Getting full results of audit runs without log parsing #2193
Comments
I can work on this issue if you're ok with this idea and are willing to help with reviews/suggestions, btw :)
I like the suggestion! @ritazh @sozercan for input as well. Another possible mechanism for shipping results could be pubsub, though that would be less atomic. Rotation might be necessary just to avoid running out of disk if the sidecar dies, but if this defaults to off, there's room for discovering if that's truly necessary. I can see how rotation could lead to missing audit results.
#1037 is an older issue that seems related
+1 on this proposal and I’m interested in a detailed design and how it could fit with the pub sub model we have discussed in the past. Since this is a dup of #1037, I will close this for now so we can continue the discussion in #1037 as that issue has a lot of context and prior considerations from others already. Feel free to reopen if you feel it’s different.
I guess pubsub will do for me, but I'm more interested in audit "reports" rather than stream of audit events.
Describe the solution you'd like
Currently the only way to reliably obtain all constraint violations from gatekeeper audit is to parse its logs, searching for audit runs.
It would be nice to have a way to generate JSON reports in a file on each audit run, so they can be processed and shipped by a sidecar container, without having to parse Gatekeeper logs.
Anything else you would like to add:
It should probably be an optional feature, disabled by default.
I guess writing each report into separate files with `audit_id` in filename is a feasible option. I'm not sure on whether Gatekeeper should rotate these files on its own (I'd say no), and whether some sort of callback is needed to notify whatever is watching for these reports about a new report being created.