feat: add audit module and support audit for clusters
A new module, tke-audit-api, is added. All audit events will be processed by tke-audit-api and stored in ES. Signed-off-by: forrestchen <[email protected]>
1 parent
96cbaf9
commit fba9e30
Showing
64 changed files
with
3,072 additions
and
25 deletions.
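--- /dev/null
+++ b/<path-not-shown-on-page>
@@ -0,0 +1,23 @@
+# Tencent is pleased to support the open source community by making TKEStack
+# available.
+#
+# Copyright (C) 2012-2019 Tencent. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use
+# this file except in compliance with the License. You may obtain a copy of the
+# License at
+#
+# https://opensource.org/licenses/Apache-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+FROM BASE_IMAGE
+
+RUN echo "hosts: files dns" >> /etc/nsswitch.conf
+
+WORKDIR /app
+ADD tke-audit-api /app/bin/
+ENTRYPOINT ["/app/bin/tke-audit-api"]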
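Review bot: No USER instruction precedes ENTRYPOINT, so unless BASE_IMAGE already switches away from root the audit API process runs as root inside the container; a sink that receives audit events from every cluster is worth running unprivileged, by creating a dedicated account and adding a `USER` line before `ENTRYPOINT ["/app/bin/tke-audit-api"]` (whether BASE_IMAGE ships a usable non-root account is not visible here). The binary is a local build artifact, so `COPY tke-audit-api /app/bin/` is the conventional instruction; `ADD` carries tar-extraction and URL semantics that are not wanted for a plain file. The `RUN echo "hosts: files dns" >> /etc/nsswitch.conf` line deserves a one-line comment stating why the resolver order is being changed, since the reason is not apparent from the file.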
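--- /dev/null
+++ b/<path-not-shown-on-page>
@@ -0,0 +1,61 @@
+/*
+ * Tencent is pleased to support the open source community by making TKEStack
+ * available.
+ *
+ * Copyright (C) 2012-2019 Tencent. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
+ * this file except in compliance with the License. You may obtain a copy of the
+ * License at
+ *
+ * https://opensource.org/licenses/Apache-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+
+package app
+
+import (
+	commonapiserver "k8s.io/apiserver/pkg/server"
+	"tkestack.io/tke/cmd/tke-audit-api/app/config"
+	"tkestack.io/tke/cmd/tke-audit-api/app/options"
+	"tkestack.io/tke/pkg/app"
+	"tkestack.io/tke/pkg/util/log"
+)
+
+const commandDesc = `The application is a audit server. It is responsible for saving the
+audit events and handling events queries`
+
+// NewApp creates a App object with default parameters.
+func NewApp(basename string) *app.App {
+	opts := options.NewOptions(basename)
+	application := app.NewApp("Tencent Kubernetes Engine Audit",
+		basename,
+		app.WithOptions(opts),
+		app.WithDescription(commandDesc),
+		app.WithRunFunc(run(opts)),
+	)
+	return application
+}
+
+func run(opts *options.Options) app.RunFunc {
+	return func(basename string) error {
+		log.Init(opts.Log)
+		defer log.Flush()
+
+		if err := opts.Complete(); err != nil {
+			return err
+		}
+
+		cfg, err := config.CreateConfigFromOptions(basename, opts)
+		if err != nil {
+			return err
+		}
+
+		stopCh := commonapiserver.SetupSignalHandler()
+		return Run(cfg, stopCh)
+	}
+}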
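Review bot: The doc comment on NewApp reads "creates a App object"; it should be `// NewApp creates an App object with default parameters.` (the commandDesc string has the same "a audit server" slip, but that is a user-visible runtime string rather than a comment). In run, the errors from `opts.Complete()` and `config.CreateConfigFromOptions` are returned without context, so a startup failure only reports the innermost message; wrapping them, e.g. `return fmt.Errorf("completing options: %w", err)`, would need `fmt` added to the import block. Run, called on the last line, is defined outside this hunk, and nothing visible validates the completed options before the config is built — if options.Options exposes a Validate step it should be invoked after Complete.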
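--- /dev/null
+++ b/<path-not-shown-on-page>
@@ -0,0 +1,134 @@
+/*
+ * Tencent is pleased to support the open source community by making TKEStack
+ * available.
+ *
+ * Copyright (C) 2012-2019 Tencent. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
+ * this file except in compliance with the License. You may obtain a copy of the
+ * License at
+ *
+ * https://opensource.org/licenses/Apache-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+
+package config
+
+import (
+	"fmt"
+	genericapiserver "k8s.io/apiserver/pkg/server"
+	"k8s.io/kube-openapi/pkg/common"
+	"path/filepath"
+	generatedopenapi "tkestack.io/tke/api/openapi"
+	"tkestack.io/tke/cmd/tke-audit-api/app/options"
+	"tkestack.io/tke/pkg/apiserver"
+	"tkestack.io/tke/pkg/apiserver/authentication"
+	"tkestack.io/tke/pkg/apiserver/authorization"
+	"tkestack.io/tke/pkg/apiserver/handler"
+	"tkestack.io/tke/pkg/apiserver/openapi"
+	audit "tkestack.io/tke/pkg/audit/api"
+	auditconfig "tkestack.io/tke/pkg/audit/apis/config"
+	"tkestack.io/tke/pkg/audit/apis/config/validation"
+	"tkestack.io/tke/pkg/audit/config/configfiles"
+	auditopenapi "tkestack.io/tke/pkg/audit/openapi"
+	utilfs "tkestack.io/tke/pkg/util/filesystem"
+	"tkestack.io/tke/pkg/util/log"
+)
+
+const (
+	license = "Apache 2.0"
+	title   = "Tencent Kubernetes Engine Audit API"
+)
+
+// Config is the running configuration structure of the TKE controller manager.
+type Config struct {
+	ServerName             string
+	GenericAPIServerConfig *genericapiserver.Config
+	AuditConfig            *auditconfig.AuditConfiguration
+}
+
+// CreateConfigFromOptions creates a running configuration instance based
+// on a given TKE apiserver command line or configuration file option.
+func CreateConfigFromOptions(serverName string, opts *options.Options) (*Config, error) {
+	auditConfig, err := options.NewAuditConfiguration()
+	if err != nil {
+		log.Error("Failed create default audit configuration", log.Err(err))
+		return nil, err
+	}
+
+	// load config file, if provided
+	if configFile := opts.AuditConfig; len(configFile) > 0 {
+		auditConfig, err = loadConfigFile(configFile)
+		if err != nil {
+			log.Error("Failed to load audit configuration file", log.String("configFile", configFile), log.Err(err))
+			return nil, err
+		}
+	}
+	if err := validation.ValidateAuditConfiguration(auditConfig); err != nil {
+		log.Error("Failed to validate audit configuration", log.Err(err))
+		return nil, err
+	}
+
+	genericAPIServerConfig := genericapiserver.NewConfig(apiserver.Codecs)
+	var ignoredAuthPathPrefixes []string
+	ignoredAuthPathPrefixes = append(ignoredAuthPathPrefixes, audit.IgnoredAuthPathPrefixes()...)
+	genericAPIServerConfig.BuildHandlerChainFunc = handler.BuildHandlerChain(ignoredAuthPathPrefixes)
+	genericAPIServerConfig.EnableIndex = false
+	genericAPIServerConfig.EnableDiscovery = false
+
+	if err := opts.Generic.ApplyTo(genericAPIServerConfig); err != nil {
+		return nil, err
+	}
+	if err := opts.SecureServing.ApplyTo(&genericAPIServerConfig.SecureServing, &genericAPIServerConfig.LoopbackClientConfig); err != nil {
+		return nil, err
+	}
+
+	openapi.SetupOpenAPI(genericAPIServerConfig, func(callback common.ReferenceCallback) map[string]common.OpenAPIDefinition {
+		result := make(map[string]common.OpenAPIDefinition)
+		generated := generatedopenapi.GetOpenAPIDefinitions(callback)
+		for k, v := range generated {
+			result[k] = v
+		}
+		customs := auditopenapi.GetOpenAPIDefinitions(callback)
+		for k, v := range customs {
+			result[k] = v
+		}
+		return result
+	}, title, license, opts.Generic.ExternalHost, opts.Generic.ExternalPort)
+
+	if err := authentication.SetupAuthentication(genericAPIServerConfig, opts.Authentication); err != nil {
+		return nil, err
+	}
+
+	if err := authorization.SetupAuthorization(genericAPIServerConfig, opts.Authorization); err != nil {
+		return nil, err
+	}
+
+	return &Config{
+		ServerName:             serverName,
+		GenericAPIServerConfig: genericAPIServerConfig,
+		AuditConfig:            auditConfig,
+	}, nil
+}
+
+func loadConfigFile(name string) (*auditconfig.AuditConfiguration, error) {
+	const errFmt = "failed to load audit config file %s, error %v"
+	// compute absolute path based on current working dir
+	auditConfigFile, err := filepath.Abs(name)
+	if err != nil {
+		return nil, fmt.Errorf(errFmt, name, err)
+	}
+	loader, err := configfiles.NewFsLoader(utilfs.DefaultFs{}, auditConfigFile)
+	if err != nil {
+		return nil, fmt.Errorf(errFmt, name, err)
+	}
+	kc, err := loader.Load()
+	if err != nil {
+		return nil, fmt.Errorf(errFmt, name, err)
+	}
+	return kc, err
+}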
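Review bot: The doc comment on Config says it is the configuration of "the TKE controller manager", a copy-paste leftover in a file that configures the audit API server; suggest `// Config is the running configuration structure of the TKE audit API server.` The handler chain is built from `ignoredAuthPathPrefixes`, populated by `audit.IgnoredAuthPathPrefixes()` (defined outside this hunk), i.e. the set of paths served without authentication; since this server ingests audit events from other clusters, a comment at that line naming what the prefixes cover, and confirming the event-ingest path is not among them unless it carries its own authentication, would help the next reviewer. In loadConfigFile the format `errFmt` uses `%v`, so callers cannot inspect the underlying error with errors.Is/As; `%w` would preserve it. The final `return kc, err` returns an err already known to be nil, so `return kc, nil` states the intent plainly.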
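--- /dev/null
+++ b/<path-not-shown-on-page>
@@ -0,0 +1,40 @@
+/*
+ * Tencent is pleased to support the open source community by making TKEStack
+ * available.
+ *
+ * Copyright (C) 2012-2019 Tencent. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
+ * this file except in compliance with the License. You may obtain a copy of the
+ * License at
+ *
+ * https://opensource.org/licenses/Apache-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+
+package options
+
+import (
+	auditconfig "tkestack.io/tke/pkg/audit/apis/config"
+	auditscheme "tkestack.io/tke/pkg/audit/apis/config/scheme"
+	auditconfigv1 "tkestack.io/tke/pkg/audit/apis/config/v1"
+)
+
+// NewAuditConfiguration will create a new AuditConfiguration with default values
+func NewAuditConfiguration() (*auditconfig.AuditConfiguration, error) {
+	scheme, _, err := auditscheme.NewSchemeAndCodecs()
+	if err != nil {
+		return nil, err
+	}
+	versioned := &auditconfigv1.AuditConfiguration{}
+	scheme.Default(versioned)
+	config := &auditconfig.AuditConfiguration{}
+	if err := scheme.Convert(versioned, config, nil); err != nil {
+		return nil, err
+	}
+	return config, nil
+}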
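Review bot: The doc comment on NewAuditConfiguration has no terminating period and does not say where the defaults come from; the body applies the scheme's defaulters to a v1 object and then converts it, so `// NewAuditConfiguration returns an AuditConfiguration converted from a scheme-defaulted v1 AuditConfiguration.` would document that. The local named `config` reads like a package identifier next to the auditconfig import; `cfg` is the usual choice. The errors from NewSchemeAndCodecs and Convert are returned bare, so a startup failure cannot be traced to either step; wrapping them with `%w` would identify the step, at the cost of adding fmt to this file's imports.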