fix(audit): record integrity check event for d8-virtualization serviceaccounts (#1637)

diafour · web-flow · commit 01521b2ccf1d · 2025-10-30T12:55:50.000+03:00
Do not ignore integrity checks audit events from d8-virtualizatin serviceaccounts.

Integrity check event was not recorded. Critical for CSE.

Signed-off-by: Ivan Mikheykin &lt;ivan.mikheykin@flant.com&gt;
diff --git a/images/virtualization-artifact/pkg/audit/events/integrity/integrity_check_vm.go b/images/virtualization-artifact/pkg/audit/events/integrity/integrity_check_vm.go
@@ -20,6 +20,7 @@ import (
 	"fmt"
 	"strings"
 
+	authnv1 "k8s.io/api/authentication/v1"
 	"k8s.io/apiserver/pkg/apis/audit"
 
 	"github.com/deckhouse/virtualization-controller/pkg/audit/events"
@@ -55,8 +56,7 @@ func (m *IntegrityCheckVM) IsMatched() bool {
 		return false
 	}
 
-	if strings.HasPrefix(m.event.User.Username, "system:") &&
-		!strings.HasPrefix(m.event.User.Username, "system:serviceaccount:d8-service-accounts") {
+	if m.ignoreForSystemUsers(m.event.User) {
 		return false
 	}
 
@@ -92,3 +92,16 @@ func (m *IntegrityCheckVM) Fill() error {
 
 	return nil
 }
+
+func (m *IntegrityCheckVM) ignoreForSystemUsers(userInfo authnv1.UserInfo) bool {
+	// Do not ignore for d8 service accounts.
+	if strings.HasPrefix(userInfo.Username, "system:serviceaccount:d8-service-accounts") {
+		return false
+	}
+	// Do not ignore for virtualization controller.
+	if strings.HasPrefix(userInfo.Username, "system:serviceaccount:d8-virtualization") {
+		return false
+	}
+	// Ignore for all other system users, not ignore for non-system users.
+	return strings.HasPrefix(m.event.User.Username, "system:")
+}
diff --git a/images/virtualization-artifact/werf.inc.yaml b/images/virtualization-artifact/werf.inc.yaml
@@ -40,18 +40,18 @@ shell:
   - |
     echo "Build virtualization-controller binary"
     {{- $_ := set $ "ProjectName" (list $.ImageName "virtualization-controller" | join "/") }}
-    
+
     {{- if eq $.DEBUG_COMPONENT "delve/virtualization-controller" }}
     go build -tags {{ .MODULE_EDITION }} -v -a -o /out/virtualization-controller ./cmd/virtualization-controller
     {{- else }}
     {{-   $buildCommand := printf "go build -ldflags=\"-s -w\" -tags %s -v -a -o /out/virtualization-controller ./cmd/virtualization-controller" .MODULE_EDITION -}}
     {{-   include "image-build.build" (set $ "BuildCommand" $buildCommand) | nindent 4 }}
     {{- end }}
-    
+
   - |
     echo "Build virtualization-api binary"
     {{- $_ := set $ "ProjectName" (list $.ImageName "virtualization-api" | join "/") }}
-    
+
     {{- if eq $.DEBUG_COMPONENT "delve/virtualization-api" }}
     go build -v -o /out/virtualization-api ./cmd/virtualization-api
     {{- else }}
