feat: Emit events in the involved objects namespace

Makefile

@@ -60,6 +60,7 @@ MANAGER_IMAGE_PATCH := "apiVersion: apps/v1\
 \n        - --port=8443\
 \n        - --logtostderr\
 \n        - --emit-admission-events\
+\n        - --admission-events-involved-namespace\
 \n        - --exempt-namespace=${GATEKEEPER_NAMESPACE}\
 \n        - --operation=webhook\
 \n        - --operation=mutation-webhook\
@@ -80,6 +81,7 @@ MANAGER_IMAGE_PATCH := "apiVersion: apps/v1\
 \n        name: manager\
 \n        args:\
 \n        - --emit-audit-events\
+\n        - --audit-events-involved-namespace\
 \n        - --operation=audit\
 \n        - --operation=status\
 \n        - --operation=mutation-status\
@@ -185,6 +187,8 @@ e2e-helm-deploy: e2e-helm-install
 		--set postInstall.probeWebhook.enabled=true \
 		--set emitAdmissionEvents=true \
 		--set emitAuditEvents=true \
+		--set admissionEventsInvolvedNamespace=true \
+		--set auditEventsInvolvedNamespace=true \
 		--set disabledBuiltins={http.send} \
 		--set logMutations=true \
 		--set mutationAnnotations=true;\
@@ -196,6 +200,8 @@ e2e-helm-upgrade-init: e2e-helm-install
 		--debug --wait \
 		--set emitAdmissionEvents=true \
 		--set emitAuditEvents=true \
+		--set admissionEventsInvolvedNamespace=true \
+		--set auditEventsInvolvedNamespace=true \
 		--set postInstall.labelNamespace.enabled=true \
 		--set postInstall.probeWebhook.enabled=true \
 		--set disabledBuiltins={http.send} \
@@ -217,6 +223,8 @@ e2e-helm-upgrade:
 		--set postInstall.probeWebhook.enabled=true \
 		--set emitAdmissionEvents=true \
 		--set emitAuditEvents=true \
+		--set admissionEventsInvolvedNamespace=true \
+		--set auditEventsInvolvedNamespace=true \
 		--set disabledBuiltins={http.send} \
 		--set logMutations=true \
 		--set mutationAnnotations=true;\

cmd/build/helmify/kustomize-for-helm.yaml

@@ -76,6 +76,7 @@ spec:
             - --logtostderr
             - --log-denies={{ .Values.logDenies }}
             - --emit-admission-events={{ .Values.emitAdmissionEvents }}
+            - --admission-events-involved-namespace={{ .Values.admissionEventsInvolvedNamespace }}
             - --log-level={{ (.Values.controllerManager.logLevel | empty | not) | ternary .Values.controllerManager.logLevel .Values.logLevel }}
             - --exempt-namespace={{ .Release.Namespace }}
             - --operation=webhook
@@ -158,6 +159,7 @@ spec:
             - --audit-chunk-size={{ .Values.auditChunkSize }}
             - --audit-match-kind-only={{ .Values.auditMatchKindOnly }}
             - --emit-audit-events={{ .Values.emitAuditEvents }}
+            - --audit-events-involved-namespace={{ .Values.auditEventsInvolvedNamespace }}
             - --operation=audit
             - --operation=status
             - HELMSUBST_MUTATION_STATUS_ENABLED_ARG

cmd/build/helmify/static/README.md

@@ -147,8 +147,10 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
 | mutatingWebhookObjectSelector                 | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's mutation webhook unless measures are taken to control how exemption labels can be set.                                          | `{}`                                                                      |
 | mutatingWebhookTimeoutSeconds                 | The timeout for the mutating webhook in seconds                                                                                                                                                                                                     | `3`                                                                       |
 | mutatingWebhookCustomRules                    | Custom rules for selecting which API resources trigger the webhook. NOTE: If you change this, ensure all your constraints are still being enforced.                                                                                                 | `{}`                                                                      |
-| emitAdmissionEvents                           | Emit K8s events in gatekeeper namespace for admission violations (alpha feature)                                                                                                                                                                    | `false`                                                                   |
-| emitAuditEvents                               | Emit K8s events in gatekeeper namespace for audit violations (alpha feature)                                                                                                                                                                        | `false`                                                                   |
+| emitAdmissionEvents                           | Emit K8s events in configurable namespace for admission violations (alpha feature)                                                                                                                                                                    | `false`                                                                   |
+| emitAuditEvents                               | Emit K8s events in configurable namespace for audit violations (alpha feature)                                                                                                                                                                        | `false`                                                                   |
+| auditEventsInvolvedNamespace                               | Emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Audit events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in                                                                                                                                                                       | `false`                                                                   |
+| admissionEventsInvolvedNamespace                               | Emit admission events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Admission events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in                                                                                                                                                                        | `false`                                                                   |
 | logDenies                                     | Log detailed info on each deny                                                                                                                                                                                                                      | `false`                                                                   |
 | logLevel                                      | Minimum log level                                                                                                                                                                                                                                   | `INFO`                                                                    |
 | image.pullPolicy                              | The image pull policy                                                                                                                                                                                                                               | `IfNotPresent`                                                            |

cmd/build/helmify/static/values.yaml

@@ -34,6 +34,8 @@ logDenies: false
 logMutations: false
 emitAdmissionEvents: false
 emitAuditEvents: false
+admissionEventsInvolvedNamespace: false
+auditEventsInvolvedNamespace: false
 resourceQuota: true
 image:
   repository: openpolicyagent/gatekeeper

config/rbac/role.yaml

@@ -5,6 +5,13 @@ metadata:
   creationTimestamp: null
   name: manager-role
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
 - apiGroups:
   - '*'
   resources:

manifest_staging/charts/gatekeeper/README.md

@@ -147,8 +147,10 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
 | mutatingWebhookObjectSelector                 | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's mutation webhook unless measures are taken to control how exemption labels can be set.                                          | `{}`                                                                      |
 | mutatingWebhookTimeoutSeconds                 | The timeout for the mutating webhook in seconds                                                                                                                                                                                                     | `3`                                                                       |
 | mutatingWebhookCustomRules                    | Custom rules for selecting which API resources trigger the webhook. NOTE: If you change this, ensure all your constraints are still being enforced.                                                                                                 | `{}`                                                                      |
-| emitAdmissionEvents                           | Emit K8s events in gatekeeper namespace for admission violations (alpha feature)                                                                                                                                                                    | `false`                                                                   |
-| emitAuditEvents                               | Emit K8s events in gatekeeper namespace for audit violations (alpha feature)                                                                                                                                                                        | `false`                                                                   |
+| emitAdmissionEvents                           | Emit K8s events in configurable namespace for admission violations (alpha feature)                                                                                                                                                                    | `false`                                                                   |
+| emitAuditEvents                               | Emit K8s events in configurable namespace for audit violations (alpha feature)                                                                                                                                                                        | `false`                                                                   |
+| auditEventsInvolvedNamespace                               | Emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Audit events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in                                                                                                                                                                       | `false`                                                                   |
+| admissionEventsInvolvedNamespace                               | Emit admission events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Admission events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in                                                                                                                                                                        | `false`                                                                   |
 | logDenies                                     | Log detailed info on each deny                                                                                                                                                                                                                      | `false`                                                                   |
 | logLevel                                      | Minimum log level                                                                                                                                                                                                                                   | `INFO`                                                                    |
 | image.pullPolicy                              | The image pull policy                                                                                                                                                                                                                               | `IfNotPresent`                                                            |

manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml

@@ -57,6 +57,7 @@ spec:
         - --audit-chunk-size={{ .Values.auditChunkSize }}
         - --audit-match-kind-only={{ .Values.auditMatchKindOnly }}
         - --emit-audit-events={{ .Values.emitAuditEvents }}
+        - --audit-events-involved-namespace={{ .Values.auditEventsInvolvedNamespace }}
         - --operation=audit
         - --operation=status
         {{ if not .Values.disableMutation}}- --operation=mutation-status{{- end }}

manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml

@@ -54,6 +54,7 @@ spec:
         - --logtostderr
         - --log-denies={{ .Values.logDenies }}
         - --emit-admission-events={{ .Values.emitAdmissionEvents }}
+        - --admission-events-involved-namespace={{ .Values.admissionEventsInvolvedNamespace }}
         - --log-level={{ (.Values.controllerManager.logLevel | empty | not) | ternary .Values.controllerManager.logLevel .Values.logLevel }}
         - --exempt-namespace={{ .Release.Namespace }}
         - --operation=webhook

manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml

@@ -11,6 +11,13 @@ metadata:
     release: '{{ .Release.Name }}'
   name: gatekeeper-manager-role
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
 - apiGroups:
   - '*'
   resources:

manifest_staging/charts/gatekeeper/values.yaml

@@ -34,6 +34,8 @@ logDenies: false
 logMutations: false
 emitAdmissionEvents: false
 emitAuditEvents: false
+admissionEventsInvolvedNamespace: false
+auditEventsInvolvedNamespace: false
 resourceQuota: true
 image:
   repository: openpolicyagent/gatekeeper

manifest_staging/deploy/gatekeeper.yaml

@@ -3222,6 +3222,13 @@ metadata:
     gatekeeper.sh/system: "yes"
   name: gatekeeper-manager-role
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
 - apiGroups:
   - '*'
   resources: