
Commit 13630a6

authored
fix: Update to latest audit policy (#145)
1 parent 4a3daff commit 13630a6


1 file changed

+11
-6
lines changed


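--- a/pkg/handlers/auditpolicy/embedded/apiserver-audit-policy.yaml
+++ b/pkg/handlers/auditpolicy/embedded/apiserver-audit-policy.yaml
@@ -1,4 +1,4 @@
-# Taken from https://github.com/kubernetes/kubernetes/blob/master/cluster/gce/gci/configure-helper.sh
+# Taken from https://github.com/kubernetes/kubernetes/blob/v1.28.1/cluster/gce/gci/configure-helper.sh#L1101
 # Recommended in Kubernetes docs
 apiVersion: audit.k8s.io/v1
 kind: Policy
@@ -35,6 +35,7 @@ rules:
 - level: None
 users:
 - system:kube-controller-manager
+- system:cloud-controller-manager
 - system:kube-scheduler
 - system:serviceaccount:kube-system:endpoint-controller
 verbs: ["get", "update"]
@@ -59,20 +60,24 @@ rules:
 - level: None
 users:
 - system:kube-controller-manager
+- system:cloud-controller-manager
 verbs: ["get", "list"]
 resources:
 - group: "metrics.k8s.io"
+
 # Don't log these read-only URLs.
 - level: None
 nonResourceURLs:
 - /healthz*
 - /version
 - /swagger*
-# Don't log events requests.
+
+# Don't log events requests because of performance impact.
 - level: None
 resources:
 - group: "" # core
 resources: ["events"]
+
 # node and pod status calls from nodes are high-volume and can be large, don't log responses for expected updates from nodes
 - level: Request
 users: ["kubelet", "system:node-problem-detector", "system:serviceaccount:kube-system:node-problem-detector"]
@@ -90,18 +95,20 @@ rules:
 resources: ["nodes/status", "pods/status"]
 omitStages:
 - "RequestReceived"
+
 # deletecollection calls can be large, don't log responses for expected namespace deletions
 - level: Request
 users: ["system:serviceaccount:kube-system:namespace-controller"]
 verbs: ["deletecollection"]
 omitStages:
 - "RequestReceived"
-# Secrets, ConfigMaps, and TokenReviews can contain sensitive & binary data,
+
+# Secrets, ConfigMaps, TokenRequest and TokenReviews can contain sensitive & binary data,
 # so only log at the Metadata level.
 - level: Metadata
 resources:
 - group: "" # core
-resources: ["secrets", "configmaps"]
+resources: ["secrets", "configmaps", "serviceaccounts/token"]
 - group: authentication.k8s.io
 resources: ["tokenreviews"]
 omitStages:
@@ -127,7 +134,6 @@ rules:
 - group: "policy"
 - group: "rbac.authorization.k8s.io"
 - group: "scheduling.k8s.io"
-- group: "settings.k8s.io"
 - group: "storage.k8s.io"
 omitStages:
 - "RequestReceived"
@@ -151,7 +157,6 @@ rules:
 - group: "policy"
 - group: "rbac.authorization.k8s.io"
 - group: "scheduling.k8s.io"
-- group: "settings.k8s.io"
 - group: "storage.k8s.io"
 omitStages:
 - "RequestReceived"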
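Review bot: The new `system:cloud-controller-manager` entries in the two `level: None` rules (new lines 38 and 63) only suppress audit for a client that authenticates with exactly that username, which is how a cert-based CCM presents itself; a cloud-controller-manager deployed as a kube-system ServiceAccount would carry a `system:serviceaccount:kube-system:<name>` identity, fall through to the later rules, and have its leader-election `get`/`update` traffic logged at whatever level the catch-all assigns (the catch-all itself is outside this section), so it is worth confirming which identity the CCMs shipped with this project actually use. A one-line comment next to the entry would save the next reader that check: `# matches only the cert-based CCM identity; an SA-based CCM authenticates as system:serviceaccount:kube-system:<name>`. The `serviceaccounts/token` addition at new line 111 closes a real gap, since a TokenRequest response body carries the issued token and `Metadata` keeps bodies out of the log; because audit rules are first-match, this rule must stay ahead of the broader group-list rules that follow it in this file, as it does here. The rule's `omitStages` list continues past the end of this hunk.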
