@sttts
Created May 31, 2019 21:08
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/attributes.go b/staging/src/k8s.io/apiserver/pkg/admission/attributes.go
index d3e4a615495..51a59fdbc30 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/attributes.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/attributes.go
@@ -112,7 +112,7 @@ func (record *attributesRecord) GetUserInfo() user.Info {
// getAnnotations implements privateAnnotationsGetter.It's a private method used
// by WithAudit decorator.
-func (record *attributesRecord) getAnnotations() map[string]Annotation {
+func (record *attributesRecord) getAnnotations(level auditinternal.Level) map[string]Annotation {
record.annotationsLock.RLock()
defer record.annotationsLock.RUnlock()
@@ -121,7 +121,9 @@ func (record *attributesRecord) getAnnotations() map[string]Annotation {
}
cp := make(map[string]Annotation, len(record.annotations))
for key, value := range record.annotations {
- cp[key] = value
+ if value.Level <= level {
+ cp[key] = value
+ }
}
return cp
}
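Review bot: The new filter `if value.Level <= level {` uses Go's built-in comparison, which is lexicographic if `auditinternal.Level` is a string type, and so does not follow the audit-level ordering that the removed `ae.Level.Less(level)` check in request.go applied. With the usual level names, "Metadata" sorts before "None", so a Metadata-level annotation would pass the filter for an event audited at None, and annotations could land in events that policy meant to keep empty. Use the ordering helper already used elsewhere in this diff: `if !level.Less(value.Level) {`. The doc comment above getAnnotations should also say that the result is limited to annotations at or below `level`. Part of the function body lies between the two hunks and is not shown.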
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/audit.go b/staging/src/k8s.io/apiserver/pkg/admission/audit.go
index 09b3d22e33c..f12acc8cdb8 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/audit.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/audit.go
@@ -86,12 +86,12 @@ func ensureAnnotationGetter(a Attributes) error {
func (handler auditHandler) logAnnotations(a Attributes) {
switch a := a.(type) {
case privateAnnotationsGetter:
- for key, annotation := range a.getAnnotations() {
- audit.LogAnnotation(handler.ae, key, annotation.Value, annotation.Level)
+ for key, annotation := range a.getAnnotations(handler.ae.Level) {
+ audit.LogAnnotation(handler.ae, key, annotation.Value)
}
case AnnotationsGetter:
- for key, annotation := range a.GetAnnotations() {
- audit.LogAnnotation(handler.ae, key, annotation.Value, annotation.Level)
+ for key, annotation := range a.GetAnnotations(handler.ae.Level) {
+ audit.LogAnnotation(handler.ae, key, annotation.Value)
}
default:
// this will never happen, because we have already checked it in ensureAnnotationGetter
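Review bot: Both new loop headers evaluate `handler.ae.Level` before anything checks `handler.ae` for nil, and this diff also removes the `ae == nil` guard from `audit.LogAnnotation` in request.go. That guard suggests a nil event was an expected case (for example when auditing is disabled for the request), so this path would now panic on a nil pointer dereference instead of returning quietly. Add an early return at the top of logAnnotations, `if handler.ae == nil { return }`, and keep the nil check in LogAnnotation as well. The end of the switch is outside the hunk.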
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/interfaces.go b/staging/src/k8s.io/apiserver/pkg/admission/interfaces.go
index 97d7289911d..7f8d0fd7db7 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/interfaces.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/interfaces.go
@@ -93,13 +93,13 @@ type ObjectInterfaces interface {
// privateAnnotationsGetter is a private interface which allows users to get annotations from Attributes.
type privateAnnotationsGetter interface {
- getAnnotations() map[string]Annotation
+ getAnnotations(level auditinternal.Level) map[string]Annotation
}
// AnnotationsGetter allows users to get annotations from Attributes. An alternate Attribute should implement
// this interface.
type AnnotationsGetter interface {
- GetAnnotations() map[string]Annotation
+ GetAnnotations(level auditinternal.Level) map[string]Annotation
}
// Annotation holds a pair of intended audit level and annotation string
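Review bot: The new `level` parameter on `GetAnnotations` moves the level filtering onto every implementer of the exported `AnnotationsGetter` interface, but the interface comment does not say so. An alternate Attributes implementation that ignores the argument would return everything, and since LogAnnotation no longer filters, annotations above the event's level would be written to the audit log. Document the contract on the method, e.g. `// GetAnnotations returns only the annotations whose Level is at or below level, in audit-level order.`, and note the same on `getAnnotations`. This is also a signature change to an exported interface, so out-of-tree implementers will stop compiling.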
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/testing/testcase.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/testing/testcase.go
index b5c788f610d..f0edf9737ba 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/testing/testcase.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/testing/testcase.go
@@ -155,7 +155,7 @@ func (f *FakeAttributes) AddAnnotationWithLevel(k, v string, _ auditinternal.Lev
}
// GetAnnotations reads annotations from FakeAttributes
-func (f *FakeAttributes) GetAnnotations() map[string]string {
+func (f *FakeAttributes) GetAnnotations(level auditinternal.Level) map[string]string {
f.mutex.Lock()
defer f.mutex.Unlock()
return f.annotations
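Review bot: The new `level` argument is accepted but never used, so this fake returns every annotation regardless of level and tests built on it will not exercise the filtering that the real `getAnnotations` now performs. Either name the parameter `_`, as `AddAnnotationWithLevel` does in the hunk header, and extend the comment with `// The level argument is ignored; the fake stores no levels and returns all annotations.`, or store levels in the fake and filter. The method also returns `f.annotations` itself rather than a copy, so callers read the map after the mutex is released. The closing brace of the function is outside the hunk.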
diff --git a/staging/src/k8s.io/apiserver/pkg/audit/request.go b/staging/src/k8s.io/apiserver/pkg/audit/request.go
index 09cc1a94b7e..8990e9f33e8 100644
--- a/staging/src/k8s.io/apiserver/pkg/audit/request.go
+++ b/staging/src/k8s.io/apiserver/pkg/audit/request.go
@@ -216,13 +216,7 @@ func encodeObject(obj runtime.Object, gv schema.GroupVersion, serializer runtime
}
// LogAnnotation fills in the Annotations according to the key value pair.
-func LogAnnotation(ae *auditinternal.Event, key, value string, level auditinternal.Level) {
- if ae == nil || ae.Level.Less(auditinternal.LevelMetadata) {
- return
- }
- if ae.Level.Less(level) {
- return
- }
+func LogAnnotation(ae *auditinternal.Event, key, value string) {
if ae.Annotations == nil {
ae.Annotations = make(map[string]string)
}
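Review bot: With the guards removed, `LogAnnotation` writes into `ae.Annotations` unconditionally, so the rule that events below `LevelMetadata` carry no annotations now depends on every caller filtering first. Any caller of this exported function outside the admission path (none are visible here) would record annotations into events that policy set to None, and would panic on a nil event. Keep the floor and the nil check even though the per-annotation level moves to the getters: `if ae == nil || ae.Level.Less(auditinternal.LevelMetadata) { return }`. The doc comment should state that the function no longer compares an annotation level. The rest of the function body is outside the hunk.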