Advanced Auditing 1.12 umbrella bug

[x13n]

This is a continuation of #60392

API-related changes

• Graduate API to stable upgrade Audit api version to stable #65891
• Integration with admission
  • Annotate audit logs in remote admission webhooks
    @CaoShuFeng is working on this in support annotations for admission webhook #58679
• Add user-agent to audit events Add user-agent to audit-logging #64791

Bugfixes and improvements

• Completely remove legacy audit logging Promote AdvancedAuditing to GA #65862
• [Optional] Always retry audit webhook
• [Optional] Dynamic audit configuration

Policy changes

• Add a setting in audit policy that will allow rejecting API request when audit logging fails Add option to k8s apiserver to reject incoming requests upon audit failure #65763
• [Optional] GCE audit policy should be made re-usable by other setups
• [Optional] Audit policy should be tested (e.g. that it includes all core resources, more context)

To discuss

• [Optional] Auditing federation setups

I mostly carried over the unfinished work from 1.11 issue. Two things added: the ability to reject apiserver requests when audit logging fails (configurable via audit policy) and - optionally - recent proposal for dynamic audit configuration.

/kind feature
/sig auth
/area audit

cc @loburm @tallclair @soltysh

[CaoShuFeng]

Maybe add this: #64791

[piosz]

cc @destijl

[tallclair]

Add a setting in audit policy that will allow rejecting API request when audit logging fails

We already have that per-backend with Blocking mode. Is the idea that it would be nice to require blocking for only some highly-sensitive requests?

[tpepper]

/milestone v1.12

[x13n]

@CaoShuFeng I see Tim already added this.
@tallclair As far as I can tell, blocking will wait for audit event to be written, but upon a write failure (say, the webhook goes down, or the disk used for log backend is full) the request to API server will be processed anyway. The audit failure will only be written to the logs. I think that either:

• 'blocking' should mean that the request to API server fails if audit logging fails OR
• there should be a third option ('blocking-strict'? naming is hard) that would do that and existing 'blocking' will continue to behave as it does today.