diff --git a/rules/k8s_audit_rules.yaml b/rules/k8s_audit_rules.yaml
index 7744af2b..e1e5d177 100644
--- a/rules/k8s_audit_rules.yaml
+++ b/rules/k8s_audit_rules.yaml
@@ -105,9 +105,6 @@
 - macro: secret
   condition: ka.target.resource=secrets
 
-- macro: req_service_account_token
-  condition: (jevt.value[/requestObject/type]="kubernetes.io/service-account-token")
-
 - macro: health_endpoint
   condition: ka.uri=/healthz
 
@@ -409,7 +406,7 @@
 
 - rule: K8s Secret Created
   desc: Detect any attempt to create a secret. Service account tokens are excluded.
-  condition: (kactivity and kcreate and secret and ka.target.namespace!=kube-system and not req_service_account_token and response_successful)
+  condition: (kactivity and kcreate and secret and ka.target.namespace!=kube-system and non_system_user and response_successful)
   output: K8s Secret Created (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
   priority: INFO
   source: k8s_audit
@@ -417,7 +414,7 @@
 
 - rule: K8s Secret Deleted
   desc: Detect any attempt to delete a secret Service account tokens are excluded.
-  condition: (kactivity and kdelete and secret and ka.target.namespace!=kube-system and not req_service_account_token and response_successful)
+  condition: (kactivity and kdelete and secret and ka.target.namespace!=kube-system and non_system_user and response_successful)
   output: K8s Secret Deleted (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
   priority: INFO
   source: k8s_audit
diff --git a/test/trace_files/k8s_audit/create_kube_system_secret.json b/test/trace_files/k8s_audit/create_kube_system_secret.json
index 488c9f12..6e07e162 100644
--- a/test/trace_files/k8s_audit/create_kube_system_secret.json
+++ b/test/trace_files/k8s_audit/create_kube_system_secret.json
@@ -1 +1 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"263db4e4-f0bb-41b4-913d-c03815f49be5","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-system/secrets","verb":"create","user":{"username":"admin","groups":["system:masters","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kubeadm/v1.16.2 (linux/amd64) kubernetes/c97fe50","objectRef":{"resource":"secrets","namespace":"kube-system","name":"bootstrap-token-ne7bxu","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Secret","apiVersion":"v1","metadata":{"name":"bootstrap-token-ne7bxu","namespace":"kube-system","creationTimestamp":null},"data":{"auth-extra-groups":"c3lzdGVtOmJvb3RzdHJhcHBlcnM6a3ViZWFkbTpkZWZhdWx0LW5vZGUtdG9rZW4=","expiration":"MjAyMC0wMy0yNVQxMTo1Mzo0OS0wNzowMA==","token-id":"bmU3Ynh1","token-secret":"eGNwcGRha3Z1cTJ6d3Eycw==","usage-bootstrap-authentication":"dHJ1ZQ==","usage-bootstrap-signing":"dHJ1ZQ=="},"type":"bootstrap.kubernetes.io/token"},"responseObject":{"kind":"Secret","apiVersion":"v1","metadata":{"name":"bootstrap-token-ne7bxu","namespace":"kube-system","selfLink":"/api/v1/namespaces/kube-system/secrets/bootstrap-token-ne7bxu","uid":"799b20e8-a196-4061-9a55-d8c76ab092df","resourceVersion":"161","creationTimestamp":"2020-03-24T18:53:49Z"},"data":{"auth-extra-groups":"c3lzdGVtOmJvb3RzdHJhcHBlcnM6a3ViZWFkbTpkZWZhdWx0LW5vZGUtdG9rZW4=","expiration":"MjAyMC0wMy0yNVQxMTo1Mzo0OS0wNzowMA==","token-id":"bmU3Ynh1","token-secret":"eGNwcGRha3Z1cTJ6d3Eycw==","usage-bootstrap-authentication":"dHJ1ZQ==","usage-bootstrap-signing":"dHJ1ZQ=="},"type":"bootstrap.kubernetes.io/token"},"requestReceivedTimestamp":"2020-03-24T18:53:49.023018Z","stageTimestamp":"2020-03-24T18:53:49.025530Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"263db4e4-f0bb-41b4-913d-c03815f49be5","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-system/secrets","verb":"create","user":{"username":"admin","groups":["system:masters","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kubeadm/v1.16.2 (linux/amd64) kubernetes/c97fe50","objectRef":{"resource":"secrets","namespace":"kube-system","name":"bootstrap-token-ne7bxu","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestReceivedTimestamp":"2020-03-24T18:53:49.023018Z","stageTimestamp":"2020-03-24T18:53:49.025530Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
diff --git a/test/trace_files/k8s_audit/create_secret.json b/test/trace_files/k8s_audit/create_secret.json
index 76f961a4..a8f58c6a 100644
--- a/test/trace_files/k8s_audit/create_secret.json
+++ b/test/trace_files/k8s_audit/create_secret.json
@@ -1,2 +1,2 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"c07ab0e2-9b07-4cc6-8e3b-91ac69586a1f","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/sysdig-agent/secrets","verb":"create","user":{"username":"minikube-user","groups":["system:masters","system:authenticated"]},"sourceIPs":["10.0.2.15"],"userAgent":"kubectl/v1.13.3 (linux/amd64) kubernetes/721bfa7","objectRef":{"resource":"secrets","namespace":"sysdig-agent","name":"sysdig-agent","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Secret","apiVersion":"v1","metadata":{"name":"sysdig-agent","creationTimestamp":null},"data":{"access-key":"MzFiNGQ0YjctMDAyNi00YzI3LWJiMGItNDk5ZDZkZjg1ZGJi"},"type":"Opaque"},"responseObject":{"kind":"Secret","apiVersion":"v1","metadata":{"name":"sysdig-agent","namespace":"sysdig-agent","selfLink":"/api/v1/namespaces/sysdig-agent/secrets/sysdig-agent","uid":"9c812531-09bd-11ea-a1f9-08002719228f","resourceVersion":"830","creationTimestamp":"2019-11-18T04:40:56Z"},"data":{"access-key":"MzFiNGQ0YjctMDAyNi00YzI3LWJiMGItNDk5ZDZkZjg1ZGJi"},"type":"Opaque"},"requestReceivedTimestamp":"2019-11-18T04:40:56.739299Z","stageTimestamp":"2019-11-18T04:40:56.741993Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"55a81824-ab56-46c5-8b02-96336f5e78d7","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/secrets","verb":"create","user":{"username":"minikube-user","groups":["system:masters","system:authenticated"]},"sourceIPs":["192.168.64.1"],"userAgent":"kubectl/v1.17.3 (darwin/amd64) kubernetes/06ad960","objectRef":{"resource":"secrets","namespace":"default","name":"example-secret","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestReceivedTimestamp":"2020-04-21T17:57:05.541358Z","stageTimestamp":"2020-04-21T17:57:05.548299Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
 
diff --git a/test/trace_files/k8s_audit/create_service_account_token_secret.json b/test/trace_files/k8s_audit/create_service_account_token_secret.json
index 92ff5219..523a1e9c 100644
--- a/test/trace_files/k8s_audit/create_service_account_token_secret.json
+++ b/test/trace_files/k8s_audit/create_service_account_token_secret.json
@@ -1 +1 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"80ec4e21-2144-4156-bac3-7db13f966060","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/sysdig-agent/secrets","verb":"create","user":{"username":"system:kube-controller-manager","groups":["system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.12 (linux/amd64) kubernetes/a8b5220/tokens-controller","objectRef":{"resource":"secrets","namespace":"sysdig-agent","name":"default-token-lmsbg","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Secret","apiVersion":"v1","metadata":{"name":"default-token-lmsbg","namespace":"sysdig-agent","creationTimestamp":null,"annotations":{"kubernetes.io/service-account.name":"default","kubernetes.io/service-account.uid":"8b65cb69-09bd-11ea-a1f9-08002719228f"}},"data":{"ca.crt":"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1ekNDQWMrZ0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwdGFXNXAKYTNWaVpVTkJNQjRYRFRFNU1EZ3hNVEl5TkRJeU5Gb1hEVEk1TURnd09USXlOREl5TkZvd0ZURVRNQkVHQTFVRQpBeE1LYldsdWFXdDFZbVZEUVRDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBT1ZLCkdtd2diY3dhdTJyVW9GVDJ1bFo1d09HRlR4WmRNMjRrUEhMcCs1NXpLd25BamlXeDNCcXg5SDlTb3JzVStnMnYKQkVncjZpMHM0TGlldFNGNmVGR1NvUG1XZ2FGK1ZnQy9XZlJmR0FFU3dWQXVyb3VZZ0VCRW5XTjVvZ1c3TW45eQo4K1pkZXo3OC9Md1hSbmwxWFZFei92RFc2OUZTaVNEZzI5eURkVWVxa2lMTTJOV0hsZ0hDT2FKRVFjZWt5bUFrCjE3SzlSWS90cDJXT3FUVEVBR2p1NU1vSmtqbEF4TDZBNHNlMG1YZWhhM2tVVGNMWnJQUGZJWUpLeC9EZldoRDEKWU1NL2JBelNmYlIyZ2QxVEJqTjlhUy81bE1kcDY2N3NYNFh4WVhxSmlxY3BkTTNhdTkvMW96UkRZQjJ0VTl1bgp6a2pDOXJqRkthNWI2TjE0bVo4Q0F3RUFBYU5DTUVBd0RnWURWUjBQQVFIL0JBUURBZ0trTUIwR0ExVWRKUVFXCk1CUUdDQ3NHQVFVRkJ3TUNCZ2dyQmdFRkJRY0RBVEFQQmdOVkhSTUJBZjhFQlRBREFRSC9NQTBHQ1NxR1NJYjMKRFFFQkN3VUFBNElCQVFDa3haeHNqNFZCam5VcGpuOXJEKzd0UmJFYWR1NXczcU52SjczN1ZBSlFFZUhKaUhPZwp5eHhRK21NMkIvek9pcHdTOC9yTi90SUpydHF0eSt3TnBpcWxZTFhrcTBveEJNdjVzd1p0YnU5Mm55eVhwTkgrCk9tR0MxQmNscWxlUzE0VlBPWHVFL011SlpIaW5HMG5EdWR5eTlvZmVqdTZXSDJJU3FRWEJUK0tKQmtYL1RDcDcKM1NYZS9vUk1pMTdxY01WOTBoV2ZOYldmeDdya0l2bWwrVzEzWnc1WkdVaGxSODdNb1ZMdENybnBmbHBpcDgvYgptbWFra1FPblN4d0FaUkJCQXQrclc4ZUFqSFRFSktJb0s5ZllsMWJtYTU3VTE5ZVZudEIrL0N2RDRUcWkrL0lwClpqMThYNVJXbm8zUkRzUElIQkpDL2ZMK2Juc1ErcFMvSUhGRgotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==","namespace":"c3lzZGlnLWFnZW50","token":"ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNklpSjkuZXlKcGMzTWlPaUpyZFdKbGNtNWxkR1Z6TDNObGNuWnBZMlZoWTJOdmRXNTBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5dVlXMWxjM0JoWTJVaU9pSnplWE5rYVdjdFlXZGxiblFpTENKcmRXSmxjbTVsZEdWekxtbHZMM05sY25acFkyVmhZMk52ZFc1MEwzTmxZM0psZEM1dVlXMWxJam9pWkdWbVlYVnNkQzEwYjJ0bGJpMXNiWE5pWnlJc0ltdDFZbVZ5Ym1WMFpYTXVhVzh2YzJWeWRtbGpaV0ZqWTI5MWJuUXZjMlZ5ZG1salpTMWhZMk52ZFc1MExtNWhiV1VpT2lKa1pXWmhkV3gwSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXpaWEoyYVdObExXRmpZMjkxYm5RdWRXbGtJam9pT0dJMk5XTmlOamt0TURsaVpDMHhNV1ZoTFdFeFpqa3RNRGd3TURJM01Ua3lNamhtSWl3aWMzVmlJam9pYzNsemRHVnRPbk5sY25acFkyVmhZMk52ZFc1ME9uTjVjMlJwWnkxaFoyVnVkRHBrWldaaGRXeDBJbjAuYmxGU05kVzh3a3Z5SzhEVUJUWVJoZFJKaDl3OEw5alp3NDJhMlRacW53bkJvYXg0R21UN2JyblRXS2lkcGZUU2h6UUh5ZVRpU2REMk1Pc1NDeXg3S1J2SWp0dDB3d1JDWUhQUHJ6TE5VR2pyRTJ1ckVGaWJjelJPRU8telV5amJiN0VBanJ3blRhWkZMMVRUMWdsU3hkZDNGbFZzTTg4eU1aaEJZN2NUVU9hUkVDV3VLNG9hc2hQYnZKSHAteWZzVDBSQ0Q3eFhtWmQzbE9kRG9rOHZRZUQtXzQ0VmlrQzljcThwV3FxRHhBTGRsQk1jUHNSc1ZXRDFjb2taZ0RsUHJ2Q0xPemx5b19kZGQ5c1A3VFVrTlhNYjVWcHNVWm4wMlN2QVFMUG44MGhFWHdYaTNnNGRJWG1XaVFIc0pCTmpEeUF6d1FGZXZlZE10cS1uVmpJci13"},"type":"kubernetes.io/service-account-token"},"responseObject":{"kind":"Secret","apiVersion":"v1","metadata":{"name":"default-token-lmsbg","namespace":"sysdig-agent","selfLink":"/api/v1/namespaces/sysdig-agent/secrets/default-token-lmsbg","uid":"8b69fccc-09bd-11ea-a1f9-08002719228f","resourceVersion":"795","creationTimestamp":"2019-11-18T04:40:28Z","annotations":{"kubernetes.io/service-account.name":"default","kubernetes.io/service-account.uid":"8b65cb69-09bd-11ea-a1f9-08002719228f"}},"data":{"ca.crt":"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1ekNDQWMrZ0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwdGFXNXAKYTNWaVpVTkJNQjRYRFRFNU1EZ3hNVEl5TkRJeU5Gb1hEVEk1TURnd09USXlOREl5TkZvd0ZURVRNQkVHQTFVRQpBeE1LYldsdWFXdDFZbVZEUVRDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBT1ZLCkdtd2diY3dhdTJyVW9GVDJ1bFo1d09HRlR4WmRNMjRrUEhMcCs1NXpLd25BamlXeDNCcXg5SDlTb3JzVStnMnYKQkVncjZpMHM0TGlldFNGNmVGR1NvUG1XZ2FGK1ZnQy9XZlJmR0FFU3dWQXVyb3VZZ0VCRW5XTjVvZ1c3TW45eQo4K1pkZXo3OC9Md1hSbmwxWFZFei92RFc2OUZTaVNEZzI5eURkVWVxa2lMTTJOV0hsZ0hDT2FKRVFjZWt5bUFrCjE3SzlSWS90cDJXT3FUVEVBR2p1NU1vSmtqbEF4TDZBNHNlMG1YZWhhM2tVVGNMWnJQUGZJWUpLeC9EZldoRDEKWU1NL2JBelNmYlIyZ2QxVEJqTjlhUy81bE1kcDY2N3NYNFh4WVhxSmlxY3BkTTNhdTkvMW96UkRZQjJ0VTl1bgp6a2pDOXJqRkthNWI2TjE0bVo4Q0F3RUFBYU5DTUVBd0RnWURWUjBQQVFIL0JBUURBZ0trTUIwR0ExVWRKUVFXCk1CUUdDQ3NHQVFVRkJ3TUNCZ2dyQmdFRkJRY0RBVEFQQmdOVkhSTUJBZjhFQlRBREFRSC9NQTBHQ1NxR1NJYjMKRFFFQkN3VUFBNElCQVFDa3haeHNqNFZCam5VcGpuOXJEKzd0UmJFYWR1NXczcU52SjczN1ZBSlFFZUhKaUhPZwp5eHhRK21NMkIvek9pcHdTOC9yTi90SUpydHF0eSt3TnBpcWxZTFhrcTBveEJNdjVzd1p0YnU5Mm55eVhwTkgrCk9tR0MxQmNscWxlUzE0VlBPWHVFL011SlpIaW5HMG5EdWR5eTlvZmVqdTZXSDJJU3FRWEJUK0tKQmtYL1RDcDcKM1NYZS9vUk1pMTdxY01WOTBoV2ZOYldmeDdya0l2bWwrVzEzWnc1WkdVaGxSODdNb1ZMdENybnBmbHBpcDgvYgptbWFra1FPblN4d0FaUkJCQXQrclc4ZUFqSFRFSktJb0s5ZllsMWJtYTU3VTE5ZVZudEIrL0N2RDRUcWkrL0lwClpqMThYNVJXbm8zUkRzUElIQkpDL2ZMK2Juc1ErcFMvSUhGRgotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==","namespace":"c3lzZGlnLWFnZW50","token":"ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNklpSjkuZXlKcGMzTWlPaUpyZFdKbGNtNWxkR1Z6TDNObGNuWnBZMlZoWTJOdmRXNTBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5dVlXMWxjM0JoWTJVaU9pSnplWE5rYVdjdFlXZGxiblFpTENKcmRXSmxjbTVsZEdWekxtbHZMM05sY25acFkyVmhZMk52ZFc1MEwzTmxZM0psZEM1dVlXMWxJam9pWkdWbVlYVnNkQzEwYjJ0bGJpMXNiWE5pWnlJc0ltdDFZbVZ5Ym1WMFpYTXVhVzh2YzJWeWRtbGpaV0ZqWTI5MWJuUXZjMlZ5ZG1salpTMWhZMk52ZFc1MExtNWhiV1VpT2lKa1pXWmhkV3gwSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXpaWEoyYVdObExXRmpZMjkxYm5RdWRXbGtJam9pT0dJMk5XTmlOamt0TURsaVpDMHhNV1ZoTFdFeFpqa3RNRGd3TURJM01Ua3lNamhtSWl3aWMzVmlJam9pYzNsemRHVnRPbk5sY25acFkyVmhZMk52ZFc1ME9uTjVjMlJwWnkxaFoyVnVkRHBrWldaaGRXeDBJbjAuYmxGU05kVzh3a3Z5SzhEVUJUWVJoZFJKaDl3OEw5alp3NDJhMlRacW53bkJvYXg0R21UN2JyblRXS2lkcGZUU2h6UUh5ZVRpU2REMk1Pc1NDeXg3S1J2SWp0dDB3d1JDWUhQUHJ6TE5VR2pyRTJ1ckVGaWJjelJPRU8telV5amJiN0VBanJ3blRhWkZMMVRUMWdsU3hkZDNGbFZzTTg4eU1aaEJZN2NUVU9hUkVDV3VLNG9hc2hQYnZKSHAteWZzVDBSQ0Q3eFhtWmQzbE9kRG9rOHZRZUQtXzQ0VmlrQzljcThwV3FxRHhBTGRsQk1jUHNSc1ZXRDFjb2taZ0RsUHJ2Q0xPemx5b19kZGQ5c1A3VFVrTlhNYjVWcHNVWm4wMlN2QVFMUG44MGhFWHdYaTNnNGRJWG1XaVFIc0pCTmpEeUF6d1FGZXZlZE10cS1uVmpJci13"},"type":"kubernetes.io/service-account-token"},"requestReceivedTimestamp":"2019-11-18T04:40:28.066497Z","stageTimestamp":"2019-11-18T04:40:28.070609Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:kube-controller-manager\" of ClusterRole \"system:kube-controller-manager\" to User \"system:kube-controller-manager\""}}
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"40ed7b5a-e92f-49ec-a359-86d36077d9c8","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/test2/secrets","verb":"create","user":{"username":"system:kube-controller-manager","groups":["system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.17.3 (linux/amd64) kubernetes/06ad960/tokens-controller","objectRef":{"resource":"secrets","namespace":"test2","name":"default-token-7v4pb","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestReceivedTimestamp":"2020-04-21T17:32:29.939199Z","stageTimestamp":"2020-04-21T17:32:29.942468Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:kube-controller-manager\" of ClusterRole \"system:kube-controller-manager\" to User \"system:kube-controller-manager\""}}
diff --git a/test/trace_files/k8s_audit/delete_secret.json b/test/trace_files/k8s_audit/delete_secret.json
index 327e52cb..4ff5809e 100644
--- a/test/trace_files/k8s_audit/delete_secret.json
+++ b/test/trace_files/k8s_audit/delete_secret.json
@@ -1 +1 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"39ca37c2-1e47-4ca9-a719-646688a4cea4","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/tes/secrets/default-token-lmq4v","verb":"delete","user":{"username":"system:kube-controller-manager","groups":["system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.12 (linux/amd64) kubernetes/a8b5220/tokens-controller","objectRef":{"resource":"secrets","namespace":"tes","name":"default-token-lmq4v","apiVersion":"v1"},"responseStatus":{"metadata":{},"status":"Success","code":200},"requestObject":{"kind":"DeleteOptions","apiVersion":"v1","preconditions":{"uid":"ac540c76-09c2-11ea-a1f9-08002719228f"}},"responseObject":{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Success","details":{"name":"default-token-lmq4v","kind":"secrets","uid":"ac540c76-09c2-11ea-a1f9-08002719228f"}},"requestReceivedTimestamp":"2019-11-18T05:17:20.899988Z","stageTimestamp":"2019-11-18T05:17:20.904826Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:kube-controller-manager\" of ClusterRole \"system:kube-controller-manager\" to User \"system:kube-controller-manager\""}}
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"d1df3fa9-497f-49cf-bd48-60a651df8075","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/secrets/example-secret","verb":"delete","user":{"username":"minikube-user","groups":["system:masters","system:authenticated"]},"sourceIPs":["192.168.64.1"],"userAgent":"kubectl/v1.17.3 (darwin/amd64) kubernetes/06ad960","objectRef":{"resource":"secrets","namespace":"default","name":"example-secret","apiVersion":"v1"},"responseStatus":{"metadata":{},"status":"Success","code":200},"requestReceivedTimestamp":"2020-04-21T17:58:49.691845Z","stageTimestamp":"2020-04-21T17:58:49.696309Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}