Created
May 31, 2019 21:08
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/attributes.go b/staging/src/k8s.io/apiserver/pkg/admission/attributes.go | |
index d3e4a615495..51a59fdbc30 100644 | |
--- a/staging/src/k8s.io/apiserver/pkg/admission/attributes.go | |
+++ b/staging/src/k8s.io/apiserver/pkg/admission/attributes.go | |
@@ -112,7 +112,7 @@ func (record *attributesRecord) GetUserInfo() user.Info { | |
// getAnnotations implements privateAnnotationsGetter.It's a private method used | |
// by WithAudit decorator. | |
-func (record *attributesRecord) getAnnotations() map[string]Annotation { | |
+func (record *attributesRecord) getAnnotations(level auditinternal.Level) map[string]Annotation { | |
record.annotationsLock.RLock() | |
defer record.annotationsLock.RUnlock() | |
@@ -121,7 +121,9 @@ func (record *attributesRecord) getAnnotations() map[string]Annotation { | |
} | |
cp := make(map[string]Annotation, len(record.annotations)) | |
for key, value := range record.annotations { | |
- cp[key] = value | |
+ if value.Level <= level { | |
+ cp[key] = value | |
+ } | |
} | |
return cp | |
} | |
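Review bot: `value.Level <= level` in the copy loop compares the two levels with the built-in operator instead of the level ordering the removed code used (`ae.Level.Less(level)` in request.go). The definition of auditinternal.Level is not in this diff, but if it is a string type, as it appears to be upstream, `<=` is lexicographic: `Metadata` sorts below `None`, so a Metadata-level annotation would be copied for an event at level None. Use the ordering method instead: `if !level.Less(value.Level) {`. getAnnotations starts in the previous hunk.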
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/audit.go b/staging/src/k8s.io/apiserver/pkg/admission/audit.go | |
index 09b3d22e33c..f12acc8cdb8 100644 | |
--- a/staging/src/k8s.io/apiserver/pkg/admission/audit.go | |
+++ b/staging/src/k8s.io/apiserver/pkg/admission/audit.go | |
@@ -86,12 +86,12 @@ func ensureAnnotationGetter(a Attributes) error { | |
func (handler auditHandler) logAnnotations(a Attributes) { | |
switch a := a.(type) { | |
case privateAnnotationsGetter: | |
- for key, annotation := range a.getAnnotations() { | |
- audit.LogAnnotation(handler.ae, key, annotation.Value, annotation.Level) | |
+ for key, annotation := range a.getAnnotations(handler.ae.Level) { | |
+ audit.LogAnnotation(handler.ae, key, annotation.Value) | |
} | |
case AnnotationsGetter: | |
- for key, annotation := range a.GetAnnotations() { | |
- audit.LogAnnotation(handler.ae, key, annotation.Value, annotation.Level) | |
+ for key, annotation := range a.GetAnnotations(handler.ae.Level) { | |
+ audit.LogAnnotation(handler.ae, key, annotation.Value) | |
} | |
default: | |
// this will never happen, because we have already checked it in ensureAnnotationGetter | |
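Review bot: `handler.ae.Level` is read in both cases of the type switch with no nil check on `handler.ae`, while this commit also removes the `ae == nil` guard from `audit.LogAnnotation` in request.go. If an auditHandler can be built with a nil event (not visible here), this now panics where the old code returned quietly. Guard once at the top of logAnnotations: `if handler.ae == nil { return }`. The function body continues past the hunk.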
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/interfaces.go b/staging/src/k8s.io/apiserver/pkg/admission/interfaces.go | |
index 97d7289911d..7f8d0fd7db7 100644 | |
--- a/staging/src/k8s.io/apiserver/pkg/admission/interfaces.go | |
+++ b/staging/src/k8s.io/apiserver/pkg/admission/interfaces.go | |
@@ -93,13 +93,13 @@ type ObjectInterfaces interface { | |
// privateAnnotationsGetter is a private interface which allows users to get annotations from Attributes. | |
type privateAnnotationsGetter interface { | |
- getAnnotations() map[string]Annotation | |
+ getAnnotations(level auditinternal.Level) map[string]Annotation | |
} | |
// AnnotationsGetter allows users to get annotations from Attributes. An alternate Attribute should implement | |
// this interface. | |
type AnnotationsGetter interface { | |
- GetAnnotations() map[string]Annotation | |
+ GetAnnotations(level auditinternal.Level) map[string]Annotation | |
} | |
// Annotation holds a pair of intended audit level and annotation string | |
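Review bot: The doc comments on `privateAnnotationsGetter` and `AnnotationsGetter` do not say what the new `level` argument means, although filtering by audit level now happens inside each implementation instead of in `audit.LogAnnotation`. An alternate Attributes that ignores the argument will put annotations into the event that are above its level; `FakeAttributes.GetAnnotations` in testcase.go already accepts `level` and returns every annotation. I would add to the exported interface's comment: `// GetAnnotations must return only annotations whose Level is not higher than level.` Changing the exported method's signature also breaks existing implementers, which may deserve a line in the commit description.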
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/testing/testcase.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/testing/testcase.go | |
index b5c788f610d..f0edf9737ba 100644 | |
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/testing/testcase.go | |
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/testing/testcase.go | |
@@ -155,7 +155,7 @@ func (f *FakeAttributes) AddAnnotationWithLevel(k, v string, _ auditinternal.Lev | |
} | |
// GetAnnotations reads annotations from FakeAttributes | |
-func (f *FakeAttributes) GetAnnotations() map[string]string { | |
+func (f *FakeAttributes) GetAnnotations(level auditinternal.Level) map[string]string { | |
f.mutex.Lock() | |
defer f.mutex.Unlock() | |
return f.annotations | |
diff --git a/staging/src/k8s.io/apiserver/pkg/audit/request.go b/staging/src/k8s.io/apiserver/pkg/audit/request.go | |
index 09cc1a94b7e..8990e9f33e8 100644 | |
--- a/staging/src/k8s.io/apiserver/pkg/audit/request.go | |
+++ b/staging/src/k8s.io/apiserver/pkg/audit/request.go | |
@@ -216,13 +216,7 @@ func encodeObject(obj runtime.Object, gv schema.GroupVersion, serializer runtime | |
} | |
// LogAnnotation fills in the Annotations according to the key value pair. | |
-func LogAnnotation(ae *auditinternal.Event, key, value string, level auditinternal.Level) { | |
- if ae == nil || ae.Level.Less(auditinternal.LevelMetadata) { | |
- return | |
- } | |
- if ae.Level.Less(level) { | |
- return | |
- } | |
+func LogAnnotation(ae *auditinternal.Event, key, value string) { | |
if ae.Annotations == nil { | |
ae.Annotations = make(map[string]string) | |
} |
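Review bot: `LogAnnotation` is exported, and after this change it writes to `ae.Annotations` for any event, including one below `LevelMetadata`, and dereferences `ae` with no nil check. Callers other than logAnnotations are not visible in this diff; any of them that relied on the old guards would now record annotations at level None or panic on a nil event. Keeping the floor costs one line at the top: `if ae == nil || ae.Level.Less(auditinternal.LevelMetadata) { return }`. The function body continues past the hunk.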