feat: Configurable audit log backend and policy #1564

Draft
dlipovetsky wants to merge 3 commits into main from dlipovetsky/configurable-audit-logging

@dlipovetsky
Contributor

What problem does this PR solve?:
Allows the user to configure the audit log backend and policy.

Adds types to the cluster configuration that mirror the relevant kube-apiserver flags.

Introduces the auditlog handler. This handler patches the control plane kubeadm configuration template with flags, and the audit policy, based on the cluster configuration.

TODO

  • Deploy the default audit policy as a ConfigMap in the controller namespace, so that it can be read and used in the patch. I like this, because it allows the user to configure the default policy. If the ConfigMap is not found, that would break cluster deployment, so that's a new risk. Open to ideas. We could continue to embed the default policy, for example.

Which issue(s) this PR fixes:
Fixes #

How Has This Been Tested?:

Special notes for your reviewer:

@dlipovetsky dlipovetsky force-pushed the dlipovetsky/configurable-audit-logging branch from 1d961dd to bf5629b Compare April 13, 2026 16:22
@dlipovetsky dlipovetsky force-pushed the dlipovetsky/configurable-audit-logging branch from 7de6559 to ad1ea9b Compare April 14, 2026 00:09
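
The policy fallback raised in the TODO above, together with the mapping from cluster configuration to kube-apiserver flags, shown as an added example that is not code from this PR. The `AuditLog` type, `ResolvePolicy`, `APIServerArgs`, the policy file path and the sample policy are assumptions made for illustration; the `audit-*` flag names are kube-apiserver's own.

```go
package main

import (
	"fmt"
	"strconv"
)

const (
	embeddedDefaultPolicy = "apiVersion: audit.k8s.io/v1\nkind: Policy\nrules:\n- level: Metadata\n" // constructed sample
	policyFile            = "/etc/kubernetes/audit-policy.yaml"                                     // assumed path on control plane nodes
)

// AuditLog is a hypothetical type mirroring the kube-apiserver log backend flags.
type AuditLog struct {
	Path                       string // --audit-log-path
	MaxAge, MaxBackup, MaxSize int    // --audit-log-maxage, --audit-log-maxbackup, --audit-log-maxsize
	Policy                     string // inline policy; empty selects the default
}

// ResolvePolicy falls back to the embedded default when the ConfigMap is missing or empty.
func ResolvePolicy(cfg AuditLog, fromConfigMap func() (string, bool)) (policy, source string) {
	if cfg.Policy != "" {
		return cfg.Policy, "cluster"
	}
	if p, ok := fromConfigMap(); ok && p != "" {
		return p, "configmap"
	}
	return embeddedDefaultPolicy, "embedded"
}

// APIServerArgs returns kubeadm-style extraArgs (flag names without leading dashes).
func APIServerArgs(cfg AuditLog) (map[string]string, error) {
	if cfg.Path == "" {
		return nil, fmt.Errorf("audit log path is required")
	}
	args := map[string]string{"audit-policy-file": policyFile, "audit-log-path": cfg.Path}
	for flag, v := range map[string]int{"audit-log-maxage": cfg.MaxAge, "audit-log-maxbackup": cfg.MaxBackup, "audit-log-maxsize": cfg.MaxSize} {
		if v < 0 {
			return nil, fmt.Errorf("%s must not be negative, got %d", flag, v)
		}
		if v > 0 { // zero leaves the flag unset
			args[flag] = strconv.Itoa(v)
		}
	}
	return args, nil
}

func main() {
	fmt.Println(APIServerArgs(AuditLog{Path: "/var/log/kubernetes/audit.log", MaxAge: 30}))
}
```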