Record pod events for all server calls

deploy/server-rbac.yaml

@@ -23,7 +23,7 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
-  name: kiam-server
+  name: kiam-read
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -32,3 +32,28 @@ subjects:
 - kind: ServiceAccount
   name: kiam-server
   namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: kiam-write
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: kiam-write
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kiam-write
+subjects:
+- kind: ServiceAccount
+  name: kiam-server
+  namespace: kube-system

pkg/server/server.go

@@ -32,11 +32,11 @@ import (
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
 	"k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/kubernetes/scheme"
 	typedcorev1 "k8s.io/client-go/kubernetes/typed/core/v1"
 	"k8s.io/client-go/tools/record"
-	"k8s.io/client-go/tools/reference"
 )
 
 // Config controls the setup of the gRPC server
@@ -96,12 +96,16 @@ func (k *KiamServer) GetPodCredentials(ctx context.Context, req *pb.GetPodCreden
 
 	if !decision.IsAllowed() {
 		logger.WithField("policy.explanation", decision.Explanation()).Errorf("pod denied by policy")
+		k.recordEvent(pod, v1.EventTypeWarning, "KiamRoleForbidden",
+			fmt.Sprintf("failed assuming role %q: %s", req.Role, decision.Explanation()))
 		return nil, ErrPolicyForbidden
 	}
 
 	creds, err := k.credentialsProvider.CredentialsForRole(ctx, req.Role)
 	if err != nil {
 		logger.Errorf("error retrieving credentials: %s", err.Error())
+		k.recordEvent(pod, v1.EventTypeWarning, "KiamCredentialError",
+			fmt.Sprintf("failed retrieving credentials: %s", err))
 		return nil, err
 	}
 
@@ -139,16 +143,8 @@ func (k *KiamServer) GetPodRole(ctx context.Context, req *pb.GetPodRoleRequest)
 	}
 
 	role := k8s.PodRole(pod)
-	ref, err := reference.GetReference(scheme.Scheme, pod)
-	if err != nil {
-		logger.Errorf("error getting reference for pod %q: %s", pod.Name, err)
-		return nil, err
-	}
 
 	logger.WithField("pod.iam.role", role).Infof("found role")
-	k.eventRecorder.Event(ref, v1.EventTypeNormal, "KiamRoleFound",
-		fmt.Sprintf("Role: %q found for pod: %q", role, pod.Name))
-
 	return &pb.Role{Name: role}, nil
 }
 
@@ -284,3 +280,10 @@ func eventRecorder(kubeClient *kubernetes.Clientset) record.EventRecorder {
 
 	return broadcaster.NewRecorder(scheme.Scheme, source)
 }
+
+func (k *KiamServer) recordEvent(object runtime.Object, eventtype, reason, message string) {
+	if k.eventRecorder == nil {
+		return
+	}
+	k.eventRecorder.Event(object, eventtype, reason, message)
+}

pkg/server/server_test.go

@@ -2,13 +2,14 @@ package server
 
 import (
 	"context"
+	"testing"
+	"time"
+
 	"github.com/uswitch/kiam/pkg/aws/sts"
 	"github.com/uswitch/kiam/pkg/k8s"
 	"github.com/uswitch/kiam/pkg/testutil"
 	pb "github.com/uswitch/kiam/proto"
 	kt "k8s.io/client-go/tools/cache/testing"
-	"testing"
-	"time"
 )
 
 const (