✨ add Audit webhook configuration options to RootShard/Shard objects

[xrstf]

Summary

This PR adds new options to configure an external audit webhook. We chose to not support the local-volume audit logging options of kcp because unless we move to a StatefulSet, we won't be able to provision a PVC for each kcp replica Pod, and we cannot use the same PVC in multiple pods either.

This PR effectively wraps all of the following CLI flags:

      --audit-webhook-batch-buffer-size int         The size of the buffer to store events before batching and writing. Only used in batch mode. (default 10000)
      --audit-webhook-batch-max-size int            The maximum size of a batch. Only used in batch mode. (default 400)
      --audit-webhook-batch-max-wait duration       The amount of time to wait before force writing the batch that hadn't reached the max size. Only used in batch mode. (default 30s)
      --audit-webhook-batch-throttle-burst int      Maximum number of requests sent at the same moment if ThrottleQPS was not utilized before. Only used in batch mode. (default 15)
      --audit-webhook-batch-throttle-enable         Whether batching throttling is enabled. Only used in batch mode. (default true)
      --audit-webhook-batch-throttle-qps float32    Maximum average number of batches per second. Only used in batch mode. (default 10)
      --audit-webhook-config-file string            Path to a kubeconfig formatted file that defines the audit webhook configuration.
      --audit-webhook-initial-backoff duration      The amount of time to wait before retrying the first failed request. (default 10s)
      --audit-webhook-mode string                   Strategy for sending audit events. Blocking indicates sending events should block server responses. Batch causes the backend to buffer and write events asynchronously. Known modes are batch,blocking,blocking-strict. (default "batch")
      --audit-webhook-truncate-enabled              Whether event and batch truncating is enabled.
      --audit-webhook-truncate-max-batch-size int   Maximum size of the batch sent to the underlying backend. Actual serialized size can be several hundreds of bytes greater. If a batch exceeds this limit, it is split into several batches of smaller size. (default 10485760)
      --audit-webhook-truncate-max-event-size int   Maximum size of the audit event sent to the underlying backend. If the size of an event is greater than this number, first request and response are removed, and if this doesn't reduce the size enough, event is discarded. (default 102400)
      --audit-webhook-version string                API group and version used for serializing audit events written to webhook. (default "audit.k8s.io/v1")

I chose to not replicate the default values into the operator (neither in the code, nor in the comments) to prevent them becoming stale and not matching the actual kcp defaults anymore.

Related issue(s)

Fixes #13

Release Notes

Allow to configure an external audit webhook for kcp shards.

[embik]

I don't think I like this, everything in the shard spec is "kcp configuration", more or less. I know where this is coming from but I wouldn't make such a distinction between app config and orchestrator config (e.g. you could argue that the etcd key is also "kcp configuration"). I think we can have the audit key directly in the struct.

[xrstf]

Okay, changed.

[embik]

/approve

[kcp-ci-bot]

LGTM label has been added.

Git tree hash: a900e4c05221248e8bd7495ee47a7391aaa9ac64

[kcp-ci-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: embik

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [embik]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment