feat(shard): Add audit policy options (#141)

Add an easy way to mount a ConfigMap containing the policy file into the
shard container and let the operator configure the --audit-policy-file
flag for the target path.

on-behalf-of: @eon-se opensource@eon.com

Signed-off-by: Maximilian Blatt <maximilian.blatt.external@eon.com>

Author: MisterMX

config/crd/bases/operator.kcp.io_rootshards.yaml

@@ -51,6 +51,25 @@ spec:
             properties:
               audit:
                 properties:
+                  policy:
+                    description: Audit policy configuration.
+                    properties:
+                      configMap:
+                        description: |-
+                          ConfigMap is a reference to the ConfigMap containing the audit policy
+                          file which is mounted into the container.
+                        properties:
+                          key:
+                            description: Key in the data.
+                            type: string
+                          name:
+                            description: Name of the object.
+                            type: string
+                        required:
+                        - key
+                        - name
+                        type: object
+                    type: object
                   webhook:
                     properties:
                       batchBufferSize:

config/crd/bases/operator.kcp.io_shards.yaml

@@ -51,6 +51,25 @@ spec:
             properties:
               audit:
                 properties:
+                  policy:
+                    description: Audit policy configuration.
+                    properties:
+                      configMap:
+                        description: |-
+                          ConfigMap is a reference to the ConfigMap containing the audit policy
+                          file which is mounted into the container.
+                        properties:
+                          key:
+                            description: Key in the data.
+                            type: string
+                          name:
+                            description: Name of the object.
+                            type: string
+                        required:
+                        - key
+                        - name
+                        type: object
+                    type: object
                   webhook:
                     properties:
                       batchBufferSize:

internal/resources/utils/audit.go

@@ -26,14 +26,55 @@ import (
 )
 
 func applyAuditConfiguration(deployment *appsv1.Deployment, config *operatorv1alpha1.AuditSpec) *appsv1.Deployment {
-	if config == nil || config.Webhook == nil {
+	if config == nil {
 		return deployment
 	}
 
-	return applyAuditWebhookConfiguration(deployment, *config.Webhook)
+	applyAuditPolicyConfiguration(deployment, config.Policy)
+	applyAuditWebhookConfiguration(deployment, config.Webhook)
+	return deployment
 }
 
-func applyAuditWebhookConfiguration(deployment *appsv1.Deployment, config operatorv1alpha1.AuditWebhookSpec) *appsv1.Deployment {
+func applyAuditPolicyConfiguration(deployment *appsv1.Deployment, config *operatorv1alpha1.AuditPolicySpec) {
+	if config == nil {
+		return
+	}
+
+	podSpec := deployment.Spec.Template.Spec
+
+	var extraArgs []string
+
+	if config.ConfigMap != nil {
+		volumeName := "audit-policy"
+		mountPath := "/etc/kcp/audit/policy"
+
+		podSpec.Volumes = append(podSpec.Volumes, corev1.Volume{
+			Name: volumeName,
+			VolumeSource: corev1.VolumeSource{
+				ConfigMap: &corev1.ConfigMapVolumeSource{
+					LocalObjectReference: corev1.LocalObjectReference{
+						Name: config.ConfigMap.Name,
+					},
+				},
+			},
+		})
+		podSpec.Containers[0].VolumeMounts = append(podSpec.Containers[0].VolumeMounts, corev1.VolumeMount{
+			Name:      volumeName,
+			ReadOnly:  true,
+			MountPath: mountPath,
+		})
+		extraArgs = append(extraArgs, fmt.Sprintf("--audit-policy-file=%s/%s", mountPath, config.ConfigMap.Key))
+	}
+
+	podSpec.Containers[0].Args = append(podSpec.Containers[0].Args, extraArgs...)
+	deployment.Spec.Template.Spec = podSpec
+}
+
+func applyAuditWebhookConfiguration(deployment *appsv1.Deployment, config *operatorv1alpha1.AuditWebhookSpec) {
+	if config == nil {
+		return
+	}
+
 	podSpec := deployment.Spec.Template.Spec
 
 	var extraArgs []string
@@ -109,6 +150,4 @@ func applyAuditWebhookConfiguration(deployment *appsv1.Deployment, config operat
 
 	podSpec.Containers[0].Args = append(podSpec.Containers[0].Args, extraArgs...)
 	deployment.Spec.Template.Spec = podSpec
-
-	return deployment
 }

sdk/apis/operator/v1alpha1/common.go

@@ -70,6 +70,16 @@ type ObjectReference struct {
 	Group string `json:"group,omitempty"`
 }
 
+// LocalDataKeyReference is a reference to a namespace-local object storing
+// key-value data, i.e. ConfigMap or Secret.
+type LocalDataKeyReference struct {
+	// Name of the object.
+	Name string `json:"name"`
+
+	// Key in the data.
+	Key string `json:"key"`
+}
+
 type Certificate string
 
 const (

sdk/apis/operator/v1alpha1/shard_types.go

@@ -87,6 +87,15 @@ type CommonShardSpec struct {
 
 type AuditSpec struct {
 	Webhook *AuditWebhookSpec `json:"webhook,omitempty"`
+
+	// Audit policy configuration.
+	Policy *AuditPolicySpec `json:"policy,omitempty"`
+}
+
+type AuditPolicySpec struct {
+	// ConfigMap is a reference to the ConfigMap containing the audit policy
+	// file which is mounted into the container.
+	ConfigMap *LocalDataKeyReference `json:"configMap,omitempty"`
 }
 
 type ShardCacheConfig struct {