# Deploying Auditing Extension Locally

## Setup without Gardener Operator

### Prerequisites

- Make sure that you have a running local Gardener setup. The steps to complete this can be found in the Deploying Gardener Locally guide.

### Setting up the Auditing Extension

Make sure that your `KUBECONFIG` environment variable is targeting the local Gardener cluster. When this is ensured, run:

```bash
make extension-up
```

The corresponding make target will build the extension image, load it into the kind cluster Nodes, and deploy the auditing `ControllerDeployment` and `ControllerRegistration` resources. The container image in the `ControllerDeployment` will be the image that was built and loaded into the kind cluster Nodes.

In addition, an echo server will be deployed in its own Namespace, which can be used as a dummy audit logging backend.

The make target will then deploy the auditing admission component. It will build the admission image, load it into the kind cluster Nodes, and finally install the admission component charts into the kind cluster.
### Creating a Shoot Cluster

1. Create a secret containing the credentials used for mTLS.

   ```bash
   kubectl -n garden-local create secret generic echo-server-creds \
     --from-file=ca.crt=example/local-setup/dev/certs/ca.crt \
     --from-file=client.crt=example/local-setup/dev/certs/client.crt \
     --from-file=client.key=example/local-setup/dev/certs/client.key
   ```

2. Deploy an auditing policy. `example/local-setup/audit-policy.yaml` contains a Policy specification:

   ```bash
   kubectl apply -f example/local-setup/audit-policy.yaml
   ```

3. Create a Shoot cluster. `example/local-setup/shoot.yaml` contains a Shoot specification with the `auditing` extension:

   ```bash
   kubectl apply -f example/local-setup/shoot.yaml
   ```

4. Once the Shoot namespace is created in the seed cluster, create a NetworkPolicy which will allow traffic from the auditlog forwarder to the echo server. `example/local-setup/netpol.yaml` contains a NetworkPolicy allowing communication between the auditlog forwarder and the echo server:

   ```bash
   kubectl apply -f example/local-setup/netpol.yaml
   ```
## Setup with Gardener Operator

Alternatively, you can deploy the auditing extension in the gardener-operator local setup. To do this, make sure you have a running local setup based on Alternative Way to Set Up Garden and Seed Leveraging gardener-operator. The `KUBECONFIG` environment variable should target the operator local KinD cluster (i.e. `<path_to_gardener_project>/example/gardener-local/kind/multi-zone/kubeconfig`).

```bash
export KUBECONFIG=$(pwd)/../gardener/example/gardener-local/kind/multi-zone/kubeconfig
```

### Creating the auditing Extension.operator.gardener.cloud resource

```bash
make extension-operator-up
```

The corresponding make target will build the auditing admission and extension container images, OCI artifacts for the admission runtime and application charts, and the extension chart. Then, the container images and the OCI artifacts are pushed into the default skaffold registry (i.e. `registry.local.gardener.cloud:5001`). Next, the auditing `Extension.operator.gardener.cloud` resource is deployed into the KinD cluster. Based on this resource, the gardener-operator will deploy the auditing admission component, as well as the auditing `ControllerDeployment` and `ControllerRegistration` resources.
### Creating a Shoot Cluster

1. Target the Garden cluster.

   ```bash
   export KUBECONFIG=$(pwd)/../gardener/dev-setup/kubeconfigs/virtual-garden/kubeconfig
   ```

2. Create a secret containing the credentials used for mTLS.

   ```bash
   kubectl -n garden-local create secret generic echo-server-creds \
     --from-file=ca.crt=example/local-setup/dev/certs/ca.crt \
     --from-file=client.crt=example/local-setup/dev/certs/client.crt \
     --from-file=client.key=example/local-setup/dev/certs/client.key
   ```

3. Deploy an auditing policy. `example/local-setup/audit-policy.yaml` contains a Policy specification:

   ```bash
   kubectl apply -f example/local-setup/audit-policy.yaml
   ```

4. Create a Shoot cluster. `example/local-setup/shoot.yaml` contains a Shoot specification with the `auditing` extension:

   ```bash
   kubectl apply -f example/local-setup/shoot.yaml
   ```

5. Once the Shoot namespace is created in the seed cluster, create a NetworkPolicy which will allow traffic from the auditlog forwarder to the echo server. `example/local-setup/netpol.yaml` contains a NetworkPolicy allowing communication between the auditlog forwarder and the echo server:

   ```bash
   kubectl --kubeconfig $(pwd)/../gardener/example/gardener-local/kind/multi-zone/kubeconfig apply -f example/local-setup/netpol.yaml
   ```
### Enable the extension for the Garden cluster

1. Target the runtime cluster.

   ```bash
   export KUBECONFIG=$(pwd)/../gardener/example/gardener-local/kind/multi-zone/kubeconfig
   ```

2. Create a secret containing the credentials used for mTLS.

   ```bash
   kubectl -n garden create secret generic echo-server-creds \
     --from-file=ca.crt=example/local-setup/dev/certs/ca.crt \
     --from-file=client.crt=example/local-setup/dev/certs/client.crt \
     --from-file=client.key=example/local-setup/dev/certs/client.key
   ```

3. Apply audit and network policies.

   ```bash
   kubectl apply -f example/local-setup/garden/audit-policy.yaml
   kubectl apply -f example/local-setup/garden/audit-policy-garden.yaml
   kubectl apply -f example/local-setup/garden/netpol.yaml
   ```

4. Patch the `Garden` resource to enable the extension. Use `kubectl patch` to add the auditing extension configuration to the existing Garden resource:

   ```bash
   kubectl patch garden local --type=merge -p '
   spec:
     extensions:
     - type: auditing
       providerConfig:
         apiVersion: auditing.extensions.gardener.cloud/v1alpha1
         kind: AuditConfiguration
         backends:
         - http:
             url: https://echo-server.echo-server.svc.cluster.local
             tls:
               secretReferenceName: audit-mtls-creds
     resources:
     - name: audit-mtls-creds
       resourceRef:
         apiVersion: v1
         kind: Secret
         name: echo-server-creds
     virtualCluster:
       kubernetes:
         kubeAPIServer:
           auditConfig:
             auditPolicy:
               configMapRef:
                 name: audit-policy
       gardener:
         gardenerAPIServer:
           auditConfig:
             auditPolicy:
               configMapRef:
                 name: audit-policy-garden
   '
   ```

   > **NOTE:** This patch merges the auditing extension configuration with the existing Garden spec. If other extensions are already configured, they will be preserved. The URL points to the local echo-server deployed in the setup, and the secret references the `echo-server-creds` created in step 2.

5. Verify the extension is enabled:

   ```bash
   kubectl get garden local -o jsonpath='{.spec.extensions[?(@.type=="auditing")]}'
   ```
### Delete the auditing Extension.operator.gardener.cloud resource

1. Delete any shoots using the extension.

   ```bash
   kubectl -n garden-local annotate shoot local confirmation.gardener.cloud/deletion=true
   kubectl -n garden-local delete shoot local --wait=false
   ```

2. Disable the extension if configured for the Garden cluster.

   ```bash
   kubectl patch garden local --type=json -p '[
     {"op": "test", "path": "/spec/extensions/0/type", "value": "auditing"},
     {"op": "remove", "path": "/spec/extensions/0"},
     {"op": "test", "path": "/spec/resources/0/name", "value": "audit-mtls-creds"},
     {"op": "remove", "path": "/spec/resources/0"},
     {"op": "remove", "path": "/spec/virtualCluster/kubernetes/kubeAPIServer/auditConfig"},
     {"op": "remove", "path": "/spec/virtualCluster/gardener/gardenerAPIServer/auditConfig"}
   ]'
   ```

3. Make sure the environment variable `KUBECONFIG` points to the operator's local KinD cluster and then run:

   ```bash
   make extension-operator-down
   ```

   The corresponding make target will delete the `Extension.operator.gardener.cloud` resource. Consequently, the gardener-operator will delete the auditing admission component and the auditing `ControllerDeployment` and `ControllerRegistration` resources.

4. Finally, delete the `ValidatingWebhookConfiguration` from the Virtual Garden cluster.

   ```bash
   kubectl --kubeconfig $(pwd)/../gardener/dev-setup/kubeconfigs/virtual-garden/kubeconfig delete validatingwebhookconfiguration gardener-extension-auditing-admission --ignore-not-found
   ```
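The JSON patch in step 2 above removes `/spec/extensions/0` and `/spec/resources/0`, and its `test` operations make `kubectl` fail instead of deleting a different extension or resource when the auditing entries are not first in their lists. The following script is an added example, not code from the auditing extension project: it generalises that patch by locating the `auditing` extension and the secret resources its `providerConfig` backends reference by name, emits the same `test`/`remove` pairs at the indices actually in use, and dry-runs the result locally. `SAMPLE_GARDEN` is a constructed Garden object (with another extension and resource deliberately listed first), and the helper names are hypothetical.

```python
"""Hypothetical helper (not part of the gardener-extension-auditing project).
Builds the JSON patch that disables the auditing extension on a Garden, locating
the entries by name instead of assuming index 0, and dry-runs it locally."""
import copy
import json

# Constructed sample: another extension and resource are listed *before* the
# auditing ones, the case a fixed index 0 does not handle.
SAMPLE_GARDEN = {
    "apiVersion": "operator.gardener.cloud/v1alpha1", "kind": "Garden",
    "metadata": {"name": "local"},
    "spec": {
        "extensions": [
            {"type": "some-other-extension"},  # placeholder entry
            {"type": "auditing", "providerConfig": {
                "apiVersion": "auditing.extensions.gardener.cloud/v1alpha1",
                "kind": "AuditConfiguration",
                "backends": [{"http": {
                    "url": "https://echo-server.echo-server.svc.cluster.local",
                    "tls": {"secretReferenceName": "audit-mtls-creds"}}}]}},
        ],
        "resources": [
            {"name": "other-creds", "resourceRef": {"apiVersion": "v1", "kind": "Secret", "name": "other"}},
            {"name": "audit-mtls-creds", "resourceRef": {"apiVersion": "v1", "kind": "Secret", "name": "echo-server-creds"}},
        ],
        "virtualCluster": {
            "kubernetes": {"kubeAPIServer": {"auditConfig": {"auditPolicy": {"configMapRef": {"name": "audit-policy"}}}}},
            "gardener": {"gardenerAPIServer": {"auditConfig": {"auditPolicy": {"configMapRef": {"name": "audit-policy-garden"}}}}},
        },
    },
}

AUDIT_CONFIG_PATHS = (
    "/spec/virtualCluster/kubernetes/kubeAPIServer/auditConfig",
    "/spec/virtualCluster/gardener/gardenerAPIServer/auditConfig",
)


def _resolve(doc, pointer):
    """Return (parent, key) for an RFC 6901 pointer, or None if the path is absent."""
    parts = pointer.strip("/").split("/")
    parent, node = None, doc
    for part in parts:
        parent = node
        if isinstance(node, list) and part.isdigit() and int(part) < len(node):
            node = node[int(part)]
        elif isinstance(node, dict) and part in node:
            node = node[part]
        else:
            return None
    return parent, (int(parts[-1]) if isinstance(parent, list) else parts[-1])


def build_disable_patch(garden, extension_type="auditing"):
    """RFC 6902 patch removing the extension, the secret resources its backends
    reference, and both auditConfig blocks. Every remove is preceded by a test on
    the same path, so a concurrent change to the spec fails the whole patch."""
    spec = garden["spec"]
    exts = spec.get("extensions", [])
    idx = next((i for i, e in enumerate(exts) if e.get("type") == extension_type), None)
    if idx is None:
        raise ValueError(f"extension {extension_type!r} is not configured")
    patch = [
        {"op": "test", "path": f"/spec/extensions/{idx}/type", "value": extension_type},
        {"op": "remove", "path": f"/spec/extensions/{idx}"},
    ]
    # Secrets referenced via backends[].http.tls.secretReferenceName.
    backends = exts[idx].get("providerConfig", {}).get("backends", [])
    referenced = {b.get("http", {}).get("tls", {}).get("secretReferenceName") for b in backends} - {None}
    resources = spec.get("resources", [])
    hits = [i for i, r in enumerate(resources) if r.get("name") in referenced]
    for i in sorted(hits, reverse=True):  # highest index first so earlier ones stay valid
        patch.append({"op": "test", "path": f"/spec/resources/{i}/name", "value": resources[i]["name"]})
        patch.append({"op": "remove", "path": f"/spec/resources/{i}"})
    # `remove` on an absent path fails the patch, so only emit it where present.
    patch.extend({"op": "remove", "path": p} for p in AUDIT_CONFIG_PATHS if _resolve(garden, p))
    return patch


def apply_patch(doc, patch):
    """Dry-run the test/remove subset of RFC 6902 on a deep copy of doc."""
    doc = copy.deepcopy(doc)
    for op in patch:
        loc = _resolve(doc, op["path"])
        if loc is None:
            raise ValueError(f"path {op['path']} does not exist")
        parent, key = loc
        if op["op"] == "test":
            if parent[key] != op["value"]:
                raise ValueError(f"test failed at {op['path']}")
        elif op["op"] == "remove":
            del parent[key]
        else:
            raise ValueError(f"unsupported op {op['op']!r}")
    return doc


if __name__ == "__main__":
    import sys
    # Pipe the live object in (kubectl get garden local -o json | python3 ...),
    # or fall back to the constructed sample when run interactively.
    garden = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_GARDEN
    print(json.dumps(build_disable_patch(garden), indent=2))
```

Against the live cluster the script is used as `kubectl patch garden local --type=json -p "$(kubectl get garden local -o json | python3 build_disable_patch.py)"`; because every `remove` is paired with a `test` on the same path, the API server rejects the entire patch if the extension list changed between the `get` and the `patch`, which is the same guarantee the fixed-index patch in step 2 relies on.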