Merge pull request #77 from ormequ/master

Add audit logs parameters for create/update/get/list cluster operations
selectel · Oct 16, 2024 · fe2a6e9 · fe2a6e9
2 parents bc9e167 + 981c491
commit fe2a6e9
Show file tree

Hide file tree

Showing 3 changed files with 210 additions and 27 deletions.
diff --git a/pkg/v1/cluster/requests_opts.go b/pkg/v1/cluster/requests_opts.go
@@ -48,7 +48,7 @@ type CreateOpts struct {
 	Zonal *bool `json:"zonal,omitempty"`
 
 	// KubernetesOptions represents additional k8s options such as pod security policy,
-	// feature gates (Alpha stage only) and admission controllers.
+	// feature gates, admission controllers and audit logs.
 	KubernetesOptions *KubernetesOptions `json:"kubernetes_options,omitempty"`
 
 	// PrivateKubeAPI specifies if kube API should be available from the Internet or not.
@@ -71,6 +71,6 @@ type UpdateOpts struct {
 	EnablePatchVersionAutoUpgrade *bool `json:"enable_patch_version_auto_upgrade,omitempty"`
 
 	// KubernetesOptions represents additional k8s options such as pod security policy,
-	// feature gates (Alpha stage only) and admission controllers.
+	// feature gates, admission controllers and audit logs.
 	KubernetesOptions *KubernetesOptions `json:"kubernetes_options,omitempty"`
 }
diff --git a/pkg/v1/cluster/schemas.go b/pkg/v1/cluster/schemas.go
@@ -123,7 +123,7 @@ type View struct {
 	Zonal bool `json:"zonal"`
 
 	// KubernetesOptions represents additional k8s options such as pod security policy,
-	// feature gates (Alpha stage only) and admission controllers.
+	// feature gates, admission controllers and audit logs.
 	KubernetesOptions *KubernetesOptions `json:"kubernetes_options,omitempty"`
 
 	PrivateKubeAPI bool `json:"private_kube_api"`
@@ -152,7 +152,7 @@ func (result *View) UnmarshalJSON(b []byte) error {
 }
 
 // KubernetesOptions represents additional k8s options such as pod security policy,
-// feature gates (Alpha stage only) and admission controllers.
+// feature gates, admission controllers and audit logs.
 type KubernetesOptions struct {
 	// EnablePodSecurityPolicy indicates if PodSecurityPolicy admission controller
 	// must be turned on/off.
@@ -163,6 +163,25 @@ type KubernetesOptions struct {
 
 	// AdmissionControllers represents admission controllers that should be enabled.
 	AdmissionControllers []string `json:"admission_controllers"`
+
+	// AuditLogs represents configuration of kubernetes audit logs in the cluster.
+	// More: https://docs.selectel.ru/en/cloud/managed-kubernetes/clusters/logs/#configure-integration-with-external-system
+	AuditLogs AuditLogs `json:"audit_logs"`
+}
+
+type AuditLogs struct {
+	// Enabled indicates whether kubernetes audit logs should be collected
+	// and pushed into SIEM system (e.g. logstash).
+	// False by default.
+	Enabled bool `json:"enabled"`
+
+	// SecretName contains name of the kubernetes secret in namespace kube-system
+	// with credentials of SIEM system where logs should be pushed.
+	// Fields of the secret: host, port, username (optional), password (optional), ca.crt (optional).
+	// This field is optional. By default, used "mks-audit-logs".
+	// Secret name should be as a DNS subdomain name as defined in RFC 1123.
+	// More: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#dns-subdomain-names
+	SecretName string `json:"secret_name"`
 }
 
 // KubeconfigFields is a struct that contains Kubeconfigs parsed fields and raw kubeconfig.