audit policy: reject audit policy files without apiVersion and kind

staging/src/k8s.io/apiserver/pkg/audit/policy/BUILD

@@ -34,7 +34,7 @@ go_library(
     importpath = "k8s.io/apiserver/pkg/audit/policy",
     deps = [
         "//vendor/github.com/golang/glog:go_default_library",
-        "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
         "//vendor/k8s.io/apiserver/pkg/apis/audit:go_default_library",
         "//vendor/k8s.io/apiserver/pkg/apis/audit/v1alpha1:go_default_library",
         "//vendor/k8s.io/apiserver/pkg/apis/audit/v1beta1:go_default_library",

staging/src/k8s.io/apiserver/pkg/audit/policy/reader.go

@@ -20,7 +20,7 @@ import (
 	"fmt"
 	"io/ioutil"
 
-	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	auditinternal "k8s.io/apiserver/pkg/apis/audit"
 	auditv1alpha1 "k8s.io/apiserver/pkg/apis/audit/v1alpha1"
 	auditv1beta1 "k8s.io/apiserver/pkg/apis/audit/v1beta1"
@@ -30,6 +30,20 @@ import (
 	"github.com/golang/glog"
 )
 
+var (
+	apiGroupVersions = []schema.GroupVersion{
+		auditv1beta1.SchemeGroupVersion,
+		auditv1alpha1.SchemeGroupVersion,
+	}
+	apiGroupVersionSet = map[schema.GroupVersion]bool{}
+)
+
+func init() {
+	for _, gv := range apiGroupVersions {
+		apiGroupVersionSet[gv] = true
+	}
+}
+
 func LoadPolicyFromFile(filePath string) (*auditinternal.Policy, error) {
 	if filePath == "" {
 		return nil, fmt.Errorf("file path not specified")
@@ -40,11 +54,18 @@ func LoadPolicyFromFile(filePath string) (*auditinternal.Policy, error) {
 	}
 
 	policy := &auditinternal.Policy{}
-	decoder := audit.Codecs.UniversalDecoder(auditv1beta1.SchemeGroupVersion, auditv1alpha1.SchemeGroupVersion)
-	if err := runtime.DecodeInto(decoder, policyDef, policy); err != nil {
+	decoder := audit.Codecs.UniversalDecoder(apiGroupVersions...)
+
+	_, gvk, err := decoder.Decode(policyDef, nil, policy)
+	if err != nil {
 		return nil, fmt.Errorf("failed decoding file %q: %v", filePath, err)
 	}
 
+	// Ensure the policy file contained an apiVersion and kind.
+	if !apiGroupVersionSet[schema.GroupVersion{Group: gvk.Group, Version: gvk.Version}] {
+		return nil, fmt.Errorf("unknown group version field %v in policy file %s", gvk, filePath)
+	}
+
 	if err := validation.ValidatePolicy(policy); err != nil {
 		return nil, err.ToAggregate()
 	}

staging/src/k8s.io/apiserver/pkg/audit/policy/reader_test.go

@@ -71,6 +71,24 @@ rules:
   - level: Metadata
 `
 
+const policyWithNoVersionOrKind = `
+rules:
+  - level: None
+    nonResourceURLs:
+      - /healthz*
+      - /version
+  - level: RequestResponse
+    users: ["tim"]
+    userGroups: ["testers", "developers"]
+    verbs: ["patch", "delete", "create"]
+    resources:
+      - group: ""
+      - group: "rbac.authorization.k8s.io"
+        resources: ["clusterroles", "clusterrolebindings"]
+    namespaces: ["default", "kube-system"]
+  - level: Metadata
+`
+
 var expectedPolicy = &audit.Policy{
 	Rules: []audit.PolicyRule{{
 		Level:           audit.LevelNone,
@@ -104,6 +122,15 @@ func TestParserV1alpha1(t *testing.T) {
 	}
 }
 
+func TestParsePolicyWithNoVersionOrKind(t *testing.T) {
+	f, err := writePolicy(t, policyWithNoVersionOrKind)
+	require.NoError(t, err)
+	defer os.Remove(f)
+
+	_, err = LoadPolicyFromFile(f)
+	assert.Contains(t, err.Error(), "unknown group version field")
+}
+
 func TestParserV1beta1(t *testing.T) {
 	f, err := writePolicy(t, policyDefV1beta1)
 	require.NoError(t, err)