Use audit policy and splunk secret from resource references. (#5)

README.md

@@ -1,7 +1,26 @@
 # gardener-extension-audit
 
-Provides a Gardener extension for sending audit traces to a backend and forwarding them into the shoot cluster.
+Provides a Gardener extension for managing kube-apiserver audit logs for a shoot cluster.
+
+The extension spins up a fluentbit-based audit sink in the seed's shoot namespace prior to starting the shoot's API server. Therefore, it is required to run this extension with the reconcile lifecycle policy `BeforeKubeAPIServer`.
+
+This sink has the ability to buffer audit logs to a persistent volume and send them to the supported backends.
+
+## Specifying An Audit Policy
+
+A custom audit policy can be natively configured by Gardener in the shoot spec's API server configuration under `.spec.kubernetes.kubeAPIServer.auditConfig.auditPolicy.configMapRef.name`.
 
 ## Supported Backends
 
+- Log (just logs to the container, only for devel-purposes)
+- Cluster Forwarding (forwards audit logs into a pod in the shoot cluster, should not be used for production purposes)
 - Splunk
+
+## Development
+
+This extension can be developed in the gardener-local devel environment.
+
+1. Start up the local devel environment
+1. The extension's docker image can be pushed into Kind using `make push-to-gardener-local`
+1. Install the extension `kubectl apply -k example/`
+1. Parametrize the `example/shoot.yaml` and apply with `kubectl -f example/shoot.yaml`

example/10-custom-audit-policy.yaml

@@ -0,0 +1,21 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: custom-audit-policy
+  namespace: garden-local
+data:
+  policy: |
+    apiVersion: audit.k8s.io/v1
+    kind: Policy
+    omitStages:
+      - "RequestReceived"
+    rules:
+      - level: RequestResponse
+        resources:
+        - group: ""
+          resources: ["pods"]
+      - level: Metadata
+        resources:
+        - group: ""
+          resources: ["pods/log", "pods/status"]

example/10-splunk-secret.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: splunk-secret
+  namespace: garden-local
+stringData:
+  token: <hec token>
+  ca: |
+    -----BEGIN CERTIFICATE-----
+    <cert>
+    -----END CERTIFICATE-----
+    -----BEGIN CERTIFICATE-----
+    <cert>
+    -----END CERTIFICATE-----

example/shoot.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: core.gardener.cloud/v1beta1
 kind: Shoot
 metadata:
@@ -17,41 +18,26 @@ spec:
       apiVersion: audit.metal.extensions.gardener.cloud/v1alpha1
       kind: AuditConfig
       webhookMode: blocking
+      # persistence:
+      #   size: 10Gi
       backends:
         log:
           enabled: true
-        clusterForwarding:
-          enabled: false
-        splunk:
-          enabled: true
-          index: <splunk index>
-          host: splunk-endpoint.example.com
-          port: "443"
-          hecToken: <hec token>
-          caFile: |
-            -----BEGIN CERTIFICATE-----
-            <cert>
-            -----END CERTIFICATE-----
-            -----BEGIN CERTIFICATE-----
-            <cert>
-            -----END CERTIFICATE-----
-          tls: true
-      # persistence:
-      #   size: 10Gi
-      # auditPolicy: |
-      #   apiVersion: audit.k8s.io/v1
-      #   kind: Policy
-      #   omitStages:
-      #     - "RequestReceived"
-      #   rules:
-      #     - level: RequestResponse
-      #       resources:
-      #       - group: ""
-      #         resources: ["pods"]
-      #     - level: Metadata
-      #       resources:
-      #       - group: ""
-      #         resources: ["pods/log", "pods/status"]
+        # clusterForwarding:
+        #   enabled: true
+        # splunk:
+        #   enabled: true
+        #   index: <splunk index>
+        #   host: splunk-endpoint.example.com
+        #   port: "443"
+        #   secretResourceName: splunk-secret
+        #   tls: true
+  # resources:
+  #   - name: splunk-secret
+  #     resourceRef:
+  #       apiVersion: v1
+  #       kind: Secret
+  #       name: splunk-secret
   networking:
     type: calico
     providerConfig:
@@ -78,3 +64,8 @@ spec:
       registryBurst: 20
       protectKernelDefaults: true
       streamingConnectionIdleTimeout: 5m
+    # kubeAPIServer:
+    #   auditConfig:
+    #     auditPolicy:
+    #       configMapRef:
+    #         name: custom-audit-policy

pkg/apis/audit/types.go

@@ -27,10 +27,6 @@ type AuditConfig struct {
 	// WebhookMode allows to select which auditing mode - batching or blocking - should be used.
 	WebhookMode AuditWebhookMode
 
-	// AuditPolicy contains the audit policy to be used for the cluster, as unencoded string.
-	// If none is supplied, a default auditpolicy is used.
-	AuditPolicy *string
-
 	// Backends contains the settings for the various backends.
 	Backends *AuditBackends
 }
@@ -85,10 +81,13 @@ type AuditBackendSplunk struct {
 	// Port ist the port on which the HEC endpoint is listening.
 	Port string
 
-	// Token is the splunk HEC token necessary to send log data to this Host/Index.
-	Token string
-	// CaFile contains, in an unencoded string, the CA (bundle) of the CA that signed the HEC endpoint's server certificate.
-	CaFile string
+	// SecretResourceName is a reference under Shoot.spec.resources to the secret used to authenticate against the splunk backend.
+	//
+	// The referenced secret may contain the following keys:
+	//
+	// - token: Required, hec token to authenticate against this host/index
+	// - ca: Optional, the CA (bundle) that signed the HEC endpoint's server certificate as an unencoded string.
+	SecretResourceName string
 
 	// TlsEnabled determines whether TLS should be used to communicate to the HEC endpoint.
 	TlsEnabled bool

pkg/apis/audit/v1alpha1/types.go

@@ -13,6 +13,9 @@ const (
 	AuditWebhookModeBatch          AuditWebhookMode = "batch"
 	AuditWebhookModeBlocking       AuditWebhookMode = "blocking"
 	AuditWebhookModeBlockingStrict AuditWebhookMode = "blocking-strict"
+
+	SplunkSecretTokenKey  = "token"
+	SplunkSecretCaFileKey = "ca"
 )
 
 type (
@@ -32,10 +35,6 @@ type AuditConfig struct {
 	// WebhookMode allows to select which auditing mode - batching or blocking - should be used.
 	WebhookMode AuditWebhookMode `json:"webhookMode,omitempty"`
 
-	// AuditPolicy contains the audit policy to be used for the cluster, as unencoded string.
-	// If none is supplied, a default auditpolicy is used.
-	AuditPolicy *string `json:"auditPolicy,omitempty"`
-
 	// Backends contains the settings for the various backends.
 	Backends *AuditBackends `json:"backends,omitempty"`
 }
@@ -96,11 +95,13 @@ type AuditBackendSplunk struct {
 	// Port ist the port on which the HEC endpoint is listening.
 	Port string `json:"port"`
 
-	// Token is the splunk HEC token necessary to send log data to this Host/Index.
-	Token string `json:"hecToken"`
-
-	// CaFile contains, in an unencoded string, the CA (bundle) of the CA that signed the HEC endpoint's server certificate.
-	CaFile string `json:"caFile"`
+	// SecretResourceName is a reference under Shoot.spec.resources to the secret used to authenticate against the splunk backend.
+	//
+	// The referenced secret may contain the following keys:
+	//
+	// - token: Required, hec token to authenticate against this host/index
+	// - ca: Optional, the CA (bundle) that signed the HEC endpoint's server certificate as an unencoded string.
+	SecretResourceName string `json:"secretResourceName"`
 
 	// TlsEnabled determines whether TLS should be used to communicate to the HEC endpoint.
 	TlsEnabled bool `json:"tls"`