Enable Audit Logs for Tinkerbell

pkg/providers/tinkerbell/config/template-cp.yaml

@@ -96,8 +96,28 @@ spec:
 {{- if .apiserverExtraArgs }}
       apiServer:
         extraArgs:
+          audit-policy-file: /etc/kubernetes/audit-policy.yaml
+          audit-log-path: /var/log/kubernetes/api-audit.log
+          audit-log-maxage: "30"
+          audit-log-maxbackup: "10"
+          audit-log-maxsize: "512"
 {{ .apiserverExtraArgs.ToYaml | indent 10 }}
 {{- end }}
+        extraVolumes:
+{{- if (eq .format "bottlerocket") }}
+        - hostPath: /var/lib/kubeadm/audit-policy.yaml
+{{- else }}
+        - hostPath: /etc/kubernetes/audit-policy.yaml
+{{- end }}
+          mountPath: /etc/kubernetes/audit-policy.yaml
+          name: audit-policy
+          pathType: File
+          readOnly: true
+        - hostPath: /var/log/kubernetes
+          mountPath: /var/log/kubernetes
+          name: audit-log-dir
+          pathType: DirectoryOrCreate
+          readOnly: false
 {{- if .awsIamAuth}}
         extraVolumes:
           - hostPath: /var/lib/kubeadm/aws-iam-authenticator/
@@ -316,6 +336,9 @@ spec:
         owner: root:root
         path: /var/lib/kubeadm/aws-iam-authenticator/pki/key.pem
 {{- end}}
+{{ .auditPolicy | indent 8 }}
+      owner: root:root
+      path: /etc/kubernetes/audit-policy.yaml
 {{- if (ne .format "bottlerocket") }}
 {{- if .proxyConfig }}
       - content: |

pkg/providers/tinkerbell/template.go

@@ -410,6 +410,12 @@ func buildTemplateMapCP(
 		"cpSkipLoadBalancerDeployment":  clusterSpec.Cluster.Spec.ControlPlaneConfiguration.SkipLoadBalancerDeployment,
 	}
 
+	auditPolicy, err := common.GetAuditPolicy(clusterSpec.Cluster.Spec.KubernetesVersion)
+	if err != nil {
+		return nil, err
+	}
+	values["auditPolicy"] = auditPolicy
+
 	if clusterSpec.Cluster.Spec.ControlPlaneConfiguration.UpgradeRolloutStrategy != nil {
 		values["upgradeRolloutStrategy"] = true
 		values["maxSurge"] = clusterSpec.Cluster.Spec.ControlPlaneConfiguration.UpgradeRolloutStrategy.RollingUpdate.MaxSurge