feelobot/audit-policy.yaml

## audit-policy.yaml
rules:
  # The following requests were manually identified as high-volume and low-risk,
  # so drop them.
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: "" # core
        resources: ["endpoints", "services"]
  - level: None
    # Ingress controller reads `configmaps/ingress-uid` through the unsecured port.
    # TODO(#46983): Change this to the ingress controller service account.
    users: ["system:unsecured"]
    namespaces: ["kube-system"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["configmaps"]
  - level: None
    users: ["kubelet"] # legacy kubelet identity
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["nodes"]
  - level: None
    userGroups: ["system:nodes"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["nodes"]
  - level: None
    users:
      - system:kube-controller-manager
      - system:kube-scheduler
      - system:serviceaccount:kube-system:endpoint-controller
    verbs: ["get", "update"]
    namespaces: ["kube-system"]
    resources:
      - group: "" # core
        resources: ["endpoints"]
  - level: None
    users: ["system:apiserver"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["namespaces"]

  # Don't log these read-only URLs.
  - level: None
    nonResourceURLs:
      - /healthz*
      - /version
      - /swagger*

  # Don't log events requests.
  - level: None
    resources:
      - group: "" # core
        resources: ["events"]

  # Secrets, ConfigMaps, and TokenReviews can contain sensitive & binary data,
  # so only log at the Metadata level.
  - level: Metadata
    resources:
      - group: "" # core
        resources: ["secrets", "configmaps"]
      - group: authentication.k8s.io
        resources: ["tokenreviews"]
  # Get repsonses can be large; skip them.
  - level: Request
    verbs: ["get", "list", "watch"]
    resources:
      - group: "" # core
      - group: "admissionregistration.k8s.io"
      - group: "apps"
      - group: "authentication.k8s.io"
      - group: "authorization.k8s.io"
      - group: "autoscaling"
      - group: "batch"
      - group: "certificates.k8s.io"
      - group: "extensions"
      - group: "networking.k8s.io"
      - group: "policy"
      - group: "rbac.authorization.k8s.io"
      - group: "settings.k8s.io"
      - group: "storage.k8s.io"
  # Default level for known APIs
  - level: RequestResponse
    resources:
      - group: "" # core
      - group: "admissionregistration.k8s.io"
      - group: "apps"
      - group: "authentication.k8s.io"
      - group: "authorization.k8s.io"
      - group: "autoscaling"
      - group: "batch"
      - group: "certificates.k8s.io"
      - group: "extensions"
      - group: "networking.k8s.io"
      - group: "policy"
      - group: "rbac.authorization.k8s.io"
      - group: "settings.k8s.io"
      - group: "storage.k8s.io"
  # Default level for all other requests.
  - level: Metadata
	rules:
	# The following requests were manually identified as high-volume and low-risk,
	# so drop them.
	- level: None
	users: ["system:kube-proxy"]
	verbs: ["watch"]
	resources:
	- group: "" # core
	resources: ["endpoints", "services"]
	- level: None
	# Ingress controller reads `configmaps/ingress-uid` through the unsecured port.
	# TODO(#46983): Change this to the ingress controller service account.
	users: ["system:unsecured"]
	namespaces: ["kube-system"]
	verbs: ["get"]
	resources:
	- group: "" # core
	resources: ["configmaps"]
	- level: None
	users: ["kubelet"] # legacy kubelet identity
	verbs: ["get"]
	resources:
	- group: "" # core
	resources: ["nodes"]
	- level: None
	userGroups: ["system:nodes"]
	verbs: ["get"]
	resources:
	- group: "" # core
	resources: ["nodes"]
	- level: None
	users:
	- system:kube-controller-manager
	- system:kube-scheduler
	- system:serviceaccount:kube-system:endpoint-controller
	verbs: ["get", "update"]
	namespaces: ["kube-system"]
	resources:
	- group: "" # core
	resources: ["endpoints"]
	- level: None
	users: ["system:apiserver"]
	verbs: ["get"]
	resources:
	- group: "" # core
	resources: ["namespaces"]

	# Don't log these read-only URLs.
	- level: None
	nonResourceURLs:
	- /healthz*
	- /version
	- /swagger*

	# Don't log events requests.
	- level: None
	resources:
	- group: "" # core
	resources: ["events"]

	# Secrets, ConfigMaps, and TokenReviews can contain sensitive & binary data,
	# so only log at the Metadata level.
	- level: Metadata
	resources:
	- group: "" # core
	resources: ["secrets", "configmaps"]
	- group: authentication.k8s.io
	resources: ["tokenreviews"]
	# Get repsonses can be large; skip them.
	- level: Request
	verbs: ["get", "list", "watch"]
	resources:
	- group: "" # core
	- group: "admissionregistration.k8s.io"
	- group: "apps"
	- group: "authentication.k8s.io"
	- group: "authorization.k8s.io"
	- group: "autoscaling"
	- group: "batch"
	- group: "certificates.k8s.io"
	- group: "extensions"
	- group: "networking.k8s.io"
	- group: "policy"
	- group: "rbac.authorization.k8s.io"
	- group: "settings.k8s.io"
	- group: "storage.k8s.io"
	# Default level for known APIs
	- level: RequestResponse
	resources:
	- group: "" # core
	- group: "admissionregistration.k8s.io"
	- group: "apps"
	- group: "authentication.k8s.io"
	- group: "authorization.k8s.io"
	- group: "autoscaling"
	- group: "batch"
	- group: "certificates.k8s.io"
	- group: "extensions"
	- group: "networking.k8s.io"
	- group: "policy"
	- group: "rbac.authorization.k8s.io"
	- group: "settings.k8s.io"
	- group: "storage.k8s.io"
	# Default level for all other requests.
	- level: Metadata