
feat: log details on log denies #2813

Merged
merged 4 commits into from
Jun 13, 2023

Conversation

acpana
Contributor

@acpana acpana commented Jun 3, 2023

Smallest of patches to log the details of a violation. I don't think this has a place in audit but am open to reconsider.

Addresses #2790

Example:

```json
{
  "level": "info",
  "ts": 1685780064.9552832,
  "logger": "webhook",
  "msg": "denied admission: All namespaces must have an `owner` label that points to your company username",
  "hookType": "validation",
  "process": "admission",
  "event_type": "violation",
  "constraint_name": "all-must-have-owner",
  "constraint_group": "constraints.gatekeeper.sh",
  "constraint_api_version": "v1beta1",
  "constraint_kind": "K8sRequiredLabelsOptimized",
  "constraint_action": "deny",
  "violation_metadata": {
    "details": {
      "missing_labels": [
        "owner"
      ]
    }
  },
  "resource_group": "",
  "resource_api_version": "v1",
  "resource_kind": "Namespace",
  "resource_namespace": "",
  "resource_name": "disallowed-namespace",
  "request_username": "kubernetes-admin"
}
```

Signed-off-by: Alex Pana <8968914+acpana@users.noreply.github.com>
@acpana acpana requested a review from maxsmythe June 3, 2023 22:08
@codecov-commenter

codecov-commenter commented Jun 3, 2023

Codecov Report

Patch coverage: 4.54% and project coverage change: +0.12 🎉

Comparison is base (ba39189) 52.73% compared to head (5bff76d) 52.86%.

Additional details and impacted files
```diff
@@            Coverage Diff             @@
##           master    #2813      +/-   ##
==========================================
+ Coverage   52.73%   52.86%   +0.12%     
==========================================
  Files         132      132              
  Lines       11629    11632       +3     
==========================================
+ Hits         6133     6149      +16     
+ Misses       5013     5005       -8     
+ Partials      483      478       -5     
```

| Flag | Coverage Δ |
| --- | --- |
| unittests | 52.86% <4.54%> (+0.12%) ⬆️ |


| Impacted Files | Coverage Δ |
| --- | --- |
| pkg/util/wildcard.go | 100.00% <ø> (ø) |
| pkg/webhook/mutation.go | 24.65% <0.00%> (-0.86%) ⬇️ |
| pkg/webhook/policy.go | 35.97% <7.69%> (-0.56%) ⬇️ |

... and 1 file with indirect coverage changes


@maxsmythe
Contributor

Why don't you think audit should also report details?

@maxsmythe
Contributor

FWIW audit already reports details:

```go
logging.Details, details,
```

@@ -34,6 +34,7 @@ const (
Mutator = "mutator"
DebugLevel = 2 // r.log.Debug(foo) == r.log.V(logging.DebugLevel).Info(foo)
ExecutionStats = "execution_stats"
ViolationMetadata = "violation_metadata"
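Review bot: The added `ViolationMetadata = "violation_metadata"` constant introduces a second field name for a payload that audit already logs under `logging.Details` (the `logging.Details, details,` call quoted above); emitting the webhook details under `logging.Details` instead keeps the key identical across webhook and audit lines, so anyone matching on violation details downstream only has to look for one field. If a separate constant is kept, give it a doc comment like the neighbouring `DebugLevel` entry so readers know how it differs from `Details`.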
Contributor


We should be consistent with how audit handles the details field:

```go
logging.Details, details,
```

Contributor Author


Oh I missed that! 🤦🏼

Deduping this comment with the audit logging. I figured that logging the details of the rego evaluations for every object for every audit run would be too noisy. At present, we only log details for a violation in audit so this should be consistent with the audit behavior now:

```go
// logViolation is audit's existing violation logger, quoted here as-is apart
// from indentation; note that it already passes the template's details via
// logging.Details, which is the key the webhook should share.
func logViolation(l logr.Logger,
	constraint *unstructured.Unstructured,
	enforcementAction util.EnforcementAction, resourceGroupVersionKind schema.GroupVersionKind, rnamespace, rname, message string, details interface{}, rlabels map[string]string,
) {
	userConstraintAnnotations := constraint.GetAnnotations()
	delete(userConstraintAnnotations, "kubectl.kubernetes.io/last-applied-configuration")
	l.Info(
		message,
		logging.Details, details,
		logging.EventType, "violation_audited",
		logging.ConstraintGroup, constraint.GroupVersionKind().Group,
		logging.ConstraintAPIVersion, constraint.GroupVersionKind().Version,
		logging.ConstraintKind, constraint.GetKind(),
		logging.ConstraintName, constraint.GetName(),
		logging.ConstraintNamespace, constraint.GetNamespace(),
		logging.ConstraintAction, enforcementAction,
		logging.ConstraintAnnotations, userConstraintAnnotations,
		logging.ResourceGroup, resourceGroupVersionKind.Group,
		logging.ResourceAPIVersion, resourceGroupVersionKind.Version,
		logging.ResourceKind, resourceGroupVersionKind.Kind,
		logging.ResourceNamespace, rnamespace,
		logging.ResourceName, rname,
		logging.ResourceLabels, rlabels,
	)
}
```
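As an added example (not code from this PR or from Gatekeeper), the following Go consumer ingests the structured violation lines discussed in the PR description and in the audit snippet above, from both the webhook (`event_type` of `violation`) and audit (`violation_audited`), keeps only the ones that were actually enforced (`constraint_action` of `deny`), and pulls the template's details out in a form an alert can carry. It assumes the webhook nests the details under `violation_metadata.details` as in the description's example and that audit's `logging.Details` key serialises as a top-level `details` field; both shapes are accepted so the parser keeps working whichever key the final patch settles on. The log lines are constructed for the example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
)

// violationEvent holds the structured fields Gatekeeper emits for a violation.
// Field names follow the JSON example and audit snippet in this thread; the
// struct itself belongs to this added example, not to Gatekeeper.
type violationEvent struct {
	EventType         string `json:"event_type"`
	ConstraintName    string `json:"constraint_name"`
	ConstraintAction  string `json:"constraint_action"`
	ResourceKind      string `json:"resource_kind"`
	ResourceNamespace string `json:"resource_namespace"`
	ResourceName      string `json:"resource_name"`
	RequestUsername   string `json:"request_username"`
	// Assumption: audit's logging.Details serialises as a top-level "details"
	// key, while the PR's first revision nested it under violation_metadata.
	Details           json.RawMessage `json:"details"`
	ViolationMetadata *struct {
		Details json.RawMessage `json:"details"`
	} `json:"violation_metadata"`
}

// Denial is the alert-ready summary of one enforced violation.
type Denial struct {
	Source     string // "webhook" or "audit"
	Constraint string
	Resource   string // Kind/name, or Kind/namespace/name for namespaced objects
	User       string // request_username; empty for audit findings
	Details    string // compact JSON of the template's details, "" when absent
}

// ParseDenials reads newline-delimited JSON log lines and returns the
// violations whose constraint_action is "deny". Unparseable lines, non-violation
// events and dryrun/warn findings are skipped; the count of skipped lines is
// returned so a pipeline can notice when the log shape drifts.
func ParseDenials(logs string) ([]Denial, int) {
	var denials []Denial
	skipped := 0
	for _, line := range strings.Split(logs, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var ev violationEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			skipped++ // klog-style or otherwise unstructured line
			continue
		}
		var source string
		switch ev.EventType {
		case "violation":
			source = "webhook"
		case "violation_audited":
			source = "audit"
		default:
			skipped++
			continue
		}
		if ev.ConstraintAction != "deny" {
			skipped++ // reported but not enforced
			continue
		}
		denials = append(denials, Denial{
			Source:     source,
			Constraint: ev.ConstraintName,
			Resource:   resourceRef(ev),
			User:       ev.RequestUsername,
			Details:    compactDetails(ev),
		})
	}
	return denials, skipped
}

// resourceRef renders a kubectl-style reference for the violating object.
func resourceRef(ev violationEvent) string {
	if ev.ResourceNamespace == "" {
		return ev.ResourceKind + "/" + ev.ResourceName
	}
	return ev.ResourceKind + "/" + ev.ResourceNamespace + "/" + ev.ResourceName
}

// compactDetails returns the details as compact JSON, preferring the nested
// violation_metadata form when both are present; absent or null yields "".
func compactDetails(ev violationEvent) string {
	raw := ev.Details
	if ev.ViolationMetadata != nil && len(ev.ViolationMetadata.Details) > 0 {
		raw = ev.ViolationMetadata.Details
	}
	if len(raw) == 0 || string(raw) == "null" {
		return ""
	}
	var buf bytes.Buffer
	if err := json.Compact(&buf, raw); err != nil {
		return string(raw)
	}
	return buf.String()
}

// sampleLogs are constructed for this example: one webhook deny modelled on the
// PR description, one audit finding, one dryrun, and one unstructured line.
const sampleLogs = `
{"level":"info","logger":"webhook","msg":"denied admission: All namespaces must have an owner label","event_type":"violation","constraint_name":"all-must-have-owner","constraint_action":"deny","violation_metadata":{"details":{"missing_labels":["owner"]}},"resource_kind":"Namespace","resource_namespace":"","resource_name":"disallowed-namespace","request_username":"kubernetes-admin"}
{"level":"info","logger":"controller","msg":"container must set limits","event_type":"violation_audited","constraint_name":"container-must-have-limits","constraint_action":"deny","details":{"missing":["limits"]},"resource_kind":"Pod","resource_namespace":"default","resource_name":"nginx"}
{"level":"info","logger":"webhook","msg":"dry run","event_type":"violation","constraint_name":"all-must-have-owner","constraint_action":"dryrun","resource_kind":"Namespace","resource_namespace":"","resource_name":"other"}
I0603 22:08:00 not a structured line
`

func main() {
	denials, skipped := ParseDenials(sampleLogs)
	for _, d := range denials {
		fmt.Printf("[%s] %s denied %s for %q details=%s\n", d.Source, d.Constraint, d.Resource, d.User, d.Details)
	}
	fmt.Printf("skipped %d non-deny or unparseable lines\n", skipped)
}
```

Keeping `details` as `json.RawMessage` matters because each constraint template shapes its details freely, so a fixed struct would silently drop fields; compacting it to a string is enough for an alert body while leaving the original structure intact for anyone who wants to re-parse it.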

Signed-off-by: Alex Pana <8968914+acpana@users.noreply.github.com>
@acpana acpana requested a review from maxsmythe June 6, 2023 00:53
@acpana
Copy link
Contributor Author

acpana commented Jun 6, 2023

@maxsmythe PTAL when you have some time 🙏🏼 ; this is a one liner now hehe

Co-authored-by: Jaydipkumar Arvindbhai Gabani <gabanijaydip@gmail.com>
Signed-off-by: alex <8968914+acpana@users.noreply.github.com>
@acpana acpana requested a review from JaydipGabani June 9, 2023 20:27
Member

@sozercan sozercan left a comment


LGTM

Contributor

@maxsmythe maxsmythe left a comment


LGTM

@sozercan sozercan merged commit 3847284 into open-policy-agent:master Jun 13, 2023
@ritazh ritazh added this to the v3.13.0 milestone Jul 12, 2023