fix: admission request is saved in db logs

pkg/http-server/webhook-scan-logs.go

@@ -175,14 +175,14 @@ func (g *APIHandler) getLogReasoning(log dblogs.WebhookScanLog) string {
 	if !log.Allowed {
 		err := json.Unmarshal([]byte(log.DeniableViolations), &violations)
 		if err != nil {
-			zap.S().Errorf("Failed to deserialize deniable violations summary. Error: %v", err.Error())
+			zap.S().Errorf("failed to deserialize deniable violations summary. Error: %v", err.Error())
 			return ""
 		}
 	} else {
 		var violationStore results.ViolationStore
 		err := json.Unmarshal([]byte(log.ViolationsSummary), &violationStore)
 		if err != nil {
-			zap.S().Errorf("Failed to deserialize violations summary. Error: %v", err.Error())
+			zap.S().Errorf("failed to deserialize violations summary. Error: %v", err.Error())
 			return ""
 		}
 
@@ -218,13 +218,13 @@ func (g *APIHandler) getLogRequest(log dblogs.WebhookScanLog) string {
 	err := json.Unmarshal([]byte(log.Request), &review)
 
 	if err != nil {
-		zap.S().Errorf("Failed to deserialize request. Error: %v", err.Error())
+		zap.S().Errorf("failed to deserialize request. Error: %v", err.Error())
 		return "{}"
 	}
 
 	result, err := json.Marshal(review.Request)
 	if err != nil {
-		zap.S().Errorf("Failed to serialize request. Error: %v", err.Error())
+		zap.S().Errorf("failed to serialize request. Error: %v", err.Error())
 		return "{}"
 	}
 

pkg/http-server/webhook-scan.go

@@ -33,11 +33,20 @@ import (
 func (g *APIHandler) validateK8SWebhook(w http.ResponseWriter, r *http.Request) {
 
 	var (
-		params            = mux.Vars(r)
-		apiKey            = params["apiKey"]
-		validatingWebhook = admissionWebhook.NewValidatingWebhook(g.configFile)
+		params = mux.Vars(r)
+		apiKey = params["apiKey"]
 	)
 
+	// Read the request into byte array
+	body, err := ioutil.ReadAll(r.Body)
+	if err != nil {
+		msg := fmt.Sprintf("failed to read validating admission webhook request body, error: '%v'", err)
+		apiErrorResponse(w, msg, http.StatusBadRequest)
+		return
+	}
+	zap.S().Debugf("scanning configuration webhook request: %+v", string(body))
+
+	validatingWebhook := admissionWebhook.NewValidatingWebhook(g.configFile, body)
 	// Validate if authorized (API key is specified and matched the server one (saved in an environment variable)
 	if err := validatingWebhook.Authorize(apiKey); err != nil {
 		switch err {
@@ -51,16 +60,6 @@ func (g *APIHandler) validateK8SWebhook(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
-	// Read the request into byte array
-	body, err := ioutil.ReadAll(r.Body)
-	if err != nil {
-		msg := fmt.Sprintf("failed to read validating admission webhook request body, error: '%v'", err)
-		apiErrorResponse(w, msg, http.StatusBadRequest)
-		return
-	}
-
-	zap.S().Debugf("scanning configuration webhook request: %+v", string(body))
-
 	// decode incoming admission review request
 	requestedAdmissionReview, err := validatingWebhook.DecodeAdmissionReviewRequest(body)
 	if err != nil {
@@ -92,6 +91,6 @@ func (g *APIHandler) sendResponseAdmissionReview(w http.ResponseWriter, admissio
 		return
 	}
 
-	zap.S().Debugf("Response result: %+v", string(respBytes))
+	zap.S().Debugf("response result: %+v", string(respBytes))
 	apiResponse(w, string(respBytes), http.StatusOK)
 }

pkg/k8s/admission-webhook/validating-webhook.go

@@ -47,10 +47,11 @@ type ValidatingWebhook struct {
 }
 
 // NewValidatingWebhook returns a new, empty ValidatingWebhook struct
-func NewValidatingWebhook(configFile string) AdmissionWebhook {
+func NewValidatingWebhook(configFile string, body []byte) AdmissionWebhook {
 	return ValidatingWebhook{
-		configFile: configFile,
-		dblogger:   dblogs.NewWebhookScanLogger(),
+		configFile:  configFile,
+		dblogger:    dblogs.NewWebhookScanLogger(),
+		requestBody: body,
 	}
 }
 
@@ -106,7 +107,6 @@ func (w ValidatingWebhook) DecodeAdmissionReviewRequest(requestBody []byte) (adm
 		deserializer             = codecs.UniversalDeserializer()
 		requestedAdmissionReview admissionv1.AdmissionReview
 	)
-	w.requestBody = requestBody
 	admissionv1.AddToScheme(scheme)
 
 	// decode incoming admission request