feat: add audit module and support audit for clusters

a new module tke-audit-api added. all audit event will be processed by tke-audit-api and store in es. Signed-off-by: forrestchen <[email protected]>
k8ssphere · May 7, 2020 · fba9e30 · fba9e30
1 parent 96cbaf9
commit fba9e30
Show file tree

Hide file tree

Showing 64 changed files with 3,072 additions and 25 deletions.
diff --git a/build/docker/tke-audit-api/Dockerfile b/build/docker/tke-audit-api/Dockerfile
@@ -0,0 +1,23 @@
+# Tencent is pleased to support the open source community by making TKEStack
+# available.
+#
+# Copyright (C) 2012-2019 Tencent. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use
+# this file except in compliance with the License. You may obtain a copy of the
+# License at
+#
+# https://opensource.org/licenses/Apache-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+FROM BASE_IMAGE
+
+RUN echo "hosts: files dns" >> /etc/nsswitch.conf
+
+WORKDIR /app
+ADD tke-audit-api /app/bin/
+ENTRYPOINT ["/app/bin/tke-audit-api"]
diff --git a/build/lib/deploy.mk b/build/lib/deploy.mk
@@ -22,7 +22,7 @@ KUBECTL := kubectl
 NAMESPACE ?= tke
 CONTEXT ?= tkestack.dev
 
-DEPLOYS=tke-auth-api tke-auth-controller tke-registry-api tke-platform-api tke-platform-controller tke-business-api tke-business-controller tke-notify-api tke-notify-controller tke-monitor-api tke-monitor-controller tke-gateway
+DEPLOYS=tke-auth-api tke-auth-controller tke-registry-api tke-platform-api tke-platform-controller tke-business-api tke-business-controller tke-notify-api tke-notify-controller tke-monitor-api tke-monitor-controller tke-audit-api tke-gateway
 
 .PHONY: deploy.run.all
 deploy.run.all:

diff --git a/build/lib/gen.mk b/build/lib/gen.mk
@@ -25,7 +25,7 @@ EXT_PB_APIS = "k8s.io/api/core/v1 k8s.io/api/apps/v1"
 CODE_GENERATOR_VERSION := v1.17.0-3
 
 .PHONY: gen.run
-gen.run: gen.clean gen.api gen.openapi gen.gateway gen.registry gen.monitor
+gen.run: gen.clean gen.api gen.openapi gen.gateway gen.registry gen.monitor gen.audit
 
 # ==============================================================================
 # Generator
@@ -56,6 +56,18 @@ gen.gateway:
  $(ROOT_PACKAGE)/pkg/gateway/apis \
  "config:v1"
 
+.PHONY: gen.audit
+gen.audit:
+ @$(DOCKER) run --rm \
+ -v $(ROOT_DIR):/go/src/$(ROOT_PACKAGE) \
+ $(REGISTRY_PREFIX)/code-generator:$(CODE_GENERATOR_VERSION) \
+ /root/code.sh \
+ deepcopy-internal,deepcopy-external,defaulter-external,conversion-external \
+ $(ROOT_PACKAGE)/pkg/audit/apis \
+ $(ROOT_PACKAGE)/pkg/audit/apis \
+ $(ROOT_PACKAGE)/pkg/audit/apis \
+ "config:v1"
+
 .PHONY: gen.registry
 gen.registry:
  @$(DOCKER) run --rm \

diff --git a/cmd/tke-audit-api/app/app.go b/cmd/tke-audit-api/app/app.go
@@ -0,0 +1,61 @@
+/*
+ * Tencent is pleased to support the open source community by making TKEStack
+ * available.
+ *
+ * Copyright (C) 2012-2019 Tencent. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
+ * this file except in compliance with the License. You may obtain a copy of the
+ * License at
+ *
+ * https://opensource.org/licenses/Apache-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+
+package app
+
+import (
+ commonapiserver "k8s.io/apiserver/pkg/server"
+ "tkestack.io/tke/cmd/tke-audit-api/app/config"
+ "tkestack.io/tke/cmd/tke-audit-api/app/options"
+ "tkestack.io/tke/pkg/app"
+ "tkestack.io/tke/pkg/util/log"
+)
+
+const commandDesc = `The application is a audit server. It is responsible for saving the
+audit events and handling events queries`
+
+// NewApp creates a App object with default parameters.
+func NewApp(basename string) *app.App {
+ opts := options.NewOptions(basename)
+ application := app.NewApp("Tencent Kubernetes Engine Audit",
+ basename,
+ app.WithOptions(opts),
+ app.WithDescription(commandDesc),
+ app.WithRunFunc(run(opts)),
+ )
+ return application
+}
+
+func run(opts *options.Options) app.RunFunc {
+ return func(basename string) error {
+ log.Init(opts.Log)
+ defer log.Flush()
+
+ if err := opts.Complete(); err != nil {
+ return err
+ }
+
+ cfg, err := config.CreateConfigFromOptions(basename, opts)
+ if err != nil {
+ return err
+ }
+
+ stopCh := commonapiserver.SetupSignalHandler()
+ return Run(cfg, stopCh)
+ }
+}
diff --git a/cmd/tke-audit-api/app/config/config.go b/cmd/tke-audit-api/app/config/config.go
@@ -0,0 +1,134 @@
+/*
+ * Tencent is pleased to support the open source community by making TKEStack
+ * available.
+ *
+ * Copyright (C) 2012-2019 Tencent. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
+ * this file except in compliance with the License. You may obtain a copy of the
+ * License at
+ *
+ * https://opensource.org/licenses/Apache-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+
+package config
+
+import (
+ "fmt"
+ genericapiserver "k8s.io/apiserver/pkg/server"
+ "k8s.io/kube-openapi/pkg/common"
+ "path/filepath"
+ generatedopenapi "tkestack.io/tke/api/openapi"
+ "tkestack.io/tke/cmd/tke-audit-api/app/options"
+ "tkestack.io/tke/pkg/apiserver"
+ "tkestack.io/tke/pkg/apiserver/authentication"
+ "tkestack.io/tke/pkg/apiserver/authorization"
+ "tkestack.io/tke/pkg/apiserver/handler"
+ "tkestack.io/tke/pkg/apiserver/openapi"
+ audit "tkestack.io/tke/pkg/audit/api"
+ auditconfig "tkestack.io/tke/pkg/audit/apis/config"
+ "tkestack.io/tke/pkg/audit/apis/config/validation"
+ "tkestack.io/tke/pkg/audit/config/configfiles"
+ auditopenapi "tkestack.io/tke/pkg/audit/openapi"
+ utilfs "tkestack.io/tke/pkg/util/filesystem"
+ "tkestack.io/tke/pkg/util/log"
+)
+
+const (
+ license = "Apache 2.0"
+ title = "Tencent Kubernetes Engine Audit API"
+)
+
+// Config is the running configuration structure of the TKE controller manager.
+type Config struct {
+ ServerName string
+ GenericAPIServerConfig *genericapiserver.Config
+ AuditConfig *auditconfig.AuditConfiguration
+}
+
+// CreateConfigFromOptions creates a running configuration instance based
+// on a given TKE apiserver command line or configuration file option.
+func CreateConfigFromOptions(serverName string, opts *options.Options) (*Config, error) {
+ auditConfig, err := options.NewAuditConfiguration()
+ if err != nil {
+ log.Error("Failed create default audit configuration", log.Err(err))
+ return nil, err
+ }
+
+ // load config file, if provided
+ if configFile := opts.AuditConfig; len(configFile) > 0 {
+ auditConfig, err = loadConfigFile(configFile)
+ if err != nil {
+ log.Error("Failed to load audit configuration file", log.String("configFile", configFile), log.Err(err))
+ return nil, err
+ }
+ }
+ if err := validation.ValidateAuditConfiguration(auditConfig); err != nil {
+ log.Error("Failed to validate audit configuration", log.Err(err))
+ return nil, err
+ }
+
+ genericAPIServerConfig := genericapiserver.NewConfig(apiserver.Codecs)
+ var ignoredAuthPathPrefixes []string
+ ignoredAuthPathPrefixes = append(ignoredAuthPathPrefixes, audit.IgnoredAuthPathPrefixes()...)
+ genericAPIServerConfig.BuildHandlerChainFunc = handler.BuildHandlerChain(ignoredAuthPathPrefixes)
+ genericAPIServerConfig.EnableIndex = false
+ genericAPIServerConfig.EnableDiscovery = false
+
+ if err := opts.Generic.ApplyTo(genericAPIServerConfig); err != nil {
+ return nil, err
+ }
+ if err := opts.SecureServing.ApplyTo(&genericAPIServerConfig.SecureServing, &genericAPIServerConfig.LoopbackClientConfig); err != nil {
+ return nil, err
+ }
+
+ openapi.SetupOpenAPI(genericAPIServerConfig, func(callback common.ReferenceCallback) map[string]common.OpenAPIDefinition {
+ result := make(map[string]common.OpenAPIDefinition)
+ generated := generatedopenapi.GetOpenAPIDefinitions(callback)
+ for k, v := range generated {
+ result[k] = v
+ }
+ customs := auditopenapi.GetOpenAPIDefinitions(callback)
+ for k, v := range customs {
+ result[k] = v
+ }
+ return result
+ }, title, license, opts.Generic.ExternalHost, opts.Generic.ExternalPort)
+
+ if err := authentication.SetupAuthentication(genericAPIServerConfig, opts.Authentication); err != nil {
+ return nil, err
+ }
+
+ if err := authorization.SetupAuthorization(genericAPIServerConfig, opts.Authorization); err != nil {
+ return nil, err
+ }
+
+ return &Config{
+ ServerName: serverName,
+ GenericAPIServerConfig: genericAPIServerConfig,
+ AuditConfig: auditConfig,
+ }, nil
+}
+
+func loadConfigFile(name string) (*auditconfig.AuditConfiguration, error) {
+ const errFmt = "failed to load audit config file %s, error %v"
+ // compute absolute path based on current working dir
+ auditConfigFile, err := filepath.Abs(name)
+ if err != nil {
+ return nil, fmt.Errorf(errFmt, name, err)
+ }
+ loader, err := configfiles.NewFsLoader(utilfs.DefaultFs{}, auditConfigFile)
+ if err != nil {
+ return nil, fmt.Errorf(errFmt, name, err)
+ }
+ kc, err := loader.Load()
+ if err != nil {
+ return nil, fmt.Errorf(errFmt, name, err)
+ }
+ return kc, err
+}
diff --git a/cmd/tke-audit-api/app/options/audit.go b/cmd/tke-audit-api/app/options/audit.go
@@ -0,0 +1,40 @@
+/*
+ * Tencent is pleased to support the open source community by making TKEStack
+ * available.
+ *
+ * Copyright (C) 2012-2019 Tencent. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
+ * this file except in compliance with the License. You may obtain a copy of the
+ * License at
+ *
+ * https://opensource.org/licenses/Apache-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+
+package options
+
+import (
+ auditconfig "tkestack.io/tke/pkg/audit/apis/config"
+ auditscheme "tkestack.io/tke/pkg/audit/apis/config/scheme"
+ auditconfigv1 "tkestack.io/tke/pkg/audit/apis/config/v1"
+)
+
+// NewAuditConfiguration will create a new AuditConfiguration with default values
+func NewAuditConfiguration() (*auditconfig.AuditConfiguration, error) {
+ scheme, _, err := auditscheme.NewSchemeAndCodecs()
+ if err != nil {
+ return nil, err
+ }
+ versioned := &auditconfigv1.AuditConfiguration{}
+ scheme.Default(versioned)
+ config := &auditconfig.AuditConfiguration{}
+ if err := scheme.Convert(versioned, config, nil); err != nil {
+ return nil, err
+ }
+ return config, nil
+}