mirrors/talos
1
0
Fork 0
mirror of https://github.com/siderolabs/talos.git synced 2025-11-04 10:21:13 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: always override APIServer audit policy

Browse Source 
Fixes #7537

Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This commit is contained in:
Andrey Smirnov 2023-07-27 16:26:38 +04:00
parent 355681ddab
commit f863498ff6
No known key found for this signature in database
GPG Key ID: 7B26396447AB6DFD
6 changed files with 78 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
pkg/machinery/config/configpatcher/apply_test.go
View File

@ -130,3 +130,43 @@ func TestApplyMultiDoc(t *testing.T) {
}) })
} }
} }
//go:embed testdata/auditpolicy/config.yaml
var configAudit []byte
//go:embed testdata/auditpolicy/expected.yaml
var expectedAudit []byte
func TestApplyAuditPolicy(t *testing.T) {
patches, err := configpatcher.LoadPatches([]string{
"@testdata/auditpolicy/patch1.yaml",
})
require.NoError(t, err)
cfg, err := configloader.NewFromBytes(configAudit)
require.NoError(t, err)
for _, tt := range []struct {
name string
input configpatcher.Input
}{
{
name: "WithConfig",
input: configpatcher.WithConfig(cfg),
},
{
name: "WithBytes",
input: configpatcher.WithBytes(configAudit),
},
} {
t.Run(tt.name, func(t *testing.T) {
out, err := configpatcher.Apply(tt.input, patches)
require.NoError(t, err)
bytes, err := out.Bytes()
require.NoError(t, err)
assert.Equal(t, string(expectedAudit), string(bytes))
})
}
}

13
pkg/machinery/config/configpatcher/testdata/auditpolicy/config.yaml vendored Normal file
View File

@ -0,0 +1,13 @@
version: v1alpha1
machine:
network:
hostname: hostname-foo
cluster:
apiServer:
auditPolicy:
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
controlPlane:
endpoint: https://localhost:6443

16
pkg/machinery/config/configpatcher/testdata/auditpolicy/expected.yaml vendored Normal file
View File

@ -0,0 +1,16 @@
version: v1alpha1
machine:
type: ""
token: ""
certSANs: []
network:
hostname: hostname-foo
cluster:
controlPlane:
endpoint: https://localhost:6443
apiServer:
auditPolicy:
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: None

7
pkg/machinery/config/configpatcher/testdata/auditpolicy/patch1.yaml vendored Normal file
View File

@ -0,0 +1,7 @@
cluster:
apiServer:
auditPolicy:
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: None

2
pkg/machinery/config/types/v1alpha1/v1alpha1_types.go
View File

@ -1693,7 +1693,7 @@ type APIServerConfig struct {
// - value: APIServerDefaultAuditPolicy // - value: APIServerDefaultAuditPolicy
// schema: // schema:
// type: object // type: object
AuditPolicyConfig Unstructured `yaml:"auditPolicy,omitempty"` AuditPolicyConfig Unstructured `yaml:"auditPolicy,omitempty" merge:"replace"`
// description: | // description: |
// Configure the API server resources. // Configure the API server resources.
// schema: // schema:

1
website/content/v1.5/talos-guides/configuration/patching.md
View File

@ -49,6 +49,7 @@ There are some special rules:
- values of the fields `cluster.network.podSubnets` and `cluster.network.serviceSubnets` are overwritten on merge - values of the fields `cluster.network.podSubnets` and `cluster.network.serviceSubnets` are overwritten on merge
- `network.interfaces` section is merged with the value in the machine config if there is a match on `interface:` or `deviceSelector:` keys - `network.interfaces` section is merged with the value in the machine config if there is a match on `interface:` or `deviceSelector:` keys
- `network.interfaces.vlans` section is merged with the value in the machine config if there is a match on the `vlanId:` key - `network.interfaces.vlans` section is merged with the value in the machine config if there is a match on the `vlanId:` key
- `cluster.apiServer.auditPolicy` value is replaced on merge
When patching a multi-document machine configuration, following rules apply: When patching a multi-document machine configuration, following rules apply: