stem95su: scheduled Drive->site sync CronJob (every 10m)

CronJob stem95su-gdrive-sync (*/10) mounts the content PVC RW and
rclone-syncs the read-only Drive folder "claude" (stem claude/files) onto
it (rclone/rclone:1.74.3, scope=drive.readonly, empty-source guard +
--max-delete 25). ESO ExternalSecret stem95su-rclone <- Vault
secret/stem95su. Requires the GCP OAuth app published to Production or the
refresh token expires ~weekly.

Lands the gdrive-sync stack on master (it had landed on a feature branch
by accident on the shared devvm checkout).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

stacks/rbac/modules/rbac/audit-policy.tf

@@ -1,174 +0,0 @@
-# Deploy audit policy to k8s-master and configure kube-apiserver to use it.
-# Audit logs are written to /var/log/kubernetes/audit.log on the master node.
-# Alloy (log collector DaemonSet) will pick them up and ship to Loki.
-
-resource "null_resource" "audit_policy" {
-  connection {
-    type        = "ssh"
-    user        = "wizard"
-    host        = var.k8s_master_host
-    private_key = var.ssh_private_key
-  }
-
-  # Upload audit policy file
-  provisioner "file" {
-    content = yamlencode({
-      apiVersion = "audit.k8s.io/v1"
-      kind       = "Policy"
-      rules = [
-        {
-          # Don't log requests to the API discovery endpoints (very noisy)
-          level = "None"
-          resources = [{
-            group     = ""
-            resources = ["endpoints", "services", "services/status"]
-          }]
-          users = ["system:kube-proxy"]
-        },
-        {
-          # Don't log watch requests (very noisy)
-          level = "None"
-          verbs = ["watch"]
-        },
-        {
-          # Don't log health checks
-          level           = "None"
-          nonResourceURLs = ["/healthz*", "/readyz*", "/livez*"]
-        },
-        {
-          # Log secret access at Metadata level only (no request/response bodies)
-          level = "Metadata"
-          resources = [{
-            group     = ""
-            resources = ["secrets"]
-          }]
-        },
-        {
-          # Log all other mutating requests at RequestResponse level
-          level = "RequestResponse"
-          verbs = ["create", "update", "patch", "delete"]
-        },
-        {
-          # Log read requests at Metadata level
-          level = "Metadata"
-          verbs = ["get", "list"]
-        },
-      ]
-    })
-    destination = "/tmp/audit-policy.yaml"
-  }
-
-  provisioner "remote-exec" {
-    inline = [
-      # Move audit policy to proper location
-      "sudo mkdir -p /etc/kubernetes/policies",
-      "sudo mv /tmp/audit-policy.yaml /etc/kubernetes/policies/audit-policy.yaml",
-      "sudo chown root:root /etc/kubernetes/policies/audit-policy.yaml",
-
-      # Create audit log directory
-      "sudo mkdir -p /var/log/kubernetes",
-
-      # Idempotently add audit flags, volumes, and volumeMounts using Python
-      # to avoid sed duplication bugs on re-runs
-      <<-SCRIPT
-      sudo python3 -c "
-import yaml
-
-path = '/etc/kubernetes/manifests/kube-apiserver.yaml'
-with open(path) as f:
-    doc = yaml.safe_load(f)
-
-container = doc['spec']['containers'][0]
-cmd = container['command']
-
-# Add audit flags if missing
-audit_flags = {
-    '--audit-policy-file=/etc/kubernetes/policies/audit-policy.yaml': True,
-    '--audit-log-path=/var/log/kubernetes/audit.log': True,
-    '--audit-log-maxage=7': True,
-    '--audit-log-maxbackup=3': True,
-    '--audit-log-maxsize=100': True,
-}
-existing = set(cmd)
-for flag in audit_flags:
-    if flag not in existing:
-        cmd.append(flag)
-
-# Add volumes if missing (deduplicate by name)
-vol_names = {v['name'] for v in doc['spec']['volumes']}
-for vol in [
-    {'name': 'audit-policy', 'hostPath': {'path': '/etc/kubernetes/policies', 'type': 'DirectoryOrCreate'}},
-    {'name': 'audit-log', 'hostPath': {'path': '/var/log/kubernetes', 'type': 'DirectoryOrCreate'}},
-]:
-    if vol['name'] not in vol_names:
-        doc['spec']['volumes'].append(vol)
-        vol_names.add(vol['name'])
-
-# Add volumeMounts if missing (deduplicate by mountPath)
-mount_paths = {vm['mountPath'] for vm in container['volumeMounts']}
-for vm in [
-    {'mountPath': '/etc/kubernetes/policies', 'name': 'audit-policy', 'readOnly': True},
-    {'mountPath': '/var/log/kubernetes', 'name': 'audit-log'},
-]:
-    if vm['mountPath'] not in mount_paths:
-        container['volumeMounts'].append(vm)
-        mount_paths.add(vm['mountPath'])
-
-with open(path, 'w') as f:
-    yaml.dump(doc, f, default_flow_style=False, sort_keys=False)
-
-print('Audit config applied (idempotent)')
-"
-      SCRIPT
-      ,
-
-      # Wait for API server to restart
-      "echo 'Waiting for API server to restart with audit logging...'",
-      "sleep 30",
-      "sudo kubectl --kubeconfig=/etc/kubernetes/admin.conf get nodes || echo 'API server still restarting'",
-    ]
-  }
-
-  triggers = {
-    policy_version = "v1" # Bump to force re-apply of manifest flags
-    policy_hash = sha256(yamlencode({
-      apiVersion = "audit.k8s.io/v1"
-      kind       = "Policy"
-      rules = [
-        {
-          level = "None"
-          resources = [{
-            group     = ""
-            resources = ["endpoints", "services", "services/status"]
-          }]
-          users = ["system:kube-proxy"]
-        },
-        {
-          level = "None"
-          verbs = ["watch"]
-        },
-        {
-          level           = "None"
-          nonResourceURLs = ["/healthz*", "/readyz*", "/livez*"]
-        },
-        {
-          level = "Metadata"
-          resources = [{
-            group     = ""
-            resources = ["secrets"]
-          }]
-        },
-        {
-          level = "RequestResponse"
-          verbs = ["create", "update", "patch", "delete"]
-        },
-        {
-          level = "Metadata"
-          verbs = ["get", "list"]
-        },
-      ]
-    }))
-  }
-
-  depends_on = [null_resource.apiserver_oidc_config]
-}