMeta:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ObjectMeta), "ObjectMeta", "v1.ObjectMeta", 1), `&`, ``, 1) + `,`, `Rules:` + repeatedStringForRules + `,`, `OmitStages:` + fmt.Sprintf("%v", this.OmitStages) + `,`, + `OmitManagedFields:` + fmt.Sprintf("%v", this.OmitManagedFields) + `,`, `}`, }, "") return s @@ -1265,6 +1291,7 @@ func (this *PolicyRule) String() string { `Namespaces:` + fmt.Sprintf("%v", this.Namespaces) + `,`, `NonResourceURLs:` + fmt.Sprintf("%v", this.NonResourceURLs) + `,`, `OmitStages:` + fmt.Sprintf("%v", this.OmitStages) + `,`, + `OmitManagedFields:` + valueToStringGenerated(this.OmitManagedFields) + `,`, `}`, }, "") return s @@ -2688,6 +2715,26 @@ func (m *Policy) Unmarshal(dAtA []byte) error { } m.OmitStages = append(m.OmitStages, Stage(dAtA[iNdEx:postIndex])) iNdEx = postIndex + case 4: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field OmitManagedFields", wireType) + } + var v int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + m.OmitManagedFields = bool(v != 0) default: iNdEx = preIndex skippy, err := skipGenerated(dAtA[iNdEx:]) @@ -3113,6 +3160,27 @@ func (m *PolicyRule) Unmarshal(dAtA []byte) error { } m.OmitStages = append(m.OmitStages, Stage(dAtA[iNdEx:postIndex])) iNdEx = postIndex + case 9: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field OmitManagedFields", wireType) + } + var v int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + b := bool(v != 0) + m.OmitManagedFields = &b default: iNdEx = preIndex skippy, err := skipGenerated(dAtA[iNdEx:]) diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/generated.proto b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/generated.proto index 9b5138ea5465..5c457e381dbd 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/generated.proto +++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/generated.proto @@ -195,6 +195,15 @@ message Policy { // be specified per rule in which case the union of both are omitted. // +optional repeated string omitStages = 3; + + // OmitManagedFields indicates whether to omit the managed fields of the request + // and response bodies from being written to the API audit log. + // This is used as a global default - a value of 'true' will omit the managed fileds, + // otherwise the managed fields will be included in the API audit log. + // Note that this can also be specified per rule in which case the value specified + // in a rule will override the global default. + // +optional + optional bool omitManagedFields = 4; } // PolicyList is a list of audit Policies. @@ -250,5 +259,16 @@ message PolicyRule { // An empty list means no restrictions will apply. // +optional repeated string omitStages = 8; + + // OmitManagedFields indicates whether to omit the managed fields of the request + // and response bodies from being written to the API audit log. + // - a value of 'true' will drop the managed fields from the API audit log + // - a value of 'false' indicates that the managed fileds should be included + // in the API audit log + // Note that the value, if specified, in this rule will override the global default + // If a value is not specified then the global default specified in + // Policy.OmitManagedFields will stand. + // +optional + optional bool omitManagedFields = 9; } diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/types.go b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/types.go index 2616f5fe7090..f108b9bc58ff 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/types.go +++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/types.go @@ -191,6 +191,15 @@ type Policy struct { // be specified per rule in which case the union of both are omitted. // +optional OmitStages []Stage `json:"omitStages,omitempty" protobuf:"bytes,3,rep,name=omitStages"` + + // OmitManagedFields indicates whether to omit the managed fields of the request + // and response bodies from being written to the API audit log. + // This is used as a global default - a value of 'true' will omit the managed fileds, + // otherwise the managed fields will be included in the API audit log. + // Note that this can also be specified per rule in which case the value specified + // in a rule will override the global default. + // +optional + OmitManagedFields bool `json:"omitManagedFields,omitempty" protobuf:"varint,4,opt,name=omitManagedFields"` } // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object @@ -254,6 +263,17 @@ type PolicyRule struct { // An empty list means no restrictions will apply. // +optional OmitStages []Stage `json:"omitStages,omitempty" protobuf:"bytes,8,rep,name=omitStages"` + + // OmitManagedFields indicates whether to omit the managed fields of the request + // and response bodies from being written to the API audit log. + // - a value of 'true' will drop the managed fields from the API audit log + // - a value of 'false' indicates that the managed fileds should be included + // in the API audit log + // Note that the value, if specified, in this rule will override the global default + // If a value is not specified then the global default specified in + // Policy.OmitManagedFields will stand. + // +optional + OmitManagedFields *bool `json:"omitManagedFields,omitempty" protobuf:"varint,9,opt,name=omitManagedFields"` } // GroupResources represents resource kinds in an API group. diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/zz_generated.conversion.go b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/zz_generated.conversion.go index 35c27734adc6..de9e938d479c 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/zz_generated.conversion.go +++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/zz_generated.conversion.go @@ -263,6 +263,7 @@ func autoConvert_v1alpha1_Policy_To_audit_Policy(in *Policy, out *audit.Policy, out.ObjectMeta = in.ObjectMeta out.Rules = *(*[]audit.PolicyRule)(unsafe.Pointer(&in.Rules)) out.OmitStages = *(*[]audit.Stage)(unsafe.Pointer(&in.OmitStages)) + out.OmitManagedFields = in.OmitManagedFields return nil } @@ -275,6 +276,7 @@ func autoConvert_audit_Policy_To_v1alpha1_Policy(in *audit.Policy, out *Policy, out.ObjectMeta = in.ObjectMeta out.Rules = *(*[]PolicyRule)(unsafe.Pointer(&in.Rules)) out.OmitStages = *(*[]Stage)(unsafe.Pointer(&in.OmitStages)) + out.OmitManagedFields = in.OmitManagedFields return nil } @@ -314,6 +316,7 @@ func autoConvert_v1alpha1_PolicyRule_To_audit_PolicyRule(in *PolicyRule, out *au out.Namespaces = *(*[]string)(unsafe.Pointer(&in.Namespaces)) out.NonResourceURLs = *(*[]string)(unsafe.Pointer(&in.NonResourceURLs)) out.OmitStages = *(*[]audit.Stage)(unsafe.Pointer(&in.OmitStages)) + out.OmitManagedFields = (*bool)(unsafe.Pointer(in.OmitManagedFields)) return nil } @@ -331,6 +334,7 @@ func autoConvert_audit_PolicyRule_To_v1alpha1_PolicyRule(in *audit.PolicyRule, o out.Namespaces = *(*[]string)(unsafe.Pointer(&in.Namespaces)) out.NonResourceURLs = *(*[]string)(unsafe.Pointer(&in.NonResourceURLs)) out.OmitStages = *(*[]Stage)(unsafe.Pointer(&in.OmitStages)) + out.OmitManagedFields = (*bool)(unsafe.Pointer(in.OmitManagedFields)) return nil } diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/zz_generated.deepcopy.go b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/zz_generated.deepcopy.go index a986144e7a7d..5f99185eeb62 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/zz_generated.deepcopy.go +++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/zz_generated.deepcopy.go @@ -280,6 +280,11 @@ func (in *PolicyRule) DeepCopyInto(out *PolicyRule) { *out = make([]Stage, len(*in)) copy(*out, *in) } + if in.OmitManagedFields != nil { + in, out := &in.OmitManagedFields, &out.OmitManagedFields + *out = new(bool) + **out = **in + } return } diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/generated.pb.go b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/generated.pb.go index 0437d71cf56a..ef04b4463eab 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/generated.pb.go +++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/generated.pb.go @@ -261,87 +261,90 @@ func init() { } var fileDescriptor_c7e4d52063960930 = []byte{ - // 1279 bytes of a gzipped FileDescriptorProto + // 1320 bytes of a gzipped FileDescriptorProto 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x56, 0x4f, 0x6f, 0x1b, 0x45, - 0x14, 0xcf, 0xd6, 0x71, 0x63, 0x8f, 0x1b, 0xc7, 0x9d, 0x56, 0x74, 0x95, 0x83, 0x6d, 0x8c, 0x04, - 0x11, 0xa4, 0xbb, 0x4d, 0x28, 0x24, 0x42, 0x02, 0x64, 0xab, 0x15, 0x58, 0x4a, 0x43, 0x34, 0x8e, - 0x2b, 0x04, 0x1c, 0x58, 0xdb, 0x2f, 0xf6, 0x62, 0x7b, 0x77, 0xd9, 0x99, 0x35, 0xca, 0x8d, 0x2f, - 0x80, 0xc4, 0x9d, 0xcf, 0xc0, 0x85, 0x0f, 0x50, 0x71, 0xcc, 0xb1, 0xc7, 0x9e, 0x2c, 0x62, 0xbe, - 0x45, 0x24, 0x24, 0x34, 0x7f, 0x76, 0x67, 0xed, 0xd4, 0xc2, 0xe1, 0xd0, 0xdb, 0xce, 0x7b, 0xbf, - 0xf7, 0x9b, 0x37, 0xbf, 0x7d, 0xf3, 0xde, 0xa0, 0x93, 0xe1, 0x21, 0xb5, 0x5c, 0xdf, 0x1e, 0x46, - 0x1d, 0x08, 0x3d, 0x60, 0x40, 0xed, 0x09, 0x78, 0x3d, 0x3f, 0xb4, 0x95, 0xc3, 0x09, 0x5c, 0x0a, - 0xe1, 0x04, 0x42, 0x3b, 0x18, 0xf6, 0xc5, 0xca, 0x76, 0xa2, 0x9e, 0xcb, 0xec, 0xc9, 0x5e, 0x07, - 0x98, 0xb3, 0x67, 0xf7, 0xc1, 0x83, 0xd0, 0x61, 0xd0, 0xb3, 0x82, 0xd0, 0x67, 0x3e, 0x7e, 0x4f, - 0x06, 0x5a, 0x49, 0xa0, 0x15, 0x0c, 0xfb, 0x62, 0x65, 0x89, 0x40, 0x4b, 0x05, 0x6e, 0x3f, 0xec, - 0xbb, 0x6c, 0x10, 0x75, 0xac, 0xae, 0x3f, 0xb6, 0xfb, 0x7e, 0xdf, 0xb7, 0x45, 0x7c, 0x27, 0x3a, - 0x13, 0x2b, 0xb1, 0x10, 0x5f, 0x92, 0x77, 0x7b, 0x57, 0x27, 0x64, 0x3b, 0x11, 0x1b, 0x80, 0xc7, - 0xdc, 0xae, 0xc3, 0x5c, 0xdf, 0xb3, 0x27, 0xd7, 0xb2, 0xd8, 0x7e, 0xac, 0xd1, 0x63, 0xa7, 0x3b, - 0x70, 0x3d, 0x08, 0xcf, 0xf5, 0x09, 0xc6, 0xc0, 0x9c, 0xd7, 0x45, 0xd9, 0xcb, 0xa2, 0xc2, 0xc8, - 0x63, 0xee, 0x18, 0xae, 0x05, 0x7c, 0xfc, 0x5f, 0x01, 0xb4, 0x3b, 0x80, 0xb1, 0xb3, 0x18, 0x57, - 0xfb, 0xfd, 0x0e, 0xca, 0x3e, 0x9d, 0x80, 0xc7, 0xf0, 0xf7, 0x28, 0xc7, 0xb3, 0xe9, 0x39, 0xcc, - 0x31, 0x8d, 0xaa, 0xb1, 0x53, 0xd8, 0x7f, 0x64, 0x69, 0x05, 0x13, 0x52, 0x2d, 0x22, 0x47, 0x5b, - 0x93, 0x3d, 0xeb, 0xab, 0xce, 0x0f, 0xd0, 0x65, 0xcf, 0x80, 0x39, 0x0d, 0x7c, 0x31, 0xad, 0xac, - 0xcd, 0xa6, 0x15, 0xa4, 0x6d, 0x24, 0x61, 0xc5, 0xbb, 0x28, 0x3b, 0x82, 0x09, 0x8c, 0xcc, 0x5b, - 0x55, 0x63, 0x27, 0xdf, 0x78, 0x4b, 0x81, 0xb3, 0x47, 0xdc, 0x78, 0x15, 0x7f, 0x10, 0x09, 0xc2, - 0xdf, 0xa2, 0x3c, 0x4f, 0x9c, 0x32, 0x67, 0x1c, 0x98, 0x19, 0x91, 0xd0, 0xfb, 0xab, 0x25, 0x74, - 0xea, 0x8e, 0xa1, 0x71, 0x57, 0xb1, 0xe7, 0x4f, 0x63, 0x12, 0xa2, 0xf9, 0xf0, 0x31, 0xda, 0x10, - 0x35, 0xd0, 0x7c, 0x62, 0xae, 0x8b, 0x64, 0x1e, 0x2b, 0xf8, 0x46, 0x5d, 0x9a, 0xaf, 0xa6, 0x95, - 0xb7, 0x97, 0x49, 0xca, 0xce, 0x03, 0xa0, 0x56, 0xbb, 0xf9, 0x84, 0xc4, 0x24, 0xfc, 0x68, 0x94, - 0x39, 0x7d, 0x30, 0xb3, 0xf3, 0x47, 0x6b, 0x71, 0xe3, 0x55, 0xfc, 0x41, 0x24, 0x08, 0xef, 0x23, - 0x14, 0xc2, 0x8f, 0x11, 0x50, 0xd6, 0x26, 0x4d, 0xf3, 0xb6, 0x08, 0x49, 0xa4, 0x23, 0x89, 0x87, - 0xa4, 0x50, 0xb8, 0x8a, 0xd6, 0x27, 0x10, 0x76, 0xcc, 0x0d, 0x81, 0xbe, 0xa3, 0xd0, 0xeb, 0xcf, - 0x21, 0xec, 0x10, 0xe1, 0xc1, 0x5f, 0xa2, 0xf5, 0x88, 0x42, 0x68, 0xe6, 0x84, 0x56, 0xef, 0xa6, - 0xb4, 0xb2, 0xe6, 0xcb, 0x94, 0x6b, 0xd4, 0xa6, 0x10, 0x36, 0xbd, 0x33, 0x5f, 0x33, 0x71, 0x0b, - 0x11, 0x0c, 0x78, 0x80, 0x4a, 0xee, 0x38, 0x80, 0x90, 0xfa, 0x1e, 0x2f, 0x15, 0xee, 0x31, 0xf3, - 0x37, 0x62, 0xbd, 0x3f, 0x9b, 0x56, 0x4a, 0xcd, 0x05, 0x0e, 0x72, 0x8d, 0x15, 0x7f, 0x80, 0xf2, - 0xd4, 0x8f, 0xc2, 0x2e, 0x34, 0x4f, 0xa8, 0x89, 0xaa, 0x99, 0x9d, 0x7c, 0x63, 0x93, 0xff, 0xb4, - 0x56, 0x6c, 0x24, 0xda, 0x8f, 0x6d, 0x94, 0xe7, 0xe9, 0xd5, 0xfb, 0xe0, 0x31, 0x13, 0x0b, 0x1d, - 0x92, 0xbf, 0xdc, 0x8e, 0x1d, 0x44, 0x63, 0x30, 0xa0, 0xbc, 0x2f, 0x0a, 0x91, 0xc0, 0x99, 0x59, - 0x10, 0x07, 0x38, 0xb4, 0x56, 0xec, 0x0a, 0xaa, 0xac, 0x09, 0x9c, 0x41, 0x08, 0x5e, 0x17, 0x64, - 0x5e, 0x89, 0x91, 0x68, 0x66, 0x3c, 0x40, 0xc5, 0x10, 0x68, 0xe0, 0x7b, 0x14, 0x5a, 0xcc, 0x61, - 0x11, 0x35, 0xef, 0x88, 0xbd, 0x76, 0x57, 0x2b, 0x57, 0x19, 0xd3, 0xc0, 0xb3, 0x69, 0xa5, 0x48, - 0xe6, 0x78, 0xc8, 0x02, 0x2f, 0x76, 0xd0, 0xa6, 0x2a, 0x09, 0x99, 0x88, 0xb9, 0x29, 0x36, 0xda, - 0x59, 0xba, 0x91, 0xba, 0xfd, 0x56, 0xdb, 0x1b, 0x7a, 0xfe, 0x4f, 0x5e, 0xe3, 0xee, 0x6c, 0x5a, - 0xd9, 0x24, 0x69, 0x0a, 0x32, 0xcf, 0x88, 0x7b, 0xfa, 0x30, 0x6a, 0x8f, 0xe2, 0x0d, 0xf7, 0x98, - 0x3b, 0x88, 0xda, 0x64, 0x81, 0x13, 0xff, 0x62, 0x20, 0x53, 0xed, 0x4b, 0xa0, 0x0b, 0xee, 0x04, - 0x7a, 0xc9, 0x3d, 0x35, 0xb7, 0xc4, 0x86, 0xf6, 0x6a, 0xea, 0x3d, 0x73, 0xbb, 0xa1, 0x2f, 0x6e, - 0x7c, 0x55, 0xd5, 0x82, 0x49, 0x96, 0x10, 0x93, 0xa5, 0x5b, 0x62, 0x1f, 0x15, 0xc5, 0xd5, 0xd4, - 0x49, 0x94, 0xfe, 0x5f, 0x12, 0xf1, 0xcd, 0x2f, 0xb6, 0xe6, 0xe8, 0xc8, 0x02, 0x3d, 0x9e, 0xa0, - 0x82, 0xe3, 0x79, 0x3e, 0x13, 0x57, 0x87, 0x9a, 0x77, 0xab, 0x99, 0x9d, 0xc2, 0xfe, 0xe7, 0x2b, - 0x17, 0xa7, 0x68, 0xd9, 0x56, 0x5d, 0x33, 0x3c, 0xf5, 0x58, 0x78, 0xde, 0xb8, 0xa7, 0x76, 0x2f, - 0xa4, 0x3c, 0x24, 0xbd, 0xd1, 0xf6, 0x67, 0xa8, 0xb4, 0x18, 0x85, 0x4b, 0x28, 0x33, 0x84, 0x73, - 0xd1, 0xf4, 0xf3, 0x84, 0x7f, 0xe2, 0xfb, 0x28, 0x3b, 0x71, 0x46, 0x11, 0xc8, 0x4e, 0x4d, 0xe4, - 0xe2, 0x93, 0x5b, 0x87, 0x46, 0xed, 0x85, 0x81, 0xf2, 0x62, 0xf3, 0x23, 0x97, 0x32, 0xfc, 0xdd, - 0xb5, 0x99, 0x61, 0xad, 0x26, 0x18, 0x8f, 0x16, 0x13, 0xa3, 0xa4, 0x32, 0xce, 0xc5, 0x96, 0xd4, - 0xbc, 0x68, 0xa1, 0xac, 0xcb, 0x60, 0x4c, 0xcd, 0x5b, 0x42, 0x1d, 0xeb, 0x66, 0xea, 0x34, 0x36, - 0xe3, 0x26, 0xdc, 0xe4, 0x24, 0x44, 0x72, 0xd5, 0x7e, 0x33, 0x50, 0xf1, 0x8b, 0xd0, 0x8f, 0x02, - 0x02, 0xb2, 0xb3, 0x50, 0xfc, 0x0e, 0xca, 0xf6, 0xb9, 0x45, 0x2a, 0xa0, 0xe3, 0x24, 0x4c, 0xfa, - 0x78, 0xa7, 0x0a, 0xe3, 0x08, 0x91, 0x90, 0xea, 0x54, 0x09, 0x0d, 0xd1, 0x7e, 0x7c, 0xc0, 0xef, - 0xa9, 0x5c, 0x1c, 0x3b, 0x63, 0xa0, 0x66, 0x46, 0x04, 0xa8, 0xdb, 0x97, 0x72, 0x90, 0x79, 0x5c, - 0xed, 0x8f, 0x0c, 0xda, 0x5a, 0x68, 0x3c, 0x78, 0x17, 0xe5, 0x62, 0x90, 0xca, 0x30, 0x11, 0x2d, - 0xe6, 0x22, 0x09, 0x82, 0x37, 0x49, 0x8f, 0x53, 0x05, 0x4e, 0x57, 0xfd, 0x3e, 0xdd, 0x24, 0x8f, - 0x63, 0x07, 0xd1, 0x18, 0x3e, 0x58, 0xf8, 0x42, 0x8c, 0xd8, 0xd4, 0x60, 0xe1, 0x58, 0x22, 0x3c, - 0xb8, 0x81, 0x32, 0x91, 0xdb, 0x53, 0x83, 0xf2, 0x91, 0x02, 0x64, 0xda, 0xab, 0x0e, 0x49, 0x1e, - 0xcc, 0x0f, 0xe1, 0x04, 0xae, 0x50, 0x54, 0xcd, 0xc8, 0xe4, 0x10, 0xf5, 0x93, 0xa6, 0x54, 0x3a, - 0x41, 0xf0, 0x01, 0xe9, 0x04, 0xee, 0x73, 0x08, 0xa9, 0xeb, 0x7b, 0x8b, 0x03, 0xb2, 0x7e, 0xd2, - 0x54, 0x1e, 0x92, 0x42, 0xe1, 0x3a, 0xda, 0x8a, 0x45, 0x88, 0x03, 0xe5, 0xac, 0x7c, 0xa0, 0x02, - 0xb7, 0xc8, 0xbc, 0x9b, 0x2c, 0xe2, 0xf1, 0x47, 0xa8, 0x40, 0xa3, 0x4e, 0x22, 0x76, 0x4e, 0x84, - 0x27, 0x77, 0xaa, 0xa5, 0x5d, 0x24, 0x8d, 0xab, 0xfd, 0x63, 0xa0, 0xdb, 0x27, 0xfe, 0xc8, 0xed, - 0x9e, 0xbf, 0x81, 0x47, 0xd4, 0xd7, 0x28, 0x1b, 0x46, 0x23, 0x88, 0x2f, 0xc5, 0x87, 0x2b, 0x5f, - 0x0a, 0x99, 0x21, 0x89, 0x46, 0xa0, 0x2b, 0x9c, 0xaf, 0x28, 0x91, 0x84, 0xf8, 0x00, 0x21, 0x7f, - 0xec, 0x32, 0xd1, 0xb8, 0xe2, 0x8a, 0x7d, 0x20, 0xf2, 0x48, 0xac, 0xfa, 0x25, 0x93, 0x82, 0xd6, - 0xfe, 0x34, 0x10, 0x92, 0xec, 0x6f, 0xa0, 0x29, 0x9c, 0xce, 0x37, 0x05, 0xfb, 0x86, 0xe7, 0x5f, - 0xd2, 0x15, 0x5e, 0x64, 0xe2, 0x23, 0x70, 0x49, 0xf4, 0x4b, 0xd5, 0x58, 0xe5, 0xa5, 0x5a, 0x41, - 0x59, 0xfe, 0xe6, 0x88, 0xdb, 0x42, 0x9e, 0x23, 0xf9, 0x7b, 0x84, 0x12, 0x69, 0xc7, 0x16, 0x42, - 0xfc, 0x43, 0xd4, 0x76, 0xac, 0x6c, 0x91, 0x2b, 0xdb, 0x4e, 0xac, 0x24, 0x85, 0xe0, 0x84, 0xfc, - 0x45, 0x47, 0xcd, 0x75, 0x4d, 0xc8, 0x1f, 0x7a, 0x94, 0x48, 0x3b, 0x1e, 0xa4, 0x9b, 0x51, 0x56, - 0x08, 0x71, 0xb0, 0xb2, 0x10, 0xf3, 0xdd, 0x4f, 0x77, 0x87, 0xd7, 0x76, 0x32, 0x0b, 0xa1, 0xa4, - 0x55, 0x50, 0xf3, 0xb6, 0x4e, 0x3d, 0xe9, 0x25, 0x94, 0xa4, 0x10, 0xf8, 0x53, 0xb4, 0xe5, 0xf9, - 0x5e, 0x4c, 0xd5, 0x26, 0x47, 0xd4, 0xdc, 0x10, 0x41, 0xf7, 0xf8, 0x0d, 0x3c, 0x9e, 0x77, 0x91, - 0x45, 0xec, 0x42, 0x0d, 0xe6, 0x56, 0xae, 0xc1, 0xc6, 0xc3, 0x8b, 0xcb, 0xf2, 0xda, 0xcb, 0xcb, - 0xf2, 0xda, 0xab, 0xcb, 0xf2, 0xda, 0xcf, 0xb3, 0xb2, 0x71, 0x31, 0x2b, 0x1b, 0x2f, 0x67, 0x65, - 0xe3, 0xd5, 0xac, 0x6c, 0xfc, 0x35, 0x2b, 0x1b, 0xbf, 0xfe, 0x5d, 0x5e, 0xfb, 0x66, 0x43, 0x69, - 0xf0, 0x6f, 0x00, 0x00, 0x00, 0xff, 0xff, 0x4f, 0xae, 0x4a, 0x9d, 0x6e, 0x0e, 0x00, 0x00, + 0x14, 0xcf, 0xc6, 0x71, 0xe3, 0x9d, 0x34, 0x4e, 0x32, 0x2d, 0x74, 0xc9, 0xc1, 0x0e, 0x41, 0x82, + 0x08, 0xd2, 0xdd, 0xb6, 0x14, 0x5a, 0x21, 0x01, 0x8a, 0x69, 0x29, 0x96, 0xda, 0x34, 0x9a, 0xd4, + 0x15, 0x02, 0x0e, 0x8c, 0xed, 0x17, 0x7b, 0x89, 0x3d, 0xbb, 0xec, 0xcc, 0x1a, 0xe5, 0x86, 0xc4, + 0x19, 0x89, 0x3b, 0x9f, 0x81, 0x0b, 0x1f, 0x00, 0x71, 0x42, 0x3d, 0xf6, 0xd8, 0x53, 0x44, 0xcd, + 0xb7, 0xe8, 0x09, 0xcd, 0xec, 0xec, 0xce, 0x7a, 0x53, 0x8b, 0x0d, 0x87, 0xde, 0x76, 0xde, 0xfb, + 0xbd, 0xdf, 0x7b, 0xf3, 0xf6, 0xfd, 0x19, 0x74, 0x70, 0x7c, 0x9b, 0xbb, 0x7e, 0xe0, 0x1d, 0xc7, + 0x5d, 0x88, 0x18, 0x08, 0xe0, 0xde, 0x04, 0x58, 0x3f, 0x88, 0x3c, 0xad, 0xa0, 0xa1, 0xcf, 0x21, + 0x9a, 0x40, 0xe4, 0x85, 0xc7, 0x03, 0x75, 0xf2, 0x68, 0xdc, 0xf7, 0x85, 0x37, 0xb9, 0xde, 0x05, + 0x41, 0xaf, 0x7b, 0x03, 0x60, 0x10, 0x51, 0x01, 0x7d, 0x37, 0x8c, 0x02, 0x11, 0xe0, 0x77, 0x12, + 0x43, 0x37, 0x33, 0x74, 0xc3, 0xe3, 0x81, 0x3a, 0xb9, 0xca, 0xd0, 0xd5, 0x86, 0x9b, 0x57, 0x07, + 0xbe, 0x18, 0xc6, 0x5d, 0xb7, 0x17, 0x8c, 0xbd, 0x41, 0x30, 0x08, 0x3c, 0x65, 0xdf, 0x8d, 0x8f, + 0xd4, 0x49, 0x1d, 0xd4, 0x57, 0xc2, 0xbb, 0xb9, 0x6b, 0x02, 0xf2, 0x68, 0x2c, 0x86, 0xc0, 0x84, + 0xdf, 0xa3, 0xc2, 0x0f, 0x98, 0x37, 0x39, 0x13, 0xc5, 0xe6, 0x4d, 0x83, 0x1e, 0xd3, 0xde, 0xd0, + 0x67, 0x10, 0x9d, 0x98, 0x1b, 0x8c, 0x41, 0xd0, 0x97, 0x59, 0x79, 0xf3, 0xac, 0xa2, 0x98, 0x09, + 0x7f, 0x0c, 0x67, 0x0c, 0x3e, 0xfc, 0x2f, 0x03, 0xde, 0x1b, 0xc2, 0x98, 0x16, 0xed, 0xb6, 0x7f, + 0xbb, 0x88, 0xaa, 0x77, 0x27, 0xc0, 0x04, 0xfe, 0x16, 0xd5, 0x64, 0x34, 0x7d, 0x2a, 0xa8, 0x63, + 0x6d, 0x59, 0x3b, 0x2b, 0x37, 0xae, 0xb9, 0x26, 0x83, 0x19, 0xa9, 0x49, 0xa2, 0x44, 0xbb, 0x93, + 0xeb, 0xee, 0xc3, 0xee, 0x77, 0xd0, 0x13, 0x0f, 0x40, 0xd0, 0x16, 0x7e, 0x72, 0xda, 0x5c, 0x98, + 0x9e, 0x36, 0x91, 0x91, 0x91, 0x8c, 0x15, 0xef, 0xa2, 0xea, 0x08, 0x26, 0x30, 0x72, 0x16, 0xb7, + 0xac, 0x1d, 0xbb, 0xf5, 0xba, 0x06, 0x57, 0xef, 0x4b, 0xe1, 0x8b, 0xf4, 0x83, 0x24, 0x20, 0xfc, + 0x35, 0xb2, 0x65, 0xe0, 0x5c, 0xd0, 0x71, 0xe8, 0x54, 0x54, 0x40, 0xef, 0x96, 0x0b, 0xe8, 0x91, + 0x3f, 0x86, 0xd6, 0x86, 0x66, 0xb7, 0x1f, 0xa5, 0x24, 0xc4, 0xf0, 0xe1, 0x7d, 0xb4, 0xac, 0x6a, + 0xa0, 0x7d, 0xc7, 0x59, 0x52, 0xc1, 0xdc, 0xd4, 0xf0, 0xe5, 0xbd, 0x44, 0xfc, 0xe2, 0xb4, 0xf9, + 0xe6, 0xbc, 0x94, 0x8a, 0x93, 0x10, 0xb8, 0xdb, 0x69, 0xdf, 0x21, 0x29, 0x89, 0xbc, 0x1a, 0x17, + 0x74, 0x00, 0x4e, 0x75, 0xf6, 0x6a, 0x87, 0x52, 0xf8, 0x22, 0xfd, 0x20, 0x09, 0x08, 0xdf, 0x40, + 0x28, 0x82, 0xef, 0x63, 0xe0, 0xa2, 0x43, 0xda, 0xce, 0x05, 0x65, 0x92, 0xa5, 0x8e, 0x64, 0x1a, + 0x92, 0x43, 0xe1, 0x2d, 0xb4, 0x34, 0x81, 0xa8, 0xeb, 0x2c, 0x2b, 0xf4, 0x45, 0x8d, 0x5e, 0x7a, + 0x0c, 0x51, 0x97, 0x28, 0x0d, 0xfe, 0x02, 0x2d, 0xc5, 0x1c, 0x22, 0xa7, 0xa6, 0x72, 0xf5, 0x76, + 0x2e, 0x57, 0xee, 0x6c, 0x99, 0xca, 0x1c, 0x75, 0x38, 0x44, 0x6d, 0x76, 0x14, 0x18, 0x26, 0x29, + 0x21, 0x8a, 0x01, 0x0f, 0xd1, 0xba, 0x3f, 0x0e, 0x21, 0xe2, 0x01, 0x93, 0xa5, 0x22, 0x35, 0x8e, + 0x7d, 0x2e, 0xd6, 0xcb, 0xd3, 0xd3, 0xe6, 0x7a, 0xbb, 0xc0, 0x41, 0xce, 0xb0, 0xe2, 0xf7, 0x90, + 0xcd, 0x83, 0x38, 0xea, 0x41, 0xfb, 0x80, 0x3b, 0x68, 0xab, 0xb2, 0x63, 0xb7, 0x56, 0xe5, 0x4f, + 0x3b, 0x4c, 0x85, 0xc4, 0xe8, 0xb1, 0x87, 0x6c, 0x19, 0xde, 0xde, 0x00, 0x98, 0x70, 0xb0, 0xca, + 0x43, 0xf6, 0x97, 0x3b, 0xa9, 0x82, 0x18, 0x0c, 0x06, 0x64, 0x07, 0xaa, 0x10, 0x09, 0x1c, 0x39, + 0x2b, 0xea, 0x02, 0xb7, 0xdd, 0x92, 0x53, 0x41, 0x97, 0x35, 0x81, 0x23, 0x88, 0x80, 0xf5, 0x20, + 0x89, 0x2b, 0x13, 0x12, 0xc3, 0x8c, 0x87, 0xa8, 0x1e, 0x01, 0x0f, 0x03, 0xc6, 0xe1, 0x50, 0x50, + 0x11, 0x73, 0xe7, 0xa2, 0xf2, 0xb5, 0x5b, 0xae, 0x5c, 0x13, 0x9b, 0x16, 0x9e, 0x9e, 0x36, 0xeb, + 0x64, 0x86, 0x87, 0x14, 0x78, 0x31, 0x45, 0xab, 0xba, 0x24, 0x92, 0x40, 0x9c, 0x55, 0xe5, 0x68, + 0x67, 0xae, 0x23, 0xdd, 0xfd, 0x6e, 0x87, 0x1d, 0xb3, 0xe0, 0x07, 0xd6, 0xda, 0x98, 0x9e, 0x36, + 0x57, 0x49, 0x9e, 0x82, 0xcc, 0x32, 0xe2, 0xbe, 0xb9, 0x8c, 0xf6, 0x51, 0x3f, 0xa7, 0x8f, 0x99, + 0x8b, 0x68, 0x27, 0x05, 0x4e, 0xfc, 0xb3, 0x85, 0x1c, 0xed, 0x97, 0x40, 0x0f, 0xfc, 0x09, 0xf4, + 0xb3, 0x3e, 0x75, 0xd6, 0x94, 0x43, 0xaf, 0x5c, 0xf6, 0x1e, 0xf8, 0xbd, 0x28, 0x50, 0x1d, 0xbf, + 0xa5, 0x6b, 0xc1, 0x21, 0x73, 0x88, 0xc9, 0x5c, 0x97, 0x38, 0x40, 0x75, 0xd5, 0x9a, 0x26, 0x88, + 0xf5, 0xff, 0x17, 0x44, 0xda, 0xf9, 0xf5, 0xc3, 0x19, 0x3a, 0x52, 0xa0, 0xc7, 0x13, 0xb4, 0x42, + 0x19, 0x0b, 0x84, 0x6a, 0x1d, 0xee, 0x6c, 0x6c, 0x55, 0x76, 0x56, 0x6e, 0x7c, 0x5a, 0xba, 0x38, + 0xd5, 0xc8, 0x76, 0xf7, 0x0c, 0xc3, 0x5d, 0x26, 0xa2, 0x93, 0xd6, 0x25, 0xed, 0x7d, 0x25, 0xa7, + 0x21, 0x79, 0x47, 0x9b, 0x9f, 0xa0, 0xf5, 0xa2, 0x15, 0x5e, 0x47, 0x95, 0x63, 0x38, 0x51, 0x43, + 0xdf, 0x26, 0xf2, 0x13, 0x5f, 0x46, 0xd5, 0x09, 0x1d, 0xc5, 0x90, 0x4c, 0x6a, 0x92, 0x1c, 0x3e, + 0x5a, 0xbc, 0x6d, 0x6d, 0xff, 0x61, 0x21, 0x5b, 0x39, 0xbf, 0xef, 0x73, 0x81, 0xbf, 0x39, 0xb3, + 0x33, 0xdc, 0x72, 0x09, 0x93, 0xd6, 0x6a, 0x63, 0xac, 0xeb, 0x88, 0x6b, 0xa9, 0x24, 0xb7, 0x2f, + 0x0e, 0x51, 0xd5, 0x17, 0x30, 0xe6, 0xce, 0xa2, 0xca, 0x8e, 0x7b, 0xbe, 0xec, 0xb4, 0x56, 0xd3, + 0x21, 0xdc, 0x96, 0x24, 0x24, 0xe1, 0xda, 0xfe, 0xd5, 0x42, 0xf5, 0x7b, 0x51, 0x10, 0x87, 0x04, + 0x92, 0xc9, 0xc2, 0xf1, 0x5b, 0xa8, 0x3a, 0x90, 0x92, 0x24, 0x03, 0xc6, 0x2e, 0x81, 0x25, 0x3a, + 0x39, 0xa9, 0xa2, 0xd4, 0x42, 0x05, 0xa4, 0x27, 0x55, 0x46, 0x43, 0x8c, 0x1e, 0xdf, 0x92, 0x7d, + 0x9a, 0x1c, 0xf6, 0xe9, 0x18, 0xb8, 0x53, 0x51, 0x06, 0xba, 0xfb, 0x72, 0x0a, 0x32, 0x8b, 0xdb, + 0xfe, 0xbd, 0x82, 0xd6, 0x0a, 0x83, 0x07, 0xef, 0xa2, 0x5a, 0x0a, 0xd2, 0x11, 0x66, 0x49, 0x4b, + 0xb9, 0x48, 0x86, 0x90, 0x43, 0x92, 0x49, 0xaa, 0x90, 0xf6, 0xf4, 0xef, 0x33, 0x43, 0x72, 0x3f, + 0x55, 0x10, 0x83, 0x91, 0x8b, 0x45, 0x1e, 0xd4, 0x8a, 0xcd, 0x2d, 0x16, 0x89, 0x25, 0x4a, 0x83, + 0x5b, 0xa8, 0x12, 0xfb, 0x7d, 0xbd, 0x28, 0xaf, 0x69, 0x40, 0xa5, 0x53, 0x76, 0x49, 0x4a, 0x63, + 0x79, 0x09, 0x1a, 0xfa, 0x2a, 0xa3, 0x7a, 0x47, 0x66, 0x97, 0xd8, 0x3b, 0x68, 0x27, 0x99, 0xce, + 0x10, 0x72, 0x41, 0xd2, 0xd0, 0x7f, 0x0c, 0x11, 0xf7, 0x03, 0x56, 0x5c, 0x90, 0x7b, 0x07, 0x6d, + 0xad, 0x21, 0x39, 0x14, 0xde, 0x43, 0x6b, 0x69, 0x12, 0x52, 0xc3, 0x64, 0x57, 0x5e, 0xd1, 0x86, + 0x6b, 0x64, 0x56, 0x4d, 0x8a, 0x78, 0xfc, 0x01, 0x5a, 0xe1, 0x71, 0x37, 0x4b, 0x76, 0x4d, 0x99, + 0x67, 0x3d, 0x75, 0x68, 0x54, 0x24, 0x8f, 0xdb, 0xfe, 0x6b, 0x11, 0x5d, 0x38, 0x08, 0x46, 0x7e, + 0xef, 0xe4, 0x15, 0x3c, 0xa2, 0xbe, 0x44, 0xd5, 0x28, 0x1e, 0x41, 0xda, 0x14, 0xef, 0x97, 0x6e, + 0x8a, 0x24, 0x42, 0x12, 0x8f, 0xc0, 0x54, 0xb8, 0x3c, 0x71, 0x92, 0x10, 0xe2, 0x5b, 0x08, 0x05, + 0x63, 0x5f, 0xa8, 0xc1, 0x95, 0x56, 0xec, 0x15, 0x15, 0x47, 0x26, 0x35, 0x2f, 0x99, 0x1c, 0x14, + 0xdf, 0x43, 0x1b, 0xf2, 0xf4, 0x80, 0x32, 0x3a, 0x80, 0xfe, 0xe7, 0x3e, 0x8c, 0xfa, 0x5c, 0x55, + 0x4b, 0xad, 0xf5, 0x86, 0xf6, 0xb4, 0xf1, 0xb0, 0x08, 0x20, 0x67, 0x6d, 0xb6, 0xff, 0xb4, 0x10, + 0x4a, 0xc2, 0x7c, 0x05, 0xd3, 0xe5, 0xd1, 0xec, 0x74, 0xf1, 0xce, 0x99, 0xc8, 0x39, 0xe3, 0xe5, + 0xa7, 0xa5, 0xf4, 0x0a, 0x32, 0xb7, 0xe6, 0xc9, 0x6b, 0x95, 0x79, 0xf2, 0x36, 0x51, 0x55, 0x3e, + 0x5e, 0xd2, 0xf9, 0x62, 0x4b, 0xa4, 0x7c, 0xd8, 0x70, 0x92, 0xc8, 0xb1, 0x8b, 0x90, 0xfc, 0x50, + 0x4d, 0x92, 0xfe, 0xa2, 0xba, 0xfc, 0x45, 0x9d, 0x4c, 0x4a, 0x72, 0x08, 0x49, 0x28, 0x9f, 0x86, + 0xf2, 0x6f, 0x64, 0x84, 0xf2, 0xc5, 0xc8, 0x49, 0x22, 0xc7, 0xc3, 0xfc, 0x54, 0xab, 0xaa, 0x44, + 0xdc, 0x2a, 0x9d, 0x88, 0xd9, 0x31, 0x6a, 0xc6, 0xcc, 0x4b, 0x47, 0xa2, 0x8b, 0x50, 0x36, 0x73, + 0xb8, 0x73, 0xc1, 0x84, 0x9e, 0x0d, 0x25, 0x4e, 0x72, 0x08, 0xfc, 0x31, 0x5a, 0x63, 0x01, 0x4b, + 0xa9, 0x3a, 0xe4, 0x3e, 0x77, 0x96, 0x95, 0xd1, 0x25, 0xd9, 0xca, 0xfb, 0xb3, 0x2a, 0x52, 0xc4, + 0x16, 0x8a, 0xb9, 0x56, 0xbe, 0x98, 0x3f, 0x7b, 0x59, 0x31, 0xdb, 0xaa, 0x98, 0x5f, 0x2b, 0x5b, + 0xc8, 0xad, 0xab, 0x4f, 0x9e, 0x37, 0x16, 0x9e, 0x3e, 0x6f, 0x2c, 0x3c, 0x7b, 0xde, 0x58, 0xf8, + 0x71, 0xda, 0xb0, 0x9e, 0x4c, 0x1b, 0xd6, 0xd3, 0x69, 0xc3, 0x7a, 0x36, 0x6d, 0x58, 0x7f, 0x4f, + 0x1b, 0xd6, 0x2f, 0xff, 0x34, 0x16, 0xbe, 0x5a, 0xd6, 0x89, 0xfc, 0x37, 0x00, 0x00, 0xff, 0xff, + 0x21, 0x57, 0x33, 0x77, 0xfc, 0x0e, 0x00, 0x00, } func (m *Event) Marshal() (dAtA []byte, err error) { @@ -722,6 +725,14 @@ func (m *Policy) MarshalToSizedBuffer(dAtA []byte) (int, error) { _ = i var l int _ = l + i-- + if m.OmitManagedFields { + dAtA[i] = 1 + } else { + dAtA[i] = 0 + } + i-- + dAtA[i] = 0x20 if len(m.OmitStages) > 0 { for iNdEx := len(m.OmitStages) - 1; iNdEx >= 0; iNdEx-- { i -= len(m.OmitStages[iNdEx]) @@ -825,6 +836,16 @@ func (m *PolicyRule) MarshalToSizedBuffer(dAtA []byte) (int, error) { _ = i var l int _ = l + if m.OmitManagedFields != nil { + i-- + if *m.OmitManagedFields { + dAtA[i] = 1 + } else { + dAtA[i] = 0 + } + i-- + dAtA[i] = 0x48 + } if len(m.OmitStages) > 0 { for iNdEx := len(m.OmitStages) - 1; iNdEx >= 0; iNdEx-- { i -= len(m.OmitStages[iNdEx]) @@ -1062,6 +1083,7 @@ func (m *Policy) Size() (n int) { n += 1 + l + sovGenerated(uint64(l)) } } + n += 2 return n } @@ -1132,6 +1154,9 @@ func (m *PolicyRule) Size() (n int) { n += 1 + l + sovGenerated(uint64(l)) } } + if m.OmitManagedFields != nil { + n += 2 + } return n } @@ -1236,6 +1261,7 @@ func (this *Policy) String() string { `ObjectMeta:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ObjectMeta), "ObjectMeta", "v1.ObjectMeta", 1), `&`, ``, 1) + `,`, `Rules:` + repeatedStringForRules + `,`, `OmitStages:` + fmt.Sprintf("%v", this.OmitStages) + `,`, + `OmitManagedFields:` + fmt.Sprintf("%v", this.OmitManagedFields) + `,`, `}`, }, "") return s @@ -1274,6 +1300,7 @@ func (this *PolicyRule) String() string { `Namespaces:` + fmt.Sprintf("%v", this.Namespaces) + `,`, `NonResourceURLs:` + fmt.Sprintf("%v", this.NonResourceURLs) + `,`, `OmitStages:` + fmt.Sprintf("%v", this.OmitStages) + `,`, + `OmitManagedFields:` + valueToStringGenerated(this.OmitManagedFields) + `,`, `}`, }, "") return s @@ -2729,6 +2756,26 @@ func (m *Policy) Unmarshal(dAtA []byte) error { } m.OmitStages = append(m.OmitStages, Stage(dAtA[iNdEx:postIndex])) iNdEx = postIndex + case 4: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field OmitManagedFields", wireType) + } + var v int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + m.OmitManagedFields = bool(v != 0) default: iNdEx = preIndex skippy, err := skipGenerated(dAtA[iNdEx:]) @@ -3154,6 +3201,27 @@ func (m *PolicyRule) Unmarshal(dAtA []byte) error { } m.OmitStages = append(m.OmitStages, Stage(dAtA[iNdEx:postIndex])) iNdEx = postIndex + case 9: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field OmitManagedFields", wireType) + } + var v int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + b := bool(v != 0) + m.OmitManagedFields = &b default: iNdEx = preIndex skippy, err := skipGenerated(dAtA[iNdEx:]) diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/generated.proto b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/generated.proto index 0a200b538380..e78039fdd526 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/generated.proto +++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/generated.proto @@ -204,6 +204,15 @@ message Policy { // be specified per rule in which case the union of both are omitted. // +optional repeated string omitStages = 3; + + // OmitManagedFields indicates whether to omit the managed fields of the request + // and response bodies from being written to the API audit log. + // This is used as a global default - a value of 'true' will omit the managed fileds, + // otherwise the managed fields will be included in the API audit log. + // Note that this can also be specified per rule in which case the value specified + // in a rule will override the global default. + // +optional + optional bool omitManagedFields = 4; } // PolicyList is a list of audit Policies. @@ -259,5 +268,16 @@ message PolicyRule { // An empty list means no restrictions will apply. // +optional repeated string omitStages = 8; + + // OmitManagedFields indicates whether to omit the managed fields of the request + // and response bodies from being written to the API audit log. + // - a value of 'true' will drop the managed fields from the API audit log + // - a value of 'false' indicates that the managed fileds should be included + // in the API audit log + // Note that the value, if specified, in this rule will override the global default + // If a value is not specified then the global default specified in + // Policy.OmitManagedFields will stand. + // +optional + optional bool omitManagedFields = 9; } diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/types.go b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/types.go index eb538bc176df..fcca2bcb864b 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/types.go +++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/types.go @@ -187,6 +187,15 @@ type Policy struct { // be specified per rule in which case the union of both are omitted. // +optional OmitStages []Stage `json:"omitStages,omitempty" protobuf:"bytes,3,rep,name=omitStages"` + + // OmitManagedFields indicates whether to omit the managed fields of the request + // and response bodies from being written to the API audit log. + // This is used as a global default - a value of 'true' will omit the managed fileds, + // otherwise the managed fields will be included in the API audit log. + // Note that this can also be specified per rule in which case the value specified + // in a rule will override the global default. + // +optional + OmitManagedFields bool `json:"omitManagedFields,omitempty" protobuf:"varint,4,opt,name=omitManagedFields"` } // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object @@ -250,6 +259,17 @@ type PolicyRule struct { // An empty list means no restrictions will apply. // +optional OmitStages []Stage `json:"omitStages,omitempty" protobuf:"bytes,8,rep,name=omitStages"` + + // OmitManagedFields indicates whether to omit the managed fields of the request + // and response bodies from being written to the API audit log. + // - a value of 'true' will drop the managed fields from the API audit log + // - a value of 'false' indicates that the managed fileds should be included + // in the API audit log + // Note that the value, if specified, in this rule will override the global default + // If a value is not specified then the global default specified in + // Policy.OmitManagedFields will stand. + // +optional + OmitManagedFields *bool `json:"omitManagedFields,omitempty" protobuf:"varint,9,opt,name=omitManagedFields"` } // GroupResources represents resource kinds in an API group. diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/zz_generated.conversion.go b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/zz_generated.conversion.go index 5257b2b25dd3..33bfc76e322c 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/zz_generated.conversion.go +++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/zz_generated.conversion.go @@ -258,6 +258,7 @@ func autoConvert_v1beta1_Policy_To_audit_Policy(in *Policy, out *audit.Policy, s out.ObjectMeta = in.ObjectMeta out.Rules = *(*[]audit.PolicyRule)(unsafe.Pointer(&in.Rules)) out.OmitStages = *(*[]audit.Stage)(unsafe.Pointer(&in.OmitStages)) + out.OmitManagedFields = in.OmitManagedFields return nil } @@ -270,6 +271,7 @@ func autoConvert_audit_Policy_To_v1beta1_Policy(in *audit.Policy, out *Policy, s out.ObjectMeta = in.ObjectMeta out.Rules = *(*[]PolicyRule)(unsafe.Pointer(&in.Rules)) out.OmitStages = *(*[]Stage)(unsafe.Pointer(&in.OmitStages)) + out.OmitManagedFields = in.OmitManagedFields return nil } @@ -309,6 +311,7 @@ func autoConvert_v1beta1_PolicyRule_To_audit_PolicyRule(in *PolicyRule, out *aud out.Namespaces = *(*[]string)(unsafe.Pointer(&in.Namespaces)) out.NonResourceURLs = *(*[]string)(unsafe.Pointer(&in.NonResourceURLs)) out.OmitStages = *(*[]audit.Stage)(unsafe.Pointer(&in.OmitStages)) + out.OmitManagedFields = (*bool)(unsafe.Pointer(in.OmitManagedFields)) return nil } @@ -326,6 +329,7 @@ func autoConvert_audit_PolicyRule_To_v1beta1_PolicyRule(in *audit.PolicyRule, ou out.Namespaces = *(*[]string)(unsafe.Pointer(&in.Namespaces)) out.NonResourceURLs = *(*[]string)(unsafe.Pointer(&in.NonResourceURLs)) out.OmitStages = *(*[]Stage)(unsafe.Pointer(&in.OmitStages)) + out.OmitManagedFields = (*bool)(unsafe.Pointer(in.OmitManagedFields)) return nil } diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/zz_generated.deepcopy.go b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/zz_generated.deepcopy.go index 0249b3c85ddc..ee7f8b90eadb 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/zz_generated.deepcopy.go +++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/zz_generated.deepcopy.go @@ -280,6 +280,11 @@ func (in *PolicyRule) DeepCopyInto(out *PolicyRule) { *out = make([]Stage, len(*in)) copy(*out, *in) } + if in.OmitManagedFields != nil { + in, out := &in.OmitManagedFields, &out.OmitManagedFields + *out = new(bool) + **out = **in + } return } diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/zz_generated.deepcopy.go b/staging/src/k8s.io/apiserver/pkg/apis/audit/zz_generated.deepcopy.go index 4f7b4b3fe96d..81d5add47d71 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/audit/zz_generated.deepcopy.go +++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/zz_generated.deepcopy.go @@ -278,6 +278,11 @@ func (in *PolicyRule) DeepCopyInto(out *PolicyRule) { *out = make([]Stage, len(*in)) copy(*out, *in) } + if in.OmitManagedFields != nil { + in, out := &in.OmitManagedFields, &out.OmitManagedFields + *out = new(bool) + **out = **in + } return } diff --git a/staging/src/k8s.io/apiserver/pkg/audit/evaluator.go b/staging/src/k8s.io/apiserver/pkg/audit/evaluator.go index e8591106aa23..d5e40428c009 100644 --- a/staging/src/k8s.io/apiserver/pkg/audit/evaluator.go +++ b/staging/src/k8s.io/apiserver/pkg/audit/evaluator.go @@ -39,6 +39,10 @@ type AuditContext struct { type RequestAuditConfig struct { // OmitStages is the stages that need to be omitted from being audited. OmitStages []audit.Stage + + // OmitManagedFields indicates whether to omit the managed fields of the request + // and response bodies from being written to the API audit log. + OmitManagedFields bool } // RequestAuditConfigWithLevel includes Level at which the request is being audited. diff --git a/staging/src/k8s.io/apiserver/pkg/audit/policy/checker.go b/staging/src/k8s.io/apiserver/pkg/audit/policy/checker.go index dfad2977b6c1..6a98ff4ac04b 100644 --- a/staging/src/k8s.io/apiserver/pkg/audit/policy/checker.go +++ b/staging/src/k8s.io/apiserver/pkg/audit/policy/checker.go @@ -67,7 +67,8 @@ func (p *policyRuleEvaluator) EvaluatePolicyRule(attrs authorizer.Attributes) au return auditinternal.RequestAuditConfigWithLevel{ Level: rule.Level, RequestAuditConfig: auditinternal.RequestAuditConfig{ - OmitStages: rule.OmitStages, + OmitStages: rule.OmitStages, + OmitManagedFields: isOmitManagedFields(&rule, p.OmitManagedFields), }, } } @@ -76,11 +77,24 @@ func (p *policyRuleEvaluator) EvaluatePolicyRule(attrs authorizer.Attributes) au return auditinternal.RequestAuditConfigWithLevel{ Level: DefaultAuditLevel, RequestAuditConfig: auditinternal.RequestAuditConfig{ - OmitStages: p.OmitStages, + OmitStages: p.OmitStages, + OmitManagedFields: p.OmitManagedFields, }, } } +// isOmitManagedFields returns whether to omit managed fields from the request +// and response bodies from being written to the API audit log. +// If a user specifies OmitManagedFields inside a policy rule, that overrides +// the global policy default in Policy.OmitManagedFields. +func isOmitManagedFields(policyRule *audit.PolicyRule, policyDefault bool) bool { + if policyRule.OmitManagedFields == nil { + return policyDefault + } + + return *policyRule.OmitManagedFields +} + // Check whether the rule matches the request attrs. func ruleMatches(r *audit.PolicyRule, attrs authorizer.Attributes) bool { user := attrs.GetUser() diff --git a/staging/src/k8s.io/apiserver/pkg/audit/policy/checker_test.go b/staging/src/k8s.io/apiserver/pkg/audit/policy/checker_test.go index 5a250c069c45..dd109ceaa0a8 100644 --- a/staging/src/k8s.io/apiserver/pkg/audit/policy/checker_test.go +++ b/staging/src/k8s.io/apiserver/pkg/audit/policy/checker_test.go @@ -345,3 +345,88 @@ func TestUnionStages(t *testing.T) { } } } + +func TestOmitManagedFields(t *testing.T) { + // this authorizer.Attributes should match all policy rules + // specified in this test. + attributes := &authorizer.AttributesRecord{ + Verb: "get", + } + matchingPolicyRule := audit.PolicyRule{ + Level: audit.LevelRequestResponse, + Verbs: []string{ + attributes.GetVerb(), + }, + } + + boolPtr := func(v bool) *bool { + return &v + } + + tests := []struct { + name string + policy func() audit.Policy + want bool + }{ + { + name: "global policy default is false, rule does not override", + policy: func() audit.Policy { + return audit.Policy{ + OmitManagedFields: false, + Rules: []audit.PolicyRule{ + *matchingPolicyRule.DeepCopy(), + }, + } + }, + }, + { + name: "global policy default is true, rule does not override", + policy: func() audit.Policy { + return audit.Policy{ + OmitManagedFields: true, + Rules: []audit.PolicyRule{ + *matchingPolicyRule.DeepCopy(), + }, + } + }, + want: true, + }, + { + name: "global policy default is true, rule overrides to false", + policy: func() audit.Policy { + rule := matchingPolicyRule.DeepCopy() + rule.OmitManagedFields = boolPtr(false) + return audit.Policy{ + OmitManagedFields: true, + Rules: []audit.PolicyRule{*rule}, + } + }, + want: false, + }, + { + name: "global policy default is false, rule overrides to true", + policy: func() audit.Policy { + rule := matchingPolicyRule.DeepCopy() + rule.OmitManagedFields = boolPtr(true) + return audit.Policy{ + OmitManagedFields: false, + Rules: []audit.PolicyRule{*rule}, + } + }, + want: true, + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + evaluator := &policyRuleEvaluator{ + Policy: test.policy(), + } + + got := evaluator.EvaluatePolicyRule(attributes) + if test.want != got.OmitManagedFields { + t.Errorf("Expected OmitManagedFields to match, want: %t, got: %t", test.want, got.OmitManagedFields) + } + }) + } +} diff --git a/staging/src/k8s.io/apiserver/pkg/audit/request.go b/staging/src/k8s.io/apiserver/pkg/audit/request.go index 29ad4b72b428..cdfd535f7e86 100644 --- a/staging/src/k8s.io/apiserver/pkg/audit/request.go +++ b/staging/src/k8s.io/apiserver/pkg/audit/request.go @@ -18,6 +18,7 @@ package audit import ( "bytes" + "context" "fmt" "net/http" "reflect" @@ -111,7 +112,8 @@ func LogImpersonatedUser(ae *auditinternal.Event, user user.Info) { // LogRequestObject fills in the request object into an audit event. The passed runtime.Object // will be converted to the given gv. -func LogRequestObject(ae *auditinternal.Event, obj runtime.Object, objGV schema.GroupVersion, gvr schema.GroupVersionResource, subresource string, s runtime.NegotiatedSerializer) { +func LogRequestObject(ctx context.Context, obj runtime.Object, objGV schema.GroupVersion, gvr schema.GroupVersionResource, subresource string, s runtime.NegotiatedSerializer) { + ae := AuditEventFrom(ctx) if ae == nil || ae.Level.Less(auditinternal.LevelMetadata) { return } @@ -151,6 +153,16 @@ func LogRequestObject(ae *auditinternal.Event, obj runtime.Object, objGV schema. return } + if shouldOmitManagedFields(ctx) { + copy, ok, err := copyWithoutManagedFields(obj) + if err != nil { + klog.Warningf("error while dropping managed fields from the request for %q error: %v", reflect.TypeOf(obj).Name(), err) + } + if ok { + obj = copy + } + } + // TODO(audit): hook into the serializer to avoid double conversion var err error ae.RequestObject, err = encodeObject(obj, objGV, s) @@ -162,7 +174,8 @@ func LogRequestObject(ae *auditinternal.Event, obj runtime.Object, objGV schema. } // LogRequestPatch fills in the given patch as the request object into an audit event. -func LogRequestPatch(ae *auditinternal.Event, patch []byte) { +func LogRequestPatch(ctx context.Context, patch []byte) { + ae := AuditEventFrom(ctx) if ae == nil || ae.Level.Less(auditinternal.LevelRequest) { return } @@ -175,7 +188,8 @@ func LogRequestPatch(ae *auditinternal.Event, patch []byte) { // LogResponseObject fills in the response object into an audit event. The passed runtime.Object // will be converted to the given gv. -func LogResponseObject(ae *auditinternal.Event, obj runtime.Object, gv schema.GroupVersion, s runtime.NegotiatedSerializer) { +func LogResponseObject(ctx context.Context, obj runtime.Object, gv schema.GroupVersion, s runtime.NegotiatedSerializer) { + ae := AuditEventFrom(ctx) if ae == nil || ae.Level.Less(auditinternal.LevelMetadata) { return } @@ -191,6 +205,17 @@ func LogResponseObject(ae *auditinternal.Event, obj runtime.Object, gv schema.Gr if ae.Level.Less(auditinternal.LevelRequestResponse) { return } + + if shouldOmitManagedFields(ctx) { + copy, ok, err := copyWithoutManagedFields(obj) + if err != nil { + klog.Warningf("error while dropping managed fields from the response for %q error: %v", reflect.TypeOf(obj).Name(), err) + } + if ok { + obj = copy + } + } + // TODO(audit): hook into the serializer to avoid double conversion var err error ae.ResponseObject, err = encodeObject(obj, gv, s) @@ -242,3 +267,72 @@ func maybeTruncateUserAgent(req *http.Request) string { return ua } + +// copyWithoutManagedFields will make a deep copy of the specified object and +// will discard the managed fields from the copy. +// The specified object is expected to be a meta.Object or a "list". +// The specified object obj is treated as readonly and hence not mutated. +// On return, an error is set if the function runs into any error while +// removing the managed fields, the boolean value is true if the copy has +// been made successfully, otherwise false. +func copyWithoutManagedFields(obj runtime.Object) (runtime.Object, bool, error) { + isAccessor := true + if _, err := meta.Accessor(obj); err != nil { + isAccessor = false + } + isList := meta.IsListType(obj) + _, isTable := obj.(*metav1.Table) + if !isAccessor && !isList && !isTable { + return nil, false, nil + } + + // TODO a deep copy isn't really needed here, figure out how we can reliably + // use shallow copy here to omit the manageFields. + copy := obj.DeepCopyObject() + + if isAccessor { + if err := removeManagedFields(copy); err != nil { + return nil, false, err + } + } + + if isList { + if err := meta.EachListItem(copy, removeManagedFields); err != nil { + return nil, false, err + } + } + + if isTable { + table := copy.(*metav1.Table) + for i := range table.Rows { + rowObj := table.Rows[i].Object + if err := removeManagedFields(rowObj.Object); err != nil { + return nil, false, err + } + } + } + + return copy, true, nil +} + +func removeManagedFields(obj runtime.Object) error { + if obj == nil { + return nil + } + accessor, err := meta.Accessor(obj) + if err != nil { + return err + } + accessor.SetManagedFields(nil) + return nil +} + +func shouldOmitManagedFields(ctx context.Context) bool { + if auditContext := AuditContextFrom(ctx); auditContext != nil { + return auditContext.RequestAuditConfig.OmitManagedFields + } + + // If we can't decide, return false to maintain current behavior which is + // to retain the manage fields in the audit. + return false +} diff --git a/staging/src/k8s.io/apiserver/pkg/audit/request_test.go b/staging/src/k8s.io/apiserver/pkg/audit/request_test.go index 12c36ccd6690..ee1701ba0bd0 100644 --- a/staging/src/k8s.io/apiserver/pkg/audit/request_test.go +++ b/staging/src/k8s.io/apiserver/pkg/audit/request_test.go @@ -18,11 +18,17 @@ package audit import ( "net/http" + "reflect" "testing" + "time" - "github.com/stretchr/testify/assert" - + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" auditinternal "k8s.io/apiserver/pkg/apis/audit" + + "github.com/google/go-cmp/cmp" + "github.com/stretchr/testify/assert" ) func TestLogAnnotation(t *testing.T) { @@ -54,3 +60,184 @@ func TestMaybeTruncateUserAgent(t *testing.T) { req.Header.Set("User-Agent", ua) assert.NotEqual(t, ua, maybeTruncateUserAgent(req)) } + +func TestCopyWithoutManagedFields(t *testing.T) { + tests := []struct { + name string + object runtime.Object + expected runtime.Object + ok bool + err error + }{ + { + name: "object specified is not a meta.Accessor or a list or a table", + object: &metav1.Status{}, + }, + { + name: "object specified is a meta.Accessor and has managed fields", + object: &corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: "foo", + Namespace: "bar", + ManagedFields: []metav1.ManagedFieldsEntry{ + {Manager: "a", Operation: metav1.ManagedFieldsOperationUpdate, Time: &metav1.Time{Time: time.Now()}}, + {Manager: "b", Operation: metav1.ManagedFieldsOperationUpdate, Time: &metav1.Time{Time: time.Now()}}, + }, + }, + }, + expected: &corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: "foo", + Namespace: "bar", + }, + }, + ok: true, + }, + { + name: "object specified is a list and its items have managed fields", + object: &corev1.PodList{ + Items: []corev1.Pod{ + { + ObjectMeta: metav1.ObjectMeta{ + Name: "foo", + Namespace: "ns1", + ManagedFields: []metav1.ManagedFieldsEntry{ + {Manager: "a", Operation: metav1.ManagedFieldsOperationUpdate, Time: &metav1.Time{Time: time.Now()}}, + {Manager: "b", Operation: metav1.ManagedFieldsOperationUpdate, Time: &metav1.Time{Time: time.Now()}}, + }, + }, + }, + { + ObjectMeta: metav1.ObjectMeta{ + Name: "bar", + Namespace: "ns2", + ManagedFields: []metav1.ManagedFieldsEntry{ + {Manager: "c", Operation: metav1.ManagedFieldsOperationUpdate, Time: &metav1.Time{Time: time.Now()}}, + {Manager: "d", Operation: metav1.ManagedFieldsOperationUpdate, Time: &metav1.Time{Time: time.Now()}}, + }, + }, + }, + }, + }, + expected: &corev1.PodList{ + Items: []corev1.Pod{ + { + ObjectMeta: metav1.ObjectMeta{ + Name: "foo", + Namespace: "ns1", + }, + }, + { + ObjectMeta: metav1.ObjectMeta{ + Name: "bar", + Namespace: "ns2", + }, + }, + }, + }, + ok: true, + }, + { + name: "object specified is a Table and objects in its rows have managed fields", + object: &metav1.Table{ + Rows: []metav1.TableRow{ + { + Object: runtime.RawExtension{ + Object: &corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: "foo", + Namespace: "ns1", + ManagedFields: []metav1.ManagedFieldsEntry{ + {Manager: "a", Operation: metav1.ManagedFieldsOperationUpdate, Time: &metav1.Time{Time: time.Now()}}, + {Manager: "b", Operation: metav1.ManagedFieldsOperationUpdate, Time: &metav1.Time{Time: time.Now()}}, + }, + }, + }, + }, + }, + { + Object: runtime.RawExtension{ + Object: &corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: "bar", + Namespace: "ns2", + ManagedFields: []metav1.ManagedFieldsEntry{ + {Manager: "c", Operation: metav1.ManagedFieldsOperationUpdate, Time: &metav1.Time{Time: time.Now()}}, + {Manager: "d", Operation: metav1.ManagedFieldsOperationUpdate, Time: &metav1.Time{Time: time.Now()}}, + }, + }, + }, + }, + }, + // add an empty row to make sure we don't panic + { + Object: runtime.RawExtension{}, + }, + }, + }, + expected: &metav1.Table{ + Rows: []metav1.TableRow{ + { + Object: runtime.RawExtension{ + Object: &corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: "foo", + Namespace: "ns1", + }, + }, + }, + }, + { + Object: runtime.RawExtension{ + Object: &corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: "bar", + Namespace: "ns2", + }, + }, + }, + }, + { + Object: runtime.RawExtension{}, + }, + }, + }, + ok: true, + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + original := test.object.DeepCopyObject() + objectGot, ok, err := copyWithoutManagedFields(test.object) + + if test.err != err { + t.Errorf("expected error: %v, but got: %v", test.err, err) + } + if test.ok != ok { + t.Errorf("expected ok: %t, but got: %t", test.ok, ok) + } + + switch { + case test.expected == nil: + if objectGot != nil { + t.Errorf("expected the returned object to be nil, but got %#v", objectGot) + } + default: + // verify that a deep copy of the specified object is made before mutating it. + if expected, actual := reflect.ValueOf(test.object), reflect.ValueOf(objectGot); expected.Pointer() == actual.Pointer() { + t.Error("expected the returned object to be a deep copy of the input object") + } + + if !cmp.Equal(test.expected, objectGot) { + t.Errorf("expected and actual do not match, diff: %s", cmp.Diff(test.expected, objectGot)) + } + } + + // we always expect the original object to be unchanged. + if !cmp.Equal(original, test.object) { + t.Errorf("the original object has mutated, diff: %s", cmp.Diff(original, test.object)) + } + }) + } +} diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/create.go b/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/create.go index 51ad05bf16ba..f2e9e50135b3 100644 --- a/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/create.go +++ b/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/create.go @@ -143,7 +143,7 @@ func createHandler(r rest.NamedCreater, scope *RequestScope, admit admission.Int ae := audit.AuditEventFrom(ctx) admit = admission.WithAudit(admit, ae) - audit.LogRequestObject(ae, obj, objGV, scope.Resource, scope.Subresource, scope.Serializer) + audit.LogRequestObject(req.Context(), obj, objGV, scope.Resource, scope.Subresource, scope.Serializer) userInfo, _ := request.UserFrom(ctx) diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/delete.go b/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/delete.go index 5b9c36ecab23..e58495bed275 100644 --- a/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/delete.go +++ b/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/delete.go @@ -103,9 +103,8 @@ func DeleteResource(r rest.GracefulDeleter, allowsOptions bool, scope *RequestSc } trace.Step("Decoded delete options") - ae := audit.AuditEventFrom(ctx) objGV := gvk.GroupVersion() - audit.LogRequestObject(ae, obj, objGV, scope.Resource, scope.Subresource, scope.Serializer) + audit.LogRequestObject(req.Context(), obj, objGV, scope.Resource, scope.Subresource, scope.Serializer) trace.Step("Recorded the audit event") } else { if err := metainternalversionscheme.ParameterCodec.DecodeParameters(req.URL.Query(), scope.MetaGroupVersion, options); err != nil { @@ -250,9 +249,8 @@ func DeleteCollection(r rest.CollectionDeleter, checkBody bool, scope *RequestSc return } - ae := audit.AuditEventFrom(ctx) objGV := gvk.GroupVersion() - audit.LogRequestObject(ae, obj, objGV, scope.Resource, scope.Subresource, scope.Serializer) + audit.LogRequestObject(req.Context(), obj, objGV, scope.Resource, scope.Subresource, scope.Serializer) } else { if err := metainternalversionscheme.ParameterCodec.DecodeParameters(req.URL.Query(), scope.MetaGroupVersion, options); err != nil { err = errors.NewBadRequest(err.Error()) diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/patch.go b/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/patch.go index 1138bc0aee3b..89c834a4ca57 100644 --- a/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/patch.go +++ b/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/patch.go @@ -126,7 +126,7 @@ func PatchResource(r rest.Patcher, scope *RequestScope, admit admission.Interfac ae := audit.AuditEventFrom(ctx) admit = admission.WithAudit(admit, ae) - audit.LogRequestPatch(ae, patchBytes) + audit.LogRequestPatch(req.Context(), patchBytes) trace.Step("Recorded the audit event") baseContentType := runtime.ContentTypeJSON diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/responsewriters/writers.go b/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/responsewriters/writers.go index 676b32fc8dd8..d6d1250b0e8d 100644 --- a/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/responsewriters/writers.go +++ b/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/responsewriters/writers.go @@ -267,9 +267,7 @@ func WriteObjectNegotiated(s runtime.NegotiatedSerializer, restrictions negotiat return } - if ae := audit.AuditEventFrom(req.Context()); ae != nil { - audit.LogResponseObject(ae, object, gv, s) - } + audit.LogResponseObject(req.Context(), object, gv, s) encoder := s.EncoderForVersion(serializer.Serializer, gv) SerializeObject(serializer.MediaType, encoder, w, req, statusCode, object) diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/update.go b/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/update.go index bfd8cb4b5147..f771fa80e00d 100644 --- a/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/update.go +++ b/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/update.go @@ -119,7 +119,7 @@ func UpdateResource(r rest.Updater, scope *RequestScope, admit admission.Interfa trace.Step("Conversion done") ae := audit.AuditEventFrom(ctx) - audit.LogRequestObject(ae, obj, objGV, scope.Resource, scope.Subresource, scope.Serializer) + audit.LogRequestObject(req.Context(), obj, objGV, scope.Resource, scope.Subresource, scope.Serializer) admit = admission.WithAudit(admit, ae) if err := checkName(obj, name, namespace, scope.Namer); err != nil {