• Kubernetes Submit Queue's avatar
    Merge pull request #46897 from timstclair/audit-policy · ea4764bf
    Kubernetes Submit Queue authored
    Automatic merge from submit-queue (batch tested with PRs 46897, 46899, 46864, 46854, 46875)
    
    Write audit policy file for GCE/GKE configuration
    
    Setup the audit policy configuration for GCE & GKE. Here is the high level summary of the policy:
    
    - Default logging everything at `Metadata`
    - Known write APIs default to `RequestResponse`
    - Known read-only APIs default to `Request`
    - Except secrets & configmaps are logged at `Metadata`
    - Don't log events
    - Don't log `/version`, swagger or healthchecks
    
    In addition to the above, I spent time analyzing the noisiest lines in the audit log from a cluster that soaked for 24 hours (and ran a batch of e2e tests). Of those top requests, those that were identified as low-risk (all read-only, except update kube-system endpoints by controllers) are dropped.
    
    I suspect we'll want to tweak this a bit more once we've had a time to soak it on some real clusters.
    
    For kubernetes/features#22
    
    /cc @sttts @ericchiang
    ea4764bf
Name
Last commit
Last update
..
container-linux Loading commit data...
debian Loading commit data...
gci Loading commit data...
BUILD Loading commit data...
OWNERS Loading commit data...
config-common.sh Loading commit data...
config-default.sh Loading commit data...
config-test.sh Loading commit data...
configure-vm.sh Loading commit data...
cos Loading commit data...
delete-stranded-load-balancers.sh Loading commit data...
list-resources.sh Loading commit data...
ubuntu Loading commit data...
upgrade.sh Loading commit data...
util.sh Loading commit data...