feat: add activity rules for system-created default DNS records

scotwells · claude · scotwells · commit 68d68fb8d4d2 · 2026-03-11T16:40:50.000-05:00
Add audit rules matching system:* users creating DNSRecordSet resources
so that auto-created SOA and NS records appear in the activity timeline
as "Default SOA record created for example.com" instead of being
silently filtered out.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/config/milo/activity/policies/dnsrecordset-policy.yaml b/config/milo/activity/policies/dnsrecordset-policy.yaml
@@ -135,10 +135,16 @@ spec:
       match: "!audit.user.username.startsWith('system:') && audit.verb in ['update', 'patch'] && !has(audit.objectRef.subresource)"
       summary: "{{ actor }} updated {{ link('a DNS record', audit.objectRef) }}"
 
-    # Status subresource updates are system-initiated and typically not shown to users
-    # - name: update-status
-    #   match: "!audit.user.username.startsWith('system:') && audit.verb in ['update', 'patch'] && audit.objectRef.subresource == 'status'"
-    #   summary: "System updated status of {{ link(audit.objectRef.name, audit.objectRef) }}"
+    # ----- SYSTEM CREATE RULES -----
+    # System-created records (SOA, NS) with display annotations
+    - name: system-create-annotated
+      match: "audit.user.username.startsWith('system:') && audit.verb == 'create' && has(audit.responseObject.metadata.annotations) && 'dns.networking.miloapis.com/display-name' in audit.responseObject.metadata.annotations && has(audit.requestObject.spec)"
+      summary: "Default {{ audit.requestObject.spec.recordType }} record created for {{ link(audit.responseObject.metadata.annotations['dns.networking.miloapis.com/display-name'], audit.objectRef) }}"
+
+    # System-created records with spec but no display annotations
+    - name: system-create-from-request
+      match: "audit.user.username.startsWith('system:') && audit.verb == 'create' && has(audit.requestObject.spec)"
+      summary: "Default {{ audit.requestObject.spec.recordType }} record created for {{ link(audit.objectRef.name, audit.objectRef) }}"
 
   # Event rules for controller-emitted Kubernetes events.
   # These capture async outcomes that audit logs cannot represent.
