fix: always override APIServer audit policy

Fixes #7537 Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
2025-11-01 08:51:15 +01:00 · 2023-07-27 16:26:38 +04:00 · 2023-07-27 16:26:38 +04:00 · f863498ff6
commit f863498ff6
parent 355681ddab
6 changed files with 78 additions and 1 deletions
--- a/pkg/machinery/config/configpatcher/apply_test.go
+++ b/pkg/machinery/config/configpatcher/apply_test.go
@ -130,3 +130,43 @@ func TestApplyMultiDoc(t *testing.T) {
 		})
 	}
 }
+
+//go:embed testdata/auditpolicy/config.yaml
+var configAudit []byte
+
+//go:embed testdata/auditpolicy/expected.yaml
+var expectedAudit []byte
+
+func TestApplyAuditPolicy(t *testing.T) {
+	patches, err := configpatcher.LoadPatches([]string{
+		"@testdata/auditpolicy/patch1.yaml",
+	})
+	require.NoError(t, err)
+
+	cfg, err := configloader.NewFromBytes(configAudit)
+	require.NoError(t, err)
+
+	for _, tt := range []struct {
+		name  string
+		input configpatcher.Input
+	}{
+		{
+			name:  "WithConfig",
+			input: configpatcher.WithConfig(cfg),
+		},
+		{
+			name:  "WithBytes",
+			input: configpatcher.WithBytes(configAudit),
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			out, err := configpatcher.Apply(tt.input, patches)
+			require.NoError(t, err)
+
+			bytes, err := out.Bytes()
+			require.NoError(t, err)
+
+			assert.Equal(t, string(expectedAudit), string(bytes))
+		})
+	}
+}
--- a/pkg/machinery/config/configpatcher/testdata/auditpolicy/config.yaml
+++ b/pkg/machinery/config/configpatcher/testdata/auditpolicy/config.yaml
@ -0,0 +1,13 @@
+version: v1alpha1
+machine:
+  network:
+    hostname: hostname-foo
+cluster:
+  apiServer:
+    auditPolicy:
+      apiVersion: audit.k8s.io/v1
+      kind: Policy
+      rules:
+        - level: Metadata
+  controlPlane:
+    endpoint: https://localhost:6443
--- a/pkg/machinery/config/configpatcher/testdata/auditpolicy/expected.yaml
+++ b/pkg/machinery/config/configpatcher/testdata/auditpolicy/expected.yaml
@ -0,0 +1,16 @@
+version: v1alpha1
+machine:
+    type: ""
+    token: ""
+    certSANs: []
+    network:
+        hostname: hostname-foo
+cluster:
+    controlPlane:
+        endpoint: https://localhost:6443
+    apiServer:
+        auditPolicy:
+            apiVersion: audit.k8s.io/v1
+            kind: Policy
+            rules:
+                - level: None
--- a/pkg/machinery/config/configpatcher/testdata/auditpolicy/patch1.yaml
+++ b/pkg/machinery/config/configpatcher/testdata/auditpolicy/patch1.yaml
@ -0,0 +1,7 @@
+cluster:
+  apiServer:
+    auditPolicy:
+      apiVersion: audit.k8s.io/v1
+      kind: Policy
+      rules:
+        - level: None
--- a/pkg/machinery/config/types/v1alpha1/v1alpha1_types.go
+++ b/pkg/machinery/config/types/v1alpha1/v1alpha1_types.go
@ -1693,7 +1693,7 @@ type APIServerConfig struct {
 	//     - value: APIServerDefaultAuditPolicy
 	//   schema:
 	//     type: object
-	AuditPolicyConfig Unstructured `yaml:"auditPolicy,omitempty"`
+	AuditPolicyConfig Unstructured `yaml:"auditPolicy,omitempty" merge:"replace"`
 	//   description: |
 	//     Configure the API server resources.
 	//   schema:
--- a/website/content/v1.5/talos-guides/configuration/patching.md
+++ b/website/content/v1.5/talos-guides/configuration/patching.md
@ -49,6 +49,7 @@ There are some special rules:
  - values of the fields `cluster.network.podSubnets` and `cluster.network.serviceSubnets` are overwritten on merge
  - `network.interfaces` section is merged with the value in the machine config if there is a match on `interface:` or `deviceSelector:` keys
  - `network.interfaces.vlans` section is merged with the value in the machine config if there is a match on the `vlanId:` key
+  - `cluster.apiServer.auditPolicy` value is replaced on merge

 When patching a multi-document machine configuration, following rules apply: