Enable virtual workspace server audit logging

ncdc · ncdc · commit f00df0adfbed · 2023-02-01T15:28:47.000-05:00
Signed-off-by: Andy Goldstein &lt;andy.goldstein@redhat.com&gt;
diff --git a/cmd/sharded-test-server/audit-policy.yaml b/cmd/sharded-test-server/audit-policy.yaml
@@ -0,0 +1,30 @@
+apiVersion: audit.k8s.io/v1
+kind: Policy
+omitStages:
+- RequestReceived
+omitManagedFields: true
+rules:
+- level: None
+  nonResourceURLs:
+  - "/api*"
+  - "/version"
+
+- level: Metadata
+  resources:
+  - group: ""
+    resources: ["secrets", "configmaps"]
+  - group: "authorization.k8s.io"
+    resources: ["subjectaccessreviews"]
+
+- level: Metadata
+  verbs: ["list", "watch"]
+
+- level: Metadata
+  verbs: ["get", "delete"]
+  omitStages:
+  - ResponseStarted
+
+- level: RequestResponse
+  verbs: ["create", "update", "patch"]
+  omitStages:
+  - ResponseStarted
diff --git a/cmd/sharded-test-server/shard.go b/cmd/sharded-test-server/shard.go
@@ -64,9 +64,6 @@ func newShard(ctx context.Context, n int, args []string, standaloneVW bool, serv
 		os.Exit(1)
 	}
 
-	if err != nil {
-		return nil, err
-	}
 	logFilePath := filepath.Join(workDirPath, fmt.Sprintf(".kcp-%d", n), "kcp.log")
 	auditFilePath := filepath.Join(workDirPath, fmt.Sprintf(".kcp-%d", n), "audit.log")
 	if logDirPath != "" {
diff --git a/cmd/sharded-test-server/virtual.go b/cmd/sharded-test-server/virtual.go
@@ -18,6 +18,7 @@ package main
 
 import (
 	"context"
+	"embed"
 	"fmt"
 	"io"
 	"net"
@@ -44,6 +45,9 @@ import (
 	"github.com/kcp-dev/kcp/test/e2e/framework"
 )
 
+//go:embed *.yaml
+var embeddedResources embed.FS
+
 type headWriter interface {
 	io.Writer
 	StopOut()
@@ -128,7 +132,17 @@ func newVirtualWorkspace(ctx context.Context, index int, servingCA *crypto.CA, h
 	authenticationKubeconfigPath := filepath.Join(workDirPath, fmt.Sprintf(".kcp-%d", index), "admin.kubeconfig")
 	clientCAFilePath := filepath.Join(workDirPath, ".kcp", "client-ca.crt")
 
-	args := []string{}
+	// write audit policy
+	bs, err := embeddedResources.ReadFile("audit-policy.yaml")
+	if err != nil {
+		return nil, err
+	}
+	auditPolicyFile := filepath.Join(workDirPath, fmt.Sprintf(".kcp-virtual-workspaces-%d", index), "audit-policy.yaml")
+	if err := os.WriteFile(auditPolicyFile, bs, 0644); err != nil {
+		return nil, err
+	}
+
+	var args []string
 	args = append(args,
 		fmt.Sprintf("--kubeconfig=%s", kubeconfigPath),
 		fmt.Sprintf("--cache-kubeconfig=%s", cacheServerConfigPath),
@@ -137,6 +151,15 @@ func newVirtualWorkspace(ctx context.Context, index int, servingCA *crypto.CA, h
 		fmt.Sprintf("--tls-private-key-file=%s", servingKeyFile),
 		fmt.Sprintf("--tls-cert-file=%s", servingCertFile),
 		fmt.Sprintf("--secure-port=%s", virtualWorkspacePort(index)),
+		"--audit-log-maxsize=1024",
+		"--audit-log-mode=batch",
+		"--audit-log-batch-max-wait=1s",
+		"--audit-log-batch-max-size=1000",
+		"--audit-log-batch-buffer-size=10000",
+		"--audit-log-batch-throttle-burst=15",
+		"--audit-log-batch-throttle-enable=true",
+		"--audit-log-batch-throttle-qps=10",
+		fmt.Sprintf("--audit-policy-file=%s", auditPolicyFile),
 	)
 
 	return &VirtualWorkspace{
@@ -155,6 +178,13 @@ func (v *VirtualWorkspace) start(ctx context.Context) error {
 		lineprefix.Color(color.New(color.FgHiYellow)),
 	)
 
+	logFilePath := filepath.Join(v.workDirPath, fmt.Sprintf(".kcp-virtual-workspaces-%d/virtualworkspace.log", v.index))
+	auditFilePath := filepath.Join(v.workDirPath, fmt.Sprintf(".kcp-virtual-workspaces-%d", v.index), "audit.log")
+	if v.logDirPath != "" {
+		logFilePath = filepath.Join(v.logDirPath, fmt.Sprintf("kcp-virtual-workspaces-%d.log", v.index))
+		auditFilePath = filepath.Join(v.logDirPath, fmt.Sprintf("kcp-virtual-workspaces-%d-audit.log", v.index))
+	}
+
 	commandLine := framework.DirectOrGoRunCommand("virtual-workspaces")
 	commandLine = append(commandLine, v.args...)
 	commandLine = append(
@@ -164,16 +194,12 @@ func (v *VirtualWorkspace) start(ctx context.Context) error {
 		"--requestheader-group-headers=X-Remote-Group",
 		fmt.Sprintf("--requestheader-client-ca-file=%s", filepath.Join(v.workDirPath, ".kcp/requestheader-ca.crt")),
 		"--v=4",
+		"--audit-log-path", auditFilePath,
 	)
 	fmt.Fprintf(out, "running: %v\n", strings.Join(commandLine, " "))
 
 	cmd := exec.CommandContext(ctx, commandLine[0], commandLine[1:]...) //nolint:gosec
 
-	logFilePath := filepath.Join(v.workDirPath, fmt.Sprintf(".kcp-virtual-workspaces-%d/virtualworkspace.log", v.index))
-	if v.logDirPath != "" {
-		logFilePath = filepath.Join(v.logDirPath, fmt.Sprintf("kcp-virtual-workspaces-%d.log", v.index))
-	}
-
 	if err := os.MkdirAll(filepath.Dir(logFilePath), 0755); err != nil {
 		return err
 	}
diff --git a/cmd/virtual-workspaces/options/options.go b/cmd/virtual-workspaces/options/options.go
@@ -85,6 +85,7 @@ func (o *Options) AddFlags(flags *pflag.FlagSet) {
 	o.Cache.AddFlags(flags)
 	o.SecureServing.AddFlags(flags)
 	o.Authentication.AddFlags(flags)
+	o.Audit.AddFlags(flags)
 	o.Logs.AddFlags(flags)
 	o.VirtualWorkspaces.AddFlags(flags)
 

Original file line number	Diff line number	Diff line change
`@@ -64,9 +64,6 @@ func newShard(ctx context.Context, n int, args []string, standaloneVW bool, serv`
`64`	`64`	`os.Exit(1)`
`65`	`65`	`}`
`66`	`66`
`67`		`- if err != nil {`
`68`		`- return nil, err`
`69`		`- }`
`70`	`67`	`logFilePath := filepath.Join(workDirPath, fmt.Sprintf(".kcp-%d", n), "kcp.log")`
`71`	`68`	`auditFilePath := filepath.Join(workDirPath, fmt.Sprintf(".kcp-%d", n), "audit.log")`
`72`	`69`	`if logDirPath != "" {`