dynamic audit configuration

[pbarker]

What this PR does / why we need it:
Implements dynamic audit configuration feature kubernetes/enhancements#600

Special notes for your reviewer:

The PR depends on the plugins PR #70021

This PR has performance implications when the feature is enabled. This was discussed in the KEP and will be benchmarked and evaluated before moving to beta.

Integration test can be found #69902

Issues that need to be completed before beta can be found #70816

Release note:

Adds DynamicAuditing feature which allows for the configuration of audit webhooks through the use of an AuditSink API object.

[neolit123]

please, change the release note from
Adds dynamic audit configuration -> Add dynamic audit configuration or even better - expand a little on what the feature does for users who don't know.

/kind feature
/sig auth

[neolit123]

oh and thanks for working on this! :)

[pbarker]

@tallclair @liggitt still have a couple tests to write but functionality is working, would love some early feedback if you have time 🙏

[neolit123]

went trough the whole DIFF.
the code seems well written to me as much as i understand the change.

added a couple of styling comments mostly.
👍

[fejta]

/uncc

Feel free to add me back when this is no longer wip

[pbarker]

/retest

[deads2k]

I only looked at the options wiring. Minor comments. Structure-wise, I think it fits in ok.

[deads2k]

** deads2k ** approved these changes 13 seconds ago

for the options.

[liggitt]

this is way easier to follow, thanks for cleaning it up

the questions around the default non-configurable namespaces chosen for recording events are the main blocker.

other than that, just a couple clarifications/comments requested

[liggitt]

/lgtm
/approve

[liggitt]

tagging based on options approval in
#67257 (comment)

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: liggitt, pbarker

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• cmd/kube-apiserver/OWNERS [liggitt]
• pkg/features/OWNERS [liggitt]
• pkg/kubeapiserver/OWNERS [liggitt]
• staging/src/k8s.io/apiextensions-apiserver/OWNERS
• staging/src/k8s.io/apiserver/OWNERS [liggitt]
• staging/src/k8s.io/kube-aggregator/OWNERS
• staging/src/k8s.io/sample-apiserver/OWNERS [liggitt]
• test/integration/etcd/OWNERS [liggitt]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-ci-robot]

@pbarker: The following test failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
pull-kubernetes-local-e2e-containerized	b793c3b	link	/test pull-kubernetes-local-e2e-containerized

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[fejta-bot]

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel comment for consistent failures.