Track which user created resources #13925
Conversation
|
@kubernetes/kube-api - the proposal didn't get many comments but this adds a new metadata field to track created users. |
|
I assume |
| @@ -25,6 +25,9 @@ import ( | |||
| // FillObjectMetaSystemFields populates fields that are managed by the system on ObjectMeta. | |||
| func FillObjectMetaSystemFields(ctx Context, meta *ObjectMeta) { | |||
| meta.CreationTimestamp = util.Now() | |||
| if user, ok := UserFrom(ctx); ok { | |||
There was a problem hiding this comment.
When would there never be a user?
There was a problem hiding this comment.
Yes, I don't want to create new names even if the english is slightly
weird. We're fairly good at "" in our API - "creation" is
the concept, "type" is "UserName", "Timestamp", "PeriodInSeconds", "Name",
"Ref"
On Mon, Sep 14, 2015 at 1:41 PM, Derek Carr [email protected]
wrote:
In pkg/api/meta.go
#13925 (comment)
:@@ -25,6 +25,9 @@ import (
// FillObjectMetaSystemFields populates fields that are managed by the system on ObjectMeta.
func FillObjectMetaSystemFields(ctx Context, meta *ObjectMeta) {
meta.CreationTimestamp = util.Now()
- if user, ok := UserFrom(ctx); ok {
When would there never be a user?
—
Reply to this email directly or view it on GitHub
https://github.com/kubernetes/kubernetes/pull/13925/files#r39422744.
Clayton Coleman | Lead Engineer, OpenShift
There was a problem hiding this comment.
There could not be a user if it's an object created before this change went
in, created by a core system process (like endpoints and namespaces created
by the master on startup), or created by direct edit in etcd that does not
require authentication. Or a cluster that doesn't require authentication
or doesn't pass that info to Kube.
On Mon, Sep 14, 2015 at 2:08 PM, Clayton Coleman [email protected]
wrote:
Yes, I don't want to create new names even if the english is slightly
weird. We're fairly good at "" in our API - "creation" is
the concept, "type" is "UserName", "Timestamp", "PeriodInSeconds", "Name",
"Ref"On Mon, Sep 14, 2015 at 1:41 PM, Derek Carr [email protected]
wrote:In pkg/api/meta.go
#13925 (comment)
:@@ -25,6 +25,9 @@ import (
// FillObjectMetaSystemFields populates fields that are managed by the system on ObjectMeta.
func FillObjectMetaSystemFields(ctx Context, meta *ObjectMeta) {
meta.CreationTimestamp = util.Now()
- if user, ok := UserFrom(ctx); ok {
When would there never be a user?
—
Reply to this email directly or view it on GitHub
https://github.com/kubernetes/kubernetes/pull/13925/files#r39422744.Clayton Coleman | Lead Engineer, OpenShift
Clayton Coleman | Lead Engineer, OpenShift
|
ok to test |
|
@bgrant0607 let me know if the naming makes sense here |
|
I understand that you want a field that can't be set/modified by the client, as opposed to an annotation. I'm fine with that. CreationUserName seems fine with respect to the field naming conventions. I also like that CreationUserName makes it clear that it's a user name and not, for instance, a controller name. What I don't know is what our plans for User concepts/APIs are. Is "UserName" consistent with our current thinking in that direction? @erictune? @liggitt? @derekwaynecarr? |
| @@ -273,6 +273,12 @@ func ValidateObjectMetaUpdate(new, old *api.ObjectMeta) errs.ValidationErrorList | |||
| } else { | |||
| new.CreationTimestamp = old.CreationTimestamp | |||
| } | |||
| // ignore changes to user name | |||
| if len(old.CreationUserName) == 0 { | |||
| old.CreationUserName = new.CreationUserName | |||
There was a problem hiding this comment.
If it was empty before, it seems weird to allow it to be updated later.
There was a problem hiding this comment.
It was to allow an automated process to update it for legacy data. So
someone upgrading from Kube 1.0 would be able to be assigned the value. I
can disable the ability to set it post creation, which means we have no API
path to ever set that value and would have to write directly to etcd.
Allowing it to be set from empty to something post create has potential for
abuse.
On Sep 16, 2015, at 9:47 AM, David Eads [email protected] wrote:
In pkg/api/validation/validation.go
#13925 (comment):
@@ -273,6 +273,12 @@ func ValidateObjectMetaUpdate(new, old *api.ObjectMeta) errs.ValidationErrorList
} else {
new.CreationTimestamp = old.CreationTimestamp
}
- // ignore changes to user name
- if len(old.CreationUserName) == 0 {
old.CreationUserName = new.CreationUserName
If it was empty before, it seems weird to allow it to be updated later.
—
Reply to this email directly or view it on GitHub
https://github.com/kubernetes/kubernetes/pull/13925/files#r39630766.
There was a problem hiding this comment.
+1 for making it immutable by default
|
On Sep 16, 2015, at 1:24 AM, Brian Grant [email protected] wrote: I understand that you want a field that can't be set/modified by the CreationUserName seems fine with respect to the field naming conventions. I also like that CreationUserName makes it clear that it's a user name and What I don't know is what our plans for User concepts/APIs are. Is As defined in our authentication patterns we settled on UserName as the — |
|
CreationUserName seems ok. The user.Info interface has both Name() and UID(). Do we want to preserve both (that gets us point in time uniqueness as well). |
|
I wanted to make the minimal change here to start down the path. If On Wed, Sep 16, 2015 at 12:57 PM, Jordan Liggitt [email protected]
Clayton Coleman | Lead Engineer, OpenShift |
2fc55dc to
4023b9c
Compare
4023b9c to
c163105
Compare
Adds `creationUserName` which records the creating user in the resource for use in audit scenarios. Set by the system automatically to the user name returned by the authentication plugin. Clients must assume that the name value may be machine-readable and therefore is not guaranteed to be a pretty name.
c163105 to
a3d32f9
Compare
|
Rebased. This is as minimal a change as I can make that provides real value. Do we have consensus on |
|
code lgtm. I like username as a starting point. |
|
@saad-ali because he ❤️ events. |
|
Downside is that is a lot more events. Also, today at least events are owned by a namespace so they can be deleted when the namespace is deleted. |
|
It may be worth comparing with other IaaS/PaaS APIs which are mature enough
On Thu, Dec 24, 2015 at 8:35 PM, Clayton Coleman [email protected]
|
|
The salesforce metadata is another good metric of what and end state
metadata audit looks like:
https://help.salesforce.com/apex/HTViewHelpDoc?id=field_audit_trail.htm&language=en_US
Tracks creator and updater.
I think event tracking makes a lot of sense for approaching audit, but does
require more thought in how events are implemented and handled. For
instance, having events warehoused, survive namespace deletion, and
protected/exposed safely to end users.
|
|
Just curious how this request is progressing. Specifically the created-by-user is of great interest but not for an audit perspective but more as a pod attribute. As discussed in #19079 (and sorry for those who have read both of these comments!) I am interested in this as we are working on integrating our scheduler (Grid Engine) with kubernetes and from our past experience user ownership of compute tasks is important when organizations implement resource allocation policies. It would be useful for us to be able to quota against users, favor pods created by one user over another, and group pods of certain users under hierarchical organizational groups. With our scheduler we could do just about all of this now in kubernetes if there was a user tag on resources. |
|
@cameronbrunner Resources are often created by controllers in kubernetes, not end-users. Before we can have this feature in a useful way, we would need to implement acting-as #16933. |
|
This PR has had no meaningful activity for multiple months. If it is still valid please rebase, push a new commit and reopen the PR. Thanks! |
|
Why did we drop this? It seems useful. |
|
GCE e2e build/test failed for commit a3d32f9. Please reference the list of currently known flakes when examining this failure. If you request a re-test, you must reference the issue describing the flake. |
|
@erictune @smarterclayton Since #23549 was merged, what is the current progress with this PR? Let me know if I can help with anything. |
|
cc @mikedanese |
|
#27087 will add a detailed audit log. We should see how many use cases that satisfies (I know it does not satisfy @cameronbrunner use case, but want to see how many other need this after we have an audit log). Also, submitting this before we have implemented controllers that use "acting-as" will mean that we have to do a breaking change once we add "acting-as" support. So, we should do that first, and then reevaluate this. |
|
@aanm It would be helpful if you could describe in detail how you would use this field. |
|
@erictune It would help to allow or deny network traffic from/to a particular user. |
|
@erictune The use case is derived from the Net-SIG NetworkPolicy decision which now allows ingress rules based on PodSelector. We would like to allow for the creation of rules based on who has created/is running a particular pod. |
|
Why not do this based on the service account of the pod? This allows two good things:
|
|
@sttts fyi |
|
Can one of the admins verify that this patch is reasonable to test? If so, please reply "ok to test". This message will repeat several times in short succession due to jenkinsci/ghprb-plugin#292. Sorry. |
|
This PR hasn't been active in 90 days. Closing this PR. Please reopen if you would like to work towards merging this change, if/when the PR is ready for the next round of review. You can add 'keep-open' label to prevent this from happening again, or add a comment to keep it open another 90 days |
Adds
creationUserNamewhich records the creating user in the resourcefor use in audit scenarios. Set by the system automatically to the user
name returned by the authentication plugin. Clients must assume that the
name value may be machine-readable and therefore is not guaranteed to be
a pretty name.
Fixes #13306
This change is