
feat: log details on log denies#2813

Merged
sozercan merged 4 commits into
open-policy-agent:masterfrom
acpana:acpana/log-details
Jun 13, 2023

Conversation

@acpana acpana commented Jun 3, 2023

Smallest of patches to log the details of a violation. I don't think this has a place in audit but am open to reconsider.

Addresses #2790

Example:

{
  "level": "info",
  "ts": 1685780064.9552832,
  "logger": "webhook",
  "msg": "denied admission: All namespaces must have an `owner` label that points to your company username",
  "hookType": "validation",
  "process": "admission",
  "event_type": "violation",
  "constraint_name": "all-must-have-owner",
  "constraint_group": "constraints.gatekeeper.sh",
  "constraint_api_version": "v1beta1",
  "constraint_kind": "K8sRequiredLabelsOptimized",
  "constraint_action": "deny",
  "violation_metadata": {
    "details": {
      "missing_labels": [
        "owner"
      ]
    }
  },
  "resource_group": "",
  "resource_api_version": "v1",
  "resource_kind": "Namespace",
  "resource_namespace": "",
  "resource_name": "disallowed-namespace",
  "request_username": "kubernetes-admin"
}

Signed-off-by: Alex Pana <8968914+acpana@users.noreply.github.com>
@acpana acpana requested a review from maxsmythe June 3, 2023 22:08
codecov-commenter commented Jun 3, 2023

Codecov Report

Patch coverage: 4.54% and project coverage change: +0.12 🎉

Comparison is base (ba39189) 52.73% compared to head (5bff76d) 52.86%.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #2813      +/-   ##
==========================================
+ Coverage   52.73%   52.86%   +0.12%     
==========================================
  Files         132      132              
  Lines       11629    11632       +3     
==========================================
+ Hits         6133     6149      +16     
+ Misses       5013     5005       -8     
+ Partials      483      478       -5     
Flag Coverage Δ
unittests 52.86% <4.54%> (+0.12%) ⬆️


Impacted Files Coverage Δ
pkg/util/wildcard.go 100.00% <ø> (ø)
pkg/webhook/mutation.go 24.65% <0.00%> (-0.86%) ⬇️
pkg/webhook/policy.go 35.97% <7.69%> (-0.56%) ⬇️

... and 1 file with indirect coverage changes


@maxsmythe

Why don't you think audit should also report details?

@maxsmythe

FWIW audit already reports details:

logging.Details, details,

Comment thread pkg/logging/logging.go (outdated)
Mutator = "mutator"
DebugLevel = 2 // r.log.Debug(foo) == r.log.V(logging.DebugLevel).Info(foo)
ExecutionStats = "execution_stats"
ViolationMetadata = "violation_metadata"
@maxsmythe

We should be consistent with how audit handles the details field:

logging.Details, details,

@acpana

Oh I missed that! 🤦🏼

Deduping this comment with the audit logging. I figured that logging the details of the rego evaluations for every object for every audit run would be too noisy. At present, we only log details for a violation in audit so this should be consistent with the audit behavior now:

func logViolation(l logr.Logger,
	constraint *unstructured.Unstructured,
	enforcementAction util.EnforcementAction, resourceGroupVersionKind schema.GroupVersionKind, rnamespace, rname, message string, details interface{}, rlabels map[string]string,
) {
	userConstraintAnnotations := constraint.GetAnnotations()
	delete(userConstraintAnnotations, "kubectl.kubernetes.io/last-applied-configuration")
	l.Info(
		message,
		logging.Details, details,
		logging.EventType, "violation_audited",
		logging.ConstraintGroup, constraint.GroupVersionKind().Group,
		logging.ConstraintAPIVersion, constraint.GroupVersionKind().Version,
		logging.ConstraintKind, constraint.GetKind(),
		logging.ConstraintName, constraint.GetName(),
		logging.ConstraintNamespace, constraint.GetNamespace(),
		logging.ConstraintAction, enforcementAction,
		logging.ConstraintAnnotations, userConstraintAnnotations,
		logging.ResourceGroup, resourceGroupVersionKind.Group,
		logging.ResourceAPIVersion, resourceGroupVersionKind.Version,
		logging.ResourceKind, resourceGroupVersionKind.Kind,
		logging.ResourceNamespace, rnamespace,
		logging.ResourceName, rname,
		logging.ResourceLabels, rlabels,
	)
}

Signed-off-by: Alex Pana <8968914+acpana@users.noreply.github.com>
@acpana acpana requested a review from maxsmythe June 6, 2023 00:53
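The PR description shows the webhook deny line with its nested violation_metadata.details, and the reply above shows audit emitting the same details under logging.Details with event_type "violation_audited". The following is an added example, not Gatekeeper's own code, of how a log consumer (an alerting or triage pipeline) would read both shapes consistently: it decodes a line, classifies it as a webhook deny or an audit finding, pulls out the template-defined details, and tallies findings per constraint while reporting (not swallowing) malformed lines. It assumes the audit line carries the details under a top-level "details" key (taken to be the value of logging.Details; a labelled assumption), and the sample log lines are constructed for the example, modelled on the PR's output.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// violationLog mirrors the structured keys in the PR's output. Webhook denies
// nest details under violation_metadata; audit findings are assumed to use a
// top-level "details" key (logging.Details). Unknown keys are ignored.
type violationLog struct {
	EventType         string `json:"event_type"`
	ConstraintName    string `json:"constraint_name"`
	ConstraintKind    string `json:"constraint_kind"`
	ResourceKind      string `json:"resource_kind"`
	ResourceNamespace string `json:"resource_namespace"`
	ResourceName      string `json:"resource_name"`
	RequestUsername   string `json:"request_username"`
	ViolationMetadata struct {
		Details interface{} `json:"details"`
	} `json:"violation_metadata"`
	Details interface{} `json:"details"`
}

// Finding is the normalized record a detection pipeline keeps per violation.
type Finding struct {
	Source     string      // "webhook" or "audit"
	Constraint string      // kind/name
	Resource   string      // kind/[namespace/]name
	Actor      string      // request_username; empty for audit findings
	Details    interface{} // shape is defined by the constraint template
}

// ParseViolation decodes one JSON log line. ok is false for well-formed lines
// that are not violation events; err is non-nil for lines that are not JSON.
func ParseViolation(line string) (Finding, bool, error) {
	var v violationLog
	if err := json.Unmarshal([]byte(line), &v); err != nil {
		return Finding{}, false, fmt.Errorf("bad log line: %w", err)
	}
	var f Finding
	switch v.EventType {
	case "violation":
		f.Source = "webhook"
	case "violation_audited":
		f.Source = "audit"
	default:
		return Finding{}, false, nil
	}
	f.Constraint = v.ConstraintKind + "/" + v.ConstraintName
	f.Resource = v.ResourceKind + "/" + v.ResourceName
	if v.ResourceNamespace != "" {
		f.Resource = v.ResourceKind + "/" + v.ResourceNamespace + "/" + v.ResourceName
	}
	f.Actor = v.RequestUsername
	// Prefer the webhook nesting; fall back to the assumed audit key.
	f.Details = v.ViolationMetadata.Details
	if f.Details == nil {
		f.Details = v.Details
	}
	return f, true, nil
}

// MissingLabels extracts the missing_labels list emitted by the required-labels
// template in the PR example; nil when the details carry no such list.
func MissingLabels(f Finding) []string {
	m, ok := f.Details.(map[string]interface{})
	if !ok {
		return nil
	}
	raw, ok := m["missing_labels"].([]interface{})
	if !ok {
		return nil
	}
	out := make([]string, 0, len(raw))
	for _, l := range raw {
		if s, ok := l.(string); ok {
			out = append(out, s)
		}
	}
	return out
}

// CountByConstraint tallies webhook and audit findings per constraint,
// skipping non-violation lines and returning parse errors for the rest.
func CountByConstraint(lines []string) (map[string]int, []error) {
	counts := map[string]int{}
	var errs []error
	for _, line := range lines {
		f, ok, err := ParseViolation(line)
		if err != nil {
			errs = append(errs, err)
			continue
		}
		if ok {
			counts[f.Constraint]++
		}
	}
	return counts, errs
}

// Constructed sample lines: a webhook deny shaped like the PR example, an audit
// finding for the same constraint, an unrelated info line, and a garbage line.
var sampleLines = []string{
	`{"level":"info","logger":"webhook","msg":"denied admission: All namespaces must have an owner label","event_type":"violation","constraint_name":"all-must-have-owner","constraint_kind":"K8sRequiredLabelsOptimized","constraint_action":"deny","violation_metadata":{"details":{"missing_labels":["owner"]}},"resource_kind":"Namespace","resource_namespace":"","resource_name":"disallowed-namespace","request_username":"kubernetes-admin"}`,
	`{"level":"info","logger":"controller","msg":"All namespaces must have an owner label","event_type":"violation_audited","details":{"missing_labels":["owner","team"]},"constraint_name":"all-must-have-owner","constraint_kind":"K8sRequiredLabelsOptimized","constraint_action":"deny","resource_kind":"Namespace","resource_namespace":"","resource_name":"legacy-ns"}`,
	`{"level":"info","logger":"webhook","msg":"admission allowed","process":"admission"}`,
	`not json at all`,
}

func main() {
	counts, errs := CountByConstraint(sampleLines)
	fmt.Println("findings per constraint:", counts)
	for _, e := range errs {
		fmt.Println("skipped:", e)
	}
	for _, line := range sampleLines {
		if f, ok, err := ParseViolation(line); err == nil && ok {
			fmt.Printf("%s %s %s actor=%q missing=%v\n", f.Source, f.Constraint, f.Resource, f.Actor, MissingLabels(f))
		}
	}
}
```

Keeping Details dynamic rather than typed is deliberate: the shape is whatever the constraint template returns, so a consumer that hard-codes one template's keys will silently drop details from every other template.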
acpana commented Jun 6, 2023

@maxsmythe PTAL when you have some time 🙏🏼 ; this is a one liner now hehe

Comment thread pkg/webhook/policy.go (outdated)
Co-authored-by: Jaydipkumar Arvindbhai Gabani <gabanijaydip@gmail.com>
Signed-off-by: alex <8968914+acpana@users.noreply.github.com>
@acpana acpana requested a review from JaydipGabani June 9, 2023 20:27
@sozercan sozercan left a comment


LGTM

@maxsmythe maxsmythe left a comment


LGTM

@sozercan sozercan merged commit 3847284 into open-policy-agent:master Jun 13, 2023
@ritazh ritazh added this to the v3.13.0 milestone Jul 12, 2023