Implement healthchecks. (#8)

charts/gardener-extension-audit/templates/deployment.yaml

@@ -22,6 +22,7 @@ spec:
         networking.gardener.cloud/to-runtime-apiserver: allowed
         networking.gardener.cloud/to-dns: allowed
         networking.resources.gardener.cloud/to-all-shoots-kube-apiserver-tcp-443: allowed
+        networking.resources.gardener.cloud/to-all-shoots-audit-webhook-backend-tcp-2020: allowed
 {{ include "labels" . | indent 8 }}
     spec:
       containers:
@@ -37,6 +38,17 @@ spec:
         - --webhook-config-namespace={{ .Release.Namespace }}
         - --webhook-config-server-port={{ .Values.webhookConfig.serverPort }}
         - --disable-controllers={{ .Values.disableControllers | join "," }}
+        {{- if .Values.metricsPort }}
+        - --metrics-bind-address=:{{ .Values.metricsPort }}
+        {{- end }}
+        {{- if .Values.healthPort }}
+        - --health-bind-address=:{{ .Values.healthPort }}
+        {{- end }}
+        {{- if .Values.gardener.version }}
+        - --gardener-version={{ .Values.gardener.version }}
+        {{- end }}
+        - --log-level={{ .Values.logLevel | default "info" }}
+        - --log-format={{ .Values.logFormat | default "json" }}
         env:
         - name: LEADER_ELECTION_NAMESPACE
           valueFrom:

charts/gardener-extension-audit/templates/rbac.yaml

@@ -84,6 +84,7 @@ rules:
   - leases
   verbs:
   - create
+  - update
   - list
   - watch
 - apiGroups:

charts/gardener-extension-audit/values.yaml

@@ -10,6 +10,8 @@ controllers:
   concurrentSyncs: 5
   healthcheck:
     concurrentSyncs: 5
+  heartbeat:
+    renewIntervalSeconds: 30
   ignoreOperationAnnotation: false
 
 disableControllers: []

cmd/gardener-extension-audit/app/app.go

@@ -5,7 +5,7 @@ import (
 	"fmt"
 
 	"github.com/metal-stack/gardener-extension-audit/pkg/apis/audit/install"
-	"github.com/metal-stack/gardener-extension-audit/pkg/controller"
+	"github.com/metal-stack/gardener-extension-audit/pkg/controller/audit"
 
 	extensionscontroller "github.com/gardener/gardener/extensions/pkg/controller"
 	heartbeatcontroller "github.com/gardener/gardener/extensions/pkg/controller/heartbeat"
@@ -74,9 +74,9 @@ func (o *Options) run(ctx context.Context) error {
 	}
 
 	ctrlConfig := o.auditOptions.Completed()
-	ctrlConfig.Apply(&controller.DefaultAddOptions.Config)
-	o.controllerOptions.Completed().Apply(&controller.DefaultAddOptions.ControllerOptions)
-	o.reconcileOptions.Completed().Apply(&controller.DefaultAddOptions.IgnoreOperationAnnotation)
+	ctrlConfig.Apply(&audit.DefaultAddOptions.Config)
+	o.controllerOptions.Completed().Apply(&audit.DefaultAddOptions.ControllerOptions)
+	o.reconcileOptions.Completed().Apply(&audit.DefaultAddOptions.IgnoreOperationAnnotation)
 	o.heartbeatOptions.Completed().Apply(&heartbeatcontroller.DefaultAddOptions)
 
 	if err := o.controllerSwitches.Completed().AddToManager(mgr); err != nil {

cmd/gardener-extension-audit/app/options.go

@@ -6,9 +6,8 @@ import (
 	controllercmd "github.com/gardener/gardener/extensions/pkg/controller/cmd"
 	heartbeatcmd "github.com/gardener/gardener/extensions/pkg/controller/heartbeat/cmd"
 	webhookcmd "github.com/gardener/gardener/extensions/pkg/webhook/cmd"
-	"k8s.io/client-go/tools/leaderelection/resourcelock"
-
 	auditcmd "github.com/metal-stack/gardener-extension-audit/pkg/cmd"
+	"k8s.io/client-go/tools/leaderelection/resourcelock"
 )
 
 // ExtensionName is the name of the extension.
@@ -55,6 +54,8 @@ func NewOptions() *Options {
 			LeaderElectionID:           controllercmd.LeaderElectionNameID(ExtensionName),
 			LeaderElectionResourceLock: resourcelock.LeasesResourceLock,
 			LeaderElectionNamespace:    os.Getenv("LEADER_ELECTION_NAMESPACE"),
+			MetricsBindAddress:         ":8080",
+			HealthBindAddress:          ":8081",
 		},
 		controllerOptions: &controllercmd.ControllerOptions{
 			// This is a default value.

example/controller-registration.yaml

@@ -5,7 +5,7 @@ metadata:
   name: audit
 type: helm
 providerConfig:
-  chart: H4sIAAAAAAAAA+0ca2/bOLKf9SsIdxdogZNkO7azENC7S1PfbnBtEiS9LA6HQ0BLtK1GErUUlSbX9r/f8CGZkmXLTtKk3XoQwDLFGQ45D85w6MwwC0hCmE1uOEmykCY2zoOQu88eDroA+8Oh/ASof8rn3t6g1x/2RyPR3hsMRt1naPiAPKyEPOOYIfSMUcrX9Wt7/53CbJX8D+eYcecWx9G9xxACHg0GK+Xf7+7V5D8awAfqPsD8WuEHlz9OwwvChNw9dN2zcJouvnadntO1ApL5LEy5bDtAv5EoRr5QDjSlDPE5QVJhUKlAVoJj4qFVmmVd1wZ46iX4oWGl/QfUd2b0QcZos//BqFez/yHAzv4fA1x3Rr2Z0ADMCcrmyPZRx3Fc+LsmSUCZOwv5PJ84Po3dQlkWD3PsX7kFuu3ThDMaRaBOjMzCjEMraJQDZJWPcNBPL3wMn3KAi/HZ+dHJ8Uv9ldzgOI2Iu4qK2IvQuFBTT1LsWJbrolPgAs+IdkskwZOIZKgysTxNqXZZujFMZtJ7+ZQx4nO0GBZVhrVSk/qfzVuttH9OQBiwdNn9I8Ht47/RYDjaxX+PARvI/3JOohT2bIend4sFW/x/r98bVuXf7+7v7+/8/2PAp082Csg0TAjqiLitg+wvX6yVsZvoDtuC7GSZuBGekChzIH50rsitoiK/5BPCEgJ65ITUFSNUaKwgcY2jXLPy6RMKEz/Kg5JBB2nENYws49YZFFQ8tKKHHl+OtDyLMAGdSXwi0Z0zEhGcEecYmGvkrGQtjGEbUZwhJN6EUzTH2SmD9zeok81xfzjyYNgLMTwMJfo7HM9QiZGyMOFT1Pk5+/vPWb0nIynNQk7Z7ToSMEfSRNC7M0GYrDHvukACkkb0NiYJ14F/qRyZCxmHuVxPbQw/IGzg/yEwmoazGKe2FP41BEuU2RSk+ZGFnLSfEbTH/7X8H8xgb+f/HwW0G6qY94WU8EkhYOUEK8cEV2ESeOhQKsY7nFox4TjAHHvgElT23+y2mzVII2UQaDf4VNmsvI3y0F6DXxfkP0Mj6DJHA9G7YEeOmF1W1dVDnwWRtbOukjO821OL7EFhG/u/62lgW/w3qp//9Xt73V3+/yjwUIZdKslXNWY1SmnCCMC2bflpTkRqsCN4j5xSrzNHYxcq7/gRzQOIQXCUznFPUinnr48C1Erk6ijAqjlLTc+PQmAUeibgQaCbmh4wW2v3ZCtw6vskFe3AGH9/m5JMrhMjf+QhIwHqtNB3lgmgMCvxO238NeFrluUKF61bcmVgbseOiVjy8Ue67aoAxnbjCoRyvEnOMr7liBJnuzEVyje0n2zg/xcB/B03gBb/Pxp06/l/b9jfxX+PAhW3qVMy5QTflGLfeBf4Kr4/S4kvBmbkOhR8/hZmIiN9G8YhGGxXvkmj0MfKYRQWqBsPaZ5wNWgGvIgQT/nhGHN//nYzPkaKQGESmoCxKNKtJwnlcp/IiqYyy28Lr4vu/pz4V1keGzmXtMbmuLkihhcyk0c/Oe81l85rWPhTzOeos1EK13kpp6xOIYAHky/DW61hdW1ocAdmW9gqlKjgKCH8I2WgvEtbPKc2AzUIY2KDvmeEwcRB3aOIfiTBZvgBSHUdBiMZzZkPMl7GBTQ7m4P/yGxxkLTgweZ+ag8GewvKLYr4SzH7wiiKLRuHMGK5FnablSqQuuChTj0TMs99vnzxll6r059Olc5pHkWnFEzutmKGCiMtX1ZUiMYxBldTNtjIXXnyuOhja4165RLuu81z1ErkGgFjhUKMbwQVP2cM1tVmRHwJI5K9MnhfVITks+58fpv4mTkNQW9OcMTn0ia2p20gt40TzhLKiE1TokJSe+F1VlFXKCcFxkGJUKf9kUxASa/06tqlJ3+1xpGvxNYKLopuJmO6lwqrHdXpVBTmatSCMBNFPKOiWFk9/XoRp2dgIx9omKDOXzomLZJcm+qlzOLt+ODN+Oxy/HZ8+P7o5Pjy+ODd+Pz04HBc9kRIngD/g9HYMxoRmoYkCs7ItNqq24X/8sp9wSkX8K67QcHv0buDX8cXwOzJ2eXJxfjs97Oj90u8esiVBUrjqMNtPPtY59SFuLLlBStkq+RljFy6HiHDit1vImgYj1FOfQrJ3PvD03p6VbpUE6dslJs2p/8WReFljM8o0S6z162F2+Wq0SiPyTsRHzRMWamxwWosOioJt/ud+0p81TFZEzNLUjf6MYKDkyQCl8xZTlZLXsgn9MmB7wvCx+2bx3OEp9MwCfmtV7YI9QkOYJs9aHiFyiTpTQ57/+wc3F2QR/B0JP2Tbh7fED83k+Xnel3kZnheieCKl3JBRDQ3vklBAzIzAlv0sNEVuV1Z8ClLQkt4CClnC6Oio6ThtbS+hgHFkBuUl6ponKY0orPbfwpeO9Wy05xmXApC4ygFXtr0axroF2c5psva+CingIBMcR7xdzQAvEG/q19tpd6bKff2/LYZyxrev4UM/Glhg/wfrBr2W5bLK4CTPJiRLQ8C2uo/w8F+Lf/fGwxGu/z/MUBb8IyjFyIja8qeX6JevQSUyljeve5NINgpDgxOafCm1JPXUk++jZMDCMj/leBrHEYiaJTks3zSOuF7nxh8Dx5mA/tnE+zf6yJ4i/3vDfr9+v0feNzZ/2OAKJ+Yli2FjXM+pyz8n7oAefWLDD8W1aEI1oywMxqRbex7G8tleSQCG/1hi+LOr4zmqQx2bGTUdKqnLVYlQRBdfcVsBl8gNJjoVuGaZFQZZurho7Dt5YFwEIcyoKzcCFULsjxWnHN5rVTnPr5ZO9qMAfGUp7CgRDEP8bt+TJsZ3GIlFl1rX12wAJ5vzmBaZ3WJq1WHYQ1LhhMI3oKydWMmjKUxFmzBWgCuu4m1TmeZiYwANa6WpQx+n4aVchO8o8I20YTYOOE1eut4XiLqU8qCMFmv/HK3Xj1KG+PbjVG0y+Cgpt76xBz6BmJbi1TlrcqYMWexss9RkIgqng88ZKAOJIZEDE0IwuIquM4p/3Yv64MBNP3a122s737O+jU0gHf6aj4bhtAnY8UyreHQKmvtxm7Swg8EbR9AmnJHUMjnlXOLh4kxn3pHflzYIP7Th0N3DwFb87/uUvy3u//9SNB4/0eb1beRvXF5FUW7iaPTSlq2Wd22PNW25aOHBoM9mdFVj5/l+Rtm4Hu3Os1+agneDza3f6yc7B3cQJv99we13//1+3vDwc7+HwPW2X+xrT6pG3jqBfqTw0r7V2WNB/kHAK33f/f367//Gw1357+PAuoOiMxXijsfHprNfSayCHmD1oYFEj/yXX0xg+OZh+ReIb6lxkWQo+kx5aeQColbZJZ5xuqhnrVIkdCnL5Zl1Pr1XV/zJoSHhtBoXJVQh7KNvVZeefDQFEcZsazlCwQe+s9/i+bf1Xav2iA7bKprifvHomqnauyefC4qXCnOM3V3QRbHLVXdU5M9M9d58dPqRanPfJxEdOLGWEQ+7iQPo8CVpN031L8ibBpCzlQUVw2qSngzSmcRuVzcDlK4No6D0UCjScl19pxuRzeU/5uh5/R6zs33Pave0qw6f30lZtZXLxzHsaxKaOdZqhZeXGgQgaLll6+ab3Q33efGqVR10cn9kNGk0NXF3erGHvLWc6+rSpT6SnJvr2uVP8j0LHM2nd3uuIMd7GAHO9jBDraH/wM5NEJSAFAAAA==
+  chart: H4sIAAAAAAAAA+0ca2/bOLKf9SsIdxdogZPkdxYCendpm90Ntk2CpJfF4XAIaIm2tZFELUXlcW3/+w0fkilZtuwkTdqtiQCWKc6DnAeHw3FmmAUkIcwmN5wkWUgTG+dByN1nD9e60PZGI/kJrf4pn3uDYa8/6o/Hor83HI67z9DoAXlY2fKMY4bQM0YpXzeu7f032mar5P9mjhl3bnEc3ZuGEPB4OFwp/353UJP/eAgfqPsA82tt37n8cRqeEybk7qGrnoXTdPG16/ScrhWQzGdhymXfPvqVRDHyhXKgKWWIzwmSCoNKBbISHBMPrdIs66pG4KmX4LtuK+0/oL4zow9Co83+h+Nezf5H0Hb2/xjNdWfUmwkNwJygbI5sH3Ucx4W/K5IElLmzkM/ziePT2C2UZfEwx/6lW4DbPk04o1EE6sTILMw49IJGOYBW+QgH/fDCx/ApCZwfnJ4dHh+91F/JDY7TiLirsIi9CB0UaupJjB3Lcl10AlzgGdFuiSR4EpEMVSaWpynVLkt3hslMei+fMkZ8jhZkUYWslZrY/2reaqX9cwLCgKXL7h8Jbh//jYej8S7+e4y2gfwv5iRKYc92eHq3WLDF//f6vVFV/v3u3t7ezv8/Rvv40UYBmYYJQR0Rt3WQ/fmztTJ2E8NhW5CDLBM2whMSZQ7Ej84luVVY5Jd8QlhCQI+ckLqCQgXHChRXOMo1Kx8/ojDxozwoGXSQBlzDyDJsnUGBxUMrRmj6ktLyLMIEdCbxiQR3TklEcEacI2CukbOStTCGbURxhpB4E07RHGcnDN7foE42x/3R2AOy54I8kBLjHY5nqIRIWZjwKer8mP3zx6w+kpGUZiGn7HYdCpgjaULo3RkhTNaYd10gAUkjehuThOvAv1SOzIUTh7lcT20M32HbwP9DYDQNZzFObSn8KwiWKLMpSPOahZy05wja4//a+R/MYLDz/4/StBuqmPe5lPBxIWDlBCtpgsswCTz0RirGe5xaMeE4wBx74BLU6b/ZbTdrkAbKINBu8KmyW3kb5aG9Br8u0H+CTtBljoZidMGOpJhdVNXVQ58EkrWzrqIzvNtTi+xB2zb2f9dsYFv8N67n//q9QXd3/n+U9lCGXSrJFzVmRaU0YQTNtm35aU5EarAjeI+cUq8zR0MXKu/4Ec0DiEFwlM5xT2Ip569TAWolcpUKsGrOUuPzoxAYhZEJeBAYpqYHzNb6PdkLnPo+SUU/MMY/3KYkk+vEyJ95yEiAOi34nWUEKMxK+E4bf03wmmW5wkXvllwZkNuxYwKWfPyZbrsqALEdXQFQ0pvkLONbUpQw29FUIF/RfrKB/18E8HfcAFr8/96oO677/9Ggv/P/j9EqblMfyZQTfFuKfeNd4Iv4/iwlviDMyFUo+Pw1zMSJ9F0Yh2CwXfkmjUIfK4dRWKDufEPzhCuiGfAiQjzlh2PM/fm7zfgYKwSFSWgExqJIt54klMt9Iiu6ylN+W3hdDPfnxL/M8tg4c0lrbI6bK2J4IU/y6Afng+bSeQ0Lf4L5HHU2OsJ1XsopqywE8GDyZXirNayuDQ3uwGwLW4USFRwlhF9TBsq7tMVzajNQgzAmNuh7RhhMHNQ9iug1CTaDD0Cq6yAYyWjOfJDxMiyA2dkc/Edmi0TSggeb+6k9HA4eArPSk2syga+X9gT7lyAwSaDf7XcXFFpU/adifQuzK4ICHALlcrXtNj+gmtQ2D3XqZy0zs/T5s7f0WuWXOlU8J3kUnVAw6tuKoSuItHxZUVIaxxicWdlhI3dlbnMxxtY6+8ol3Heb56jV1DVC0gqGGN8ILH7OGKyrzYj4EkYke2Xwvrhzks968Nlt4mfmNAS+OcERn0ur2x63AdxGJ5wllBGbpkQFvfbCr63CrkCOC4j9EqCOu9BOtWZ2uVe8WrNVrITWJiSu9UzG9CgVuDtq0Im4+qthC8JMXBMad5aV1dOvFyeBDGzkDxomqPO3Tt01Gh4edgUW+lkTRf3KnoCp2TgIwLCzV6bur4BtcL41okq8TTTVm9UkmyHbKZauSOd063RLI9PvzaVdB9tAWaCL6MyOYNuKTDzQ+U70gWACMsV5xFEnTKa00wQ9pQx2/Br4z7LThP8jE/lpA54kV6b3UF7v3cH+24PTi4N3B28+HB4fXRztvz84O9l/c1COREheIfzMaOwZnQhNQxIFp2Ra7dX9YgP0ysDCKe3jruFEwe/h+/1fDs6B2ePTi+Pzg9PfTw8/LPHqIVfecBu5MrcxebZOWMIas+UFK0xXmaNBudxZhApW3Pomdgz0GOXUp5GHPrw5qZ/Py53ThCk7ZdTH6b9FVcEyxCeU6B2x162d18pVo1Eek/ciwGyYsvJSBquxGKgk3L6t3Ffiq/KsTcwsSd0YxwgOjpMIdlzOcrJa8kI+oU/2fV8gPmqPDZ4jPJ2GSchvvbJHqE+wD3HafsMrVJ6y3+YQPM7OYDcL8gieDuX2o7sPboifm9mW53pdZKxzVjkCFC/lgojjwMFNKjykGcIvRtjoktyuvDEs7xSX4BBSeylQRYdJw2tpfQ0EBckN7ierYJymFDzb7W+C10713nJOMy4FoWGUAi/FdDUN9ItkoOmyNs4FFk172Pc0ALhhv6tfbaXemyn39vy2Gcsa3r+GFM692gb5HzBKiIZYLktAJ3kwI1smgtru/0bDvVr+ZzAcjnf5n8do2gBnHL0QJ/Km7MlL1KtfAabypOVe9SYQqxQJoxMavC315LXUk68jcwTHpX8l+AqHkQjpJfosn7RO+N4Zo2/BQWxg/2yC/Xv9EKDF/gfDwVL9V3+0s/9HaeL6zLRsKWyc8zll4f9UAezlTzJ6WNwORrBmhJ3SiGxj39tYLssjEZfoD1tc7v3CaJ7KWMVGxp1eNSdmVeJ7MdRXzGbwBXb2ie4VrkkGhWGmHq6FbS8TwkEcyniwUhGsFmSZVpxzWVasjy6+eXe4GQPiKU9hQYliHsJv/Zg2M7jFSiyG1r66YAE835zBtM7qElerUpYNS4YTiL2CsndjJoylMRZswVoArruJtU5nmYmMADaulqWMXZ+GlXITvKPCNuGE0DbhNXzreF5C6lPKgjBZr/xyt96IStsctiNX9Ms4oabpOikOYwOxw0XqErbKo8GYWOTnKEjEha4PPGSgGSSGIxWaEITFrwL06fAf9zJEIKDx175uY4j389uvoQMc1Rdz30BC57iKZVrDoVWWXRgbSws/EL/9AdKUm4MCPqtkIB4m3HzqzfkR2gbxn87t3D0EbD3/dfu7+v8nao31X9qWvo7TG5elSNo3HJ5UjmWb3duXSWlbPnpoOBzIE101eyzTZ5iBw90qGf3UErxf29z+sfKsd3ADbfbfH9Z+/9nvD0bDnf0/Rltn/8Ve+qRu4KkX6C/eVtq/upV4kH8A0Vb/vTeq//57PB7u9v9HaapCRx5SioocD83mPhNHB1lBbcMCiR95ry6b4XjmIblXiG+pUaZzOD2i/ATOP6KK0DJzrB7qWYtzEfr42bKMSgxd623WqXhoBJ1GIYtKyq4axfgEzp5qDLwl14cJhA+g1GeiWCaAgQNxj7OydMVDUxxlxLKWC0E89J//Ft2/q8BA9cHhsekCS1Sqi+s5dZnuyefiKivFeaZqUOQtuKWu8dSynJoSWfwIf3GnZz5OIjpxYyxiJHeSh1HgStTuW+pfEjYN4UhV3KIaWJWYZ5TOInKxqPJSsDaOg/FQg0kZdwZOt6M7yv/i0XN6Pefm255Vb2lWnb+/EjPrqxeO41hWJQj0LHXpXVQuiJDS8stXzbX/TZX/OJVGIQa5ovqk0OpFFX7jCFkf3+uqu0hdvN4DlS5/uutZ5mw6u31013Zt13Zt18z2f98IqUsAUAAA
   values:
     image:
       tag: v0.1.0

pkg/cmd/options.go

@@ -2,15 +2,20 @@ package cmd
 
 import (
 	controllercmd "github.com/gardener/gardener/extensions/pkg/controller/cmd"
+	extensionshealthcheckcontroller "github.com/gardener/gardener/extensions/pkg/controller/healthcheck"
+	extensionsheartbeatcontroller "github.com/gardener/gardener/extensions/pkg/controller/heartbeat"
 	webhookcmd "github.com/gardener/gardener/extensions/pkg/webhook/cmd"
-	"github.com/metal-stack/gardener-extension-audit/pkg/controller"
+	"github.com/metal-stack/gardener-extension-audit/pkg/controller/audit"
+	"github.com/metal-stack/gardener-extension-audit/pkg/controller/healthcheck"
 	"github.com/metal-stack/gardener-extension-audit/pkg/webhook/kapiserver"
 )
 
 // ControllerSwitchOptions are the controllercmd.SwitchOptions for the provider controllers.
 func ControllerSwitchOptions() *controllercmd.SwitchOptions {
 	return controllercmd.NewSwitchOptions(
-		controllercmd.Switch(controller.ControllerName, controller.AddToManager),
+		controllercmd.Switch(audit.ControllerName, audit.AddToManager),
+		controllercmd.Switch(extensionshealthcheckcontroller.ControllerName, healthcheck.AddToManager),
+		controllercmd.Switch(extensionsheartbeatcontroller.ControllerName, extensionsheartbeatcontroller.AddToManager),
 	)
 }
 

pkg/controller/actuator.go → pkg/controller/audit/actuator.go

@@ -1,4 +1,4 @@
-package controller
+package audit
 
 import (
 	"context"
@@ -23,7 +23,7 @@ import (
 	"github.com/go-logr/logr"
 	"github.com/metal-stack/gardener-extension-audit/pkg/apis/audit/v1alpha1"
 	"github.com/metal-stack/gardener-extension-audit/pkg/apis/config"
-	"github.com/metal-stack/gardener-extension-audit/pkg/controller/fluentbitconfig"
+	"github.com/metal-stack/gardener-extension-audit/pkg/fluentbitconfig"
 	"github.com/metal-stack/gardener-extension-audit/pkg/imagevector"
 	"github.com/metal-stack/metal-lib/pkg/pointer"
 	"k8s.io/apimachinery/pkg/api/resource"
@@ -274,15 +274,22 @@ func seedObjects(auditConfig *v1alpha1.AuditConfig, secrets map[string]*corev1.S
 			Data: map[string]string{
 				"fluent-bit.conf": fluentbitconfig.Config{
 					Service: map[string]string{
-						"log_level":                 "info",
+						"log_level": "info",
+
+						"http_server": "on",
+						"http_listen": "0.0.0.0",
+						"http_port":   "2020",
+
 						"storage.path":              "/data/",
 						"storage.sync":              "normal",
 						"storage.checksum":          "off",
 						"storage.max_chunks_up":     "128",
 						"storage.backlog.mem_limit": "5M",
-						"http_server":               "on",
-						"http_listen":               "0.0.0.0",
-						"http_port":                 "2020",
+
+						"health_check":           "on",
+						"hc_errors_count":        "0",
+						"hc_retry_failure_count": "0",
+						"hc_period":              "60",
 					},
 					Input: []fluentbitconfig.Input{
 						map[string]string{
@@ -333,10 +340,11 @@ func seedObjects(auditConfig *v1alpha1.AuditConfig, secrets map[string]*corev1.S
 							"networking.resources.gardener.cloud/to-audit-cluster-forwarding-vpn-gateway-tcp-9876": "allowed",
 						},
 						Annotations: map[string]string{
-							"scheduler.alpha.kubernetes.io/critical-pod": "",
-							"prometheus.io/scrape":                       "true",
-							"prometheus.io/port":                         "2020",
-							"prometheus.io/path":                         "/api/v1/metrics/prometheus",
+							"scheduler.alpha.kubernetes.io/critical-pod":              "",
+							"networking.resources.gardener.cloud/to-world-from-ports": `[{"port":2020,"protocol":"TCP"}]`,
+							"prometheus.io/scrape":                                    "true",
+							"prometheus.io/port":                                      "2020",
+							"prometheus.io/path":                                      "/api/v1/metrics/prometheus",
 						},
 					},
 					Spec: corev1.PodSpec{
@@ -452,6 +460,10 @@ func seedObjects(auditConfig *v1alpha1.AuditConfig, secrets map[string]*corev1.S
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      "audit-webhook-backend",
 				Namespace: namespace,
+				Annotations: map[string]string{
+					"networking.resources.gardener.cloud/pod-label-selector-namespace-alias": "all-shoots",
+					"networking.resources.gardener.cloud/namespace-selectors":                `[{"matchLabels":{"gardener.cloud/role":"extension"}}]`,
+				},
 			},
 			Spec: corev1.ServiceSpec{
 				Selector: map[string]string{
@@ -463,6 +475,11 @@ func seedObjects(auditConfig *v1alpha1.AuditConfig, secrets map[string]*corev1.S
 						Port:     9880,
 						Protocol: corev1.ProtocolTCP,
 					},
+					{
+						Name:     "api",
+						Port:     2020,
+						Protocol: corev1.ProtocolTCP,
+					},
 				},
 			},
 		},

pkg/controller/add.go → pkg/controller/audit/add.go

@@ -1,4 +1,4 @@
-package controller
+package audit
 
 import (
 	"github.com/gardener/gardener/extensions/pkg/controller/extension"

pkg/controller/healthcheck/backend.go

@@ -0,0 +1,74 @@
+package healthcheck
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"net/http"
+
+	"github.com/gardener/gardener/extensions/pkg/controller/healthcheck"
+	gardencorev1beta1 "github.com/gardener/gardener/pkg/apis/core/v1beta1"
+
+	"github.com/go-logr/logr"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+type BackendHealthChecker struct {
+	logger     logr.Logger
+	httpClient *http.Client
+}
+
+func backendHealth() healthcheck.HealthCheck {
+	return &BackendHealthChecker{
+		httpClient: http.DefaultClient,
+	}
+}
+
+func (h *BackendHealthChecker) SetLoggerSuffix(provider, extension string) {
+	h.logger = h.logger.WithName(fmt.Sprintf("%s-%s-healthcheck-backend", provider, extension))
+}
+
+func (h *BackendHealthChecker) DeepCopy() healthcheck.HealthCheck {
+	copy := *h
+	return &copy
+}
+
+func (h *BackendHealthChecker) Check(ctx context.Context, request types.NamespacedName) (*healthcheck.SingleCheckResult, error) {
+	err := h.check(ctx, request.Namespace)
+	if err != nil {
+		return &healthcheck.SingleCheckResult{ // nolint:nilerr
+			Status: gardencorev1beta1.ConditionFalse,
+			Detail: err.Error(),
+		}, nil
+	}
+
+	return &healthcheck.SingleCheckResult{
+		Status: gardencorev1beta1.ConditionTrue,
+	}, nil
+}
+
+func (h *BackendHealthChecker) check(ctx context.Context, namespace string) error {
+	url := fmt.Sprintf("http://audit-webhook-backend.%s.svc.cluster.local:2020/api/v1/health", namespace)
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	if err != nil {
+		return fmt.Errorf("unable to create http request: %w", err)
+	}
+
+	resp, err := h.httpClient.Do(req)
+	if err != nil {
+		return fmt.Errorf("unable to do http request: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode == http.StatusOK {
+		return nil
+	}
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return fmt.Errorf("unable to read http body: %w", err)
+	}
+
+	return fmt.Errorf("backend is unhealthy since errors or failued have occurred in the last minute time frame: %s", string(body))
+}

pkg/controller/healthcheck/registration.go

@@ -0,0 +1,49 @@
+package healthcheck
+
+import (
+	"time"
+
+	extensionsconfig "github.com/gardener/gardener/extensions/pkg/apis/config"
+	"github.com/gardener/gardener/extensions/pkg/controller/healthcheck"
+	gardencorev1beta1 "github.com/gardener/gardener/pkg/apis/core/v1beta1"
+	extensionsv1alpha1 "github.com/gardener/gardener/pkg/apis/extensions/v1alpha1"
+	"github.com/metal-stack/gardener-extension-audit/pkg/controller/audit"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+)
+
+var (
+	defaultSyncPeriod = time.Second * 30
+	// DefaultAddOptions contains configuration for the health check controller.
+	DefaultAddOptions = healthcheck.DefaultAddArgs{
+		HealthCheckConfig: extensionsconfig.HealthCheckConfig{SyncPeriod: metav1.Duration{Duration: defaultSyncPeriod}},
+	}
+)
+
+// RegisterHealthChecks registers health checks for each extension resource
+// HealthChecks are grouped by extension (e.g worker), extension.type (e.g aws) and  Health Check Type (e.g SystemComponentsHealthy)
+func RegisterHealthChecks(mgr manager.Manager, opts healthcheck.DefaultAddArgs) error {
+	return healthcheck.DefaultRegistration(
+		audit.Type,
+		extensionsv1alpha1.SchemeGroupVersion.WithKind(extensionsv1alpha1.ExtensionResource),
+		func() client.ObjectList { return &extensionsv1alpha1.ExtensionList{} },
+		func() extensionsv1alpha1.Object { return &extensionsv1alpha1.Extension{} },
+		mgr,
+		opts,
+		nil,
+		[]healthcheck.ConditionTypeToHealthCheck{
+			{
+				ConditionType: string(gardencorev1beta1.ShootControlPlaneHealthy),
+				HealthCheck:   backendHealth(),
+			},
+		},
+		sets.New(gardencorev1beta1.ShootSystemComponentsHealthy),
+	)
+}
+
+// AddToManager adds a controller with the default Options.
+func AddToManager(mgr manager.Manager) error {
+	return RegisterHealthChecks(mgr, DefaultAddOptions)
+}