add Audit webhook configuration options to RootShard/Shard objects

On-behalf-of: @SAP [email protected]

Author: xrstf

config/crd/bases/operator.kcp.io_rootshards.yaml

@@ -185,6 +185,80 @@ spec:
                       Defaults to the latest kcp release that the operator supports.
                     type: string
                 type: object
+              kcpConfiguration:
+                properties:
+                  audit:
+                    properties:
+                      webhook:
+                        properties:
+                          batchBufferSize:
+                            description: The size of the buffer to store events before
+                              batching and writing. Only used in batch mode.
+                            type: integer
+                          batchMaxSize:
+                            description: The maximum size of a batch. Only used in
+                              batch mode.
+                            type: integer
+                          batchMaxWait:
+                            description: |-
+                              The amount of time to wait before force writing the batch that hadn't reached the max size.
+                              Only used in batch mode.
+                            type: string
+                          batchThrottleBurst:
+                            description: |-
+                              Maximum number of requests sent at the same moment if ThrottleQPS was not utilized before.
+                              Only used in batch mode.
+                            type: integer
+                          batchThrottleEnable:
+                            description: Whether batching throttling is enabled. Only
+                              used in batch mode.
+                            type: boolean
+                          batchThrottleQPS:
+                            description: |-
+                              Maximum average number of batches per second. Only used in batch mode.
+                              This value is a floating point number, stored as a string (e.g. "3.1").
+                            type: string
+                          configSecretName:
+                            description: |-
+                              Name of a Kubernetes Secret that contains a kubeconfig formatted file that defines the
+                              audit webhook configuration.
+                            type: string
+                          initialBackoff:
+                            description: The amount of time to wait before retrying
+                              the first failed request.
+                            type: string
+                          mode:
+                            description: |-
+                              Strategy for sending audit events. Blocking indicates sending events should block server
+                              responses. Batch causes the backend to buffer and write events asynchronously.
+                            enum:
+                            - ""
+                            - batch
+                            - blocking
+                            - blocking-strict
+                            type: string
+                          truncateEnabled:
+                            description: Whether event and batch truncating is enabled.
+                            type: boolean
+                          truncateMaxBatchSize:
+                            description: |-
+                              Maximum size of the batch sent to the underlying backend. Actual serialized size can be
+                              several hundreds of bytes greater. If a batch exceeds this limit, it is split into several
+                              batches of smaller size.
+                            type: integer
+                          truncateMaxEventSize:
+                            description: |-
+                              Maximum size of the audit event sent to the underlying backend. If the size of an event
+                              is greater than this number, first request and response are removed, and if this doesn't
+                              reduce the size enough, event is discarded.
+                            type: integer
+                          version:
+                            description: API group and version used for serializing
+                              audit events written to webhook.
+                            type: string
+                        type: object
+                    type: object
+                type: object
               replicas:
                 description: Replicas configures how many instances of this shard
                   run in parallel. Defaults to 2 if not set.

config/crd/bases/operator.kcp.io_shards.yaml

@@ -110,6 +110,80 @@ spec:
                       Defaults to the latest kcp release that the operator supports.
                     type: string
                 type: object
+              kcpConfiguration:
+                properties:
+                  audit:
+                    properties:
+                      webhook:
+                        properties:
+                          batchBufferSize:
+                            description: The size of the buffer to store events before
+                              batching and writing. Only used in batch mode.
+                            type: integer
+                          batchMaxSize:
+                            description: The maximum size of a batch. Only used in
+                              batch mode.
+                            type: integer
+                          batchMaxWait:
+                            description: |-
+                              The amount of time to wait before force writing the batch that hadn't reached the max size.
+                              Only used in batch mode.
+                            type: string
+                          batchThrottleBurst:
+                            description: |-
+                              Maximum number of requests sent at the same moment if ThrottleQPS was not utilized before.
+                              Only used in batch mode.
+                            type: integer
+                          batchThrottleEnable:
+                            description: Whether batching throttling is enabled. Only
+                              used in batch mode.
+                            type: boolean
+                          batchThrottleQPS:
+                            description: |-
+                              Maximum average number of batches per second. Only used in batch mode.
+                              This value is a floating point number, stored as a string (e.g. "3.1").
+                            type: string
+                          configSecretName:
+                            description: |-
+                              Name of a Kubernetes Secret that contains a kubeconfig formatted file that defines the
+                              audit webhook configuration.
+                            type: string
+                          initialBackoff:
+                            description: The amount of time to wait before retrying
+                              the first failed request.
+                            type: string
+                          mode:
+                            description: |-
+                              Strategy for sending audit events. Blocking indicates sending events should block server
+                              responses. Batch causes the backend to buffer and write events asynchronously.
+                            enum:
+                            - ""
+                            - batch
+                            - blocking
+                            - blocking-strict
+                            type: string
+                          truncateEnabled:
+                            description: Whether event and batch truncating is enabled.
+                            type: boolean
+                          truncateMaxBatchSize:
+                            description: |-
+                              Maximum size of the batch sent to the underlying backend. Actual serialized size can be
+                              several hundreds of bytes greater. If a batch exceeds this limit, it is split into several
+                              batches of smaller size.
+                            type: integer
+                          truncateMaxEventSize:
+                            description: |-
+                              Maximum size of the audit event sent to the underlying backend. If the size of an event
+                              is greater than this number, first request and response are removed, and if this doesn't
+                              reduce the size enough, event is discarded.
+                            type: integer
+                          version:
+                            description: API group and version used for serializing
+                              audit events written to webhook.
+                            type: string
+                        type: object
+                    type: object
+                type: object
               replicas:
                 description: Replicas configures how many instances of this shard
                   run in parallel. Defaults to 2 if not set.

internal/resources/rootshard/deployment.go

@@ -168,6 +168,11 @@ func DeploymentReconciler(rootShard *operatorv1alpha1.RootShard) reconciling.Nam
 				dep.Spec.Replicas = ptr.To[int32](2)
 			}
 
+			dep, err := utils.ApplyAuditConfiguration(dep, *rootShard.Spec.KcpConfiguration.Audit)
+			if err != nil {
+				return nil, fmt.Errorf("failed to apply audit configuration: %w", err)
+			}
+
 			return dep, nil
 		}
 	}

internal/resources/shard/deployment.go

@@ -63,7 +63,6 @@ func getKubeconfigMountPath(certName operatorv1alpha1.Certificate) string {
 }
 
 func DeploymentReconciler(shard *operatorv1alpha1.Shard, rootShard *operatorv1alpha1.RootShard) reconciling.NamedDeploymentReconcilerFactory {
-
 	return func() (string, reconciling.DeploymentReconciler) {
 		return resources.GetShardDeploymentName(shard), func(dep *appsv1.Deployment) (*appsv1.Deployment, error) {
 			labels := resources.GetShardResourceLabels(shard)
@@ -166,6 +165,11 @@ func DeploymentReconciler(shard *operatorv1alpha1.Shard, rootShard *operatorv1al
 				dep.Spec.Replicas = ptr.To[int32](2)
 			}
 
+			dep, err := utils.ApplyAuditConfiguration(dep, *shard.Spec.KcpConfiguration.Audit)
+			if err != nil {
+				return nil, fmt.Errorf("failed to apply audit configuration: %w", err)
+			}
+
 			return dep, nil
 		}
 	}

internal/resources/utils/audit.go

@@ -0,0 +1,124 @@
+/*
+Copyright 2025 The KCP Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package utils
+
+import (
+	"errors"
+	"fmt"
+
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+
+	operatorv1alpha1 "github.com/kcp-dev/kcp-operator/sdk/apis/operator/v1alpha1"
+)
+
+func ApplyAuditConfiguration(deployment *appsv1.Deployment, config operatorv1alpha1.AuditSpec) (*appsv1.Deployment, error) {
+	if len(deployment.Spec.Template.Spec.Containers) == 0 {
+		return deployment, errors.New("Deployment does not contain any containers")
+	}
+
+	if config.Webhook == nil {
+		return deployment, nil
+	}
+
+	deployment, err := applyAuditWebhookConfiguration(deployment, *config.Webhook)
+	if err != nil {
+		return deployment, err
+	}
+
+	return deployment, nil
+}
+
+func applyAuditWebhookConfiguration(deployment *appsv1.Deployment, config operatorv1alpha1.AuditWebhookSpec) (*appsv1.Deployment, error) {
+	podSpec := deployment.Spec.Template.Spec
+
+	var extraArgs []string
+
+	if val := config.BatchBufferSize; val != 0 {
+		extraArgs = append(extraArgs, fmt.Sprintf("--audit-webhook-batch-buffer-size=%d", val))
+	}
+
+	if val := config.BatchMaxSize; val != 0 {
+		extraArgs = append(extraArgs, fmt.Sprintf("--audit-webhook-batch-max-size=%d", val))
+	}
+
+	if val := config.BatchMaxWait; val != nil {
+		extraArgs = append(extraArgs, fmt.Sprintf("--audit-webhook-batch-max-wait=%v", val.String()))
+	}
+
+	if val := config.BatchThrottleBurst; val != 0 {
+		extraArgs = append(extraArgs, fmt.Sprintf("--audit-webhook-batch-throttle-burst=%d", val))
+	}
+
+	if val := config.BatchThrottleEnable; val {
+		extraArgs = append(extraArgs, "--audit-webhook-batch-throttle-enable")
+	}
+
+	if val := config.BatchThrottleQPS; val != "" {
+		extraArgs = append(extraArgs, fmt.Sprintf("--audit-webhook-batch-throttle-qps=%s", val))
+	}
+
+	if val := config.InitialBackoff; val != nil {
+		extraArgs = append(extraArgs, fmt.Sprintf("--audit-webhook-initial-backoff=%v", val.String()))
+	}
+
+	if val := config.Mode; val != "" {
+		extraArgs = append(extraArgs, fmt.Sprintf("--audit-webhook-mode=%s", val))
+	}
+
+	if val := config.TruncateEnabled; val {
+		extraArgs = append(extraArgs, "--audit-webhook-truncate-enabled")
+	}
+
+	if val := config.TruncateMaxBatchSize; val != 0 {
+		extraArgs = append(extraArgs, fmt.Sprintf("--audit-webhook-truncate-max-batch-size=%d", val))
+	}
+
+	if val := config.TruncateMaxEventSize; val != 0 {
+		extraArgs = append(extraArgs, fmt.Sprintf("--audit-webhook-truncate-max-event-sizes=%d", val))
+	}
+
+	if val := config.Version; val != "" {
+		extraArgs = append(extraArgs, fmt.Sprintf("--audit-webhook-version=%s", val))
+	}
+
+	if val := config.ConfigSecretName; val != "" {
+		volumeName := "audit-webhook-config"
+		mountPath := "/etc/kcp/audit/webhook"
+
+		extraArgs = append(extraArgs, fmt.Sprintf("--audit-webhook-config-file=%s/kubeconfig", mountPath))
+		podSpec.Containers[0].VolumeMounts = append(podSpec.Containers[0].VolumeMounts, corev1.VolumeMount{
+			Name:      volumeName,
+			ReadOnly:  true,
+			MountPath: mountPath,
+		})
+
+		deployment.Spec.Template.Spec.Volumes = append(deployment.Spec.Template.Spec.Volumes, corev1.Volume{
+			Name: volumeName,
+			VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{
+					SecretName: val,
+				},
+			},
+		})
+	}
+
+	podSpec.Containers[0].Args = append(podSpec.Containers[0].Args, extraArgs...)
+	deployment.Spec.Template.Spec = podSpec
+
+	return deployment, nil
+}

sdk/apis/operator/v1alpha1/shard_types.go

@@ -37,6 +37,65 @@ type CommonShardSpec struct {
 
 	// Replicas configures how many instances of this shard run in parallel. Defaults to 2 if not set.
 	Replicas *int32 `json:"replicas,omitempty"`
+
+	KcpConfiguration KcpConfigurationSpec `json:"kcpConfiguration,omitempty"`
+}
+
+type KcpConfigurationSpec struct {
+	Audit *AuditSpec `json:"audit,omitempty"`
+}
+
+type AuditSpec struct {
+	Webhook *AuditWebhookSpec `json:"webhook,omitempty"`
+}
+
+// +kubebuilder:validation:Enum="";batch;blocking;blocking-strict
+
+type AuditWebhookMode string
+
+const (
+	AuditWebhookBatchMode          AuditWebhookMode = "batch"
+	AuditWebhookBlockingMode       AuditWebhookMode = "blocking"
+	AuditWebhookBlockingStrictMode AuditWebhookMode = "blocking-strict"
+)
+
+type AuditWebhookSpec struct {
+	// The size of the buffer to store events before batching and writing. Only used in batch mode.
+	BatchBufferSize int `json:"batchBufferSize,omitempty"`
+	// The maximum size of a batch. Only used in batch mode.
+	BatchMaxSize int `json:"batchMaxSize,omitempty"`
+	// The amount of time to wait before force writing the batch that hadn't reached the max size.
+	// Only used in batch mode.
+	BatchMaxWait *metav1.Duration `json:"batchMaxWait,omitempty"`
+	// Maximum number of requests sent at the same moment if ThrottleQPS was not utilized before.
+	// Only used in batch mode.
+	BatchThrottleBurst int `json:"batchThrottleBurst,omitempty"`
+	// Whether batching throttling is enabled. Only used in batch mode.
+	BatchThrottleEnable bool `json:"batchThrottleEnable,omitempty"`
+	// Maximum average number of batches per second. Only used in batch mode.
+	// This value is a floating point number, stored as a string (e.g. "3.1").
+	BatchThrottleQPS string `json:"batchThrottleQPS,omitempty"`
+
+	// Name of a Kubernetes Secret that contains a kubeconfig formatted file that defines the
+	// audit webhook configuration.
+	ConfigSecretName string `json:"configSecretName,omitempty"`
+	// The amount of time to wait before retrying the first failed request.
+	InitialBackoff *metav1.Duration `json:"initialBackoff,omitempty"`
+	// Strategy for sending audit events. Blocking indicates sending events should block server
+	// responses. Batch causes the backend to buffer and write events asynchronously.
+	Mode AuditWebhookMode `json:"mode,omitempty"`
+	// Whether event and batch truncating is enabled.
+	TruncateEnabled bool `json:"truncateEnabled,omitempty"`
+	// Maximum size of the batch sent to the underlying backend. Actual serialized size can be
+	// several hundreds of bytes greater. If a batch exceeds this limit, it is split into several
+	// batches of smaller size.
+	TruncateMaxBatchSize int `json:"truncateMaxBatchSize,omitempty"`
+	// Maximum size of the audit event sent to the underlying backend. If the size of an event
+	// is greater than this number, first request and response are removed, and if this doesn't
+	// reduce the size enough, event is discarded.
+	TruncateMaxEventSize int `json:"truncateMaxEventSize,omitempty"`
+	// API group and version used for serializing audit events written to webhook.
+	Version string `json:"version,omitempty"`
 }
 
 // ShardStatus defines the observed state of Shard