feat(webhook): Log all admission requests of CRDs (#465)

charts/manager/templates/webhooks.yaml

@@ -208,6 +208,7 @@ webhooks:
     operations:
     - CREATE
     - UPDATE
+    - DELETE
     resources:
     - clusters
   sideEffects: None
@@ -228,6 +229,7 @@ webhooks:
     operations:
     - CREATE
     - UPDATE
+    - DELETE
     resources:
     - organizations
   sideEffects: None
@@ -248,6 +250,7 @@ webhooks:
     operations:
     - CREATE
     - UPDATE
+    - DELETE
     resources:
     - plugins
   sideEffects: None
@@ -289,6 +292,7 @@ webhooks:
     operations:
     - CREATE
     - UPDATE
+    - DELETE
     resources:
     - pluginpresets
   sideEffects: None
@@ -330,6 +334,7 @@ webhooks:
     operations:
     - CREATE
     - UPDATE
+    - DELETE
     resources:
     - teamrolebindings
   sideEffects: None
@@ -351,6 +356,7 @@ webhooks:
     operations:
     - CREATE
     - UPDATE
+    - DELETE
     resources:
     - secrets
   sideEffects: None
@@ -371,6 +377,7 @@ webhooks:
     operations:
     - CREATE
     - UPDATE
+    - DELETE
     resources:
     - teams
   sideEffects: None

pkg/admission/cluster_webhook.go

@@ -34,7 +34,7 @@ func DefaultCluster(_ context.Context, _ client.Client, _ runtime.Object) error
 	return nil
 }
 
-//+kubebuilder:webhook:path=/validate-greenhouse-sap-v1alpha1-cluster,mutating=false,failurePolicy=fail,sideEffects=None,groups=greenhouse.sap,resources=clusters,verbs=create;update,versions=v1alpha1,name=vcluster.kb.io,admissionReviewVersions=v1
+//+kubebuilder:webhook:path=/validate-greenhouse-sap-v1alpha1-cluster,mutating=false,failurePolicy=fail,sideEffects=None,groups=greenhouse.sap,resources=clusters,verbs=create;update;delete,versions=v1alpha1,name=vcluster.kb.io,admissionReviewVersions=v1
 
 func ValidateCreateCluster(_ context.Context, _ client.Client, _ runtime.Object) (admission.Warnings, error) {
 	return nil, nil

pkg/admission/organization_webhook.go

@@ -45,7 +45,7 @@ func DefaultOrganization(_ context.Context, _ client.Client, o runtime.Object) e
 	return nil
 }
 
-//+kubebuilder:webhook:path=/validate-greenhouse-sap-v1alpha1-organization,mutating=false,failurePolicy=fail,sideEffects=None,groups=greenhouse.sap,resources=organizations,verbs=create;update,versions=v1alpha1,name=vorganization.kb.io,admissionReviewVersions=v1
+//+kubebuilder:webhook:path=/validate-greenhouse-sap-v1alpha1-organization,mutating=false,failurePolicy=fail,sideEffects=None,groups=greenhouse.sap,resources=organizations,verbs=create;update;delete,versions=v1alpha1,name=vorganization.kb.io,admissionReviewVersions=v1
 
 func ValidateCreateOrganization(_ context.Context, _ client.Client, _ runtime.Object) (admission.Warnings, error) {
 	return nil, nil

pkg/admission/plugin_webhook.go

@@ -78,7 +78,7 @@ func DefaultPlugin(ctx context.Context, c client.Client, obj runtime.Object) err
 	return nil
 }
 
-//+kubebuilder:webhook:path=/validate-greenhouse-sap-v1alpha1-plugin,mutating=false,failurePolicy=fail,sideEffects=None,groups=greenhouse.sap,resources=plugins,verbs=create;update,versions=v1alpha1,name=vplugin.kb.io,admissionReviewVersions=v1
+//+kubebuilder:webhook:path=/validate-greenhouse-sap-v1alpha1-plugin,mutating=false,failurePolicy=fail,sideEffects=None,groups=greenhouse.sap,resources=plugins,verbs=create;update;delete,versions=v1alpha1,name=vplugin.kb.io,admissionReviewVersions=v1
 
 func ValidateCreatePlugin(ctx context.Context, c client.Client, obj runtime.Object) (admission.Warnings, error) {
 	plugin, ok := obj.(*greenhousev1alpha1.Plugin)

pkg/admission/pluginpreset_webhook.go

@@ -37,7 +37,7 @@ func DefaultPluginPreset(_ context.Context, _ client.Client, _ runtime.Object) e
 	return nil
 }
 
-//+kubebuilder:webhook:path=/validate-greenhouse-sap-v1alpha1-pluginpreset,mutating=false,failurePolicy=fail,sideEffects=None,groups=greenhouse.sap,resources=pluginpresets,verbs=create;update,versions=v1alpha1,name=vpluginpreset.kb.io,admissionReviewVersions=v1
+//+kubebuilder:webhook:path=/validate-greenhouse-sap-v1alpha1-pluginpreset,mutating=false,failurePolicy=fail,sideEffects=None,groups=greenhouse.sap,resources=pluginpresets,verbs=create;update;delete,versions=v1alpha1,name=vpluginpreset.kb.io,admissionReviewVersions=v1
 
 func ValidateCreatePluginPreset(ctx context.Context, c client.Client, o runtime.Object) (admission.Warnings, error) {
 	pluginPreset, ok := o.(*greenhousev1alpha1.PluginPreset)

pkg/admission/secret_webhook.go

@@ -39,7 +39,7 @@ func DefaultSecret(_ context.Context, _ client.Client, _ runtime.Object) error {
 	return nil
 }
 
-//+kubebuilder:webhook:path=/validate--v1-secret,mutating=false,failurePolicy=ignore,sideEffects=None,groups="",matchPolicy=Exact,resources=secrets,verbs=create;update,versions=v1,name=vsecret.kb.io,admissionReviewVersions=v1
+//+kubebuilder:webhook:path=/validate--v1-secret,mutating=false,failurePolicy=ignore,sideEffects=None,groups="",matchPolicy=Exact,resources=secrets,verbs=create;update;delete,versions=v1,name=vsecret.kb.io,admissionReviewVersions=v1
 
 func ValidateCreateSecret(_ context.Context, _ client.Client, o runtime.Object) (admission.Warnings, error) {
 	secret, ok := o.(*corev1.Secret)

pkg/admission/team_webhook.go

@@ -38,7 +38,7 @@ func DefaultTeam(_ context.Context, _ client.Client, _ runtime.Object) error {
 	return nil
 }
 
-//+kubebuilder:webhook:path=/validate-greenhouse-sap-v1alpha1-team,mutating=false,failurePolicy=fail,sideEffects=None,groups=greenhouse.sap,resources=teams,verbs=create;update,versions=v1alpha1,name=vteam.kb.io,admissionReviewVersions=v1
+//+kubebuilder:webhook:path=/validate-greenhouse-sap-v1alpha1-team,mutating=false,failurePolicy=fail,sideEffects=None,groups=greenhouse.sap,resources=teams,verbs=create;update;delete,versions=v1alpha1,name=vteam.kb.io,admissionReviewVersions=v1
 
 func ValidateCreateTeam(ctx context.Context, c client.Client, o runtime.Object) (admission.Warnings, error) {
 	team, ok := o.(*greenhousev1alpha1.Team)

pkg/admission/teamrolebinding_webhook.go

@@ -38,7 +38,7 @@ func DefaultRoleBinding(_ context.Context, _ client.Client, _ runtime.Object) er
 	return nil
 }
 
-//+kubebuilder:webhook:path=/validate-greenhouse-sap-v1alpha1-teamrolebinding,mutating=false,failurePolicy=fail,sideEffects=None,groups=greenhouse.sap,resources=teamrolebindings,verbs=create;update,versions=v1alpha1,name=vrolebinding.kb.io,admissionReviewVersions=v1
+//+kubebuilder:webhook:path=/validate-greenhouse-sap-v1alpha1-teamrolebinding,mutating=false,failurePolicy=fail,sideEffects=None,groups=greenhouse.sap,resources=teamrolebindings,verbs=create;update;delete,versions=v1alpha1,name=vrolebinding.kb.io,admissionReviewVersions=v1
 
 func ValidateCreateRoleBinding(ctx context.Context, c client.Client, o runtime.Object) (admission.Warnings, error) {
 	rb, ok := o.(*greenhousev1alpha1.TeamRoleBinding)

pkg/admission/utils.go

@@ -73,20 +73,23 @@ func setupCustomValidatorWithManager(mgr ctrl.Manager, webhookFuncs webhookFuncs
 }
 
 func (c *customValidator) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
+	logAdmissionRequest(ctx)
 	if c.validateCreate == nil {
 		return nil, nil
 	}
 	return c.validateCreate(ctx, c.Client, obj)
 }
 
 func (c *customValidator) ValidateUpdate(ctx context.Context, oldObj, newObj runtime.Object) (admission.Warnings, error) {
+	logAdmissionRequest(ctx)
 	if c.validateUpdate == nil {
 		return nil, nil
 	}
 	return c.validateUpdate(ctx, c.Client, oldObj, newObj)
 }
 
 func (c *customValidator) ValidateDelete(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
+	logAdmissionRequest(ctx)
 	if c.validateDelete == nil {
 		return nil, nil
 	}
@@ -99,3 +102,13 @@ func validateImmutableField(oldValue, newValue string, path *field.Path) *field.
 	}
 	return nil
 }
+
+// logAdmissionRequest logs the AdmissionRequest.
+// This is necessary to audit log the AdmissionRequest independently of the api server audit logs.
+func logAdmissionRequest(ctx context.Context) {
+	admissionRequest, err := admission.RequestFromContext(ctx)
+	if err != nil {
+		return
+	}
+	ctrl.Log.Info("AdmissionRequest", "Request", admissionRequest)
+}