chore: do not audit log GET requests to k8s

Since we do not audit log read-like requests, I think it makes sense to do the same here.

Signed-off-by: Dmitriy Matrenichev <[email protected]>
(cherry picked from commit c904e3a)

Author: DmitriyMV

go.work

@@ -1,4 +1,4 @@
-go 1.23.0
+go 1.23.2
 
 use (
 	.

internal/backend/k8sproxy/middleware.go

@@ -129,7 +129,6 @@ func AuthorizeRequest(next http.Handler, keyFunc KeyProvider, clusterUUIDResolve
 					Session:        req.Header.Get("Kubectl-Session"),
 					ClusterName:    clusterName,
 					ClusterUUID:    clusterUUID,
-					Body:           "",
 				},
 				Session: audit.Session{
 					UserAgent: req.Header.Get("User-Agent"),

internal/backend/runtime/omni/audit/audit.go

@@ -7,7 +7,6 @@
 package audit
 
 import (
-	"bytes"
 	"context"
 	"errors"
 	"fmt"
@@ -124,21 +123,15 @@ func (l *Log) AuditTalosAccess(ctx context.Context, fullMethodName string, clust
 // Wrap wraps the http.Handler with audit logging.
 func (l *Log) Wrap(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-		clonedReq := req.Clone(req.Context())
-
-		strData, body, err := duplicateReadCloser(req.Body)
-		if err != nil {
-			l.logger.Error("failed to clone request body", zap.Error(err))
+		if req.Method == http.MethodGet || req.Method == http.MethodHead || req.Method == http.MethodOptions {
 			next.ServeHTTP(w, req)
 
 			return
 		}
 
-		clonedReq.Body = body
-
 		data, ok := ctxstore.Value[*Data](req.Context())
 		if !ok {
-			next.ServeHTTP(w, clonedReq)
+			next.ServeHTTP(w, req)
 
 			return
 		}
@@ -147,9 +140,7 @@ func (l *Log) Wrap(next http.Handler) http.Handler {
 			data.K8SAccess = &K8SAccess{}
 		}
 
-		data.K8SAccess.Body = strData
-
-		err = l.logFile.Dump(event{
+		err := l.logFile.Dump(event{
 			Type: "k8s_access",
 			Time: time.Now().UnixMilli(),
 			Data: data,
@@ -158,7 +149,7 @@ func (l *Log) Wrap(next http.Handler) http.Handler {
 			l.logger.Error("failed to write audit log", zap.Error(err))
 		}
 
-		next.ServeHTTP(w, clonedReq)
+		next.ServeHTTP(w, req)
 	})
 }
 
@@ -181,21 +172,6 @@ func (l *Log) RunCleanup(ctx context.Context) error {
 	}
 }
 
-func duplicateReadCloser(body io.ReadCloser) (string, io.ReadCloser, error) {
-	if body == nil {
-		return "", nil, nil
-	}
-
-	var buf bytes.Buffer
-
-	_, err := buf.ReadFrom(body)
-	if err != nil {
-		return "", nil, err
-	}
-
-	return buf.String(), io.NopCloser(&buf), nil
-}
-
 type (
 	// CreateHook is a hook for specific type resource creation.
 	CreateHook = func(ctx context.Context, res resource.Resource, option ...state.CreateOption) error

internal/backend/runtime/omni/audit/data.go

@@ -122,7 +122,6 @@ type TalosAccess struct {
 type K8SAccess struct {
 	FullMethodName string `json:"full_method_name,omitempty"`
 	Command        string `json:"command,omitempty"`
-	Body           string `json:"body,omitempty"`
 	Session        string `json:"kube_session,omitempty"`
 	ClusterName    string `json:"cluster_name,omitempty"`
 	ClusterUUID    string `json:"cluster_uuid,omitempty"`