Commit 0933f5c8 authored by Mik Vyatskov's avatar Mik Vyatskov

Switch default audit policy to beta and omit RequestReceived stage

parent 01154dd3
...@@ -499,7 +499,7 @@ function create-master-audit-policy { ...@@ -499,7 +499,7 @@ function create-master-audit-policy {
- group: "storage.k8s.io"' - group: "storage.k8s.io"'
cat <<EOF >"${path}" cat <<EOF >"${path}"
apiVersion: audit.k8s.io/v1alpha1 apiVersion: audit.k8s.io/v1beta1
kind: Policy kind: Policy
rules: rules:
# The following requests were manually identified as high-volume and low-risk, # The following requests were manually identified as high-volume and low-risk,
...@@ -509,7 +509,7 @@ rules: ...@@ -509,7 +509,7 @@ rules:
verbs: ["watch"] verbs: ["watch"]
resources: resources:
- group: "" # core - group: "" # core
resources: ["endpoints", "services"] resources: ["endpoints", "services", "services/status"]
- level: None - level: None
# Ingress controller reads `configmaps/ingress-uid` through the unsecured port. # Ingress controller reads `configmaps/ingress-uid` through the unsecured port.
# TODO(#46983): Change this to the ingress controller service account. # TODO(#46983): Change this to the ingress controller service account.
...@@ -524,13 +524,13 @@ rules: ...@@ -524,13 +524,13 @@ rules:
verbs: ["get"] verbs: ["get"]
resources: resources:
- group: "" # core - group: "" # core
resources: ["nodes"] resources: ["nodes", "nodes/status"]
- level: None - level: None
userGroups: ["system:nodes"] userGroups: ["system:nodes"]
verbs: ["get"] verbs: ["get"]
resources: resources:
- group: "" # core - group: "" # core
resources: ["nodes"] resources: ["nodes", "nodes/status"]
- level: None - level: None
users: users:
- system:kube-controller-manager - system:kube-controller-manager
...@@ -546,7 +546,7 @@ rules: ...@@ -546,7 +546,7 @@ rules:
verbs: ["get"] verbs: ["get"]
resources: resources:
- group: "" # core - group: "" # core
resources: ["namespaces"] resources: ["namespaces", "namespaces/status", "namespaces/finalize"]
# Don't log these read-only URLs. # Don't log these read-only URLs.
- level: None - level: None
...@@ -569,15 +569,23 @@ rules: ...@@ -569,15 +569,23 @@ rules:
resources: ["secrets", "configmaps"] resources: ["secrets", "configmaps"]
- group: authentication.k8s.io - group: authentication.k8s.io
resources: ["tokenreviews"] resources: ["tokenreviews"]
omitStages:
- "RequestReceived"
# Get repsonses can be large; skip them. # Get repsonses can be large; skip them.
- level: Request - level: Request
verbs: ["get", "list", "watch"] verbs: ["get", "list", "watch"]
resources: ${known_apis} resources: ${known_apis}
omitStages:
- "RequestReceived"
# Default level for known APIs # Default level for known APIs
- level: RequestResponse - level: RequestResponse
resources: ${known_apis} resources: ${known_apis}
omitStages:
- "RequestReceived"
# Default level for all other requests. # Default level for all other requests.
- level: Metadata - level: Metadata
omitStages:
- "RequestReceived"
EOF EOF
} }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment