Description
User Need
As a Platform Engineer
I want to deploy Tetragon to our production environments
so that we can capture kubectl exec logs for auditing purposes
Context
This follows on from the POC work. If the POC is accepted, there are a few things we would need to do before pushing to production.
What’s Needed
List anything the solution must do or be (behaviour, performance, security, UX, etc.).
- create an ADR outlining our decision
- optimise our Fluent Bit config to handle the log volume we might experience in production so that we don't drop logs (filesystem buffering and memory limits, see https://docs.fluentbit.io/manual/administration/backpressure)
- centralise the disparate Fluent Bit configs into the DaemonSet
- add fluent-bit and tetragon to the renovate config
- consider enriching the current exec data with *who* ran the command; Tetragon only records the process, pod and container, so for this you would need to pull the kubectl exec entries (verb `create` on the `pods/exec` subresource) from the API server audit logs and cross-check them against the time, pod and container data in the Tetragon audit log
- consider enabling S3 Object Lock on the audit bucket so that captured logs cannot be deleted or overwritten during the retention period
- consider adding another bucket to capture S3 server access logs for the audit bucket; should we ship these to Cyber like forms-deploy?
- add the following bucket policy to our S3 module (it denies every S3 action made over TLS below 1.2, so plaintext or TLS 1.0/1.1 clients are rejected) and configure Fluent Bit to enable TLS on its S3 output too
```hcl
# Deny any S3 request on the bucket or its objects that is not made over
# TLS 1.2 or newer. Attach the rendered document to the bucket with an
# aws_s3_bucket_policy resource; on its own the data source does nothing.
data "aws_iam_policy_document" "require_latest_tls" {
  statement {
    sid    = "denyOutdatedTLS"
    effect = "Deny"
    actions = ["s3:*"]
    resources = [
      aws_s3_bucket.this.arn,
      "${aws_s3_bucket.this.arn}/*",
    ]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    # s3:TlsVersion is absent on plaintext requests, and NumericLessThan
    # on a missing key does not match, so pair this with an
    # aws:SecureTransport = false deny if plaintext must be blocked too.
    condition {
      test     = "NumericLessThan"
      variable = "s3:TlsVersion"
      values   = ["1.2"]
    }
  }
}
```
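A worked illustration of the enrichment idea above (cross-checking Tetragon exec events against kube-apiserver audit entries). This is an added example written for this issue, not code from Tetragon or from our repo; the log lines are constructed samples in the default Tetragon JSON export format and the kube-apiserver audit `Event` format, and the matching window (10 s before the exec, 1 s after) is an assumed tuning value. It goes slightly beyond the bullet by flagging the case where several users exec'd into the same pod inside the window rather than guessing.

```python
"""Attribute Tetragon process_exec events to kubectl exec requests in the
API server audit log. Added example with constructed sample data; assumes
Tetragon's default JSON export and the kube-apiserver audit Event format."""
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed audit-log sample: alice execs into api-7d9f, bob only GETs the
# pod (not an exec), carol execs into worker-1 much earlier than its event.
AUDIT_LOG = r"""
{"kind":"Event","stage":"ResponseStarted","verb":"create","user":{"username":"alice@example.com"},"objectRef":{"resource":"pods","subresource":"exec","namespace":"payments","name":"api-7d9f"},"requestURI":"/api/v1/namespaces/payments/pods/api-7d9f/exec?command=%2Fbin%2Fsh&container=api&stdin=true&tty=true","requestReceivedTimestamp":"2024-05-01T10:00:02.100000Z"}
{"kind":"Event","stage":"ResponseStarted","verb":"get","user":{"username":"bob@example.com"},"objectRef":{"resource":"pods","namespace":"payments","name":"api-7d9f"},"requestURI":"/api/v1/namespaces/payments/pods/api-7d9f","requestReceivedTimestamp":"2024-05-01T10:00:02.500000Z"}
{"kind":"Event","stage":"ResponseStarted","verb":"create","user":{"username":"carol@example.com"},"objectRef":{"resource":"pods","subresource":"exec","namespace":"payments","name":"worker-1"},"requestURI":"/api/v1/namespaces/payments/pods/worker-1/exec?command=id&container=worker","requestReceivedTimestamp":"2024-05-01T10:05:00.000000Z"}
"""

# Constructed Tetragon export sample: a shell spawned right after alice's
# request, and an `id` in worker-1 with no exec request near it in time.
TETRAGON_LOG = r"""
{"process_exec":{"process":{"exec_id":"AAAA","pid":4242,"binary":"/bin/sh","arguments":"","pod":{"namespace":"payments","name":"api-7d9f","container":{"name":"api"}}}},"node_name":"node-1","time":"2024-05-01T10:00:03.500Z"}
{"process_exec":{"process":{"exec_id":"BBBB","pid":4300,"binary":"/usr/bin/id","arguments":"","pod":{"namespace":"payments","name":"worker-1","container":{"name":"worker"}}}},"node_name":"node-2","time":"2024-05-01T10:30:00.000Z"}
"""


def _ts(value):
    # Both logs use RFC 3339 with a trailing Z; normalise to aware UTC.
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_exec_requests(audit_lines):
    """Keep only `create pods/exec` audit events; the target container and
    command live in the request URI query string, not in objectRef."""
    requests = []
    for line in audit_lines.strip().splitlines():
        ev = json.loads(line)
        ref = ev.get("objectRef", {})
        if ev.get("verb") != "create" or ref.get("resource") != "pods" \
                or ref.get("subresource") != "exec":
            continue
        query = parse_qs(urlsplit(ev["requestURI"]).query)
        requests.append({
            "user": ev["user"]["username"],
            "namespace": ref["namespace"],
            "pod": ref["name"],
            "container": query.get("container", [None])[0],
            "command": query.get("command", []),
            "time": _ts(ev["requestReceivedTimestamp"]),
        })
    return requests


def parse_tetragon_execs(tetragon_lines):
    """Keep process_exec events that carry pod metadata (host processes have none)."""
    execs = []
    for line in tetragon_lines.strip().splitlines():
        ev = json.loads(line)
        proc = ev.get("process_exec", {}).get("process")
        if not proc or "pod" not in proc:
            continue
        execs.append({
            "exec_id": proc["exec_id"],
            "binary": proc["binary"],
            "namespace": proc["pod"]["namespace"],
            "pod": proc["pod"]["name"],
            "container": proc["pod"]["container"]["name"],
            "time": _ts(ev["time"]),
        })
    return execs


def enrich(execs, requests, before=timedelta(seconds=10), after=timedelta(seconds=1)):
    """Attach the audit user whose exec request hit the same namespace/pod
    (and container, when the URI named one) and was received inside
    [exec_time - before, exec_time + after]. Assumed window: tune per cluster.
    `user` is set only when exactly one distinct user matches; otherwise the
    event is left unattributed and all candidate users are listed."""
    enriched = []
    for ex in execs:
        candidates = [
            r for r in requests
            if r["namespace"] == ex["namespace"] and r["pod"] == ex["pod"]
            and (r["container"] is None or r["container"] == ex["container"])
            and ex["time"] - before <= r["time"] <= ex["time"] + after
        ]
        users = sorted({c["user"] for c in candidates})
        enriched.append({**ex, "user": users[0] if len(users) == 1 else None,
                         "candidates": users})
    return enriched


if __name__ == "__main__":
    for row in enrich(parse_tetragon_execs(TETRAGON_LOG), parse_exec_requests(AUDIT_LOG)):
        print(row["exec_id"], row["pod"], row["binary"], "->", row["user"] or "UNATTRIBUTED")
```

Only the first process of the exec session (the shell or command kubectl launched) falls inside the window; children of that shell show up as separate Tetragon events later, so in practice you would propagate the attribution down the `parent_exec_id` chain rather than re-matching every event against the audit log.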
Acceptance Criteria
Clear, measurable conditions to verify the story is complete and valuable.
- We are not dropping logs under production exec volume (Fluent Bit reports no `storage` or `mem_buf_limit` pauses/drops in its metrics)
- We are happy with the level of security and auditing for our shared S3 module (TLS 1.2+ enforced, object retention and access logging decided)
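For the "not dropping logs" criterion, this is the shape of Fluent Bit config the backpressure doc points at: filesystem-backed buffering on the tail input so the Tetragon export can outrun S3 uploads without events being discarded from memory. This is an added example for this issue, not our current config or anything from the Tetragon or Fluent Bit projects; the bucket name, region, storage paths and all size limits are placeholders to be tuned, and the `tls`/`tls.verify` lines assume the s3 output honours the generic TLS keys.

```ini
[SERVICE]
    flush                     5
    parsers_file              parsers.conf
    # Spill chunks to disk instead of holding everything in memory.
    storage.path              /var/log/flb-storage/
    storage.sync              normal
    storage.checksum          off
    # Memory cap for chunks replayed from disk after a restart (assumed value).
    storage.backlog.mem_limit 64M
    # How many filesystem chunks may be resident in memory at once (assumed value).
    storage.max_chunks_up     128

[INPUT]
    name                              tail
    tag                               tetragon.exec
    path                              /var/run/cilium/tetragon/tetragon.log
    parser                            json
    db                                /var/log/flb-storage/tetragon.db
    # With filesystem storage, hitting mem_buf_limit pauses ingestion rather
    # than dropping; tail resumes from its db offset once chunks flush.
    mem_buf_limit                     32M
    storage.type                      filesystem
    storage.pause_on_chunks_overlimit on

[OUTPUT]
    name                     s3
    match                    tetragon.*
    bucket                   example-tetragon-audit
    region                   eu-west-2
    s3_key_format            /tetragon/%Y/%m/%d/$UUID.gz
    compression              gzip
    use_put_object           on
    total_file_size          50M
    upload_timeout           5m
    store_dir                /var/log/flb-storage/s3
    # Upper bound on on-disk backlog for this output (assumed value).
    storage.total_limit_size 2G
    # Matches the bucket policy that denies TLS < 1.2 (assumed keys for s3 output).
    tls                      on
    tls.verify               on
```

The `storage.total_limit_size` on the output is the one knob that still drops data: once the on-disk backlog reaches it, the oldest chunks for that output are discarded, so size it against the node's disk and alert on the `fluentbit_output_dropped_records_total` metric.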