Created
December 2, 2019 08:18
-
-
Save ChenLingPeng/3bb5a2957103af28d064ff2b1e71c554 to your computer and use it in GitHub Desktop.
audit-policy
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: audit.k8s.io/v1beta1 # This is required. | |
| kind: Policy | |
| # Don't generate audit events for all requests in RequestReceived stage. | |
| omitStages: | |
| - "RequestReceived" | |
| rules: | |
| - level: None | |
| verbs: ["watch", "get", "list"] | |
| # Log pod changes at RequestResponse level | |
| - level: RequestResponse | |
| resources: | |
| - group: "" | |
| # Resource "pods" doesn't match requests to any subresource of pods, | |
| # which is consistent with the RBAC policy. | |
| resources: ["pods"] | |
| # Log "pods/log", "pods/status" at Metadata level | |
| - level: Metadata | |
| resources: | |
| - group: "" | |
| resources: ["pods/log", "pods/status"] | |
| # Don't log requests to a configmap called "controller-leader" | |
| - level: None | |
| resources: | |
| - group: "" | |
| resources: ["configmaps"] | |
| resourceNames: ["controller-leader"] | |
| # Don't log watch requests by the "system:kube-proxy" on endpoints or services | |
| - level: None | |
| users: ["system:kube-proxy"] | |
| verbs: ["watch"] | |
| resources: | |
| - group: "" # core API group | |
| resources: ["endpoints", "services"] | |
| # Don't log authenticated requests to certain non-resource URL paths. | |
| - level: None | |
| userGroups: ["system:authenticated"] | |
| nonResourceURLs: | |
| - "/api*" # Wildcard matching. | |
| - "/version" | |
| # Log the request body of configmap changes in kube-system. | |
| - level: Request | |
| resources: | |
| - group: "" # core API group | |
| resources: ["configmaps"] | |
| # This rule only applies to resources in the "kube-system" namespace. | |
| # The empty string "" can be used to select non-namespaced resources. | |
| namespaces: ["kube-system"] | |
| # Log configmap and secret changes in all other namespaces at the Metadata level. | |
| - level: Metadata | |
| resources: | |
| - group: "" # core API group | |
| resources: ["secrets", "configmaps"] | |
| # Log all other resources in core and extensions at the Request level. | |
| - level: Request | |
| resources: | |
| - group: "" # core API group | |
| - group: "extensions" # Version of group should NOT be included. | |
| - group: "gaia" # tapp | |
| # A catch-all rule to log all other requests at the Metadata level. | |
| - level: Metadata | |
| # Long-running requests like watches that fall under this rule will not | |
| # generate an audit event in RequestReceived. | |
| omitStages: | |
| - "RequestReceived" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment