new features.enable_dynamic_audit_log

config.yaml.dist

@@ -31,18 +31,24 @@ provider:
   name: ''
 
   # Set kubelet flag --cloud-provider=external, to be used with external
-  # Cloud Controller Managers (CCM)
+  # Cloud Controller Managers (CCM).
   external: false
 
-  # path to file that will be uploaded and used as custom --cloud-config file
+  # Path to file that will be uploaded and used as custom --cloud-config file.
   cloud_config: ''
 
 features:
-  # enables PodSecurityPolicy admission plugin in API server, as well as creates
+  # Enables PodSecurityPolicy admission plugin in API server, as well as creates
   # default `privileged` PodSecurityPolicy, plus RBAC rules to authorize
   # `kube-system` namespace pods to `use` it.
   enable_pod_security_policy: false
 
+  # Enables dynamic audit logs.
+  # After enablig this, operator should create auditregistration.k8s.io/v1alpha1
+  # AuditSink object.
+  # More info: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#dynamic-backend
+  enable_dynamic_audit_log: false
+
 backup:
   # Ark supported provider, see https://heptio.github.io/ark/v0.10.0/support-matrix
   provider: '' # currently only aws is supported, empty provider disable ark backups

pkg/config/cluster.go

@@ -387,6 +387,7 @@ func (m *BackupConfig) ApplyEnvironment() error {
 // Features switches
 type Features struct {
 	EnablePodSecurityPolicy bool `json:"enable_pod_security_policy"`
+	EnableDynamicAuditLog   bool `json:"enable_dynamic_audit_log"`
 }
 
 // MachineControllerConfig controls

pkg/features/activate.go

@@ -21,9 +21,6 @@ func Activate(ctx *util.Context) error {
 // UpdateKubeadmClusterConfiguration update additional config options in the kubeadm's
 // v1beta1.ClusterConfiguration according to enabled features
 func UpdateKubeadmClusterConfiguration(featuresCfg config.Features, clusterConfig *kubeadmv1beta1.ClusterConfiguration) {
-	if clusterConfig.APIServer.ExtraArgs == nil {
-		clusterConfig.APIServer.ExtraArgs = make(map[string]string)
-	}
-
 	activateKubeadmPSP(featuresCfg.EnablePodSecurityPolicy, clusterConfig)
+	activateKubeadmDynamicAuditLogs(featuresCfg.EnableDynamicAuditLog, clusterConfig)
 }

pkg/features/dynamic_audit_log.go

@@ -0,0 +1,34 @@
+package features
+
+import (
+	kubeadmv1beta1 "github.com/kubermatic/kubeone/pkg/apis/kubeadm/v1beta1"
+)
+
+const (
+	auditDynamicConfigurationFlag = "audit-dynamic-configuration"
+	runtimeConfigFlag             = "runtime-config"
+	auditRegistrationAPI          = "auditregistration.k8s.io/v1alpha1=true"
+)
+
+func activateKubeadmDynamicAuditLogs(activate bool, clusterConfig *kubeadmv1beta1.ClusterConfiguration) {
+	if !activate {
+		return
+	}
+
+	if clusterConfig.APIServer.ExtraArgs == nil {
+		clusterConfig.APIServer.ExtraArgs = make(map[string]string)
+	}
+
+	clusterConfig.APIServer.ExtraArgs[auditDynamicConfigurationFlag] = "true"
+
+	if _, ok := clusterConfig.APIServer.ExtraArgs[runtimeConfigFlag]; ok {
+		clusterConfig.APIServer.ExtraArgs[runtimeConfigFlag] += "," + auditRegistrationAPI
+	} else {
+		clusterConfig.APIServer.ExtraArgs[runtimeConfigFlag] = auditRegistrationAPI
+	}
+
+	if clusterConfig.FeatureGates == nil {
+		clusterConfig.FeatureGates = map[string]bool{}
+	}
+	clusterConfig.FeatureGates["DynamicAuditing"] = true
+}

pkg/features/psp.go

@@ -41,6 +41,10 @@ func activateKubeadmPSP(activate bool, clusterConfig *kubeadmv1beta1.ClusterConf
 		return
 	}
 
+	if clusterConfig.APIServer.ExtraArgs == nil {
+		clusterConfig.APIServer.ExtraArgs = make(map[string]string)
+	}
+
 	if _, ok := clusterConfig.APIServer.ExtraArgs[apiServerAdmissionPluginsFlag]; ok {
 		clusterConfig.APIServer.ExtraArgs[apiServerAdmissionPluginsFlag] += "," + pspAdmissionPlugin
 	} else {