kubernetes-sigs
diff --git a/‎Dockerfile.ubi‎
Lines changed: 2 additions & 2 deletions b/‎Dockerfile.ubi‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎api/spod/v1alpha1/spod_types.go‎
Lines changed: 30 additions & 0 deletions b/‎api/spod/v1alpha1/spod_types.go‎
Lines changed: 30 additions & 0 deletions
diff --git a/‎api/spod/v1alpha1/zz_generated.deepcopy.go‎
Lines changed: 21 additions & 1 deletion b/‎api/spod/v1alpha1/zz_generated.deepcopy.go‎
Lines changed: 21 additions & 1 deletion
diff --git a/‎bundle/manifests/security-profiles-operator-profile_v1_configmap.yaml‎
Lines changed: 6 additions & 0 deletions b/‎bundle/manifests/security-profiles-operator-profile_v1_configmap.yaml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎cmd/security-profiles-operator/main.go‎
Lines changed: 139 additions & 26 deletions b/‎cmd/security-profiles-operator/main.go‎
Lines changed: 139 additions & 26 deletions
@@ -18,7 +18,7 @@
 # for more details
 
 # hash below referred to latest
-FROM registry.access.redhat.com/ubi8/go-toolset@sha256:f28b875248f01fec44db5a5a0d842c89540c702144b341ee826d336bed5edaca AS build
+FROM registry.access.redhat.com/ubi8/go-toolset@sha256:621eebfdfc044df4bd4b50ec11f8791bc68986a7b0aa00089777b17bd2e9c751 AS build
 USER root
 WORKDIR /work
 
@@ -45,7 +45,7 @@ ARG STATIC_LINK=no
 RUN make
 
 # hash below referred to latest
-FROM registry.access.redhat.com/ubi9/ubi-minimal@sha256:92b1d5747a93608b6adb64dfd54515c3c5a360802db4706765ff3d8470df6290
+FROM registry.access.redhat.com/ubi9/ubi-minimal@sha256:11db23b63f9476e721f8d0b8a2de5c858571f76d5a0dae2ec28adf08cbaf3652
 ARG version
 USER root
 
 
@@ -246,6 +246,24 @@ type JsonEnricherOptions struct {
 	// within this interval are grouped together. The default is 60 seconds.
 	// Increasing this interval will reduce the rate at which logs are written.
 	AuditLogIntervalSeconds int32 `json:"auditLogIntervalSeconds,omitempty"`
+
+	// This field specifies the path for the accumulated audit log data.
+	// The audit log will be written to this file in JSON format if a file path
+	// is provided. If left unspecified, the output will be directed to
+	// standard output (stdout).
+	AuditLogPath *string `json:"auditLogPath,omitempty"`
+
+	// This field specifies the maximum number of audit log files to retain.
+	// If left unspecified it defaults to 100 MB.
+	AuditLogMaxSize *int32 `json:"auditLogMaxSize,omitempty"`
+
+	// This field specifies the maximum size in megabytes of the audit log file before it gets rotated.
+	// The default is to retain all old log files (though MaxAge may still cause them to get deleted.)
+	AuditLogMaxBackups *int32 `json:"auditLogMaxBackups,omitempty"`
+
+	// This field specifies the maximum number of days to retain old audit log files
+	// The default is not to remove old log files based on age
+	AuditLogMaxAge *int32 `json:"auditLogMaxAge,omitempty"`
 }
 
 type WebhookOptions struct {
@@ -347,6 +365,18 @@ type SPODSpec struct {
 	// artifact signature verification.
 	// +optional
 	DisableOCIArtifactSignatureVerification bool `json:"disableOciArtifactSignatureVerification"`
+
+	// LogEnricherFilters if defined, an optional JSON-format filter to determine if log lines should be emitted
+	// for the log-enricher. Defaults to an empty string, meaning no filter is applied and all lines are logged.
+	// +optional
+	// +kubebuilder:default=""
+	LogEnricherFilters string `json:"logEnricherFilters,omitempty"`
+
+	// JsonEnricherFilters if defined, an optional JSON-format filter to determine if log lines should be emitted
+	// for the json-enricher. Defaults to an empty string, meaning no filter is applied and all lines are logged.
+	// +optional
+	// +kubebuilder:default=""
+	JsonEnricherFilters string `json:"jsonEnricherFilters,omitempty"`
 }
 
 // SPODState defines the state that the spod is in.
 
@@ -1,5 +1,11 @@
 apiVersion: v1
 data:
+  json-enricher-log-volume-source.json: |
+    {
+      "emptyDir": {
+        "sizeLimit": "500Mi"
+      }
+    }
   bpf-recorder.json: |
     {
       "defaultAction": "SCMP_ACT_ERRNO",
 
@@ -26,8 +26,10 @@ import (
 	_ "net/http/pprof" //nolint:gosec // required for profiling
 	"os"
 	"os/exec"
+	"os/signal"
 	"strconv"
 	"strings"
+	"syscall"
 	"time"
 
 	certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
@@ -73,25 +75,31 @@ import (
 	"sigs.k8s.io/security-profiles-operator/internal/pkg/util"
 	"sigs.k8s.io/security-profiles-operator/internal/pkg/version"
 	"sigs.k8s.io/security-profiles-operator/internal/pkg/webhooks/binding"
+	"sigs.k8s.io/security-profiles-operator/internal/pkg/webhooks/execmetadata"
 	"sigs.k8s.io/security-profiles-operator/internal/pkg/webhooks/recording"
 )
 
 const (
-	spocCmd                             string = "spoc"
-	jsonFlag                            string = "json"
-	nodeStatusControllerFlag            string = "with-nodestatus-controller"
-	spodControllerFlag                  string = "with-spod-controller"
-	workloadAnnotatorFlag               string = "with-workload-annotator"
-	recordingMergerFlag                 string = "with-recording-merger"
-	recordingFlag                       string = "with-recording"
-	seccompFlag                         string = "with-seccomp"
-	selinuxFlag                         string = "with-selinux"
-	apparmorFlag                        string = "with-apparmor"
-	webhookFlag                         string = "webhook"
-	memOptimFlag                        string = "with-mem-optim"
-	defaultWebhookPort                  int    = 9443
-	auditLogIntervalSecondsParam        string = "audit-log-interval-seconds"
-	defaultAuditLogFlushIntervalSeconds int    = 60
+	spocCmd                      string = "spoc"
+	jsonFlag                     string = "json"
+	nodeStatusControllerFlag     string = "with-nodestatus-controller"
+	spodControllerFlag           string = "with-spod-controller"
+	workloadAnnotatorFlag        string = "with-workload-annotator"
+	recordingMergerFlag          string = "with-recording-merger"
+	recordingFlag                string = "with-recording"
+	seccompFlag                  string = "with-seccomp"
+	selinuxFlag                  string = "with-selinux"
+	apparmorFlag                 string = "with-apparmor"
+	webhookFlag                  string = "webhook"
+	memOptimFlag                 string = "with-mem-optim"
+	defaultWebhookPort           int    = 9443
+	auditLogIntervalSecondsParam string = "audit-log-interval-seconds"
+	auditLogPathParam            string = "audit-log-path"
+	auditLogMaxSizeParam         string = "audit-log-maxsize"
+	// The plural form is not used for audit-log-file-maxbackup to match the k8s api server audit log options.
+	auditLogMaxBackupParam   string = "audit-log-maxbackup"
+	auditLogMaxAgeParam      string = "audit-log-maxage"
+	enricherFiltersJsonParam string = "enricher-filters-json"
 )
 
 var (
@@ -100,6 +108,21 @@ var (
 )
 
 func main() {
+	// This is required to close any open resource like a file
+	mainctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	sigChan := make(chan os.Signal, 1)
+
+	signal.Notify(sigChan, syscall.SIGINT, syscall.SIGTERM)
+
+	go func() {
+		sig := <-sigChan
+		// No logger may be available hence using fmt
+		fmt.Printf("\nReceived OS signal: %s. Initiating graceful shutdown...\n", sig)
+		cancel()
+	}()
+
 	app, info := cmd.DefaultApp()
 	app.Name = config.OperatorName
 	app.Usage = "Kubernetes Security Profiles Operator"
@@ -231,6 +254,13 @@ func main() {
 			Name:    "log-enricher",
 			Aliases: []string{"l"},
 			Usage:   "run the audit's log enricher",
+			Flags: []cli.Flag{
+				&cli.StringFlag{
+					Name:  enricherFiltersJsonParam,
+					Value: "",
+					Usage: "Log Enricher filters JSON.",
+				},
+			},
 			Action: func(ctx *cli.Context) error {
 				return runLogEnricher(ctx, info)
 			},
@@ -241,13 +271,61 @@ func main() {
 			Aliases: []string{"j"},
 			Usage:   "run the audit's json enricher",
 			Action: func(ctx *cli.Context) error {
-				return runJsonEnricher(ctx, info)
+				jsonEnricher, err := getJsonEnricher(ctx, info)
+				if err != nil {
+					return fmt.Errorf("could not create json enricher: %w", err)
+				}
+
+				runErr := make(chan error)
+				go jsonEnricher.Run(mainctx, runErr)
+
+				select {
+				case <-runErr:
+					return fmt.Errorf("error while executing JSON Enricher: %w", <-runErr)
+				case <-mainctx.Done():
+					// Cannot use CLI "After" as exit signal won't invoke it
+					fmt.Printf("Exit JSON Enricher")
+					jsonEnricher.ExitJsonEnricher(ctx)
+
+					return nil
+				}
 			},
 			Flags: []cli.Flag{
 				&cli.IntFlag{
 					Name:    auditLogIntervalSecondsParam,
 					Aliases: []string{"a"},
-					Usage:   "Audit log interval in seconds for the JSON Log Enricher",
+					Value:   60,
+					Usage:   "Audit log interval in seconds for the JSON Log Enricher.",
+				},
+				&cli.StringFlag{
+					Name:  auditLogPathParam,
+					Value: "",
+					Usage: "Audit log file path for the JSON Log Enricher. Default is stdout.",
+				},
+				&cli.IntFlag{
+					Name:  auditLogMaxBackupParam,
+					Value: 0,
+					Usage: "Audit log max file backup for the JSON Log Enricher. " +
+						"The maximum number of old audit log files to retain. " +
+						"Setting a value of 0 will mean there's no restriction on the number of files.",
+				},
+				&cli.IntFlag{
+					Name:  auditLogMaxSizeParam,
+					Value: 100,
+					Usage: "Audit log max file size for the JSON Log Enricher. " +
+						"The maximum size in megabytes of the audit log file before it gets rotated.",
+				},
+				&cli.IntFlag{
+					Name:  auditLogMaxAgeParam,
+					Value: 0,
+					Usage: "Audit log max age for the JSON Log Enricher. " +
+						"The maximum number of days to retain old audit log files based " +
+						"on the timestamp encoded in their filename.",
+				},
+				&cli.StringFlag{
+					Name:  enricherFiltersJsonParam,
+					Value: "",
+					Usage: "JSON Enricher filters JSON file path.",
 				},
 			},
 		},
@@ -293,8 +371,13 @@ func main() {
 
 	if err := app.Run(os.Args); err != nil {
 		setupLog.Error(err, "running security-profiles-operator")
+		//nolint:gocritic // this is intentional to return to correct exit code
 		os.Exit(1)
 	}
+
+	if err := app.RunContext(mainctx, os.Args); err != nil {
+		fmt.Printf("application error: %v", err)
+	}
 }
 
 func initialize(ctx *cli.Context) error {
@@ -615,31 +698,60 @@ func runBPFRecorder(_ *cli.Context, info *version.Info) error {
 	return bpfrecorder.New("", ctrl.Log.WithName(component), true, true).Run()
 }
 
-func runLogEnricher(_ *cli.Context, info *version.Info) error {
+func runLogEnricher(ctx *cli.Context, info *version.Info) error {
 	const component = "log-enricher"
 
 	printInfo(component, info)
 
-	return enricher.New(ctrl.Log.WithName(component)).Run()
+	opts := &enricher.LogEnricherOptions{
+		EnricherFiltersJson: ctx.String(enricherFiltersJsonParam),
+	}
+
+	logEnricher, err := enricher.New(ctrl.Log.WithName(component), opts)
+	if err != nil {
+		return fmt.Errorf("create log enricher: %w", err)
+	}
+
+	return logEnricher.Run()
 }
 
-func runJsonEnricher(ctx *cli.Context, info *version.Info) error {
+func getJsonEnricher(ctx *cli.Context, info *version.Info) (*enricher.JsonEnricher, error) {
 	const component = "json-enricher"
 
 	printInfo(component, info)
 
-	auditLogIntervalSeconds := ctx.Int(auditLogIntervalSecondsParam)
-	if auditLogIntervalSeconds == 0 {
-		auditLogIntervalSeconds = defaultAuditLogFlushIntervalSeconds
+	opts := &enricher.JsonEnricherOptions{}
+
+	if auditLogIntervalSeconds := ctx.Int(auditLogIntervalSecondsParam); auditLogIntervalSeconds > 0 {
+		opts.AuditFreq = time.Duration(auditLogIntervalSeconds) * time.Second
+	}
+
+	if auditLogPath := ctx.String(auditLogPathParam); auditLogPath != "" {
+		opts.AuditLogPath = auditLogPath
 	}
 
+	opts.AuditLogMaxSize = ctx.Int(auditLogMaxSizeParam)
+	opts.AuditLogMaxBackups = ctx.Int(auditLogMaxBackupParam)
+	opts.AuditLogMaxAge = ctx.Int(auditLogMaxAgeParam)
+	opts.EnricherFiltersJson = ctx.String(enricherFiltersJsonParam)
+
 	setupLog.Info(
 		"JSON Enricher Configuration",
-		"auditLogFlushIntervalSeconds", auditLogIntervalSeconds,
+		"AuditFreq", opts.AuditFreq,
+		"AuditLogPath", opts.AuditLogPath,
+		"AuditLogMaxSize", opts.AuditLogMaxSize,
+		"AuditLogMaxBackup", opts.AuditLogMaxBackups,
+		"AuditLogMaxAge", opts.AuditLogMaxAge,
+		"EnricherFiltersJson", opts.EnricherFiltersJson,
 	)
 
-	return enricher.NewJsonEnricherArgs(ctrl.Log.WithName(component),
-		time.Duration(auditLogIntervalSeconds)*time.Second).Run()
+	jsonEnricher, err := enricher.NewJsonEnricherArgs(ctrl.Log.WithName(component),
+		opts)
+	if err != nil {
+		return nil, err
+	}
+
+	return jsonEnricher, nil
 }
 
 func runNonRootEnabler(ctx *cli.Context, info *version.Info) error {
@@ -724,6 +836,7 @@ func runWebhook(ctx *cli.Context, info *version.Info) error {
 	hookserver := mgr.GetWebhookServer()
 	binding.RegisterWebhook(hookserver, mgr.GetScheme(), mgr.GetClient())
 	recording.RegisterWebhook(hookserver, mgr.GetScheme(), mgr.GetEventRecorderFor("recording-webhook"), mgr.GetClient())
+	execmetadata.RegisterWebhook(hookserver)
 
 	sigHandler := ctrl.SetupSignalHandler()