🌱 pkg/authorization: enable audit logging for SAR requests

[s-urbaniak]

Summary

This PR:

• adds domain annotation for audit logging: this allows separating regular workspace requests (request.auth.kcp.io domain) vs. SAR requests (sar.auth.kcp.io)
• in case of SAR request: audit are created for the actual SAR authorization review and not for the create authorization request. This allows debugging why a SAR denies.
• adds numbering of authorizers in audit logs so the ordering is clear
• removes audit logging of delegation reasons for more concise audit log entries. Reasons of delegated authorizers can be inspected in the corresponding audit annotation of the delegated authorizer.

Audit example for a SAR request:

  "annotations": {
    "apiserver.latency.k8s.io/response-write": "3µs",
    "apiserver.latency.k8s.io/serialize-response-object": "155.625µs",
    "apiserver.latency.k8s.io/total": "48.648838125s",
    "apiserver.latency.k8s.io/transform-response-object": "9.709µs",
    "authorization.k8s.io/decision": "allow",
    "authorization.k8s.io/reason": "access granted",
    "request.auth.kcp.io/01-requiredgroups-decision": "Allowed",
    "request.auth.kcp.io/01-requiredgroups-reason": "delegating due to logical cluster does not require groups",
    "request.auth.kcp.io/02-content-decision": "Allowed",
    "request.auth.kcp.io/02-content-reason": "delegating due to user logical cluster access",
    "request.auth.kcp.io/03-systemcrd-decision": "Allowed",
    "request.auth.kcp.io/03-systemcrd-reason": "delegating due to no system CRD violation",
    "request.auth.kcp.io/04-maxpermissionpolicy-decision": "Allowed",
    "request.auth.kcp.io/04-maxpermissionpolicy-reason": "05-local: access granted",
    "request.auth.kcp.io/05-bootstrap-decision": "NoOpinion",
    "request.auth.kcp.io/05-bootstrap-reason": "bootstrap policy: ",
    "request.auth.kcp.io/05-local-decision": "Allowed",
    "request.auth.kcp.io/05-local-reason": "local cluster \"2tgmp7irk229vwdu\" policy: RBAC: allowed by ClusterRoleBinding \"workspace-admin-fhvwv\" of ClusterRole \"cluster-admin\" to User \"user-1\"",
    "sar.auth.kcp.io/01-requiredgroups-decision": "Allowed",
    "sar.auth.kcp.io/01-requiredgroups-reason": "delegating due to logical cluster does not require groups",
    "sar.auth.kcp.io/02-content-decision": "Allowed",
    "sar.auth.kcp.io/02-content-reason": "delegating due to user logical cluster access",
    "sar.auth.kcp.io/03-systemcrd-decision": "Allowed",
    "sar.auth.kcp.io/03-systemcrd-reason": "delegating due to no system CRD violation",
    "sar.auth.kcp.io/04-maxpermissionpolicy-decision": "Allowed",
    "sar.auth.kcp.io/04-maxpermissionpolicy-reason": "05-local: access granted",
    "sar.auth.kcp.io/05-bootstrap-decision": "NoOpinion",
    "sar.auth.kcp.io/05-bootstrap-reason": "bootstrap policy: ",
    "sar.auth.kcp.io/05-local-decision": "Allowed",
    "sar.auth.kcp.io/05-local-reason": "local cluster \"2tgmp7irk229vwdu\" policy: RBAC: allowed by ClusterRoleBinding \"user-1-configmap-reader\" of ClusterRole \"configmap-reader\" to User \"user-1\"",
    "tenancy.kcp.io/workspace": "2tgmp7irk229vwdu"
  }

Related issue(s)

N/A

[s-urbaniak]

/retest

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ncdc

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [ncdc]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment