[apiserver] add audit logging options for policy file and log rotation

dilyevsky · dilyevsky · commit c63e7d5b4a60 · 2026-03-19T17:55:18.000-07:00
Add WithAuditPolicyFile, WithAuditLogPath, and WithAuditLogRotation
options to wire k8s apiserver audit middleware with lumberjack-based
rotation. When a policy file is provided, audit events are written
as JSON to disk filtered by the policy rules.
diff --git a/pkg/apiserver/manager.go b/pkg/apiserver/manager.go
@@ -244,6 +244,11 @@ type options struct {
 	openAPIDefinitions     common.GetOpenAPIDefinitions
 	addToScheme            func(*runtime.Scheme) error
 	admissionPlugins       []admissionPlugin
+	auditPolicyFile    string
+	auditLogPath       string
+	auditLogMaxAge     int // days
+	auditLogMaxBackups int
+	auditLogMaxSizeMB  int // megabytes
 }
 
 type admissionPlugin struct {
@@ -464,6 +469,26 @@ func WithAdmissionPlugin(name string, factory admission.Factory) Option {
 	}
 }
 
+// WithAuditPolicyFile sets the path to an audit policy YAML file.
+// When set, the apiserver will emit audit events filtered by the policy.
+func WithAuditPolicyFile(path string) Option {
+	return func(o *options) { o.auditPolicyFile = path }
+}
+
+// WithAuditLogPath sets the file path for audit log output.
+func WithAuditLogPath(path string) Option {
+	return func(o *options) { o.auditLogPath = path }
+}
+
+// WithAuditLogRotation configures lumberjack-based rotation for the audit log.
+func WithAuditLogRotation(maxAgeDays, maxBackups, maxSizeMB int) Option {
+	return func(o *options) {
+		o.auditLogMaxAge = maxAgeDays
+		o.auditLogMaxBackups = maxBackups
+		o.auditLogMaxSizeMB = maxSizeMB
+	}
+}
+
 func defaultResources() []resource.Object {
 	// Higher versions need to be registered first as storage resources.
 	return []resource.Object{
@@ -974,6 +999,22 @@ func start(
 					o.RecommendedOptions.Authorization = nil
 				}
 
+				if opts.auditPolicyFile != "" {
+					o.RecommendedOptions.Audit = apiserveropts.NewAuditOptions()
+					o.RecommendedOptions.Audit.PolicyFile = opts.auditPolicyFile
+					o.RecommendedOptions.Audit.LogOptions.Path = opts.auditLogPath
+					o.RecommendedOptions.Audit.LogOptions.Format = "json"
+					if opts.auditLogMaxAge > 0 {
+						o.RecommendedOptions.Audit.LogOptions.MaxAge = opts.auditLogMaxAge
+					}
+					if opts.auditLogMaxBackups > 0 {
+						o.RecommendedOptions.Audit.LogOptions.MaxBackups = opts.auditLogMaxBackups
+					}
+					if opts.auditLogMaxSizeMB > 0 {
+						o.RecommendedOptions.Audit.LogOptions.MaxSize = opts.auditLogMaxSizeMB
+					}
+				}
+
 				return o
 			}).
 			WithConfigFns(func(c *apiserver.RecommendedConfig) *apiserver.RecommendedConfig {
