Implement Comprehensive Audit Logging for Enhanced Security and Compliance

[pavan02]

Summary

We propose implementing more robust audit logging feature for Argo Workflows to enhance security, traceability, and compliance. This feature should capture detailed information about all significant events and actions within the system.

I'm thinking of adding a dedicated api interceptor, to capture detailed information including but not limited to subject, request details, response details. The level of details could be configureable/customizable.

argo-workflows/server/apiserver/argoserver.go

Lines 314 to 321 in a776b45

	grpc.UnaryInterceptor(grpc_middleware.ChainUnaryServer(
	grpc_prometheus.UnaryServerInterceptor,
	grpc_logrus.UnaryServerInterceptor(serverLog),
	grpcutil.PanicLoggerUnaryServerInterceptor(serverLog),
	grpcutil.ErrorTranslationUnaryServerInterceptor,
	as.gatekeeper.UnaryServerInterceptor(),
	grpcutil.RatelimitUnaryServerInterceptor(as.apiRateLimiter),
	grpcutil.SetVersionHeaderUnaryServerInterceptor(argo.GetVersion()),

Use Cases

Meet more security and compliance requirements.

[pavan02]

I'm happy to take up this ticket, but I'll probably need some help with getting PR merged.

[Joibel]

Can you give more details on what you intend here:

• What will this capture exactly? (By implication, which events will you not capture)?
• How will the audit log be delivered?
• How will this differ from the existing structured log output
• Is this just an argo-server feature (this is sort of implied by your words), or will it log events that only the workflow-controller sees?
• Can it be effective in an environment where there are other sources of workflow runs than the argo-server - e.g. kubectl directly, or argo-events?

[blkperl]

@pavan02 please note there is a proposal to remove gRPC - #13542