From cd16b0fd4da3b061d8a841305266bc374fc2a5ea Mon Sep 17 00:00:00 2001 From: Tanvir Tatla Date: Tue, 3 Oct 2023 09:29:34 -0700 Subject: [PATCH] Enable Audit Logs for Tinkerbell --- .../tinkerbell/config/template-cp.yaml | 23 +++++++++++++++++++ pkg/providers/tinkerbell/template.go | 6 +++++ 2 files changed, 29 insertions(+) diff --git a/pkg/providers/tinkerbell/config/template-cp.yaml b/pkg/providers/tinkerbell/config/template-cp.yaml index f3b3cca9ebfc..d49cbde78520 100644 --- a/pkg/providers/tinkerbell/config/template-cp.yaml +++ b/pkg/providers/tinkerbell/config/template-cp.yaml @@ -96,8 +96,28 @@ spec: {{- if .apiserverExtraArgs }} apiServer: extraArgs: + audit-policy-file: /etc/kubernetes/audit-policy.yaml + audit-log-path: /var/log/kubernetes/api-audit.log + audit-log-maxage: "30" + audit-log-maxbackup: "10" + audit-log-maxsize: "512" {{ .apiserverExtraArgs.ToYaml | indent 10 }} {{- end }} + extraVolumes: +{{- if (eq .format "bottlerocket") }} + - hostPath: /var/lib/kubeadm/audit-policy.yaml +{{- else }} + - hostPath: /etc/kubernetes/audit-policy.yaml +{{- end }} + mountPath: /etc/kubernetes/audit-policy.yaml + name: audit-policy + pathType: File + readOnly: true + - hostPath: /var/log/kubernetes + mountPath: /var/log/kubernetes + name: audit-log-dir + pathType: DirectoryOrCreate + readOnly: false {{- if .awsIamAuth}} extraVolumes: - hostPath: /var/lib/kubeadm/aws-iam-authenticator/ @@ -316,6 +336,9 @@ spec: owner: root:root path: /var/lib/kubeadm/aws-iam-authenticator/pki/key.pem {{- end}} +{{ .auditPolicy | indent 8 }} + owner: root:root + path: /etc/kubernetes/audit-policy.yaml {{- if (ne .format "bottlerocket") }} {{- if .proxyConfig }} - content: | diff --git a/pkg/providers/tinkerbell/template.go b/pkg/providers/tinkerbell/template.go index e3ca2a529cbf..9b920a887454 100644 --- a/pkg/providers/tinkerbell/template.go +++ b/pkg/providers/tinkerbell/template.go 
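Review bot: The five audit flags are added inside the existing `{{- if .apiserverExtraArgs }}` block, so a cluster with no extra API-server arguments gets the policy file and both volume mounts but no `audit-policy-file`/`audit-log-path` flags, and audit logging is silently off for exactly the clusters this patch means to cover. The unconditional `extraVolumes:` that follows also sits outside the block that emits `apiServer:`, and it collides with the `extraVolumes:` that the unchanged `{{- if .awsIamAuth}}` branch still emits, which yields a duplicate mapping key under `apiServer` whenever IAM authentication is enabled. I would make `apiServer:`/`extraArgs:` and the audit flags unconditional, guard only the `.apiserverExtraArgs.ToYaml` line, and append the aws-iam-authenticator volume as a further item of the single `extraVolumes:` list. Indentation is collapsed in this patch, so the levels in the sketch below are inferred from the `indent 10` of the ToYaml line and need checking against the file.
```yaml
      apiServer:
        extraArgs:
          # … unchanged: the five audit-* flags, now outside the conditional …
{{- if .apiserverExtraArgs }}
{{ .apiserverExtraArgs.ToYaml | indent 10 }}
{{- end }}
        extraVolumes:
        # … unchanged: audit-policy and audit-log-dir volume entries …
{{- if .awsIamAuth}}
        - hostPath: /var/lib/kubeadm/aws-iam-authenticator/
        # … unchanged: remaining aws-iam-authenticator volume fields …
```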
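Review bot: The policy file is written to `/etc/kubernetes/audit-policy.yaml` unconditionally, while the volume added earlier in this patch mounts `/var/lib/kubeadm/audit-policy.yaml` on Bottlerocket; unless the Bottlerocket bootstrap remaps `/etc/kubernetes` onto `/var/lib/kubeadm` (the neighbouring aws-iam-authenticator entries write to `/var/lib/kubeadm` directly, which suggests it does not), the `pathType: File` hostPath will be missing and the API server static pod will fail to start on Bottlerocket nodes. I would branch the `path:` on `.format` exactly as the mount does, so the two places cannot drift apart. The `files:` list this entry belongs to starts outside the hunk.
```yaml
{{ .auditPolicy | indent 8 }}
      owner: root:root
{{- if (eq .format "bottlerocket") }}
      path: /var/lib/kubeadm/audit-policy.yaml
{{- else }}
      path: /etc/kubernetes/audit-policy.yaml
{{- end }}
```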
@@ -410,6 +410,12 @@ func buildTemplateMapCP( "cpSkipLoadBalancerDeployment": clusterSpec.Cluster.Spec.ControlPlaneConfiguration.SkipLoadBalancerDeployment, } + auditPolicy, err := common.GetAuditPolicy(clusterSpec.Cluster.Spec.KubernetesVersion) + if err != nil { + return nil, err + } + values["auditPolicy"] = auditPolicy + if clusterSpec.Cluster.Spec.ControlPlaneConfiguration.UpgradeRolloutStrategy != nil { values["upgradeRolloutStrategy"] = true values["maxSurge"] = clusterSpec.Cluster.Spec.ControlPlaneConfiguration.UpgradeRolloutStrategy.RollingUpdate.MaxSurge
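Review bot: The error from `common.GetAuditPolicy` is returned bare at `return nil, err`, so a caller of buildTemplateMapCP sees a message with no indication that control-plane template generation failed while loading the audit policy, nor for which Kubernetes version; the file's wrapping convention is not visible in this hunk. I would return `fmt.Errorf("getting audit policy for kubernetes version %v: %w", clusterSpec.Cluster.Spec.KubernetesVersion, err)`, assuming `fmt` is already imported here. Failing the whole map build when no policy exists for the version is the right fail-closed choice, since a control plane generated without an audit policy would be worse, and a comment above the call such as `// Fail the build rather than emit a control plane without an audit policy.` would make that intent explicit. buildTemplateMapCP starts and ends outside this hunk.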