@rewanthtammana
Created September 27, 2021 12:23
Kubernetes audit configuration
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  # Don't log requests to health and other non-sensitive endpoints.
  # Rules are evaluated in order and the first match sets the level,
  # so the broad Metadata catch-all must stay last.
  - level: None
    nonResourceURLs:
      - "/healthz*"
      - "/readyz*"
      - "/livez*"
      - "/logs"
      - "/metrics"
      - "/swagger*"
      - "/version"
  # Secrets, ConfigMaps and TokenReviews carry sensitive data,
  # so log only metadata and never the request/response bodies.
  - level: Metadata
    omitStages:
      - RequestReceived
    resources:
      - group: "" # core
        resources: ["secrets", "configmaps"]
      - group: authentication.k8s.io
        resources: ["tokenreviews"]
  # Extended audit of auth delegation
  - level: RequestResponse
    omitStages:
      - RequestReceived
    resources:
      - group: authorization.k8s.io
        resources: ["subjectaccessreviews"]
  # Log changes to workloads at RequestResponse level.
  # verbs is a field of the rule, not of a group entry: a verbs key placed
  # inside a resources[] item is not part of the schema and restricts nothing,
  # which would have logged every get/list/watch on these resources as well.
  - level: RequestResponse
    omitStages:
      - RequestReceived
    verbs: ["create", "patch", "update", "delete"]
    resources:
      - group: "" # core API group
        resources: ["pods"]
      - group: "apps"
        resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
  # Jobs, CronJobs and all Calico resources: every verb at RequestResponse level
  - level: RequestResponse
    omitStages:
      - RequestReceived
    resources:
      - group: "batch"
        resources: ["jobs", "cronjobs"]
      - group: "crd.projectcalico.org" # For Calico; no resources list means every resource in the group
  # Log PV/PVC operations to capture volume details
  - level: Request
    verbs: ["create", "delete", "update", "patch"]
    resources:
      - group: "" # core
        resources: ["persistentvolumeclaims", "persistentvolumes"]
  # Don't log events. They are high-volume and rarely useful for audit.
  # Events are served from both the core and the events.k8s.io groups,
  # so both must be excluded or core-group events fall through to the catch-all.
  - level: None
    resources:
      - group: ""
        resources: ["events"]
      - group: "events.k8s.io"
        resources: ["events"]
  # Log everything else at Metadata level
  - level: Metadata
    omitStages:
      - RequestReceived
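Because the apiserver applies the first matching rule and silently ignores keys the policy schema does not define, it is worth checking which level a given request would land on before shipping a policy. The evaluator below is an added example, not code from the gist or from Kubernetes; it reimplements the first-match semantics for the subset of `audit.k8s.io/v1` fields this policy uses (`level`, `omitStages`, `verbs`, `nonResourceURLs`, `resources`/`group`), and contrasts a workload rule with `verbs` misplaced inside a group entry against the corrected rule. The `Request` type, the condensed `policy()` transcription and the sample requests are all constructed here for illustration.

```python
"""Offline evaluator for a Kubernetes audit policy (added example; not the gist's
or Kubernetes' own code).  Reproduces the apiserver's first-matching-rule
semantics for the fields the gist's policy uses, so the effective level of a
request can be checked before the file is handed to kube-apiserver."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    """Constructed subset of request attributes the policy matcher needs."""
    verb: str                        # get, list, watch, create, patch, ...
    group: str = ""                  # API group; "" is the core group
    resource: Optional[str] = None   # e.g. "pods"; None for non-resource URLs
    url: Optional[str] = None        # e.g. "/healthz"; set for non-resource requests


def _url_matches(pattern: str, url: str) -> bool:
    # audit.k8s.io allows a single trailing '*' as a prefix wildcard
    return url.startswith(pattern[:-1]) if pattern.endswith("*") else url == pattern


def _group_matches(gr: dict, req: Request) -> bool:
    if gr.get("group", "") != req.group:
        return False
    # an omitted/empty resources list means "every resource in the group"
    return not gr.get("resources") or req.resource in gr["resources"]


def rule_matches(rule: dict, req: Request) -> bool:
    """True if every criterion present on the rule matches.  Only rule-level
    keys are consulted: a 'verbs' key inside a resources[] entry is not in the
    schema and therefore restricts nothing (the mistake this helps catch)."""
    if rule.get("verbs") and req.verb not in rule["verbs"]:
        return False
    if rule.get("nonResourceURLs"):
        return req.url is not None and any(_url_matches(p, req.url) for p in rule["nonResourceURLs"])
    if rule.get("resources"):
        return req.resource is not None and any(_group_matches(g, req) for g in rule["resources"])
    return True  # neither URLs nor resources given: a catch-all rule


def evaluate(rules: List[dict], req: Request) -> Tuple[str, List[str]]:
    """First matching rule wins; with no match at all the apiserver logs nothing."""
    for rule in rules:
        if rule_matches(rule, req):
            return rule["level"], list(rule.get("omitStages", []))
    return "None", []


CHANGE_VERBS = ["create", "patch", "update", "delete"]

# Workload rule with 'verbs' nested inside the group entries (the weak form).
WORKLOAD_RULE_AS_WRITTEN = {
    "level": "RequestResponse", "omitStages": ["RequestReceived"],
    "resources": [{"group": "", "resources": ["pods"], "verbs": CHANGE_VERBS},
                  {"group": "apps", "resources": ["deployments"], "verbs": CHANGE_VERBS}]}

# Corrected form: 'verbs' lifted to the rule, where the schema defines it.
WORKLOAD_RULE_FIXED = {
    "level": "RequestResponse", "omitStages": ["RequestReceived"], "verbs": CHANGE_VERBS,
    "resources": [{"group": "", "resources": ["pods"]},
                  {"group": "apps", "resources": ["deployments"]}]}


def policy(workload_rule: dict) -> List[dict]:
    """Condensed hand transcription of the gist's policy around the workload rule."""
    return [
        {"level": "None", "nonResourceURLs": ["/healthz*", "/readyz*", "/livez*", "/metrics", "/version"]},
        {"level": "Metadata", "omitStages": ["RequestReceived"],
         "resources": [{"group": "", "resources": ["secrets", "configmaps"]}]},
        workload_rule,
        {"level": "Request", "verbs": CHANGE_VERBS,
         "resources": [{"group": "", "resources": ["persistentvolumeclaims"]}]},
        {"level": "None", "resources": [{"group": "events.k8s.io", "resources": ["events"]}]},
        {"level": "Metadata", "omitStages": ["RequestReceived"]},  # catch-all, must stay last
    ]


SAMPLES: Dict[str, Request] = {  # constructed requests
    "healthz probe":    Request("get", url="/healthz/etcd"),
    "secret read":      Request("get", resource="secrets"),
    "pod create":       Request("create", resource="pods"),
    "pod list":         Request("list", resource="pods"),
    "deployment watch": Request("watch", group="apps", resource="deployments"),
    "pvc create":       Request("create", resource="persistentvolumeclaims"),
    "event create":     Request("create", group="events.k8s.io", resource="events"),
    "node list":        Request("list", resource="nodes"),
}


def report(rules: List[dict]) -> Dict[str, str]:
    """Effective audit level per sample request."""
    return {name: evaluate(rules, req)[0] for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for label, rules in (("as written", policy(WORKLOAD_RULE_AS_WRITTEN)),
                         ("fixed", policy(WORKLOAD_RULE_FIXED))):
        print(label, report(rules))
```

Run against the as-written rule, a plain `pod list` is logged at RequestResponse (full list bodies on every read); with the corrected rule it falls through to the Metadata catch-all while `pod create` stays at RequestResponse. The real file is wired in with `kube-apiserver --audit-policy-file=<path>` together with an `--audit-log-path` or webhook backend, and the apiserver logs a warning when it has to fall back to lenient decoding of a policy with unknown fields, which is the signal to look for after deploying.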