UPSTREAM: 131694: Eliminate AuditContext`s SetEventLevel

Signed-off-by: Davanum Srinivas <[email protected]>
Co-Authored-By: Jordan Liggitt <[email protected]>

Set event level during context init

Signed-off-by: Davanum Srinivas <[email protected]>

Author: dims

staging/src/k8s.io/apiserver/pkg/admission/audit_test.go

@@ -144,7 +144,10 @@ func TestWithAudit(t *testing.T) {
 		var handler Interface = fakeHandler{tc.admit, tc.admitAnnotations, tc.validate, tc.validateAnnotations, tc.handles}
 		ctx := audit.WithAuditContext(context.Background())
 		ac := audit.AuditContextFrom(ctx)
-		ac.SetEventLevel(auditinternal.LevelMetadata)
+		if err := ac.Init(audit.RequestAuditConfig{Level: auditinternal.LevelMetadata}, nil); err != nil {
+			t.Fatal(err)
+		}
+
 		auditHandler := WithAudit(handler)
 		a := attributes()
 
@@ -186,8 +189,6 @@ func TestWithAuditConcurrency(t *testing.T) {
 	}
 	var handler Interface = fakeHandler{admitAnnotations: admitAnnotations, handles: true}
 	ctx := audit.WithAuditContext(context.Background())
-	ac := audit.AuditContextFrom(ctx)
-	ac.SetEventLevel(auditinternal.LevelMetadata)
 	auditHandler := WithAudit(handler)
 	a := attributes()
 

staging/src/k8s.io/apiserver/pkg/audit/context.go

@@ -46,8 +46,6 @@ type AuditContext struct {
 	// initialized indicates whether requestAuditConfig and sink have been populated and are safe to read unguarded.
 	// This should only be set via Init().
 	initialized atomic.Bool
-	// initialize wraps setting requestAuditConfig and sink, and is only called via Init().
-	initialize sync.Once
 	// requestAuditConfig is the audit configuration that applies to the request.
 	// This should only be written via Init(RequestAuditConfig, Sink), and only read when initialized.Load() is true.
 	requestAuditConfig RequestAuditConfig
@@ -81,16 +79,15 @@ func (ac *AuditContext) Enabled() bool {
 }
 
 func (ac *AuditContext) Init(requestAuditConfig RequestAuditConfig, sink Sink) error {
-	initialized := false
-	ac.initialize.Do(func() {
-		ac.requestAuditConfig = requestAuditConfig
-		ac.sink = sink
-		ac.initialized.Store(true)
-		initialized = true
-	})
-	if !initialized {
+	ac.lock.Lock()
+	defer ac.lock.Unlock()
+	if ac.initialized.Load() {
 		return errors.New("audit context was already initialized")
 	}
+	ac.requestAuditConfig = requestAuditConfig
+	ac.sink = sink
+	ac.event.Level = requestAuditConfig.Level
+	ac.initialized.Store(true)
 	return nil
 }
 
@@ -198,12 +195,6 @@ func (ac *AuditContext) GetEventLevel() auditinternal.Level {
 	return level
 }
 
-func (ac *AuditContext) SetEventLevel(level auditinternal.Level) {
-	ac.visitEvent(func(event *auditinternal.Event) {
-		event.Level = level
-	})
-}
-
 func (ac *AuditContext) SetEventStage(stage auditinternal.Stage) {
 	ac.visitEvent(func(event *auditinternal.Event) {
 		event.Stage = stage

staging/src/k8s.io/apiserver/pkg/audit/request.go

@@ -40,7 +40,7 @@ const (
 	userAgentTruncateSuffix = "...TRUNCATED"
 )
 
-func LogRequestMetadata(ctx context.Context, req *http.Request, requestReceivedTimestamp time.Time, level auditinternal.Level, attribs authorizer.Attributes) {
+func LogRequestMetadata(ctx context.Context, req *http.Request, requestReceivedTimestamp time.Time, attribs authorizer.Attributes) {
 	ac := AuditContextFrom(ctx)
 	if !ac.Enabled() {
 		return
@@ -51,7 +51,6 @@ func LogRequestMetadata(ctx context.Context, req *http.Request, requestReceivedT
 		ev.Verb = attribs.GetVerb()
 		ev.RequestURI = req.URL.RequestURI()
 		ev.UserAgent = maybeTruncateUserAgent(req)
-		ev.Level = level
 
 		ips := utilnet.SourceIPs(req)
 		ev.SourceIPs = make([]string, len(ips))

staging/src/k8s.io/apiserver/pkg/authentication/token/cache/cached_token_authenticator.go

@@ -33,7 +33,6 @@ import (
 	"golang.org/x/sync/singleflight"
 
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
-	auditinternal "k8s.io/apiserver/pkg/apis/audit"
 	"k8s.io/apiserver/pkg/audit"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/warning"
@@ -199,9 +198,6 @@ func (a *cachedTokenAuthenticator) doAuthenticateToken(ctx context.Context, toke
 
 		ctx = audit.WithAuditContext(ctx)
 		ac := audit.AuditContextFrom(ctx)
-		// since this is shared work between multiple requests, we have no way of knowing if any
-		// particular request supports audit annotations.  thus we always attempt to record them.
-		ac.SetEventLevel(auditinternal.LevelMetadata)
 
 		record.resp, record.ok, record.err = a.authenticator.AuthenticateToken(ctx, token)
 		record.annotations = ac.GetEventAnnotations()

staging/src/k8s.io/apiserver/pkg/authentication/token/cache/cached_token_authenticator_test.go

@@ -35,7 +35,6 @@ import (
 
 	utilrand "k8s.io/apimachinery/pkg/util/rand"
 	"k8s.io/apimachinery/pkg/util/uuid"
-	auditinternal "k8s.io/apiserver/pkg/apis/audit"
 	"k8s.io/apiserver/pkg/audit"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/user"
@@ -546,8 +545,6 @@ func (s *singleBenchmark) bench(b *testing.B) {
 // extraction.
 func withAudit(ctx context.Context) context.Context {
 	ctx = audit.WithAuditContext(ctx)
-	ac := audit.AuditContextFrom(ctx)
-	ac.SetEventLevel(auditinternal.LevelMetadata)
 	return ctx
 }
 

staging/src/k8s.io/apiserver/pkg/endpoints/filters/audit.go

@@ -142,7 +142,7 @@ func evaluatePolicyAndCreateAuditEvent(req *http.Request, policy audit.PolicyRul
 	if !ok {
 		requestReceivedTimestamp = time.Now()
 	}
-	audit.LogRequestMetadata(ctx, req, requestReceivedTimestamp, rac.Level, attribs)
+	audit.LogRequestMetadata(ctx, req, requestReceivedTimestamp, attribs)
 
 	return ac, nil
 }

staging/src/k8s.io/apiserver/pkg/endpoints/handlers/delete_test.go

@@ -31,7 +31,12 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/runtime/serializer"
+<<<<<<< HEAD
 	auditapis "k8s.io/apiserver/pkg/apis/audit"
+=======
+	"k8s.io/apiserver/pkg/admission"
+	auditinternal "k8s.io/apiserver/pkg/apis/audit"
+>>>>>>> ad91dd2caa0 (UPSTREAM: 131694: Eliminate AuditContext`s SetEventLevel)
 	"k8s.io/apiserver/pkg/audit"
 	"k8s.io/apiserver/pkg/endpoints/handlers/negotiation"
 	"k8s.io/apiserver/pkg/registry/rest"
@@ -66,7 +71,9 @@ func TestDeleteResourceAuditLogRequestObject(t *testing.T) {
 
 	ctx := audit.WithAuditContext(context.TODO())
 	ac := audit.AuditContextFrom(ctx)
-	ac.SetEventLevel(auditapis.LevelRequestResponse)
+	if err := ac.Init(audit.RequestAuditConfig{Level: auditinternal.LevelRequestResponse}, nil); err != nil {
+		t.Fatal(err)
+	}
 
 	policy := metav1.DeletePropagationBackground
 	deleteOption := &metav1.DeleteOptions{

staging/src/k8s.io/apiserver/pkg/util/x509metrics/server_cert_deprecations_test.go

@@ -30,7 +30,6 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/require"
-	auditapi "k8s.io/apiserver/pkg/apis/audit"
 	"k8s.io/apiserver/pkg/audit"
 	"k8s.io/component-base/metrics"
 	"k8s.io/component-base/metrics/testutil"
@@ -247,7 +246,6 @@ func TestCheckForHostnameError(t *testing.T) {
 			}
 			req = req.WithContext(audit.WithAuditContext(req.Context()))
 			auditCtx := audit.AuditContextFrom(req.Context())
-			auditCtx.SetEventLevel(auditapi.LevelMetadata)
 
 			_, err = client.Transport.RoundTrip(req)
 
@@ -390,7 +388,6 @@ func TestCheckForInsecureAlgorithmError(t *testing.T) {
 			}
 			req = req.WithContext(audit.WithAuditContext(req.Context()))
 			auditCtx := audit.AuditContextFrom(req.Context())
-			auditCtx.SetEventLevel(auditapi.LevelMetadata)
 
 			// can't use tlsServer.Client() as it contains the server certificate
 			// in tls.Config.Certificates. The signatures are, however, only checked