Matthias Andreas Benkard | 832a54e | 2019-01-29 09:27:38 +0100 | [diff] [blame] | 1 | /* |
| 2 | Copyright 2017 The Kubernetes Authors. |
| 3 | |
| 4 | Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | you may not use this file except in compliance with the License. |
| 6 | You may obtain a copy of the License at |
| 7 | |
| 8 | http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | |
| 10 | Unless required by applicable law or agreed to in writing, software |
| 11 | distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | See the License for the specific language governing permissions and |
| 14 | limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | // Package webhook implements the audit.Backend interface using HTTP webhooks. |
| 18 | package webhook |
| 19 | |
| 20 | import ( |
| 21 | "time" |
| 22 | |
| 23 | "k8s.io/apimachinery/pkg/runtime/schema" |
| 24 | auditinternal "k8s.io/apiserver/pkg/apis/audit" |
| 25 | "k8s.io/apiserver/pkg/apis/audit/install" |
| 26 | "k8s.io/apiserver/pkg/audit" |
| 27 | "k8s.io/apiserver/pkg/util/webhook" |
| 28 | "k8s.io/client-go/rest" |
| 29 | ) |
| 30 | |
| 31 | const ( |
| 32 | // PluginName is the name of this plugin, to be used in help and logs. |
| 33 | PluginName = "webhook" |
| 34 | |
| 35 | // DefaultInitialBackoff is the default amount of time to wait before |
| 36 | // retrying sending audit events through a webhook. |
| 37 | DefaultInitialBackoff = 10 * time.Second |
| 38 | ) |
| 39 | |
| 40 | func init() { |
| 41 | install.Install(audit.Scheme) |
| 42 | } |
| 43 | |
| 44 | func loadWebhook(configFile string, groupVersion schema.GroupVersion, initialBackoff time.Duration) (*webhook.GenericWebhook, error) { |
| 45 | return webhook.NewGenericWebhook(audit.Scheme, audit.Codecs, configFile, |
| 46 | []schema.GroupVersion{groupVersion}, initialBackoff) |
| 47 | } |
| 48 | |
| 49 | type backend struct { |
| 50 | w *webhook.GenericWebhook |
| 51 | } |
| 52 | |
| 53 | // NewBackend returns an audit backend that sends events over HTTP to an external service. |
| 54 | func NewBackend(kubeConfigFile string, groupVersion schema.GroupVersion, initialBackoff time.Duration) (audit.Backend, error) { |
| 55 | w, err := loadWebhook(kubeConfigFile, groupVersion, initialBackoff) |
| 56 | if err != nil { |
| 57 | return nil, err |
| 58 | } |
| 59 | return &backend{w}, nil |
| 60 | } |
| 61 | |
| 62 | func (b *backend) Run(stopCh <-chan struct{}) error { |
| 63 | return nil |
| 64 | } |
| 65 | |
| 66 | func (b *backend) Shutdown() { |
| 67 | // nothing to do here |
| 68 | } |
| 69 | |
| 70 | func (b *backend) ProcessEvents(ev ...*auditinternal.Event) { |
| 71 | if err := b.processEvents(ev...); err != nil { |
| 72 | audit.HandlePluginError(PluginName, err, ev...) |
| 73 | } |
| 74 | } |
| 75 | |
| 76 | func (b *backend) processEvents(ev ...*auditinternal.Event) error { |
| 77 | var list auditinternal.EventList |
| 78 | for _, e := range ev { |
| 79 | list.Items = append(list.Items, *e) |
| 80 | } |
| 81 | return b.w.WithExponentialBackoff(func() rest.Result { |
| 82 | return b.w.RestClient.Post().Body(&list).Do() |
| 83 | }).Error() |
| 84 | } |
| 85 | |
| 86 | func (b *backend) String() string { |
| 87 | return PluginName |
| 88 | } |