-
Kubernetes Submit Queue authored
Automatic merge from submit-queue (batch tested with PRs 46897, 46899, 46864, 46854, 46875) Write audit policy file for GCE/GKE configuration Setup the audit policy configuration for GCE & GKE. Here is the high level summary of the policy: - Default logging everything at `Metadata` - Known write APIs default to `RequestResponse` - Known read-only APIs default to `Request` - Except secrets & configmaps are logged at `Metadata` - Don't log events - Don't log `/version`, swagger or healthchecks In addition to the above, I spent time analyzing the noisiest lines in the audit log from a cluster that soaked for 24 hours (and ran a batch of e2e tests). Of those top requests, those that were identified as low-risk (all read-only, except update kube-system endpoints by controllers) are dropped. I suspect we'll want to tweak this a bit more once we've had a time to soak it on some real clusters. For kubernetes/features#22 /cc @sttts @ericchiang
ea4764bf
| Name |
Last commit
|
Last update |
|---|---|---|
| .. | ||
| container-linux | ||
| debian | ||
| gci | ||
| BUILD | ||
| OWNERS | ||
| config-common.sh | ||
| config-default.sh | ||
| config-test.sh | ||
| configure-vm.sh | ||
| cos | ||
| delete-stranded-load-balancers.sh | ||
| list-resources.sh | ||
| ubuntu | ||
| upgrade.sh | ||
| util.sh |