diff --git a/pkg/audit/manager.go b/pkg/audit/manager.go
index 4cfa2d99f40..deb2bd7744a 100644
--- a/pkg/audit/manager.go
+++ b/pkg/audit/manager.go
@@ -53,7 +53,6 @@ const (
 defaultConstraintViolationsLimit = 20
 defaultListLimit = 500
 defaultAPICacheDir = "/tmp/audit"
- defaultConnection = "audit-connection"
 defaultChannel = "audit-channel"
 )
 
@@ -66,7 +65,6 @@ var (
 auditEventsInvolvedNamespace = flag.Bool("audit-events-involved-namespace", false, "emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Audit events from cluster-scoped resources will still follow the default behavior")
 auditMatchKindOnly = flag.Bool("audit-match-kind-only", false, "only use kinds specified in all constraints for auditing cluster resources. if kind is not specified in any of the constraints, it will audit all resources (same as setting this flag to false)")
 apiCacheDir = flag.String("api-cache-dir", defaultAPICacheDir, "The directory where audit from api server cache are stored, defaults to /tmp/audit")
- auditConnection = flag.String("audit-connection", defaultConnection, "Connection name for publishing audit violation messages")
 auditChannel = flag.String("audit-channel", defaultChannel, "Channel name for publishing audit violation messages")
 emptyAuditResults []updateListEntry
 logStatsAudit = flag.Bool("log-stats-audit", false, "(alpha) log stats metrics for the audit run")
@@ -801,7 +799,7 @@ func (am *Manager) addAuditResponsesToUpdateLists(
 totalViolationsPerEnforcementAction[ea]++
 logViolation(am.log, r.Constraint, ea, gvk, namespace, name, r.Msg, details, r.obj.GetLabels())
 if *pubsubController.PubsubEnabled {
- err := am.pubsubSystem.Publish(context.Background(), *auditConnection, *auditChannel, violationMsg(r.Constraint, ea, gvk, namespace, name, r.Msg, details, r.obj.GetLabels(), timestamp))
+ err := am.pubsubSystem.Publish(context.Background(), *pubsubController.AuditConnection, *auditChannel, violationMsg(r.Constraint, ea, gvk, namespace, name, r.Msg, details, r.obj.GetLabels(), timestamp))
 if err != nil {
 am.log.Error(err, "pubsub audit Publishing")
 }
diff --git a/pkg/controller/pubsub/pubsub_config_controller.go b/pkg/controller/pubsub/pubsub_config_controller.go
index d68e9b16bc1..8fbaf0014ab 100644
--- a/pkg/controller/pubsub/pubsub_config_controller.go
+++ b/pkg/controller/pubsub/pubsub_config_controller.go
@@ -29,9 +29,12 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/source"
 )
 
+const defaultConnection = "audit-connection"
+
 var (
- PubsubEnabled = flag.Bool("enable-pub-sub", false, "Enabled pubsub to publish messages")
- log = logf.Log.WithName("controller").WithValues(logging.Process, "pubsub_controller")
+ PubsubEnabled = flag.Bool("enable-pub-sub", false, "Enabled pubsub to publish messages")
+ AuditConnection = flag.String("audit-connection", defaultConnection, "Connection name for publishing audit violation messages")
+ log = logf.Log.WithName("controller").WithValues(logging.Process, "pubsub_controller")
 )
 
 type Adder struct {
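Review bot: `AuditConnection` is exported from the pubsub controller package but has no doc comment, and now that the `audit-connection` flag is defined here (and dereferenced from `pkg/audit/manager.go`) the comment is the one place that says what the value identifies. The predicates in `add()` further down this diff compare the watched object's name against it, so the comment should state that dual role; suggest `// AuditConnection is the name of the pubsub connection that audit violations are published on; the controller only reconciles the object in the Gatekeeper namespace with this name.` The same applies to the pre-existing `PubsubEnabled` if it is touched again.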
@@ -89,16 +92,16 @@ func add(mgr manager.Manager, r reconcile.Reconciler) error {
 &handler.EnqueueRequestForObject{},
 predicate.Funcs{
 CreateFunc: func(e event.CreateEvent) bool {
- return e.Object.GetNamespace() == util.GetNamespace()
+ return e.Object.GetNamespace() == util.GetNamespace() && AuditConnection != nil && e.Object.GetName() == *AuditConnection
 },
 UpdateFunc: func(e event.UpdateEvent) bool {
- return e.ObjectNew.GetNamespace() == util.GetNamespace()
+ return e.ObjectNew.GetNamespace() == util.GetNamespace() && AuditConnection != nil && e.ObjectNew.GetName() == *AuditConnection
 },
 DeleteFunc: func(e event.DeleteEvent) bool {
- return e.Object.GetNamespace() == util.GetNamespace()
+ return e.Object.GetNamespace() == util.GetNamespace() && AuditConnection != nil && e.Object.GetName() == *AuditConnection
 },
 GenericFunc: func(e event.GenericEvent) bool {
- return e.Object.GetNamespace() == util.GetNamespace()
+ return e.Object.GetNamespace() == util.GetNamespace() && AuditConnection != nil && e.Object.GetName() == *AuditConnection
 },
 },
 )
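Review bot: The same three-clause filter is repeated in all four predicate funcs, so the rule for which object this controller manages now lives in four places and can drift; a small helper keeps the namespace-and-name check in one spot, which also makes the tightening of the reconcile scope to a single named object easy to audit. The `AuditConnection != nil` guard is redundant because `flag.String` always returns a non-nil pointer, but it is harmless. More importantly, an empty `--audit-connection` value makes `GetName() == *AuditConnection` false for every object (Kubernetes objects always carry a name), so the controller would silently reconcile nothing; rejecting an empty value where flags are validated, or logging it at startup, would surface that misconfiguration. The enclosing `add()` starts before and ends after this hunk, and `client.Object` assumes the controller-runtime client package is already imported in this file.
```go
// isAuditConnection reports whether obj is the object this controller manages:
// it lives in the Gatekeeper namespace and is named by the --audit-connection flag.
func isAuditConnection(obj client.Object) bool {
	return obj.GetNamespace() == util.GetNamespace() && AuditConnection != nil && obj.GetName() == *AuditConnection
}

// … unchanged: add() up to the predicate.Funcs literal …
			CreateFunc:  func(e event.CreateEvent) bool { return isAuditConnection(e.Object) },
			UpdateFunc:  func(e event.UpdateEvent) bool { return isAuditConnection(e.ObjectNew) },
			DeleteFunc:  func(e event.DeleteEvent) bool { return isAuditConnection(e.Object) },
			GenericFunc: func(e event.GenericEvent) bool { return isAuditConnection(e.Object) },
```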