From 281dcb5262c1b31c5ab8a35db580c0e56ea8128e Mon Sep 17 00:00:00 2001 From: Adrian Berger Date: Mon, 30 Sep 2024 15:42:24 +0200 Subject: [PATCH] [vcluster]: Add audit feature to apiserver Signed-off-by: Adrian Berger --- charts/vcluster/Chart.yaml | 2 +- charts/vcluster/README.md | 16 ++++++- .../kubernetes/apiserver/deployment.yaml | 28 +++++++++++++ .../kubernetes/apiserver/policy.yaml | 18 ++++++++ .../components/kubernetes/apiserver/pvc.yaml | 37 ++++++++++++++++ charts/vcluster/values.yaml | 42 ++++++++++++++++++- 6 files changed, 140 insertions(+), 3 deletions(-) create mode 100644 charts/vcluster/templates/components/kubernetes/apiserver/policy.yaml create mode 100644 charts/vcluster/templates/components/kubernetes/apiserver/pvc.yaml diff --git a/charts/vcluster/Chart.yaml b/charts/vcluster/Chart.yaml index b3a39dd2..fe741fcf 100644 --- a/charts/vcluster/Chart.yaml +++ b/charts/vcluster/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: vcluster description: Virtual Kubernetes Cluster type: application -version: 0.5.7 +version: 0.6.0 appVersion: 0.1.0 keywords: - vcluster diff --git a/charts/vcluster/README.md b/charts/vcluster/README.md index 42389133..059cf9e5 100644 --- a/charts/vcluster/README.md +++ b/charts/vcluster/README.md @@ -2,7 +2,7 @@ __This Chart is under active development! We try to improve documentation and values consistency over time__ -![Version: 0.5.7](https://img.shields.io/badge/Version-0.5.7-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) Virtual Kubernetes Cluster 
@@ -410,6 +410,20 @@ Deploys [Kubernetes API Server](https://kubernetes.io/docs/reference/command-lin | kubernetes.apiServer.affinity | object | `{}` | Affinity | | kubernetes.apiServer.annotations | object | `{}` | Annotations for Workload | | kubernetes.apiServer.args | object | `{}` | Extra arguments for the kube-apiserver | +| kubernetes.apiServer.audit.enabled | bool | `true` | Enable Audit Log | +| kubernetes.apiServer.audit.maxAge | int | `1` | Defines the maximum number of days to retain old audit log files | +| kubernetes.apiServer.audit.maxBackup | int | `5` | Defines the maximum number of audit log files to retain | +| kubernetes.apiServer.audit.maxSize | int | `25` | Defines the maximum size in megabytes of the audit log file before it gets rotated | +| kubernetes.apiServer.audit.persistence | object | `{"accessModes":["ReadWriteOnce"],"annotations":{"helm.sh/resource-policy":"keep"},"finalizers":["kubernetes.io/pvc-protection"],"size":"1Gi","storageClassName":""}` | PVC Configuration | +| kubernetes.apiServer.audit.persistence.accessModes | list | `["ReadWriteOnce"]` | Access Modes for Audit Log | +| kubernetes.apiServer.audit.persistence.annotations | object | `{"helm.sh/resource-policy":"keep"}` | Annotations for Audit Log | +| kubernetes.apiServer.audit.persistence.finalizers | list | `["kubernetes.io/pvc-protection"]` | Finalizers for Audit Log | +| kubernetes.apiServer.audit.persistence.size | string | `"1Gi"` | Size for Audit Log | +| kubernetes.apiServer.audit.persistence.storageClassName | string | `""` | Storage Class for Audit Log | +| kubernetes.apiServer.audit.policy | string | `"# Log all requests at the Metadata level.\napiVersion: audit.k8s.io/v1\nkind: Policy\nrules:\n - level: Metadata\n"` | Audit Policy | +| kubernetes.apiServer.audit.truncateEnabled | bool | `false` | Whether event and batch truncating is enabled | +| kubernetes.apiServer.audit.truncateMaxBatchSize | int | `10485760` | Maximum size in bytes of the batch sent to the 
underlying backend | +| kubernetes.apiServer.audit.truncateMaxEventSize | int | `102400` | Maximum size in bytes of the audit event sent to the underlying backend | | kubernetes.apiServer.autoscaling.enabled | bool | `false` | Enable Horizontal Pod Autoscaler | | kubernetes.apiServer.autoscaling.maxReplicas | int | `5` | Maximum available Replicas | | kubernetes.apiServer.autoscaling.minReplicas | int | `1` | Minimum available Replicas | diff --git a/charts/vcluster/templates/components/kubernetes/apiserver/deployment.yaml b/charts/vcluster/templates/components/kubernetes/apiserver/deployment.yaml index ad80d905..2e1bd92a 100644 --- a/charts/vcluster/templates/components/kubernetes/apiserver/deployment.yaml +++ b/charts/vcluster/templates/components/kubernetes/apiserver/deployment.yaml @@ -111,6 +111,18 @@ spec: - --advertise-address={{ . }} {{- end }} {{- end }} + {{- if $kubernetes.apiServer.audit.enabled }} + - --audit-policy-file=/etc/kubernetes/audit-policy.yaml + - --audit-log-path=/var/log/kubernetes/audit/audit.log + - --audit-log-maxage={{ $kubernetes.apiServer.audit.maxAge }} + - --audit-log-maxbackup={{ $kubernetes.apiServer.audit.maxBackup }} + - --audit-log-maxsize={{ $kubernetes.apiServer.audit.maxSize }} + {{- if $kubernetes.apiServer.audit.truncateEnabled }} + - --audit-log-truncate-enabled={{ $kubernetes.apiServer.audit.truncateEnabled }} + - --audit-log-truncate-max-batch-size={{ $kubernetes.apiServer.audit.truncateMaxBatchSize }} + - --audit-log-truncate-max-event-size={{ $kubernetes.apiServer.audit.truncateMaxEventSize }} + {{- end }} + {{- end }} {{- with $kubernetes.apiServer.args }} {{- include "pkg.utils.args" (dict "args" . "ctx" $) | nindent 8 }} {{- end }} 
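Review bot: The retention flags added here (`--audit-log-maxage=1`, `--audit-log-maxbackup=5`, `--audit-log-maxsize=25`) prune the on-disk audit trail after roughly a day, and the file on the PVC is the only copy, so an incident discovered later has no audit evidence unless the log is shipped off the node. Since `kubernetes.apiServer.args` is rendered right after this block, the README could state that `--audit-webhook-config-file` can be passed there for off-cluster delivery, or the retention defaults could be raised for a security-grade trail. Separately, `--audit-log-truncate-enabled={{ $kubernetes.apiServer.audit.truncateEnabled }}` sits inside `{{- if $kubernetes.apiServer.audit.truncateEnabled }}` and therefore always renders `true`; `- --audit-log-truncate-enabled=true` says the same thing with less indirection.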
@@ -171,6 +183,14 @@ spec: name: konnectivity-uds {{- end }} {{- end }} + {{- if $kubernetes.apiServer.audit.enabled }} + - mountPath: /etc/kubernetes/ + name: audit + readOnly: true + - mountPath: /var/log/kubernetes/audit/ + name: audit-log + readOnly: false + {{- end }} {{- with $kubernetes.apiServer.volumeMounts }} {{- toYaml . | nindent 8 }} {{- end }} @@ -207,6 +227,14 @@ spec: {{- include "kubernetes.konnectivityServer.volumes" $ | nindent 6 }} {{- end }} {{- end }} + {{- if $kubernetes.apiServer.audit.enabled }} + - configMap: + name: "{{ $fullName }}-audit-policy" + name: audit + - persistentVolumeClaim: + claimName: "{{ $fullName }}-audit-log" + name: audit-log + {{- end }} {{- with $kubernetes.apiServer.volumes }} {{- toYaml . | nindent 6 }} {{- end }} diff --git a/charts/vcluster/templates/components/kubernetes/apiserver/policy.yaml b/charts/vcluster/templates/components/kubernetes/apiserver/policy.yaml new file mode 100644 index 00000000..8a1caebb --- /dev/null +++ b/charts/vcluster/templates/components/kubernetes/apiserver/policy.yaml @@ -0,0 +1,18 @@ +{{- if (include "kubernetes.enabled" $) -}} + {{- $kubernetes := $.Values.kubernetes -}} + {{- if and $kubernetes.apiServer.enabled $kubernetes.apiServer.audit.enabled -}} + {{- $fullName := include "kubernetes.fullname" . -}} + {{- $component_name := "apiserver" -}} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ $fullName }}-audit-policy + labels: {{- include "kubernetes.labels" $ | nindent 4 }} + {{ include "pkg.common.labels.component" $ }}: {{ $component_name }} + namespace: {{ $.Release.Namespace }} +data: + audit-policy.yaml: | + {{- $kubernetes.apiServer.audit.policy | nindent 4 }} + {{- end -}} +{{- end -}} diff --git a/charts/vcluster/templates/components/kubernetes/apiserver/pvc.yaml b/charts/vcluster/templates/components/kubernetes/apiserver/pvc.yaml new file mode 100644 index 00000000..34d10fd9 --- /dev/null 
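Review bot: The policy ConfigMap is mounted over `/etc/kubernetes/` as a whole directory rather than as the one file the flag references, which hides anything the apiserver image or another volume places directly in that directory; if nothing else lives there today this is harmless, but it is fragile. Mounting it as `- mountPath: /etc/kubernetes/audit-policy.yaml` with `subPath: audit-policy.yaml`, or using a dedicated `/etc/kubernetes/audit/` directory and adjusting `--audit-policy-file` to match, keeps the mount scoped to what the apiserver needs. `readOnly: false` on the log mount is the default and can be dropped; the volumeMounts list continues outside the hunk.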
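Review bot: The audit log claim defaults to `ReadWriteOnce`, yet it is attached to a Deployment whose README table in this same patch advertises autoscaling up to five replicas; a second replica scheduled on another node stays Pending on the volume attach, and replicas that land on the same node would append to the same `audit.log` concurrently. Unless the Deployment's update strategy is `Recreate` (not visible in this hunk), a rolling update also deadlocks, because the new pod cannot mount the RWO volume until the old pod releases it. Either document that audit logging requires a single replica and `strategy: { type: Recreate }`, or require a `ReadWriteMany` class via `persistence.accessModes` when autoscaling is enabled, and say so in the README.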
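Review bot: Nothing ties the rendered ConfigMap to the apiserver pod template, so changing `kubernetes.apiServer.audit.policy` updates `{{ $fullName }}-audit-policy` in place while the running kube-apiserver, which as far as I know reads the policy file only at startup, keeps the old rules; a tightened policy would silently not take effect until an unrelated restart. The usual Helm fix is a pod-template annotation in the Deployment such as `checksum/audit-policy: {{ include (print $.Template.BasePath "/components/kubernetes/apiserver/policy.yaml") $ | sha256sum }}`, assuming the Deployment does not already carry one (not visible here). It would also help to note in the values comment that the policy string is not validated at template time and a malformed document fails the apiserver at start.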
+++ b/charts/vcluster/templates/components/kubernetes/apiserver/pvc.yaml @@ -0,0 +1,37 @@ +{{- if (include "kubernetes.enabled" $) -}} + {{- $kubernetes := $.Values.kubernetes -}} + {{- if and $kubernetes.apiServer.enabled $kubernetes.apiServer.audit.enabled -}} + {{- $fullName := include "kubernetes.fullname" . -}} + {{- $component_name := "apiserver" -}} +--- +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ $fullName }}-audit-log + labels: {{- include "kubernetes.labels" $ | nindent 4 }} + {{ include "pkg.common.labels.component" $ }}: {{ $component_name }} + {{- if $kubernetes.apiServer.audit.persistence.labels }} + {{- toYaml $kubernetes.apiServer.audit.persistence.labels | nindent 4 }} + {{- end }} + {{- with $kubernetes.apiServer.audit.persistence.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with $kubernetes.apiServer.audit.persistence.finalizers }} + finalizers: + {{- toYaml . | nindent 4 }} + {{- end }} + namespace: {{ $.Release.Namespace }} +spec: + accessModes: + {{- range $kubernetes.apiServer.audit.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + {{- with (include "pkg.components.storageClass" (dict "sc" $kubernetes.apiServer.audit.persistence.storageClassName "ctx" $)) }} + storageClassName: {{ . }} + {{- end }} + resources: + requests: + storage: {{ $kubernetes.apiServer.audit.persistence.size | quote }} + {{- end -}} +{{- end -}} diff --git a/charts/vcluster/values.yaml b/charts/vcluster/values.yaml index 7fd0d91e..c8cd730c 100644 --- a/charts/vcluster/values.yaml +++ b/charts/vcluster/values.yaml @@ -998,7 +998,6 @@ osm: # -- Benchmark Memory Usage targetMemoryUtilizationPercentage: - # ---------------------------- # Kubernetes Component # ---------------------------- 
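Review bot: The template reads `$kubernetes.apiServer.audit.persistence.labels`, but neither the values.yaml nor the README hunk in this patch declares it, so the option is undiscoverable; adding `labels: {}` under `persistence` in values.yaml keeps template and documentation in sync. Making `finalizers` a user-supplied list is also questionable, since `kubernetes.io/pvc-protection` is managed by the PVC protection controller regardless and a custom finalizer set from values can leave a claim that can never be deleted. Finally, `helm.sh/resource-policy: keep` is the right default for audit evidence, but the README should state that the claim and the logs on it survive `helm uninstall` and must be removed deliberately.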
@@ -1453,6 +1452,47 @@ kubernetes: # -- Assign additional Annotations annotations: {} + # API Server Audit Configuration + audit: + # -- Enable Audit Log + enabled: true + + # -- Defines the maximum number of days to retain old audit log files + maxAge: 1 + # -- Defines the maximum number of audit log files to retain + maxBackup: 5 + # -- Defines the maximum size in megabytes of the audit log file before it gets rotated + maxSize: 25 + # -- Whether event and batch truncating is enabled + truncateEnabled: false + # -- Maximum size in bytes of the batch sent to the underlying backend + truncateMaxBatchSize: 10485760 + # -- Maximum size in bytes of the audit event sent to the underlying backend + truncateMaxEventSize: 102400 + + # -- PVC Configuration + persistence: + # -- Access Modes for Audit Log + accessModes: + - ReadWriteOnce + # -- Size for Audit Log + size: 1Gi + # -- Storage Class for Audit Log + storageClassName: "" + # -- Annotations for Audit Log + annotations: + helm.sh/resource-policy: keep + # -- Finalizers for Audit Log + finalizers: + - kubernetes.io/pvc-protection + # -- Audit Policy + policy: | + # Log all requests at the Metadata level. + apiVersion: audit.k8s.io/v1 + kind: Policy + rules: + - level: Metadata + controllerManager: # -- Enable Kubernetes Controller-Manager enabled: true
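Review bot: `audit.enabled: true` is a new default that makes every install create a PersistentVolumeClaim and wait for it to bind; with `storageClassName: ""` (resolved through `pkg.components.storageClass`) a cluster without a default StorageClass leaves the apiserver pod Pending, turning an upgrade from 0.5.x into an outage. Either ship it as `enabled: false` with a README section on enabling it, or call the storage requirement out prominently in the upgrade notes for 0.6.0. The default policy also records every stage of every request at `Metadata`; adding a top-level `omitStages: ["RequestReceived"]` to the policy roughly halves the volume without losing the completed-request entries that matter for investigation.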