Untitled

* audit-webhook needs

** TODO --audit-webhook-config-file

Most similar to AuditPolicyConfiguration / --audit-policy-file

It can't really have a default value, because you need to specify a webhook url.

** TODO --audit-webhook-initial-backoff

Most similar to LogMaxAge / --audit-log-maxage INT

The default is 10s, but I'm unsure we should specificy it if we aren't provided it as a config option.

** TODO add other options for audit webhook
#+BEGIN_EXAMPLE
      --audit-webhook-config-file string                        Path to a kubeconfig formatted file that defines the audit webhook configuration. Requires the 'AdvancedAuditing' feature gate.
      --audit-webhook-mode string                               Strategy for sending audit events. Blocking indicates sending events should block server responses. Batch causes the backend to buffer and write events asynchronously. Known modes are batch,blocking. (default "batch")
      --audit-webhook-initial-backoff duration                  The amount of time to wait before retrying the first failed request. (default 10s)
      --audit-webhook-batch-buffer-size int                     The size of the buffer to store events before batching and writing. Only used in batch mode. (default 10000)
      --audit-webhook-batch-max-size int                        The maximum size of a batch. Only used in batch mode. (default 400)
      --audit-webhook-batch-max-wait duration                   The amount of time to wait before force writing the batch that hadn't reached the max size. Only used in batch mode. (default 30s)
      --audit-webhook-batch-throttle-burst int                  Maximum number of requests sent at the same moment if ThrottleQPS was not utilized before. Only used in batch mode. (default 15)
      --audit-webhook-batch-throttle-enable                     Whether batching throttling is enabled. Only used in batch mode. (default true)
      --audit-webhook-batch-throttle-qps float32                Maximum average number of batches per second. Only used in batch mode. (default 10)
#+END_EXAMPLE

* Types, Defaults, and Constants

** [[file:app/apis/kubeadm/types.go::AuditPolicyConfiguration%20holds%20the%20options][app/apis/kubeadm/types.go::AuditPolicyConfiguration struct]]

#+BEGIN_SRC go
// AuditPolicyConfiguration holds the options for configuring the api server audit policy.
type AuditPolicyConfiguration struct {
	// Path is the local path to an audit policy.
	Path string
	// LogDir is the local path to the directory where logs should be stored.
	LogDir string
	// LogMaxAge is the number of days logs will be stored for. 0 indicates forever.
	LogMaxAge *int32
	// WebhookConfigPath is the local path to webhook policy.
	WebhookConfigPath string
	// WebhookInitialBackoff is the time to wait (in seconds) before retrying the first failed request.
	WebhookInitialBackoff *int32 //defaults to 10s if not provided
	//TODO(chuckha) add other options for audit policy.
}
#+END_SRC
** [[file:app/apis/kubeadm/v1alpha1/types.go::type%20AuditPolicyConfiguration%20struct%20{][app/apis/kubeadm/v1alpha1/types.go::AuditPolicyConfiguration struct]]

#+BEGIN_SRC go
// AuditPolicyConfiguration holds the options for configuring the api server audit policy.
type AuditPolicyConfiguration struct {
	// Path is the local path to an audit policy.
	Path string `json:"path"`
	// LogDir is the local path to the directory where logs should be stored.
	LogDir string `json:"logDir"`
	// LogMaxAge is the number of days logs will be stored for. 0 indicates forever.
	LogMaxAge *int32 `json:"logMaxAge,omitempty"`
	// WebhookConfigPath is the local path to webhook policy.
	WebhookConfigPath string `json:"webhookConfigPath"`
	// WebhookInitialBackoff is the time to wait (in seconds) before retrying the first failed request.
	WebhookInitialBackoff *int32 `json:"webhookInitialBackoff,omitempty"`
	//TODO(chuckha) add other options for audit policy.
}
#+END_SRC

** [[file:app/apis/kubeadm/v1alpha1/defaults.go::DefaultAuditPolicyLogMaxAge%20=%20int32(2)][app/apis/kubeadm/v1alpha1/default.go::DefaultAuditPolicyLogMaxAge =]]

#+BEGIN_SRC go
var (
	// DefaultAuditPolicyLogMaxAge is defined as a var so its address can be taken
	// It is the number of days to store audit logs
	DefaultAuditPolicyLogMaxAge = int32(2)
  // POSSIBLY NOT NEEDED, IF WE DO NOT WANT A DEFAULT
	// DefaultAuditWebhookInitialBackoff also needs it's address taken
	// It is the number of seconds to wait before retrying the first failed request.
	DefaultAuditWebhookInitialBackoff = int32(2)
)
#+END_SRC

** [[file:app/apis/kubeadm/v1alpha1/defaults.go::func%20SetDefaults_AuditPolicyConfiguration(][app/apis/kubeadm/v1alpha1/default.go::func SetDefaults_AuditPolicyConfiguration(]]

#+BEGIN_SRC go
// SetDefaults_AuditPolicyConfiguration sets default values for the AuditPolicyConfiguration
func SetDefaults_AuditPolicyConfiguration(obj *MasterConfiguration) {
	if obj.AuditPolicyConfiguration.LogDir == "" {
		obj.AuditPolicyConfiguration.LogDir = constants.StaticPodAuditPolicyLogDir
	}
	if obj.AuditPolicyConfiguration.LogMaxAge == nil {
		obj.AuditPolicyConfiguration.LogMaxAge = &DefaultAuditPolicyLogMaxAge
	}
  // POSSIBLY NOT NEEDED, IF WE DO NOT WANT A DEFAULT
	if obj.AuditPolicyConfiguration.WebhookInitialBackoff == nil {
		obj.AuditPolicyConfiguration.WebhookInitialBackoff = &DefaultAuditWebhookInitialBackoff
	}
}
#+END_SRC

[[file:app/constants/constants.go::kubeauditpolicyvolumename][app/constants/constants.go::kubeaudit]]

#+BEGIN_SRC go
	// KubeAuditPolicyVolumeName is the name of the volume that will contain the audit policy
	KubeAuditPolicyVolumeName = "audit"
	// AuditPolicyDir is the directory that will contain the audit policy
	AuditPolicyDir = "audit"
	// AuditPolicyFile is the name of the audit policy file itself
	AuditPolicyFile = "audit.yaml"
	// AuditWebhookConfigFile is the name of the audit webhook config file itself
	AuditWebhookConfigFile = "webhook.yaml"
	// AuditPolicyLogFile is the name of the file audit logs get written to
	AuditPolicyLogFile = "audit.log"
	// KubeAuditPolicyLogVolumeName is the name of the volume that will contain the audit logs
	KubeAuditPolicyLogVolumeName = "audit-log"
	// StaticPodAuditPolicyLogDir is the name of the directory in the static pod that will have the audit logs
	StaticPodAuditPolicyLogDir = "/var/log/kubernetes/audit"
#+END_SRC

[[file:app/constants/constants.go::/%20getstaticpodauditpolicyfile%20returns%20the%20path%20to%20the%20audit%20policy%20file%20within%20a%20static%20pod][app/constants/constants.go:: getstaticpodauditpolicyfile]]

#+BEGIN_SRC go
// GetStaticPodAuditPolicyFile returns the path to the audit policy file within a static pod
func GetStaticPodAuditPolicyFile() string {
	return filepath.Join(KubernetesDir, AuditPolicyDir, AuditPolicyFile)
}
// GetStaticPodAuditWebhookConfigFile returns the path to the audit webhook config file within a static pod
func GetStaticPodAuditWebhookConfigFile() string {
	return filepath.Join(KubernetesDir, AuditPolicyDir, AuditWebhookConfigFile)
}
#+END_SRC

* Implementation
** [[file:app/cmd/init.go::if%20features.Enabled(][app/cmd/init.go::if features.Enabled(]]

#+BEGIN_SRC go
	if features.Enabled(i.cfg.FeatureGates, features.Auditing) {
		// Setup the AuditPolicy (either it was passed in and exists or it wasn't passed in and generate a default policy)
		if i.cfg.AuditPolicyConfiguration.Path != "" {
			// TODO(chuckha) ensure passed in audit policy is valid so users don't have to find the error in the api server log.
			if _, err := os.Stat(i.cfg.AuditPolicyConfiguration.Path); err != nil {
				return fmt.Errorf("error getting file info for audit policy file %q [%v]", i.cfg.AuditPolicyConfiguration.Path, err)
			}
		} else {
			i.cfg.AuditPolicyConfiguration.Path = filepath.Join(kubeConfigDir, kubeadmconstants.AuditPolicyDir, kubeadmconstants.AuditPolicyFile)
			if err := auditutil.CreateDefaultAuditLogPolicy(i.cfg.AuditPolicyConfiguration.Path); err != nil {
				return fmt.Errorf("error creating default audit policy %q [%v]", i.cfg.AuditPolicyConfiguration.Path, err)
			}
		}
		// Verify the AuditWebhookConfigFile (verify it exists if it was passed in)
		if i.cfg.AuditPolicyConfiguration.WebhookConfigPath != "" {
			// TODO(chuckha) ensure passed in audit webhook config is valid so users don't have to find the error in the api server log.
			if _, err := os.Stat(i.cfg.AuditPolicyConfiguration.WebhookConfigPath); err != nil {
				return fmt.Errorf("error getting file info for audit webhook config file %q [%v]", i.cfg.AuditPolicyConfiguration.WebhookConfigPath, err)
			}
		} else {
			i.cfg.AuditPolicyConfiguration.WebhookConfigPath = filepath.Join(kubeConfigDir, kubeadmconstants.AuditPolicyDir, kubeadmconstants.AuditWebhookConfigFile)
			if err := auditutil.CreateDefaultAuditWebhookConfig(i.cfg.AuditPolicyConfiguration.WebhookConfigPath); err != nil {
				return fmt.Errorf("error creating default audit policy %q [%v]", i.cfg.AuditPolicyConfiguration.WebhookConfigPath, err)
			}
		}

		}
#+END_SRC
** [[file:app/phases/controlplane/manifests.go::features.auditing][app/phases/controlplane/manifests.go features.auditing]]

#+BEGIN_SRC go
  if features.Enabled(cfg.FeatureGates, features.Auditing) {
		command = append(command, "--audit-policy-file="+kubeadmconstants.GetStaticPodAuditPolicyFile())
		command = append(command, "--audit-log-path="+filepath.Join(kubeadmconstants.StaticPodAuditPolicyLogDir, kubeadmconstants.AuditPolicyLogFile))
		if cfg.AuditPolicyConfiguration.LogMaxAge == nil {
			command = append(command, fmt.Sprintf("--audit-log-maxage=%d", kubeadmapiext.DefaultAuditPolicyLogMaxAge))
		} else {
			command = append(command, fmt.Sprintf("--audit-log-maxage=%d", *cfg.AuditPolicyConfiguration.LogMaxAge))
		}
		if cfg.AuditPolicyConfiguration.WebhookConfigPath != nil {
		  command = append(command, "--audit-webhook-config-file="+kubeadmconstants.GetStaticPodAuditWebhookConfigFile())
    }
		if cfg.AuditPolicyConfiguration.WebhookInitialBackoff != nil {
			command = append(command, fmt.Sprintf("--audit-webhook-initial-backoff=%d", *cfg.AuditPolicyConfiguration.WebhookInitialBackoff))
    }
	}
#+END_SRC

** [[file:app/phases/controlplane/volumes.go::/%20Read-only%20mount%20for%20the%20audit%20policy%20file.][app/phases/controlplane/volumes.go::/ Mounts for audit policy file / audit logs]]

#+BEGIN_SRC go
  if features.Enabled(cfg.FeatureGates, features.Auditing) {
		// Read-only mount for the audit policy file.
		mounts.NewHostPathMount(kubeadmconstants.KubeAPIServer, kubeadmconstants.KubeAuditPolicyVolumeName, cfg.AuditPolicyConfiguration.Path, kubeadmconstants.GetStaticPodAuditPolicyFile(), true, &hostPathFile)
		// Read-only mount for the audit webhook config file.
		mounts.NewHostPathMount(kubeadmconstants.KubeAPIServer, kubeadmconstants.KubeAuditPolicyVolumeName, cfg.AuditPolicyConfiguration.Path, kubeadmconstants.GetStaticPodAuditWebhookConfigFile(), true, &hostPathFile)
		// Write mount for the audit logs.
		mounts.NewHostPathMount(kubeadmconstants.KubeAPIServer, kubeadmconstants.KubeAuditPolicyLogVolumeName, cfg.AuditPolicyConfiguration.LogDir, kubeadmconstants.StaticPodAuditPolicyLogDir, false, &hostPathDirectoryOrCreate)
	}
#+END_SRC
** [[file:app/util/audit/utils.go::func%20writePolicyToDisk(policyFile%20string,%20policy%20*auditv1beta1.Policy)%20error%20{][app/util/audit/utils.go::func writePolicyToDisk(policyFile string]]

#+BEGIN_SRC go
// CreateDefaultAuditLogPolicy writes the default audit log policy to disk.
func CreateDefaultAuditLogPolicy(policyFile string) error {
	policy := auditv1beta1.Policy{
		TypeMeta: metav1.TypeMeta{
			APIVersion: "audit.k8s.io/v1beta1",
			Kind:       "Policy",
		},
		Rules: []auditv1beta1.PolicyRule{
			{
				Level: auditv1beta1.LevelMetadata,
			},
		},
	}
	return writePolicyToDisk(policyFile, &policy)
}

// CreateDefaultAuditWebhookConfig writes the default audit webhook config to disk.
func CreateDefaultAuditWebhookConfig(webhookConfigFile string) error {
  // We do not have a default, but we do have a volume mapping for this file
	return os.OpenFile(name, os.O_RDONLY|os.O_CREATE, 0644)
}

func writePolicyToDisk(policyFile string, policy *auditv1beta1.Policy) error {
	// creates target folder if not already exists
	if err := os.MkdirAll(filepath.Dir(policyFile), 0700); err != nil {
		return fmt.Errorf("failed to create directory %q: %v", filepath.Dir(policyFile), err)
	}

	// Registers auditv1beta1 with the runtime Scheme
	auditv1beta1.AddToScheme(scheme.Scheme)

	// writes the policy to disk
	serialized, err := util.MarshalToYaml(policy, auditv1beta1.SchemeGroupVersion)
	if err != nil {
		return fmt.Errorf("failed to marshal audit policy to YAML: %v", err)
	}

	if err := ioutil.WriteFile(policyFile, serialized, 0600); err != nil {
		return fmt.Errorf("failed to write audit policy to %v: %v", policyFile, err)
	}

	return nil
}
func writeWebhookConfigToDisk(webhookConfigFile string, policy *auditv1beta1.Policy) error {
	// creates target folder if not already exists
	if err := os.MkdirAll(filepath.Dir(webhookConfigFile), 0700); err != nil {
		return fmt.Errorf("failed to create directory %q: %v", filepath.Dir(webhookConfigFile), err)
	}

	// Registers auditv1beta1 with the runtime Scheme
	auditv1beta1.AddToScheme(scheme.Scheme)

	// writes the policy to disk
	serialized, err := util.MarshalToYaml(policy, auditv1beta1.SchemeGroupVersion)
	if err != nil {
		return fmt.Errorf("failed to marshal audit webhook config to YAML: %v", err)
	}

	if err := ioutil.WriteFile(webhookConfigFile, serialized, 0600); err != nil {
		return fmt.Errorf("failed to write audit webhook config to %v: %v", webhookConfigFile, err)
	}

	return nil
}
#+end_src
* tests
** [[file:app/apis/kubeadm/fuzzer/fuzzer.go::obj.AuditPolicyConfiguration%20=%20kubeadm.AuditPolicyConfiguration{][app/apis/kubeadm/fuzzer/fuzzer.go::obj.AuditPolicyConfiguration =]]

Fuzzer is looking for sample data types to generate fuzzer functions.
** [[file:app/phases/controlplane/volumes_test.go::Name:%20"audit",][app/phases/controlplane/volumes_test.go::Name: "audit"]]

What will the mount be called?

I see audit audit-log
I'm unsure if the audit KubAuditPolicyVolumeName of audit, is a single volume with a subdir I can place the webhook.yml into.
** [[file:app/phases/controlplane/volumes_test.go::volMountMap%5Bkubeadmconstants.KubeAPIServer%5D%5B"audit"%5D%20=%20v1.VolumeMount{][app/phases/controlplane/volumes_test.go::volMountMap{...}{"audit"} = v1.VolumeMount]]

I think having a different name, within the same volume mount _should_ work.
** [[file:app/phases/controlplane/volumes_test.go::AuditPolicyConfiguration:%20kubeadmapi.AuditPolicyConfiguration{][app/phases/controlplane/volumes_test.go::AuditPolicyConfiguration:]]

Added the other file we add on disk
** [[file:app/util/audit/utils_test.go::func%20TestCreateDefaultAuditLogPolicy(t%20*testing.T)%20{][app/util/audit/utils_test.go::func TestCreateDefaultAuditLogPolicy(]]

A default AuditWebhookConfigFile is basically an empty file...
Let's figure out if the mount stuff works if we disable it's creation.... less tests and code.
** [[file:app/cmd/upgrade/common_test.go::auditPolicy:][app/cmd/upgrade/common_test.go::auditPolicy:]]

It looks like this is to test upgrades.... not sure what we should test for here... possible changing the webhook endpoint?
** [[file:app/phases/controlplane/manifests_test.go::auditpolicyconfiguration][app/phases/controlplane/manifests_test.go::auditpolicyconfiguration]]

Tests command line arguments... should explore this a bit once we get it working.

# Local Variables:
# eval: (org-babel-do-load-languages 'org-babel-load-languages '((go . nil)))
# End: