package common
import (
"fmt"
"strings"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
auditv1 "k8s.io/apiserver/pkg/apis/audit/v1"
"sigs.k8s.io/yaml"
"github.com/aws/eks-anywhere/pkg/api/v1alpha1"
"github.com/aws/eks-anywhere/pkg/semver"
)
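// GetAuditPolicy returns the serialized audit policy for the given Kubernetes
// version: the audit.k8s.io/v1 policy from AuditPolicyV1 for 1.24 and later,
// and the v1beta1 policy string auditPolicy (defined elsewhere in this package)
// for older versions, since the v1beta1 audit API is no longer served by
// Kubernetes 1.24+.
//
// kubeVersion is a "<major>.<minor>" value such as v1alpha1.Kube124. An error
// is returned when either version string cannot be parsed as a semver or when
// the v1 policy cannot be marshalled.
func GetAuditPolicy(kubeVersion v1alpha1.KubernetesVersion) (string, error) {
	// KubernetesVersion carries only major.minor; append a ".0" patch so both
	// values are valid semver strings that can be compared.
	kubeVersionSemver, err := semver.New(string(kubeVersion) + ".0")
	if err != nil {
		return "", fmt.Errorf("error converting kubeVersion %v to semver %w", kubeVersion, err)
	}
	kube124Semver, err := semver.New(string(v1alpha1.Kube124) + ".0")
	if err != nil {
		// Report the version string that failed to parse; kube124Semver is nil
		// on this path, so it must not be used in the message.
		return "", fmt.Errorf("error converting kubeVersion %v to semver %w", v1alpha1.Kube124, err)
	}
	// Anything older than 1.24 still accepts the v1beta1 policy.
	if kubeVersionSemver.Compare(kube124Semver) < 0 {
		return auditPolicy, nil
	}
	auditPolicyV1, err := AuditPolicyV1Yaml()
	if err != nil {
		return "", fmt.Errorf("marshalling audit policy v1: %w", err)
	}
	return strings.TrimSpace(string(auditPolicyV1)), nil
}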
// AuditPolicyV1Yaml serializes the policy built by AuditPolicyV1 to YAML and
// returns the encoded bytes, or the error reported by yaml.Marshal.
func AuditPolicyV1Yaml() ([]byte, error) {
	return yaml.Marshal(AuditPolicyV1())
}
// AuditPolicyV1 builds the audit.k8s.io/v1 Policy applied to the cluster API
// server. Rules are ordered from most to least specific; per the audit API the
// first matching rule decides the audit level for a request, so the final
// catch-all Metadata rule must remain last.
func AuditPolicyV1() *auditv1.Policy {
	// Each rule that skips the RequestReceived stage gets its own slice so the
	// returned Policy does not alias storage between rules.
	skipRequestReceived := func() []auditv1.Stage {
		return []auditv1.Stage{auditv1.StageRequestReceived}
	}

	// The core ("") group plus the built-in API groups covered by the two broad
	// read/write rules near the end of the policy.
	builtinGroups := func() []auditv1.GroupResources {
		names := []string{
			"",
			"admissionregistration.k8s.io",
			"apiextensions.k8s.io",
			"apiregistration.k8s.io",
			"apps",
			"authentication.k8s.io",
			"authorization.k8s.io",
			"autoscaling",
			"batch",
			"certificates.k8s.io",
			"extensions",
			"metrics.k8s.io",
			"networking.k8s.io",
			"policy",
			"rbac.authorization.k8s.io",
			"scheduling.k8s.io",
			"settings.k8s.io",
			"storage.k8s.io",
		}
		groups := make([]auditv1.GroupResources, 0, len(names))
		for _, name := range names {
			groups = append(groups, auditv1.GroupResources{Group: name})
		}
		return groups
	}

	rules := []auditv1.PolicyRule{
		// Full request and response bodies for mutations of the aws-auth
		// ConfigMap in kube-system; presumably this maps AWS identities to
		// cluster RBAC, which makes changes to it high-value audit events.
		{
			Level: auditv1.LevelRequestResponse,
			Verbs: []string{"update", "patch", "delete"},
			Resources: []auditv1.GroupResources{{
				Resources:     []string{"configmaps"},
				ResourceNames: []string{"aws-auth"},
			}},
			OmitStages: skipRequestReceived(),
			Namespaces: []string{"kube-system"},
		},
		// High-volume control-plane chatter that is not logged at all.
		{
			Level: auditv1.LevelNone,
			Users: []string{"system:kube-proxy"},
			Verbs: []string{"watch"},
			Resources: []auditv1.GroupResources{{
				Resources: []string{"endpoints", "services", "services/status"},
			}},
		},
		{
			Level: auditv1.LevelNone,
			Users: []string{"kubelet"},
			Verbs: []string{"get"},
			Resources: []auditv1.GroupResources{{
				Resources: []string{"nodes", "nodes/status"},
			}},
		},
		// Not scoped to a user, so this also covers the kubelet rule above.
		{
			Level: auditv1.LevelNone,
			Verbs: []string{"get"},
			Resources: []auditv1.GroupResources{{
				Resources: []string{"nodes", "nodes/status"},
			}},
		},
		{
			Level: auditv1.LevelNone,
			Users: []string{
				"system:kube-controller-manager",
				"system:kube-scheduler",
				"system:serviceaccount:kube-system:endpoint-controller",
			},
			Verbs:      []string{"get", "update"},
			Resources:  []auditv1.GroupResources{{Resources: []string{"endpoints"}}},
			Namespaces: []string{"kube-system"},
		},
		{
			Level: auditv1.LevelNone,
			Users: []string{"system:apiserver"},
			Verbs: []string{"get"},
			Resources: []auditv1.GroupResources{{
				Resources: []string{"namespaces", "namespaces/status", "namespaces/finalize"},
			}},
		},
		{
			Level:     auditv1.LevelNone,
			Users:     []string{"system:kube-controller-manager"},
			Verbs:     []string{"get", "list"},
			Resources: []auditv1.GroupResources{{Group: "metrics.k8s.io"}},
		},
		{
			Level:           auditv1.LevelNone,
			NonResourceURLs: []string{"/healthz*", "/version", "/swagger*"},
		},
		{
			Level:     auditv1.LevelNone,
			Resources: []auditv1.GroupResources{{Resources: []string{"events"}}},
		},
		// Node and pod status writes by node agents: request body only.
		{
			Level: auditv1.LevelRequest,
			Users: []string{
				"kubelet",
				"system:node-problem-detector",
				"system:serviceaccount:kube-system:node-problem-detector",
			},
			Verbs:      []string{"update", "patch"},
			Resources:  []auditv1.GroupResources{{Resources: []string{"nodes/status", "pods/status"}}},
			OmitStages: skipRequestReceived(),
		},
		{
			Level:      auditv1.LevelRequest,
			Verbs:      []string{"update", "patch"},
			Resources:  []auditv1.GroupResources{{Resources: []string{"nodes/status", "pods/status"}}},
			OmitStages: skipRequestReceived(),
			UserGroups: []string{"system:nodes"},
		},
		{
			Level:      auditv1.LevelRequest,
			Users:      []string{"system:serviceaccount:kube-system:namespace-controller"},
			Verbs:      []string{"deletecollection"},
			OmitStages: skipRequestReceived(),
		},
		// Secrets, ConfigMaps and TokenReviews are recorded at Metadata only,
		// so secret values and bearer tokens do not enter the audit log.
		{
			Level: auditv1.LevelMetadata,
			Resources: []auditv1.GroupResources{
				{Resources: []string{"secrets", "configmaps"}},
				{Group: "authentication.k8s.io", Resources: []string{"tokenreviews"}},
			},
			OmitStages: skipRequestReceived(),
		},
		// Request rather than RequestResponse for token issuance, so the
		// service account token returned in the response is not recorded.
		{
			Level:     auditv1.LevelRequest,
			Resources: []auditv1.GroupResources{{Resources: []string{"serviceaccounts/token"}}},
		},
		// Reads across the built-in groups: request body only.
		{
			Level:      auditv1.LevelRequest,
			Verbs:      []string{"get", "list", "watch"},
			Resources:  builtinGroups(),
			OmitStages: skipRequestReceived(),
		},
		// Everything else on the built-in groups (writes): full bodies.
		{
			Level:      auditv1.LevelRequestResponse,
			Resources:  builtinGroups(),
			OmitStages: skipRequestReceived(),
		},
		// Catch-all: any request not matched above is logged at Metadata level.
		{
			Level:      auditv1.LevelMetadata,
			OmitStages: skipRequestReceived(),
		},
	}

	return &auditv1.Policy{
		TypeMeta: metav1.TypeMeta{Kind: "Policy", APIVersion: "audit.k8s.io/v1"},
		Rules:    rules,
	}
}