kubernetes
diff --git a/‎go.mod‎
Lines changed: 2 additions & 2 deletions b/‎go.mod‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎go.sum‎
Lines changed: 4 additions & 4 deletions b/‎go.sum‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎pkg/audit/context.go‎
Lines changed: 19 additions & 0 deletions b/‎pkg/audit/context.go‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎pkg/audit/context_test.go‎
Lines changed: 155 additions & 0 deletions b/‎pkg/audit/context_test.go‎
Lines changed: 155 additions & 0 deletions
@@ -49,10 +49,10 @@ require (
 gopkg.in/evanphx/json-patch.v4 v4.13.0
 gopkg.in/go-jose/go-jose.v2 v2.6.3
 gopkg.in/natefinch/lumberjack.v2 v2.2.1
-k8s.io/api v0.0.0-20250929192326-dd80a46c1286
+k8s.io/api v0.0.0-20250930152327-c397f90a55bd
 k8s.io/apimachinery v0.0.0-20250929164018-5674a461e8a9
 k8s.io/client-go v0.0.0-20250929192726-5eac01c2bb55
-k8s.io/component-base v0.0.0-20250919034137-4453c3be72a8
+k8s.io/component-base v0.0.0-20250930153136-66f123b5ac6a
 k8s.io/klog/v2 v2.130.1
 k8s.io/kms v0.0.0-20250918004306-2fba1b2102ee
 k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912
 
@@ -295,14 +295,14 @@ gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYs
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/api v0.0.0-20250929192326-dd80a46c1286 h1:2gTEsSU/0HEVWl2v7cttEyNNqDxBU0/6owog7vkVhlw=
-k8s.io/api v0.0.0-20250929192326-dd80a46c1286/go.mod h1:zc2Bftemdv4WGe3gh/TWTwdUt5ERkIycxBrRQmuOjtc=
+k8s.io/api v0.0.0-20250930152327-c397f90a55bd h1:Cg2aqUh0jZZC7BD38J3K2Z6TAvKepgIvsO+e621Gz6M=
+k8s.io/api v0.0.0-20250930152327-c397f90a55bd/go.mod h1:zc2Bftemdv4WGe3gh/TWTwdUt5ERkIycxBrRQmuOjtc=
 k8s.io/apimachinery v0.0.0-20250929164018-5674a461e8a9 h1:tvHk/t27eNXdAUvzZ2Fz+BvoUpfB+tTnvmWR/ET1s2Q=
 k8s.io/apimachinery v0.0.0-20250929164018-5674a461e8a9/go.mod h1:1YSL0XujdSTcnuHOR73D16EdW+d49JOdd8TXjCo6Dhc=
 k8s.io/client-go v0.0.0-20250929192726-5eac01c2bb55 h1:VJDMZBpwiO8tLGelK/I8Ya3GTpJh2BHik2Xm2BNIuFo=
 k8s.io/client-go v0.0.0-20250929192726-5eac01c2bb55/go.mod h1:QU7JGxRCfyhP6ZIE+A+7BhoAnJolaWuH6Dh3NTpH8Sk=
-k8s.io/component-base v0.0.0-20250919034137-4453c3be72a8 h1:6ori9Hm1g6OqXGZa9ihRpScRfwRnVwf0PpqzTu2KCl0=
-k8s.io/component-base v0.0.0-20250919034137-4453c3be72a8/go.mod h1:k2hnvURL10Hd0tc/Tn7RZprCv4tlRGtDqYD3GSRo/NE=
+k8s.io/component-base v0.0.0-20250930153136-66f123b5ac6a h1:40tugOkDa2yxeCGR35eJOeNdHIXQt/610okoFxb6Zt0=
+k8s.io/component-base v0.0.0-20250930153136-66f123b5ac6a/go.mod h1:W22InbHsMbwfSRy9wR+2tl0soSSJFMELYq+qdLu9ysc=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kms v0.0.0-20250918004306-2fba1b2102ee h1:dCR1mK59u+fkeNCgDWwcOBbPZ4lrO4qVyDM8xIOkGOI=
 
@@ -178,6 +178,25 @@ func (ac *AuditContext) LogRequestPatch(patch []byte) {
 })
 }
 
+// GetEventUser returns a copy of the User associated with the audit Event.
+func (ac *AuditContext) GetEventUser() authnv1.UserInfo {
+var val *authnv1.UserInfo
+ac.visitEvent(func(ev *auditinternal.Event) {
+val = ev.User.DeepCopy()
+})
+return *val
+}
+
+// GetEventImpersonatedUser returns a copy of the ImpersonatedUser associated with the audit Event,
+// or returns nil when there is no ImpersonatedUser.
+func (ac *AuditContext) GetEventImpersonatedUser() *authnv1.UserInfo {
+var val *authnv1.UserInfo
+ac.visitEvent(func(ev *auditinternal.Event) {
+val = ev.ImpersonatedUser.DeepCopy()
+})
+return val
+}
+
 func (ac *AuditContext) GetEventAnnotation(key string) (string, bool) {
 var val string
 var ok bool
 
@@ -22,9 +22,11 @@ import (
 "sync"
 "testing"
 
+authnv1 "k8s.io/api/authentication/v1"
 auditinternal "k8s.io/apiserver/pkg/apis/audit"
 
 "github.com/stretchr/testify/assert"
+"github.com/stretchr/testify/require"
 )
 
 func TestEnabled(t *testing.T) {
@@ -175,6 +177,159 @@ func TestAuditAnnotationsWithAuditLoggingSetup(t *testing.T) {
 assert.Equal(t, expected, actual)
 }
 
+func TestGetEventUser(t *testing.T) {
+tests := []struct {
+name string
+auditEventUser authnv1.UserInfo
+wantUser authnv1.UserInfo
+}{
+{
+name: "fields with zero values are returned as fields with zero values",
+auditEventUser: authnv1.UserInfo{},
+wantUser: authnv1.UserInfo{},
+},
+{
+name: "fields with non-zero values are returned as copies",
+auditEventUser: authnv1.UserInfo{
+Username: "test-user",
+UID: "test-uid",
+Groups: []string{"test-group1", "test-group2"},
+Extra: map[string]authnv1.ExtraValue{
+"test-extra1": {"test-extra1-val1", "test-extra1-val2"},
+"test-extra2": {"test-extra2-val1", "test-extra2-val2"},
+},
+},
+wantUser: authnv1.UserInfo{
+Username: "test-user",
+UID: "test-uid",
+Groups: []string{"test-group1", "test-group2"},
+Extra: map[string]authnv1.ExtraValue{
+"test-extra1": {"test-extra1-val1", "test-extra1-val2"},
+"test-extra2": {"test-extra2-val1", "test-extra2-val2"},
+},
+},
+},
+}
+for _, test := range tests {
+t.Run(test.name, func(t *testing.T) {
+ac := AuditContext{event: auditinternal.Event{User: test.auditEventUser}}
+got := ac.GetEventUser()
+require.Equal(t, test.wantUser, got)
+})
+}
+
+t.Run("mutating the returned groups does not change the audit event's User's groups", func(t *testing.T) {
+ac := AuditContext{
+event: auditinternal.Event{
+User: authnv1.UserInfo{
+Groups: []string{"test-group1", "test-group2"},
+},
+},
+}
+got := ac.GetEventUser()
+require.Equal(t, []string{"test-group1", "test-group2"}, got.Groups)
+got.Groups[0] = "mutated group"
+require.Equal(t, []string{"mutated group", "test-group2"}, got.Groups)
+// The event's groups are not changed.
+require.Equal(t, []string{"test-group1", "test-group2"}, ac.event.User.Groups)
+})
+
+t.Run("mutating the returned extras does not change the audit event's User's extras", func(t *testing.T) {
+ac := AuditContext{
+event: auditinternal.Event{
+User: authnv1.UserInfo{
+Extra: map[string]authnv1.ExtraValue{"test-extra": {"test-extra-val"}},
+},
+},
+}
+got := ac.GetEventUser()
+require.Equal(t, map[string]authnv1.ExtraValue{"test-extra": {"test-extra-val"}}, got.Extra)
+got.Extra["test-extra"] = authnv1.ExtraValue{"mutated value"}
+require.Equal(t, map[string]authnv1.ExtraValue{"test-extra": {"mutated value"}}, got.Extra)
+// The event's extras are not changed.
+require.Equal(t, map[string]authnv1.ExtraValue{"test-extra": {"test-extra-val"}}, ac.event.User.Extra)
+})
+}
+
+func TestGetEventImpersonatedUser(t *testing.T) {
+tests := []struct {
+name string
+auditEventImpersonatedUser *authnv1.UserInfo
+wantUser *authnv1.UserInfo
+}{
+{
+name: "nil ImpersonatedUser returns nil",
+auditEventImpersonatedUser: nil,
+wantUser: nil,
+},
+{
+name: "fields with zero values are returned as fields with zero values",
+auditEventImpersonatedUser: &authnv1.UserInfo{},
+wantUser: &authnv1.UserInfo{},
+},
+{
+name: "fields with non-zero values are returned as copies",
+auditEventImpersonatedUser: &authnv1.UserInfo{
+Username: "test-user",
+UID: "test-uid",
+Groups: []string{"test-group1", "test-group2"},
+Extra: map[string]authnv1.ExtraValue{
+"test-extra1": {"test-extra1-val1", "test-extra1-val2"},
+"test-extra2": {"test-extra2-val1", "test-extra2-val2"},
+},
+},
+wantUser: &authnv1.UserInfo{
+Username: "test-user",
+UID: "test-uid",
+Groups: []string{"test-group1", "test-group2"},
+Extra: map[string]authnv1.ExtraValue{
+"test-extra1": {"test-extra1-val1", "test-extra1-val2"},
+"test-extra2": {"test-extra2-val1", "test-extra2-val2"},
+},
+},
+},
+}
+for _, test := range tests {
+t.Run(test.name, func(t *testing.T) {
+ac := AuditContext{event: auditinternal.Event{ImpersonatedUser: test.auditEventImpersonatedUser}}
+got := ac.GetEventImpersonatedUser()
+require.Equal(t, test.wantUser, got)
+})
+}
+
+t.Run("mutating the returned groups does not change the audit event's ImpersonatedUser's groups", func(t *testing.T) {
+ac := AuditContext{
+event: auditinternal.Event{
+ImpersonatedUser: &authnv1.UserInfo{
+Groups: []string{"test-group1", "test-group2"},
+},
+},
+}
+got := ac.GetEventImpersonatedUser()
+require.Equal(t, []string{"test-group1", "test-group2"}, got.Groups)
+got.Groups[0] = "mutated group"
+require.Equal(t, []string{"mutated group", "test-group2"}, got.Groups)
+// The event's groups are not changed.
+require.Equal(t, []string{"test-group1", "test-group2"}, ac.event.ImpersonatedUser.Groups)
+})
+
+t.Run("mutating the returned extras does not change the audit event's ImpersonatedUser's extras", func(t *testing.T) {
+ac := AuditContext{
+event: auditinternal.Event{
+ImpersonatedUser: &authnv1.UserInfo{
+Extra: map[string]authnv1.ExtraValue{"test-extra": {"test-extra-val"}},
+},
+},
+}
+got := ac.GetEventImpersonatedUser()
+require.Equal(t, map[string]authnv1.ExtraValue{"test-extra": {"test-extra-val"}}, got.Extra)
+got.Extra["test-extra"] = authnv1.ExtraValue{"mutated value"}
+require.Equal(t, map[string]authnv1.ExtraValue{"test-extra": {"mutated value"}}, got.Extra)
+// The event's extras are not changed.
+require.Equal(t, map[string]authnv1.ExtraValue{"test-extra": {"test-extra-val"}}, ac.event.ImpersonatedUser.Extra)
+})
+}
+
 func withAuditContextAndLevel(ctx context.Context, t *testing.T, l auditinternal.Level) context.Context {
 ctx = WithAuditContext(ctx)
 if err := AuditContextFrom(ctx).Init(RequestAuditConfig{Level: l}, nil); err != nil {