From 3f90188d6eb66c6e65ac369cbdb9d83d09958998 Mon Sep 17 00:00:00 2001
From: kaizhe
Date: Fri, 17 Apr 2020 11:55:29 -0700
Subject: [PATCH] update audit level to Metadata for secrets
Signed-off-by: kaizhe
---
 examples/k8s_audit_config/audit-policy.yaml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/examples/k8s_audit_config/audit-policy.yaml b/examples/k8s_audit_config/audit-policy.yaml
index e9fc2427..e63b8d14 100644
--- a/examples/k8s_audit_config/audit-policy.yaml
+++ b/examples/k8s_audit_config/audit-policy.yaml
@@ -56,11 +56,17 @@ rules:
 # The empty string "" can be used to select non-namespaced resources.
 namespaces: ["kube-system"]
- # Log configmap and secret changes in all other namespaces at the RequestResponse level.
+ # Log configmap changes in all other namespaces at the RequestResponse level.
 - level: RequestResponse
 resources:
 - group: "" # core API group
- resources: ["secrets", "configmaps"]
+ resources: ["configmaps"]
+
+ # Log secret changes in all other namespaces at the Metadata level.
+ - level: Metadata
+ resources:
+ - group: "" # core API group
+ resources: ["secrets"]
 # Log all other resources in core and extensions at the Request level.
 - level: Request
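Review bot: The configmap rule kept by this hunk still logs at `RequestResponse`, so full ConfigMap bodies keep landing in the audit log even though ConfigMaps can carry credentials or connection strings just as Secrets do. Either lower it to `Metadata` as well, or say in its comment that bodies are kept on purpose (for example because a detection rule inspects them). For the new secrets rule I would state the reason in the comment, e.g. `# Log secrets at Metadata only, so secret values are never written to the audit log.` Audit policy rules are matched in order, and the rule ending in `namespaces: ["kube-system"]` starts above the hunk, so please confirm that no earlier rule matches `secrets` at `Request` or `RequestResponse`. Neither rule visibly sets `verbs`, so "changes" in both comments appears to cover read requests too.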