Size         int64
	Atim31       [4]byte
	Mtim31       [4]byte
	Ctim31       [4]byte
	Rdev         uint32
	Auditoraudit uint32
	Useraudit    uint32
	Blksize      int32
	Creatim31    [4]byte
	AuditID      [16]byte
	_            [4]byte // rsrvd1
	File_tag     struct {
		Ccsid   uint16
		Txtflag uint16 // aggregating Txflag:1 deferred:1 rsvflags:14
	}
	CharsetID [8]byte
	Blocks    int64

apiVersion: release-notes/v2
kind: feature
area: security
issue:
  - 25591
releaseNotes:
  - |

	internalAudit "github.com/minio/minio/internal/logger/message/audit"
	"github.com/minio/minio/internal/mcontext"
	"github.com/minio/pkg/v3/logger/message/audit"

	xhttp "github.com/minio/minio/internal/http"
)

const contextAuditKey = contextKeyType("audit-entry")

// SetAuditEntry sets Audit info in the context.
func SetAuditEntry(ctx context.Context, audit *audit.Entry) context.Context {
	if ctx == nil {

// evaluatePolicyAndCreateAuditEvent is responsible for evaluating the audit
// policy configuration applicable to the request and create a new audit
// event that will be written to the API audit log.
// - error if anything bad happened
func evaluatePolicyAndCreateAuditEvent(req *http.Request, policy audit.PolicyRuleEvaluator) (*audit.AuditContext, error) {
	ctx := req.Context()
	ac := audit.AuditContextFrom(ctx)
	if ac == nil {

	"context"
	"fmt"

	"k8s.io/apiserver/pkg/audit"
)

// auditHandler logs annotations set by other admission handlers
type auditHandler struct {
	Interface
}

var _ Interface = &auditHandler{}
var _ MutationInterface = &auditHandler{}
var _ ValidationInterface = &auditHandler{}

// WithAudit is a decorator for a admission phase. It saves annotations
// of attribute into the audit event. Attributes passed to the Admit and

		"Total number of messages sent since start",
		targetID)
)

// loadAuditMetrics - `MetricsLoaderFn` for audit
// such as failed messages and total messages.
func loadAuditMetrics(_ context.Context, m MetricValues, c *metricsCache) error {
	audit := logger.CurrentStats()
	for id, st := range audit {
		labels := []string{targetID, id}
		m.Set(auditFailedMessages, float64(st.FailedMessages), labels...)

	"k8s.io/apimachinery/pkg/runtime/schema"
	"k8s.io/apimachinery/pkg/runtime/serializer/json"
	"k8s.io/apimachinery/pkg/util/wait"
	auditinternal "k8s.io/apiserver/pkg/apis/audit"
	auditv1 "k8s.io/apiserver/pkg/apis/audit/v1"
	"k8s.io/apiserver/pkg/audit"
	"k8s.io/client-go/tools/clientcmd/api/v1"
)

// newWebhookHandler returns a handler which receives webhook events and decodes the

	"testing"

	"github.com/stretchr/testify/require"

	"k8s.io/apimachinery/pkg/runtime"
	auditinternal "k8s.io/apiserver/pkg/apis/audit"
	auditv1 "k8s.io/apiserver/pkg/apis/audit/v1"
	"k8s.io/apiserver/plugin/pkg/audit/fake"
	// Importing just for the schema definitions.
	_ "k8s.io/apiserver/plugin/pkg/audit/webhook"
)

var (
	defaultConfig = Config{
		MaxBatchSize: 4 * 1024 * 1024,
		MaxEventSize: 100 * 1024,
	}
)

type RequestAuditConfig struct {
	// Level at which the request is being audited at
	Level audit.Level

	// OmitStages is the stages that need to be omitted from being audited.
	OmitStages []audit.Stage

	// OmitManagedFields indicates whether to omit the managed fields of the request
	// and response bodies from being written to the API audit log.
	OmitManagedFields bool
}

// PolicyRuleEvaluator exposes methods for evaluating the policy rules.

	require.NoError(t, f.Close())
	return f.Name()
}

func makeTmpPolicy(t *testing.T) string {
	pol := auditv1.Policy{
		TypeMeta: metav1.TypeMeta{
			APIVersion: "audit.k8s.io/v1",
		},
		Rules: []auditv1.PolicyRule{
			{
				Level: auditv1.LevelRequestResponse,
			},
		},
	}
	f, err := ioutil.TempFile("", "k8s_audit_policy_test_")
	require.NoError(t, err, "creating temp file")