

fix: emit events in involved object namespace
Signed-off-by: Craig Trought <[email protected]>
ctrought committed Oct 26, 2022
1 parent 1ead7a8 commit 47b8f44
Showing 6 changed files with 12 additions and 12 deletions.
4 changes: 2 additions & 2 deletions cmd/build/helmify/static/README.md
Expand Up @@ -141,8 +141,8 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
| mutatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's mutation webhook unless measures are taken to control how exemption labels can be set. | `{}` |
| mutatingWebhookTimeoutSeconds | The timeout for the mutating webhook in seconds | `3` |
| mutatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` |
| emitAdmissionEvents | Emit K8s events in gatekeeper namespace for admission violations (alpha feature) | `false` |
| emitAuditEvents | Emit K8s events in gatekeeper namespace for audit violations (alpha feature) | `false` |
| emitAdmissionEvents | Emit K8s events in the involved namespace for admission violations (alpha feature) | `false` |
| emitAuditEvents | Emit K8s events in the involved namespace for audit violations (alpha feature) | `false` |
| logDenies | Log detailed info on each deny | `false` |
| logLevel | Minimum log level | `INFO` |
| image.pullPolicy | The image pull policy | `IfNotPresent` |
8 changes: 4 additions & 4 deletions pkg/audit/manager.go
Expand Up @@ -57,7 +57,7 @@ var (
constraintViolationsLimit = flag.Uint("constraint-violations-limit", defaultConstraintViolationsLimit, "limit of number of violations per constraint. defaulted to 20 violations if unspecified")
auditChunkSize = flag.Uint64("audit-chunk-size", defaultListLimit, "(alpha) Kubernetes API chunking List results when retrieving cluster resources using discovery client. defaulted to 500 if unspecified")
auditFromCache = flag.Bool("audit-from-cache", false, "pull resources from OPA cache when auditing")
emitAuditEvents = flag.Bool("emit-audit-events", false, "(alpha) emit Kubernetes events in gatekeeper namespace with detailed info for each violation from an audit")
emitAuditEvents = flag.Bool("emit-audit-events", false, "(alpha) emit Kubernetes events in the involved namespace with detailed info for each violation from an audit")
auditMatchKindOnly = flag.Bool("audit-match-kind-only", false, "only use kinds specified in all constraints for auditing cluster resources. if kind is not specified in any of the constraints, it will audit all resources (same as setting this flag to false)")
apiCacheDir = flag.String("api-cache-dir", defaultAPICacheDir, "The directory where audit from api server cache are stored, defaults to /tmp/audit")
emptyAuditResults []updateListEntry
Expand Down Expand Up @@ -1053,17 +1053,17 @@ func emitEvent(constraint *unstructured.Unstructured,
logging.ResourceName: rname,
}
reason := "AuditViolation"
ref := getViolationRef(gkNamespace, resourceGroupVersionKind.Kind, rname, rnamespace, constraint.GetKind(), constraint.GetName(), constraint.GetNamespace())
ref := getViolationRef(resourceGroupVersionKind.Kind, rname, rnamespace, constraint.GetKind(), constraint.GetName(), constraint.GetNamespace())

eventRecorder.AnnotatedEventf(ref, annotations, corev1.EventTypeWarning, reason, "Timestamp: %s, Resource Namespace: %s, Constraint: %s, Message: %s", timestamp, rnamespace, constraint.GetName(), message)
}

func getViolationRef(gkNamespace, rkind, rname, rnamespace, ckind, cname, cnamespace string) *corev1.ObjectReference {
func getViolationRef(rkind, rname, rnamespace, ckind, cname, cnamespace string) *corev1.ObjectReference {
return &corev1.ObjectReference{
Kind: rkind,
Name: rname,
UID: types.UID(rkind + "/" + rnamespace + "/" + rname + "/" + ckind + "/" + cnamespace + "/" + cname),
Namespace: gkNamespace,
Namespace: rnamespace,
}
}

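Review bot: `Namespace: rnamespace` in getViolationRef is the empty string for cluster-scoped objects (Namespaces, ClusterRoles, CRDs and the like), and nothing in the hunk substitutes a namespace in that case. If I remember client-go's recorder correctly, an empty reference namespace is rewritten to `default`, so audit violations on cluster-scoped objects would surface as events in the `default` namespace rather than the Gatekeeper namespace operators have been watching so far; please confirm against the recorder actually in use. Keeping the old `gkNamespace` parameter as a fallback avoids that: `if rnamespace == "" { rnamespace = gkNamespace } // cluster-scoped object: keep the event in the Gatekeeper namespace`. emitEvent begins above the hunk, so I have not checked how its other arguments are derived.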
1 change: 1 addition & 0 deletions pkg/controller/config/config_controller.go
Expand Up @@ -193,6 +193,7 @@ type ReconcileConfig struct {
// +kubebuilder:rbac:groups=policy,resources=podsecuritypolicies,resourceNames=gatekeeper-admin,verbs=use
// +kubebuilder:rbac:groups=config.gatekeeper.sh,resources=configs,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=config.gatekeeper.sh,resources=configs/status,verbs=get;update;patch
// +kubebuilder:rbac:groups="",resources=events,verbs=create;patch;

// Reconcile reads that state of the cluster for a Config object and makes changes based on the state read
// and what is in the Config.Spec
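Review bot: The new marker `verbs=create;patch;` ends with a trailing semicolon that the neighbouring markers do not have; unless the controller-tools marker parser is known to tolerate it, it risks an empty verb or a parse error, so `verbs=create;patch` is the safer spelling. The marker also deserves a comment explaining why it lives on the config controller: events are now written into the involved object's namespace by both the audit and admission paths, so the permission has to be cluster-wide rather than scoped to the Gatekeeper namespace — something like `// Events are emitted in the involved object's namespace (audit + admission), so this must be granted across all namespaces.` keeps the next reader from narrowing it back to a namespaced Role. Since this broadens what the controller's service account may write cluster-wide, it is worth a line in the release notes alongside the flag-description changes.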
2 changes: 1 addition & 1 deletion pkg/webhook/common.go
Expand Up @@ -56,7 +56,7 @@ var (
deserializer = codecs.UniversalDeserializer()
disableEnforcementActionValidation = flag.Bool("disable-enforcementaction-validation", false, "disable validation of the enforcementAction field of a constraint")
logDenies = flag.Bool("log-denies", false, "log detailed info on each deny")
emitAdmissionEvents = flag.Bool("emit-admission-events", false, "(alpha) emit Kubernetes events in gatekeeper namespace for each admission violation")
emitAdmissionEvents = flag.Bool("emit-admission-events", false, "(alpha) emit Kubernetes events in the involved namespace for each admission violation")
tlsMinVersion = flag.String("tls-min-version", "1.3", "minimum version of TLS supported")
serviceaccount = fmt.Sprintf("system:serviceaccount:%s:%s", util.GetNamespace(), serviceAccountName)
// webhookName is deprecated, set this on the manifest YAML if needed".
5 changes: 2 additions & 3 deletions pkg/webhook/policy.go
Expand Up @@ -299,7 +299,6 @@ func (h *validationHandler) getValidationMessages(res []*rtypes.Result, req *adm
reason = "FailedAdmission"
}
ref := getViolationRef(
h.gkNamespace,
req.AdmissionRequest.Kind.Kind,
resourceName,
req.AdmissionRequest.Namespace,
Expand Down Expand Up @@ -613,12 +612,12 @@ func createReviewForResultant(obj *unstructured.Unstructured, ns *corev1.Namespa
}
}

func getViolationRef(gkNamespace, rkind, rname, rnamespace, ckind, cname, cnamespace string) *corev1.ObjectReference {
func getViolationRef(rkind, rname, rnamespace, ckind, cname, cnamespace string) *corev1.ObjectReference {
return &corev1.ObjectReference{
Kind: rkind,
Name: rname,
UID: types.UID(rkind + "/" + rnamespace + "/" + rname + "/" + ckind + "/" + cnamespace + "/" + cname),
Namespace: gkNamespace,
Namespace: rnamespace,
}
}

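Review bot: `Namespace: rnamespace` is fed from `req.AdmissionRequest.Namespace`, which is empty for cluster-scoped kinds, so a denied cluster-scoped admission produces a reference with no namespace; whatever the recorder does with that (client-go, as far as I recall, substitutes `default`), the event no longer lands in the Gatekeeper namespace, and that split behaviour should at least be stated in the `--emit-admission-events` flag text. A fallback at the call site, `if ns := req.AdmissionRequest.Namespace; ns == "" { ns = h.gkNamespace }`, keeps those events where they were. This getViolationRef is a byte-for-byte copy of the one in pkg/audit/manager.go; hoisting it into a shared package would stop the namespace rule from drifting between audit and admission. getValidationMessages starts above the first hunk, so I have only seen the call site.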
4 changes: 2 additions & 2 deletions website/docs/customize-startup.md
Expand Up @@ -23,9 +23,9 @@ The `--disable-opa-builtin` flag disables specific [OPA built-ins functions](htt

## [Alpha] Emit admission and audit events

The `--emit-admission-events` flag enables the emission of all admission violations as Kubernetes events in the Gatekeeper namespace. This flag is in alpha stage and it is set to `false` by default.
The `--emit-admission-events` flag enables the emission of all admission violations as Kubernetes events in the involved objects namespace. This flag is in alpha stage and it is set to `false` by default.

The `--emit-audit-events` flag enables the emission of all audit violation as Kubernetes events in the Gatekeeper namespace. This flag is in alpha stage and it is set to `false` by default.
The `--emit-audit-events` flag enables the emission of all audit violation as Kubernetes events in the involved objects namespace. This flag is in alpha stage and it is set to `false` by default.

There are three types of events that are emitted by Gatekeeper when the above flags are enabled:

