Provides a Gardener extension for managing kube-apiserver audit logs for a shoot cluster.
The extension spins up a fluentbit-based audit sink in the seed's shoot namespace prior to starting the shoot's API server. Therefore, it is required to run this extension with the reconcile lifecycle policy BeforeKubeAPIServer. The deletion also has to happen BeforeKubeAPIServer, as otherwise the managed resources of this extension block the shoot deletion flow.
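The lifecycle requirement above is expressed in the extension's ControllerRegistration. The following is an added illustration, not the project's own registration manifest: the registration name, the deploymentRefs name and the extension type `audit` are placeholders and must be replaced with the values this extension actually registers. Only the lifecycle fields matter for the point made above: both reconcile and delete are pinned to BeforeKubeAPIServer so the sink exists before the shoot's kube-apiserver starts and is torn down before the shoot deletion flow waits on the API server.

```yaml
apiVersion: core.gardener.cloud/v1beta1
kind: ControllerRegistration
metadata:
  name: extension-audit            # placeholder name, assumed for this example
spec:
  deployment:
    deploymentRefs:
      - name: extension-audit      # placeholder; must match the ControllerDeployment
  resources:
    - kind: Extension
      type: audit                  # placeholder; use the type this extension registers
      lifecycle:
        # The audit sink must be reconciled before the shoot's kube-apiserver is started,
        # otherwise the API server has no sink to deliver audit events to.
        reconcile: BeforeKubeAPIServer
        # On deletion the extension's ManagedResources must be removed before the
        # kube-apiserver is deleted, otherwise they block the shoot deletion flow.
        delete: BeforeKubeAPIServer
```

If either policy is left at a different value, the symptoms are the ones the text describes: a shoot API server that starts without its sink, or a shoot deletion that hangs on the extension's managed resources.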
This sink has the ability to buffer audit logs to a persistent volume and send them to the supported backends.
A custom audit policy can be natively configured by Gardener in the shoot spec's API server configuration under .spec.kubernetes.kubeAPIServer.auditConfig.auditPolicy.configMapRef.name.
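As an added example of wiring a custom policy through the field named above (this is not a manifest from the project, and the shoot name, project namespace and ConfigMap name are constructed), the first document is a ConfigMap holding an audit.k8s.io/v1 Policy and the second is the Shoot fragment that references it. It is assumed, as in Gardener's audit policy documentation, that the ConfigMap lives in the shoot's project namespace and carries the policy under the key `policy`. The policy itself keeps Secret and ConfigMap bodies out of the audit trail (Metadata level), drops health-check noise, records full request and response bodies for RBAC changes, and falls back to Metadata for everything else.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: audit-policy               # constructed name, referenced from the Shoot below
  namespace: garden-my-project     # constructed project namespace
data:
  policy: |
    apiVersion: audit.k8s.io/v1
    kind: Policy
    # Skip the RequestReceived stage; the ResponseComplete event carries the outcome.
    omitStages:
      - RequestReceived
    rules:
      # Never write Secret/ConfigMap/token bodies to the log: metadata only.
      - level: Metadata
        resources:
          - group: ""
            resources: ["secrets", "configmaps", "serviceaccounts/token"]
      # Health and version probes are high volume and carry no security signal.
      - level: None
        nonResourceURLs: ["/healthz*", "/readyz*", "/livez*", "/version"]
      # Keep full request and response bodies for RBAC mutations.
      - level: RequestResponse
        verbs: ["create", "update", "patch", "delete"]
        resources:
          - group: "rbac.authorization.k8s.io"
            resources: ["clusterroles", "clusterrolebindings", "roles", "rolebindings"]
      # Default: record who did what to which resource, without bodies.
      - level: Metadata
---
apiVersion: core.gardener.cloud/v1beta1
kind: Shoot
metadata:
  name: my-shoot                   # constructed shoot name
  namespace: garden-my-project
spec:
  kubernetes:
    kubeAPIServer:
      auditConfig:
        auditPolicy:
          configMapRef:
            name: audit-policy     # the ConfigMap above
```

Rule order matters in an audit policy: the first matching rule wins, so the Metadata rule for secrets has to precede any broader RequestResponse rule, otherwise secret bodies would be written to the sink's buffer volume and forwarded to the backend.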
This extension can be developed in the gardener-local devel environment.
make push-to-gardener-local
kubectl apply -k example/
example/shoot.yaml
and apply with kubectl apply -f example/shoot.yaml