Conversation
Walkthrough

A new Kubernetes audit policy configuration file,

Changes

Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant User
    participant HelmTemplates
    participant K8sAPIServer
    User->>HelmTemplates: Deploy cluster with Helm
    HelmTemplates->>K8sAPIServer: Configure API server with audit-policy-file and audit-log-path
    K8sAPIServer->>K8sAPIServer: Load audit-config.yaml for audit logging
    K8sAPIServer-->>User: API server runs with audit logging enabled
```
Actionable comments posted: 0
🧹 Nitpick comments (1)
charts/t8s-cluster/files/audit-config.yaml (1)
1-10: Good baseline audit policy for Kubernetes API Server. This introduces a basic Kubernetes audit policy that logs metadata for all API requests, omitting only the RequestReceived stage. The Metadata logging level captures request details like user, timestamp, resource, and verb, which is a good starting point for audit compliance.
For future enhancements, consider implementing a more granular audit policy with different audit levels for sensitive operations. For example:
apiVersion: audit.k8s.io/v1 kind: Policy # Long-running requests like watches will not generate an audit event in RequestReceived. omitStages: - "RequestReceived" rules: + # Log RequestResponse level for sensitive resources like secrets + - level: RequestResponse + resources: + - group: "" + resources: ["secrets"] + # Log Request level for configmaps and service accounts operations + - level: Request + resources: + - group: "" + resources: ["configmaps", "serviceaccounts"] - level: Metadata verbs: [] # All verbs resources: [] # All resources
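Review bot: the first added rule (`level: RequestResponse` for `secrets`) writes the full Secret object, data fields included, into every audit event for those requests, and the second rule (`level: Request` for `configmaps` and `serviceaccounts`) does the same for request bodies; since the chart's API server arguments send the audit log to stdout (the "-" path noted in the `_helpers.tpl` comments of this review), secret and configmap contents would end up in the container log stream and whatever log pipeline reads it. The upstream Kubernetes audit-policy guidance is to keep secrets, configmaps and tokenreviews at `Metadata` precisely because they carry sensitive or binary data, so consider dropping the secrets rule to `Metadata` and scoping the configmap rule (specific namespaces or mutating verbs only) if request bodies are really wanted. The ordering itself is correct: the first matching rule wins, so these specific rules must stay above the catch-all `- level: Metadata` rule with empty `verbs`/`resources` lists, or they would be shadowed.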
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (2)
- charts/t8s-cluster/files/audit-config.yaml (1 hunks)
- charts/t8s-cluster/templates/management-cluster/clusterClass/_helpers.tpl (5 hunks)
⏰ Context from checks skipped due to timeout of 90000ms (3)
- GitHub Check: generateDiffCommentBody
- GitHub Check: lint helm chart (t8s-cluster)
- GitHub Check: wait-for-checks
🔇 Additional comments (5)
charts/t8s-cluster/templates/management-cluster/clusterClass/_helpers.tpl (5)
170-172: LGTM. Added audit config path template. This template helper correctly constructs the full path to the audit configuration file by combining the base Kubernetes config path with the audit config filename.
186-188: LGTM. Added audit config filename template. This template helper defines the filename of the audit configuration file as "audit-config.yaml", matching the newly added file in the chart.
202-203: LGTM. API server arguments for audit logging configured. These changes correctly configure the API server to use the audit policy file and to send audit logs to standard output (indicated by "-"). This is the recommended approach for container environments where logs are typically collected from stdout.
213-220: LGTM. Added audit configuration to API server static files. The audit configuration file is now properly included in the static files dictionary for the API server, ensuring it's included in the rendered manifests.
231-234: Fixed context propagation to authentication config template. This fixes the context being passed to the authentication config content template, ensuring the correct context is used.
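The review above describes how a Kubernetes audit policy is evaluated: the first matching rule sets the level, empty `verbs`/`resources` lists match everything, and `omitStages` removes stages from the emitted events. The following Python model is an added example, not code from the PR or the t8s-cluster chart. The policy dict is a constructed copy of the policy suggested in the nitpick comment; the `Request` dataclass and the `audit_level`, `logged_stages`, `body_logging_rules` and `shadowed_policy` names are assumptions for this example only. Beyond the single policy on the page, it also shows what happens when the catch-all rule is placed first (the specific rules are shadowed) and lints for rules that capture request bodies for resources that may hold sensitive data.

```python
"""Model of Kubernetes audit-policy rule matching (added example, not from the
PR or the t8s-cluster chart). Only level, verbs, resources and omitStages are
modelled; namespaces, users, userGroups and nonResourceURLs are left out."""
from dataclasses import dataclass

# The four audit stages defined by the Kubernetes audit framework.
ALL_STAGES = ["RequestReceived", "ResponseStarted", "ResponseComplete", "Panic"]

# Levels at which the request body is written into the audit event.
BODY_LEVELS = {"Request", "RequestResponse"}

# Constructed copy of the policy suggested in the review comment.
SUGGESTED_POLICY = {
    "apiVersion": "audit.k8s.io/v1",
    "kind": "Policy",
    "omitStages": ["RequestReceived"],
    "rules": [
        {"level": "RequestResponse",
         "resources": [{"group": "", "resources": ["secrets"]}]},
        {"level": "Request",
         "resources": [{"group": "", "resources": ["configmaps", "serviceaccounts"]}]},
        # Catch-all: empty verbs/resources lists match every request.
        {"level": "Metadata", "verbs": [], "resources": []},
    ],
}


@dataclass(frozen=True)
class Request:
    """Hypothetical minimal request attributes relevant to rule matching."""
    verb: str
    group: str      # "" is the core API group
    resource: str


def rule_matches(rule, req):
    """True if `rule` applies to `req`; empty verbs/resources match everything."""
    verbs = rule.get("verbs") or []
    if verbs and req.verb not in verbs:
        return False
    group_resources = rule.get("resources") or []
    if not group_resources:
        return True
    for gr in group_resources:
        if gr.get("group", "") != req.group:
            continue
        names = gr.get("resources") or []
        if not names or req.resource in names:
            return True
    return False


def audit_level(policy, req):
    """First matching rule wins; a request matching no rule is not audited ("None")."""
    for rule in policy["rules"]:
        if rule_matches(rule, req):
            return rule["level"]
    return "None"


def logged_stages(policy, req):
    """Stages that emit an event for `req`: all stages minus policy- and rule-level omitStages."""
    for rule in policy["rules"]:
        if rule_matches(rule, req):
            omitted = set(policy.get("omitStages", [])) | set(rule.get("omitStages", []))
            return [s for s in ALL_STAGES if s not in omitted]
    return []


def body_logging_rules(policy, sensitive=("secrets", "configmaps", "tokenreviews")):
    """Indexes of rules that log request bodies for resources that may carry sensitive data."""
    hits = []
    for i, rule in enumerate(policy["rules"]):
        if rule["level"] not in BODY_LEVELS:
            continue
        for gr in rule.get("resources") or []:
            if set(gr.get("resources") or []) & set(sensitive):
                hits.append(i)
                break
    return hits


def shadowed_policy(policy):
    """Same rules with the catch-all moved to the top, to show why rule order matters."""
    rules = policy["rules"]
    return {**policy, "rules": [rules[-1]] + rules[:-1]}


if __name__ == "__main__":
    for req in (Request("get", "", "secrets"), Request("list", "", "configmaps"),
                Request("create", "apps", "deployments")):
        print(req, audit_level(SUGGESTED_POLICY, req), logged_stages(SUGGESTED_POLICY, req))
    print("rules logging bodies of sensitive resources:", body_logging_rules(SUGGESTED_POLICY))
    print("secrets level with catch-all first:",
          audit_level(shadowed_policy(SUGGESTED_POLICY), Request("get", "", "secrets")))
```

Running the block prints the level and stages for three constructed requests, then the lint result: both added rules log request bodies for sensitive resources, and moving the catch-all first silently drops secrets to `Metadata`, which is why the specific rules must stay above it.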
🤖 I have diffed this beep boop"/$namespace/$kind/$name.yaml" for normal resources
🤖 I have created a release *beep* *boop*

---

## [9.3.0](t8s-cluster-v9.2.1...t8s-cluster-v9.3.0) (2025-06-06)

### Features

* **t8s-cluster:** add rbac for teuto staff ([#1498](#1498)) ([9e0a9e2](9e0a9e2))
* **t8s-cluster:** enable audit logging ([#1440](#1440)) ([dcb28ca](dcb28ca))
* **t8s-cluster:** make apiserver resources configurable ([#1485](#1485)) ([3126661](3126661))
* **t8s-cluster:** use new pullPolicy template ([#1383](#1383)) ([6b253bd](6b253bd))

### Miscellaneous Chores

* **t8s-cluster:** pin versions ([#1482](#1482)) ([372c92b](372c92b))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

## Summary by CodeRabbit

- **New Features**
  - Added RBAC for Teuto staff.
  - Enabled audit logging.
  - Made apiserver resource configurations customizable.
  - Adopted a new pullPolicy template.
- **Enhancements**
  - Updated OpenStack Cinder CSI plugin and related CSI component images to newer versions.
  - Improved documentation for control plane resource configuration and security group rule options.
- **Chores**
  - Updated chart version to 9.3.0 and pinned image versions.
  - Switched CSI image references and license entries from k8s.gcr.io to registry.k8s.io.

---------

Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Chris Werner Rau <cwr@teuto.net>