audip/cluster_spec.yaml

## cluster_spec.yaml
  fileAssets:
  - content: |
      apiVersion: audit.k8s.io/v1beta1
      kind: Policy
      rules:
        # The following requests were manually identified as high-volume and low-risk,
        # so drop them.
        - level: None
          users: ["system:kube-proxy"]
          verbs: ["watch"]
          resources:
            - group: "" # core
              resources: ["endpoints", "services", "services/status"]
        - level: None
        # Ingress controller reads `configmaps/ingress-uid` through the unsecured port.
        # TODO(#46983): Change this to the ingress controller service account.
          users: ["system:unsecured"]
          namespaces: ["kube-system"]
          verbs: ["get"]
          resources:
            - group: "" # core
              resources: ["configmaps"]
        - level: None
          users: ["kubelet"] # legacy kubelet identity
          verbs: ["get"]
          resources:
            - group: "" # core
              resources: ["nodes", "nodes/status"]
        - level: None
          userGroups: ["system:nodes"]
          verbs: ["get"]
          resources:
            - group: "" # core
              resources: ["nodes", "nodes/status"]
        - level: None
          users:
            - system:kube-controller-manager
            - system:kube-scheduler
            - system:serviceaccount:kube-system:endpoint-controller
          verbs: ["get", "update"]
          namespaces: ["kube-system"]
          resources:
            - group: "" # core
              resources: ["endpoints"]
        - level: None
          users: ["system:apiserver"]
          verbs: ["get"]
          resources:
            - group: "" # core
              resources: ["namespaces", "namespaces/status", "namespaces/finalize"]
        # Don't log HPA fetching metrics.
        - level: None
          users:
            - system:kube-controller-manager
          verbs: ["get", "list"]
          resources:
            - group: "metrics.k8s.io"

        # Don't log these read-only URLs.
        - level: None
          nonResourceURLs:
            - /healthz*
            - /version
            - /swagger*

        # Don't log events requests.
        - level: None
          resources:
            - group: "" # core
              resources: ["events"]
        - level: Metadata
          resources:
            - group: "" # core
              resources: ["secrets", "configmaps"]
            - group: authentication.k8s.io
              resources: ["tokenreviews"]
          omitStages:
            - "RequestReceived"
        # Default level for all other requests.
        - level: RequestResponse
          omitStages:
            - "RequestReceived"
    name: audit-policy-file
    path: /srv/kubernetes/assets/audit-policy-file
    roles:
    - Master
    - Nodes
	fileAssets:
	- content: \|
	apiVersion: audit.k8s.io/v1beta1
	kind: Policy
	rules:
	# The following requests were manually identified as high-volume and low-risk,
	# so drop them.
	- level: None
	users: ["system:kube-proxy"]
	verbs: ["watch"]
	resources:
	- group: "" # core
	resources: ["endpoints", "services", "services/status"]
	- level: None
	# Ingress controller reads `configmaps/ingress-uid` through the unsecured port.
	# TODO(#46983): Change this to the ingress controller service account.
	users: ["system:unsecured"]
	namespaces: ["kube-system"]
	verbs: ["get"]
	resources:
	- group: "" # core
	resources: ["configmaps"]
	- level: None
	users: ["kubelet"] # legacy kubelet identity
	verbs: ["get"]
	resources:
	- group: "" # core
	resources: ["nodes", "nodes/status"]
	- level: None
	userGroups: ["system:nodes"]
	verbs: ["get"]
	resources:
	- group: "" # core
	resources: ["nodes", "nodes/status"]
	- level: None
	users:
	- system:kube-controller-manager
	- system:kube-scheduler
	- system:serviceaccount:kube-system:endpoint-controller
	verbs: ["get", "update"]
	namespaces: ["kube-system"]
	resources:
	- group: "" # core
	resources: ["endpoints"]
	- level: None
	users: ["system:apiserver"]
	verbs: ["get"]
	resources:
	- group: "" # core
	resources: ["namespaces", "namespaces/status", "namespaces/finalize"]
	# Don't log HPA fetching metrics.
	- level: None
	users:
	- system:kube-controller-manager
	verbs: ["get", "list"]
	resources:
	- group: "metrics.k8s.io"

	# Don't log these read-only URLs.
	- level: None
	nonResourceURLs:
	- /healthz*
	- /version
	- /swagger*

	# Don't log events requests.
	- level: None
	resources:
	- group: "" # core
	resources: ["events"]
	- level: Metadata
	resources:
	- group: "" # core
	resources: ["secrets", "configmaps"]
	- group: authentication.k8s.io
	resources: ["tokenreviews"]
	omitStages:
	- "RequestReceived"
	# Default level for all other requests.
	- level: RequestResponse
	omitStages:
	- "RequestReceived"
	name: audit-policy-file
	path: /srv/kubernetes/assets/audit-policy-file
	roles:
	- Master
	- Nodes