Merge pull request #49280 from CaoShuFeng/RequestReceived

Automatic merge from submit-queue

Provide a way to omit Event stages in audit policy

This provide a way to omit some stages for each audit policy rule.
    
For example:

    ```
      apiVersion: audit.k8s.io/v1beta1
      kind: Policy
      - level: Metadata
        resources:
           - group: "rbac.authorization.k8s.io"
             resources: ["roles"]
        omitStages:
          - "RequestReceived"
    ```
    
RequestReceived stage will not be emitted to audit backends with previous config.


**Release note**:

```
None
```
#

staging/src/k8s.io/apiserver/pkg/apis/audit/types.go

@@ -207,6 +207,10 @@ type PolicyRule struct {
 	//  "/healthz*" - Log all health checks
 	// +optional
 	NonResourceURLs []string
+
+	// OmitStages specify events generated in which stages will not be emitted to backend.
+	// An empty list means no restrictions will apply.
+	OmitStages []Stage
 }
 
 // GroupResources represents resource kinds in an API group.

staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/generated.pb.go

@@ -543,6 +543,21 @@ func (m *PolicyRule) MarshalTo(dAtA []byte) (int, error) {
 			i += copy(dAtA[i:], s)
 		}
 	}
+	if len(m.OmitStages) > 0 {
+		for _, s := range m.OmitStages {
+			dAtA[i] = 0x42
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
 	return i, nil
 }
 
@@ -744,6 +759,12 @@ func (m *PolicyRule) Size() (n int) {
 			n += 1 + l + sovGenerated(uint64(l))
 		}
 	}
+	if len(m.OmitStages) > 0 {
+		for _, s := range m.OmitStages {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
 	return n
 }
 
@@ -856,6 +877,7 @@ func (this *PolicyRule) String() string {
 		`Resources:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Resources), "GroupResources", "GroupResources", 1), `&`, ``, 1) + `,`,
 		`Namespaces:` + fmt.Sprintf("%v", this.Namespaces) + `,`,
 		`NonResourceURLs:` + fmt.Sprintf("%v", this.NonResourceURLs) + `,`,
+		`OmitStages:` + fmt.Sprintf("%v", this.OmitStages) + `,`,
 		`}`,
 	}, "")
 	return s
@@ -2304,6 +2326,35 @@ func (m *PolicyRule) Unmarshal(dAtA []byte) error {
 			}
 			m.NonResourceURLs = append(m.NonResourceURLs, string(dAtA[iNdEx:postIndex]))
 			iNdEx = postIndex
+		case 8:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field OmitStages", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.OmitStages = append(m.OmitStages, Stage(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipGenerated(dAtA[iNdEx:])
@@ -2435,75 +2486,76 @@ func init() {
 }
 
 var fileDescriptorGenerated = []byte{
-	// 1107 bytes of a gzipped FileDescriptorProto
+	// 1129 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x56, 0xcf, 0x6f, 0xe3, 0x44,
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x56, 0xcd, 0x6e, 0x23, 0x45,
-	0x14, 0xae, 0x37, 0x4d, 0x1b, 0x4f, 0xb7, 0x3f, 0x76, 0x16, 0x81, 0xd5, 0x43, 0x52, 0x82, 0x84,
+	0x10, 0xce, 0xac, 0xe3, 0x8d, 0xa7, 0xb3, 0xf9, 0xd9, 0x5e, 0xc4, 0x8e, 0x72, 0xb0, 0x83, 0x91,
-	0x22, 0x28, 0x76, 0x5b, 0x0a, 0x2c, 0x07, 0x0e, 0x8d, 0x16, 0x41, 0xa4, 0x52, 0xca, 0xb4, 0x59,
+	0x90, 0x05, 0x61, 0x26, 0x09, 0x81, 0x5d, 0x0e, 0x1c, 0x62, 0x2d, 0x02, 0x4b, 0x21, 0x84, 0x4e,
-	0x89, 0x1f, 0x07, 0x9c, 0xe4, 0x35, 0x31, 0x4d, 0x6c, 0x33, 0x33, 0x0e, 0xea, 0x8d, 0x03, 0xe2,
+	0xbc, 0x12, 0x3f, 0x07, 0xc6, 0x76, 0xc5, 0x1e, 0xe2, 0xf9, 0xa1, 0xbb, 0xc7, 0x28, 0x37, 0x0e,
-	0xcc, 0x9d, 0x3f, 0x06, 0x21, 0x81, 0xd4, 0xe3, 0x1e, 0xf7, 0x14, 0xd1, 0xf0, 0x5f, 0xf4, 0x84,
+	0x3c, 0x00, 0x77, 0x1e, 0x66, 0x85, 0x04, 0x52, 0x8e, 0x7b, 0xdc, 0x93, 0x45, 0xcc, 0x5b, 0xe4,
-	0x66, 0x3c, 0xe3, 0xb1, 0xd3, 0x8d, 0x48, 0x2f, 0x7b, 0xf3, 0xbc, 0xf7, 0x7d, 0xdf, 0xbc, 0xf7,
+	0x84, 0xba, 0xa7, 0x7b, 0x7a, 0xec, 0xac, 0x85, 0x73, 0xd9, 0xdb, 0x74, 0xd5, 0xf7, 0x7d, 0x5d,
-	0xfc, 0xde, 0xb3, 0xd1, 0x57, 0x97, 0x4f, 0x98, 0x1b, 0x44, 0xde, 0x65, 0xd2, 0x01, 0x1a, 0x02,
+	0x55, 0x53, 0x55, 0x33, 0xe8, 0x9b, 0x8b, 0xa7, 0xcc, 0x0d, 0x62, 0xef, 0x22, 0xed, 0x00, 0x8d,
-	0x07, 0xe6, 0x8d, 0x21, 0xec, 0x45, 0xd4, 0x53, 0x0e, 0x3f, 0x0e, 0x18, 0xd0, 0x31, 0x50, 0x2f,
+	0x80, 0x03, 0xf3, 0x46, 0x10, 0xf5, 0x62, 0xea, 0x29, 0x87, 0x9f, 0x04, 0x0c, 0xe8, 0x08, 0xa8,
-	0xbe, 0xec, 0xcb, 0x93, 0xe7, 0x27, 0xbd, 0x80, 0x7b, 0xe3, 0x7d, 0x7f, 0x18, 0x0f, 0xfc, 0x7d,
+	0x97, 0x5c, 0xf4, 0xe5, 0xc9, 0xf3, 0xd3, 0x5e, 0xc0, 0xbd, 0xd1, 0x9e, 0x3f, 0x4c, 0x06, 0xfe,
-	0xaf, 0x0f, 0x21, 0x50, 0x9f, 0x43, 0xcf, 0x8d, 0x69, 0xc4, 0x23, 0xdc, 0x48, 0x99, 0x6e, 0xc6,
+	0x9e, 0xd7, 0x87, 0x08, 0xa8, 0xcf, 0xa1, 0xe7, 0x26, 0x34, 0xe6, 0x31, 0x6e, 0x64, 0x4c, 0x37,
-	0x74, 0xe3, 0xcb, 0xbe, 0x3c, 0xb9, 0x92, 0xe9, 0x6a, 0xe6, 0xf6, 0x7b, 0xfd, 0x80, 0x0f, 0x92,
+	0x67, 0xba, 0xc9, 0x45, 0x5f, 0x9e, 0x5c, 0xc9, 0x74, 0x35, 0x73, 0xeb, 0xc3, 0x7e, 0xc0, 0x07,
-	0x8e, 0xdb, 0x8d, 0x46, 0x5e, 0x3f, 0xea, 0x47, 0x9e, 0x14, 0xe8, 0x24, 0x17, 0xf2, 0x24, 0x0f,
+	0x69, 0xc7, 0xed, 0xc6, 0xa1, 0xd7, 0x8f, 0xfb, 0xb1, 0x27, 0x05, 0x3a, 0xe9, 0xb9, 0x3c, 0xc9,
-	0xf2, 0x29, 0x15, 0xde, 0xde, 0x35, 0x21, 0x79, 0x7e, 0xc2, 0x07, 0x10, 0xf2, 0xa0, 0xeb, 0xf3,
+	0x83, 0x7c, 0xca, 0x84, 0xb7, 0x76, 0x4c, 0x48, 0x9e, 0x9f, 0xf2, 0x01, 0x44, 0x3c, 0xe8, 0xfa,
-	0x20, 0x0a, 0xbd, 0xf1, 0x9d, 0x30, 0xb6, 0x0f, 0x0d, 0x7a, 0xe4, 0x77, 0x07, 0x41, 0x08, 0xf4,
+	0x3c, 0x88, 0x23, 0x6f, 0x74, 0x2b, 0x8c, 0xad, 0x03, 0x83, 0x0e, 0xfd, 0xee, 0x20, 0x88, 0x80,
-	0xca, 0xe4, 0x30, 0x02, 0xee, 0xbf, 0x8c, 0xe5, 0xcd, 0x63, 0xd1, 0x24, 0xe4, 0xc1, 0x08, 0xee,
+	0x5e, 0x9a, 0x1c, 0x42, 0xe0, 0xfe, 0xeb, 0x58, 0xde, 0x3c, 0x16, 0x4d, 0x23, 0x1e, 0x84, 0x70,
-	0x10, 0x3e, 0xfc, 0x3f, 0x02, 0xeb, 0x0e, 0x60, 0xe4, 0xdf, 0xe1, 0xbd, 0x3f, 0x8f, 0x97, 0xf0,
+	0x8b, 0xf0, 0xc9, 0xff, 0x11, 0x58, 0x77, 0x00, 0xa1, 0x7f, 0x8b, 0xf7, 0xd1, 0x3c, 0x5e, 0xca,
-	0x60, 0xe8, 0x05, 0x21, 0x67, 0x9c, 0xce, 0x92, 0xea, 0x7f, 0x55, 0x50, 0xf9, 0xd3, 0x31, 0x84,
+	0x83, 0xa1, 0x17, 0x44, 0x9c, 0x71, 0x3a, 0x4b, 0xaa, 0xff, 0x55, 0x41, 0xe5, 0xcf, 0x47, 0x10,
-	0x1c, 0x7f, 0x8f, 0x2a, 0x22, 0x85, 0x9e, 0xcf, 0x7d, 0xc7, 0xda, 0xb1, 0x1a, 0x6b, 0x07, 0x7b,
+	0x71, 0xfc, 0x23, 0xaa, 0x88, 0x14, 0x7a, 0x3e, 0xf7, 0x1d, 0x6b, 0xdb, 0x6a, 0xac, 0xee, 0xef,
-	0xae, 0xa9, 0x7b, 0xa6, 0x68, 0x4a, 0x2f, 0xd0, 0xee, 0x78, 0xdf, 0xfd, 0xb2, 0xf3, 0x03, 0x74,
+	0xba, 0xa6, 0xee, 0xb9, 0xa2, 0x29, 0xbd, 0x40, 0xbb, 0xa3, 0x3d, 0xf7, 0xeb, 0xce, 0x4f, 0xd0,
-	0xf9, 0x17, 0xc0, 0xfd, 0x26, 0xbe, 0x9e, 0xd4, 0x96, 0xa6, 0x93, 0x1a, 0x32, 0x36, 0x92, 0xa9,
+	0xe5, 0x5f, 0x01, 0xf7, 0x9b, 0xf8, 0x6a, 0x5c, 0x5b, 0x9a, 0x8c, 0x6b, 0xc8, 0xd8, 0x48, 0xae,
-	0xe2, 0x5d, 0x54, 0x1e, 0xc2, 0x18, 0x86, 0xce, 0x83, 0x1d, 0xab, 0x61, 0x37, 0x5f, 0x57, 0xe0,
+	0x8a, 0x77, 0x50, 0x79, 0x08, 0x23, 0x18, 0x3a, 0xf7, 0xb6, 0xad, 0x86, 0xdd, 0x7c, 0x5b, 0x81,
-	0xf2, 0xb1, 0x30, 0xde, 0xea, 0x07, 0x92, 0x82, 0xf0, 0xb7, 0xc8, 0x16, 0xd9, 0x32, 0xee, 0x8f,
+	0xcb, 0x47, 0xc2, 0x78, 0xa3, 0x1f, 0x48, 0x06, 0xc2, 0xdf, 0x23, 0x5b, 0x64, 0xcb, 0xb8, 0x1f,
-	0x62, 0xa7, 0x24, 0x03, 0x7a, 0x67, 0xb1, 0x80, 0xce, 0x83, 0x11, 0x34, 0x1f, 0x29, 0x75, 0xfb,
+	0x26, 0x4e, 0x49, 0x06, 0xf4, 0xfe, 0x62, 0x01, 0x9d, 0x05, 0x21, 0x34, 0x1f, 0x2a, 0x75, 0xfb,
-	0x5c, 0x8b, 0x10, 0xa3, 0x87, 0x4f, 0xd0, 0xaa, 0xec, 0x9c, 0xd6, 0x53, 0x67, 0x59, 0x06, 0x73,
+	0x4c, 0x8b, 0x10, 0xa3, 0x87, 0x8f, 0xd1, 0x8a, 0xec, 0x9c, 0xd6, 0x33, 0x67, 0x59, 0x06, 0x73,
-	0xa8, 0xe0, 0xab, 0x47, 0xa9, 0xf9, 0x76, 0x52, 0x7b, 0x73, 0x5e, 0x3d, 0xf9, 0x55, 0x0c, 0xcc,
+	0xa0, 0xe0, 0x2b, 0x87, 0x99, 0xf9, 0x66, 0x5c, 0x7b, 0x67, 0x5e, 0x3d, 0xf9, 0x65, 0x02, 0xcc,
-	0x6d, 0xb7, 0x9e, 0x12, 0x2d, 0x22, 0x52, 0x63, 0xdc, 0xef, 0x83, 0x53, 0x2e, 0xa6, 0x76, 0x26,
+	0x6d, 0xb7, 0x9e, 0x11, 0x2d, 0x22, 0x52, 0x63, 0xdc, 0xef, 0x83, 0x53, 0x9e, 0x4e, 0xed, 0x54,
-	0x8c, 0xb7, 0xfa, 0x81, 0xa4, 0x20, 0x7c, 0x80, 0x10, 0x85, 0x1f, 0x13, 0x60, 0xbc, 0x4d, 0x5a,
+	0x18, 0x6f, 0xf4, 0x03, 0xc9, 0x40, 0x78, 0x1f, 0x21, 0x0a, 0x3f, 0xa7, 0xc0, 0x78, 0x9b, 0xb4,
-	0xce, 0x8a, 0xa4, 0x64, 0xa5, 0x23, 0x99, 0x87, 0xe4, 0x50, 0x78, 0x07, 0x2d, 0x8f, 0x81, 0x76,
+	0x9c, 0xfb, 0x92, 0x92, 0x97, 0x8e, 0xe4, 0x1e, 0x52, 0x40, 0xe1, 0x6d, 0xb4, 0x3c, 0x02, 0xda,
-	0x9c, 0x55, 0x89, 0x7e, 0xa8, 0xd0, 0xcb, 0xcf, 0x80, 0x76, 0x88, 0xf4, 0xe0, 0xcf, 0xd1, 0x72,
+	0x71, 0x56, 0x24, 0xfa, 0x81, 0x42, 0x2f, 0x3f, 0x07, 0xda, 0x21, 0xd2, 0x83, 0xbf, 0x44, 0xcb,
-	0xc2, 0x80, 0x3a, 0x15, 0x59, 0xab, 0xb7, 0x73, 0xb5, 0x72, 0x8b, 0xbd, 0x2d, 0x6a, 0xd4, 0x66,
+	0x29, 0x03, 0xea, 0x54, 0x64, 0xad, 0xde, 0x2b, 0xd4, 0xca, 0x9d, 0xee, 0x6d, 0x51, 0xa3, 0x36,
-	0x40, 0x5b, 0xe1, 0x45, 0x64, 0x94, 0x84, 0x85, 0x48, 0x05, 0x3c, 0x40, 0x5b, 0xc1, 0x28, 0x06,
+	0x03, 0xda, 0x8a, 0xce, 0x63, 0xa3, 0x24, 0x2c, 0x44, 0x2a, 0xe0, 0x01, 0xda, 0x0c, 0xc2, 0x04,
-	0xca, 0xa2, 0x50, 0xb4, 0x8a, 0xf0, 0x38, 0xf6, 0xbd, 0x54, 0x5f, 0x9b, 0x4e, 0x6a, 0x5b, 0xad,
+	0x28, 0x8b, 0x23, 0xd1, 0x2a, 0xc2, 0xe3, 0xd8, 0x77, 0x52, 0x7d, 0x6b, 0x32, 0xae, 0x6d, 0xb6,
-	0x19, 0x0d, 0x72, 0x47, 0x15, 0xbf, 0x8b, 0x6c, 0x16, 0x25, 0xb4, 0x0b, 0xad, 0x53, 0xe6, 0xa0,
+	0x66, 0x34, 0xc8, 0x2d, 0x55, 0xfc, 0x01, 0xb2, 0x59, 0x9c, 0xd2, 0x2e, 0xb4, 0x4e, 0x98, 0x83,
-	0x9d, 0x52, 0xc3, 0x6e, 0xae, 0x8b, 0x97, 0x76, 0xa6, 0x8d, 0xc4, 0xf8, 0xf1, 0x05, 0xb2, 0x23,
+	0xb6, 0x4b, 0x0d, 0xbb, 0xb9, 0x26, 0x5e, 0xda, 0xa9, 0x36, 0x12, 0xe3, 0xc7, 0xe7, 0xc8, 0x8e,
-	0xd9, 0x57, 0x04, 0x2e, 0x9c, 0x35, 0x19, 0xcf, 0xc7, 0xee, 0xa2, 0xab, 0x41, 0xb5, 0x29, 0x81,
+	0x65, 0x5f, 0x11, 0x38, 0x77, 0x56, 0x65, 0x3c, 0x9f, 0xba, 0x8b, 0xae, 0x06, 0xd5, 0xa6, 0x04,
-	0x0b, 0xa0, 0x10, 0x76, 0x21, 0xbd, 0x27, 0x33, 0x12, 0x23, 0x8d, 0x07, 0x68, 0x83, 0x02, 0x8b,
+	0xce, 0x81, 0x42, 0xd4, 0x85, 0xec, 0x9e, 0xdc, 0x48, 0x8c, 0x34, 0x1e, 0xa0, 0x75, 0x0a, 0x2c,
-	0xa3, 0x90, 0xc1, 0x19, 0xf7, 0x79, 0xc2, 0x9c, 0x87, 0xf2, 0xb2, 0xdd, 0xc5, 0xda, 0x2f, 0xe5,
+	0x89, 0x23, 0x06, 0xa7, 0xdc, 0xe7, 0x29, 0x73, 0x1e, 0xc8, 0xcb, 0x76, 0x16, 0x6b, 0xbf, 0x8c,
-	0x34, 0xf1, 0x74, 0x52, 0xdb, 0x20, 0x05, 0x1d, 0x32, 0xa3, 0x8b, 0x7d, 0xb4, 0xae, 0x5e, 0x71,
+	0xd3, 0xc4, 0x93, 0x71, 0x6d, 0x9d, 0x4c, 0xe9, 0x90, 0x19, 0x5d, 0xec, 0xa3, 0x35, 0xf5, 0x8a,
-	0x1a, 0x88, 0xb3, 0x2e, 0x2f, 0x6a, 0xcc, 0xbd, 0x48, 0xad, 0x00, 0xb7, 0x1d, 0x5e, 0x86, 0xd1,
+	0xb3, 0x40, 0x9c, 0x35, 0x79, 0x51, 0x63, 0xee, 0x45, 0x6a, 0x05, 0xb8, 0xed, 0xe8, 0x22, 0x8a,
-	0x4f, 0x61, 0xf3, 0xd1, 0x74, 0x52, 0x5b, 0x27, 0x79, 0x09, 0x52, 0x54, 0xc4, 0x3d, 0x93, 0x8c,
+	0x7f, 0x89, 0x9a, 0x0f, 0x27, 0xe3, 0xda, 0x1a, 0x29, 0x4a, 0x90, 0x69, 0x45, 0xdc, 0x33, 0xc9,
-	0xba, 0x63, 0xe3, 0x9e, 0x77, 0x14, 0x12, 0x51, 0x97, 0xcc, 0x68, 0xd6, 0xff, 0xb0, 0x90, 0x2d,
+	0xa8, 0x3b, 0xd6, 0xef, 0x78, 0xc7, 0x54, 0x22, 0xea, 0x92, 0x19, 0xcd, 0xfa, 0x0b, 0x0b, 0xd9,
-	0xd7, 0xc8, 0x71, 0xc0, 0x38, 0xfe, 0xee, 0xce, 0x2a, 0x71, 0x17, 0x2b, 0x9d, 0x60, 0xcb, 0x45,
+	0x72, 0x8d, 0x1c, 0x05, 0x8c, 0xe3, 0x1f, 0x6e, 0xad, 0x12, 0x77, 0xb1, 0xd2, 0x09, 0xb6, 0x5c,
-	0xb2, 0xa5, 0xba, 0xb2, 0xa2, 0x2d, 0xb9, 0x35, 0x72, 0x8e, 0xca, 0x01, 0x87, 0x11, 0x73, 0x1e,
+	0x24, 0x9b, 0xaa, 0x2b, 0x2b, 0xda, 0x52, 0x58, 0x23, 0x67, 0xa8, 0x1c, 0x70, 0x08, 0x99, 0x73,
-	0xec, 0x94, 0x1a, 0x6b, 0x07, 0xde, 0xe2, 0x2d, 0x20, 0x23, 0x6c, 0xae, 0xeb, 0xe1, 0x6c, 0x09,
+	0x6f, 0xbb, 0xd4, 0x58, 0xdd, 0xf7, 0x16, 0x6f, 0x01, 0x19, 0x61, 0x73, 0x4d, 0x0f, 0x67, 0x4b,
-	0x15, 0x92, 0x8a, 0xd5, 0x7f, 0xb7, 0xd0, 0xc6, 0x67, 0x34, 0x4a, 0x62, 0x02, 0x69, 0xc7, 0x31,
+	0xa8, 0x90, 0x4c, 0xac, 0xfe, 0x87, 0x85, 0xd6, 0xbf, 0xa0, 0x71, 0x9a, 0x10, 0xc8, 0x3a, 0x8e,
-	0xfc, 0x16, 0x2a, 0xf7, 0x85, 0x45, 0xe6, 0x60, 0x1b, 0x5e, 0x0a, 0x4b, 0x7d, 0xa2, 0x83, 0xa9,
+	0xe1, 0x77, 0x51, 0xb9, 0x2f, 0x2c, 0x32, 0x07, 0xdb, 0xf0, 0x32, 0x58, 0xe6, 0x13, 0x1d, 0x4c,
-	0x66, 0xc8, 0x88, 0x54, 0x07, 0x67, 0x32, 0xc4, 0xf8, 0xf1, 0x47, 0xe2, 0x7d, 0xa7, 0x87, 0x13,
+	0x35, 0x43, 0x46, 0xa4, 0x3a, 0x38, 0x97, 0x21, 0xc6, 0x8f, 0x9f, 0x88, 0xf7, 0x9d, 0x1d, 0x8e,
-	0x7f, 0x04, 0xcc, 0x29, 0x49, 0x82, 0x7a, 0x8b, 0x39, 0x07, 0x29, 0xe2, 0xea, 0xbf, 0x94, 0xd0,
+	0xfd, 0x10, 0x98, 0x53, 0x92, 0x04, 0xf5, 0x16, 0x0b, 0x0e, 0x32, 0x8d, 0xab, 0xff, 0x56, 0x42,
-	0xe6, 0x4c, 0x03, 0xe3, 0x5d, 0x54, 0xd1, 0x20, 0x15, 0x61, 0x56, 0x35, 0xad, 0x45, 0x32, 0x04,
+	0x1b, 0x33, 0x0d, 0x8c, 0x77, 0x50, 0x45, 0x83, 0x54, 0x84, 0x79, 0xd5, 0xb4, 0x16, 0xc9, 0x11,
-	0xf6, 0x90, 0x1d, 0x0a, 0xa9, 0xd8, 0xef, 0x82, 0x5a, 0xc0, 0xd9, 0x8a, 0x3c, 0xd1, 0x0e, 0x62,
+	0xd8, 0x43, 0x76, 0x24, 0xa4, 0x12, 0xbf, 0x0b, 0x6a, 0x01, 0xe7, 0x2b, 0xf2, 0x58, 0x3b, 0x88,
-	0x30, 0x62, 0xe1, 0x88, 0x83, 0x5c, 0xbd, 0xb9, 0x85, 0x23, 0xb0, 0x44, 0x7a, 0x70, 0x13, 0x95,
+	0xc1, 0x88, 0x85, 0x23, 0x0e, 0x72, 0xf5, 0x16, 0x16, 0x8e, 0xc0, 0x12, 0xe9, 0xc1, 0x4d, 0x54,
-	0x92, 0xa0, 0xa7, 0x16, 0xe8, 0x9e, 0x02, 0x94, 0xda, 0x8b, 0x2e, 0x4f, 0x41, 0x16, 0xab, 0xd0,
+	0x4a, 0x83, 0x9e, 0x5a, 0xa0, 0xbb, 0x0a, 0x50, 0x6a, 0x2f, 0xba, 0x3c, 0x05, 0x59, 0xac, 0x42,
-	0x8f, 0x83, 0x67, 0x40, 0x59, 0x10, 0x85, 0x6a, 0x7b, 0x66, 0xab, 0xf0, 0xe8, 0xb4, 0xa5, 0x3c,
+	0x3f, 0x09, 0x9e, 0x03, 0x65, 0x41, 0x1c, 0xa9, 0xed, 0x99, 0xaf, 0xc2, 0xc3, 0x93, 0x96, 0xf2,
-	0x24, 0x87, 0xc2, 0x47, 0x68, 0x53, 0xa7, 0xa5, 0x89, 0xe9, 0x0e, 0x7d, 0x43, 0x11, 0x37, 0x49,
+	0x90, 0x02, 0x0a, 0x1f, 0xa2, 0x0d, 0x9d, 0x96, 0x26, 0x66, 0x3b, 0xf4, 0xb1, 0x22, 0x6e, 0x90,
-	0xd1, 0x4d, 0x66, 0xf1, 0xf8, 0x03, 0xb4, 0xc6, 0x92, 0x4e, 0x56, 0xbe, 0x74, 0xa9, 0x3e, 0x56,
+	0x69, 0x37, 0x99, 0xc5, 0xe3, 0x8f, 0xd1, 0x2a, 0x4b, 0x3b, 0x79, 0xf9, 0xb2, 0xa5, 0xfa, 0x48,
-	0xf4, 0xb5, 0x33, 0xe3, 0x22, 0x79, 0x5c, 0xfd, 0x6f, 0x0b, 0xad, 0x9c, 0x46, 0xc3, 0xa0, 0x7b,
+	0xd1, 0x57, 0x4f, 0x8d, 0x8b, 0x14, 0x71, 0xf5, 0xbf, 0x2d, 0x74, 0xff, 0x24, 0x1e, 0x06, 0xdd,
-	0xf5, 0x0a, 0x3e, 0x97, 0x5f, 0xa3, 0x32, 0x4d, 0x86, 0xa0, 0xfb, 0xfc, 0x70, 0xf1, 0x3e, 0x4f,
+	0xcb, 0x37, 0xf0, 0xb9, 0xfc, 0x16, 0x95, 0x69, 0x3a, 0x04, 0xdd, 0xe7, 0x07, 0x8b, 0xf7, 0x79,
-	0x43, 0x24, 0xc9, 0x10, 0x4c, 0xd3, 0x8a, 0x13, 0x23, 0xa9, 0x62, 0xfd, 0x4f, 0x0b, 0xa1, 0x14,
+	0x16, 0x22, 0x49, 0x87, 0x60, 0x9a, 0x56, 0x9c, 0x18, 0xc9, 0x14, 0xeb, 0x7f, 0x5a, 0x08, 0x65,
-	0xf4, 0x0a, 0xe6, 0xb5, 0x5d, 0x9c, 0xd7, 0xbd, 0xfb, 0xe6, 0x31, 0x67, 0x60, 0x7f, 0x2d, 0xe9,
+	0xa0, 0x37, 0x30, 0xaf, 0xed, 0xe9, 0x79, 0xdd, 0xbd, 0x6b, 0x1e, 0x73, 0x06, 0xf6, 0x45, 0x49,
-	0x1c, 0x44, 0x6a, 0xe6, 0xe7, 0xc2, 0x5a, 0xe4, 0xe7, 0xa2, 0x86, 0xca, 0xe2, 0x4b, 0xa7, 0x27,
+	0xe7, 0x20, 0x52, 0x33, 0x3f, 0x17, 0xd6, 0x22, 0x3f, 0x17, 0x35, 0x54, 0x16, 0x5f, 0x3a, 0x3d,
-	0xd6, 0x16, 0x48, 0xf1, 0x41, 0x62, 0x24, 0xb5, 0x63, 0x17, 0x21, 0xf1, 0x20, 0x47, 0x5d, 0x8f,
+	0xb1, 0xb6, 0x40, 0x8a, 0x0f, 0x12, 0x23, 0x99, 0x1d, 0xbb, 0x08, 0x89, 0x07, 0x39, 0xea, 0x7a,
-	0xe9, 0x86, 0x78, 0x55, 0xed, 0xcc, 0x4a, 0x72, 0x08, 0x21, 0x28, 0x3e, 0xc2, 0xcc, 0x59, 0x36,
+	0x4c, 0xd7, 0xc5, 0xab, 0x6a, 0xe7, 0x56, 0x52, 0x40, 0x08, 0x41, 0xf1, 0x11, 0x66, 0xce, 0xb2,
-	0x82, 0xe2, 0xdb, 0xcc, 0x48, 0x6a, 0xc7, 0x41, 0x7e, 0x4f, 0x94, 0x65, 0x25, 0x9e, 0x2c, 0x5e,
+	0x11, 0x14, 0xdf, 0x66, 0x46, 0x32, 0x3b, 0x0e, 0x8a, 0x7b, 0xa2, 0x2c, 0x2b, 0xf1, 0x74, 0xf1,
-	0x89, 0xe2, 0x66, 0x32, 0x93, 0xfb, 0xd2, 0x2d, 0xe3, 0x22, 0x94, 0x8d, 0x31, 0x73, 0x56, 0x4c,
+	0x4a, 0x4c, 0x6f, 0x26, 0x33, 0xb9, 0xaf, 0xdd, 0x32, 0x2e, 0x42, 0xf9, 0x18, 0x33, 0xe7, 0xbe,
-	0xec, 0xd9, 0x9c, 0x33, 0x92, 0x43, 0xe0, 0x4f, 0xd0, 0x66, 0x18, 0x85, 0x5a, 0xaa, 0x4d, 0x8e,
+	0x89, 0x3d, 0x9f, 0x73, 0x46, 0x0a, 0x08, 0xfc, 0x19, 0xda, 0x88, 0xe2, 0x48, 0x4b, 0xb5, 0xc9,
-	0x99, 0xb3, 0x2a, 0x49, 0x8f, 0xc5, 0x2c, 0x9d, 0x14, 0x5d, 0x64, 0x16, 0xdb, 0x74, 0xaf, 0x6f,
+	0x11, 0x73, 0x56, 0x24, 0xe9, 0x91, 0x98, 0xa5, 0xe3, 0x69, 0x17, 0x99, 0xc5, 0xe2, 0x27, 0x08,
-	0xaa, 0x4b, 0xcf, 0x6f, 0xaa, 0x4b, 0x2f, 0x6e, 0xaa, 0x4b, 0x3f, 0x4f, 0xab, 0xd6, 0xf5, 0xb4,
+	0xc5, 0x61, 0xc0, 0xe5, 0x1f, 0x0e, 0x73, 0x2a, 0x92, 0xf9, 0x58, 0x76, 0x75, 0x6e, 0x35, 0x7f,
-	0x6a, 0x3d, 0x9f, 0x56, 0xad, 0x17, 0xd3, 0xaa, 0xf5, 0xcf, 0xb4, 0x6a, 0xfd, 0xf6, 0x6f, 0x75,
+	0x40, 0x05, 0x68, 0xd3, 0xbd, 0xba, 0xae, 0x2e, 0xbd, 0xbc, 0xae, 0x2e, 0xbd, 0xba, 0xae, 0x2e,
-	0xe9, 0x9b, 0x8a, 0xce, 0xe5, 0xbf, 0x00, 0x00, 0x00, 0xff, 0xff, 0x6c, 0x88, 0x4f, 0x33, 0x21,
+	0xfd, 0x3a, 0xa9, 0x5a, 0x57, 0x93, 0xaa, 0xf5, 0x72, 0x52, 0xb5, 0x5e, 0x4d, 0xaa, 0xd6, 0x3f,
-	0x0c, 0x00, 0x00,
+	0x93, 0xaa, 0xf5, 0xfb, 0xbf, 0xd5, 0xa5, 0xef, 0x2a, 0xba, 0x08, 0xff, 0x05, 0x00, 0x00, 0xff,
+	0xff, 0x92, 0xdb, 0xa5, 0x50, 0x5a, 0x0c, 0x00, 0x00,
 }

staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/generated.proto

@@ -205,5 +205,9 @@ message PolicyRule {
   //  "/healthz*" - Log all health checks
   // +optional
   repeated string nonResourceURLs = 7;
+
+  // OmitStages specify events generated in which stages will not be emitted to backend.
+  // An empty list means no restrictions will apply.
+  repeated string omitStages = 8;
 }
 

staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/types.go

@@ -208,6 +208,10 @@ type PolicyRule struct {
 	//  "/healthz*" - Log all health checks
 	// +optional
 	NonResourceURLs []string `json:"nonResourceURLs,omitempty" protobuf:"bytes,7,rep,name=nonResourceURLs"`
+
+	// OmitStages specify events generated in which stages will not be emitted to backend.
+	// An empty list means no restrictions will apply.
+	OmitStages []Stage `json:"omitStages,omitempty" protobuf:"bytes,8,rep,name=omitStages"`
 }
 
 // GroupResources represents resource kinds in an API group.

staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/zz_generated.conversion.go

@@ -264,6 +264,7 @@ func autoConvert_v1alpha1_PolicyRule_To_audit_PolicyRule(in *PolicyRule, out *au
 	out.Resources = *(*[]audit.GroupResources)(unsafe.Pointer(&in.Resources))
 	out.Namespaces = *(*[]string)(unsafe.Pointer(&in.Namespaces))
 	out.NonResourceURLs = *(*[]string)(unsafe.Pointer(&in.NonResourceURLs))
+	out.OmitStages = *(*[]audit.Stage)(unsafe.Pointer(&in.OmitStages))
 	return nil
 }
 
@@ -280,6 +281,7 @@ func autoConvert_audit_PolicyRule_To_v1alpha1_PolicyRule(in *audit.PolicyRule, o
 	out.Resources = *(*[]GroupResources)(unsafe.Pointer(&in.Resources))
 	out.Namespaces = *(*[]string)(unsafe.Pointer(&in.Namespaces))
 	out.NonResourceURLs = *(*[]string)(unsafe.Pointer(&in.NonResourceURLs))
+	out.OmitStages = *(*[]Stage)(unsafe.Pointer(&in.OmitStages))
 	return nil
 }
 

staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/zz_generated.deepcopy.go

@@ -327,6 +327,11 @@ func (in *PolicyRule) DeepCopyInto(out *PolicyRule) {
 		*out = make([]string, len(*in))
 		copy(*out, *in)
 	}
+	if in.OmitStages != nil {
+		in, out := &in.OmitStages, &out.OmitStages
+		*out = make([]Stage, len(*in))
+		copy(*out, *in)
+	}
 	return
 }
 

staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/generated.pb.go

@@ -547,6 +547,21 @@ func (m *PolicyRule) MarshalTo(dAtA []byte) (int, error) {
 			i += copy(dAtA[i:], s)
 		}
 	}
+	if len(m.OmitStages) > 0 {
+		for _, s := range m.OmitStages {
+			dAtA[i] = 0x42
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
 	return i, nil
 }
 
@@ -750,6 +765,12 @@ func (m *PolicyRule) Size() (n int) {
 			n += 1 + l + sovGenerated(uint64(l))
 		}
 	}
+	if len(m.OmitStages) > 0 {
+		for _, s := range m.OmitStages {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
 	return n
 }
 
@@ -863,6 +884,7 @@ func (this *PolicyRule) String() string {
 		`Resources:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Resources), "GroupResources", "GroupResources", 1), `&`, ``, 1) + `,`,
 		`Namespaces:` + fmt.Sprintf("%v", this.Namespaces) + `,`,
 		`NonResourceURLs:` + fmt.Sprintf("%v", this.NonResourceURLs) + `,`,
+		`OmitStages:` + fmt.Sprintf("%v", this.OmitStages) + `,`,
 		`}`,
 	}, "")
 	return s
@@ -2340,6 +2362,35 @@ func (m *PolicyRule) Unmarshal(dAtA []byte) error {
 			}
 			m.NonResourceURLs = append(m.NonResourceURLs, string(dAtA[iNdEx:postIndex]))
 			iNdEx = postIndex
+		case 8:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field OmitStages", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.OmitStages = append(m.OmitStages, Stage(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipGenerated(dAtA[iNdEx:])
@@ -2471,76 +2522,78 @@ func init() {
 }
 
 var fileDescriptorGenerated = []byte{
-	// 1131 bytes of a gzipped FileDescriptorProto
+	// 1153 bytes of a gzipped FileDescriptorProto
 	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x56, 0x4f, 0x6f, 0x1b, 0x45,
-	0x14, 0xcf, 0xd6, 0x71, 0xe2, 0x9d, 0x34, 0x7f, 0x3a, 0x45, 0xb0, 0xca, 0xc1, 0x0e, 0x46, 0x82,
+	0x14, 0xcf, 0xd6, 0x71, 0xe2, 0x9d, 0x34, 0x7f, 0x3a, 0x45, 0x74, 0x95, 0x83, 0x1d, 0x8c, 0x04,
-	0x08, 0xd2, 0xdd, 0xa6, 0x2d, 0x34, 0x17, 0x0e, 0xb1, 0x8a, 0xc0, 0x52, 0x08, 0xd1, 0x24, 0xae,
+	0x11, 0xa4, 0xbb, 0x4d, 0x5b, 0x48, 0x2e, 0x1c, 0x62, 0x15, 0x81, 0xa5, 0x10, 0xa2, 0x49, 0x5c,
-	0x10, 0x70, 0x60, 0x6c, 0xbf, 0xd8, 0x4b, 0xec, 0xdd, 0x65, 0x66, 0xd6, 0x28, 0x37, 0x2e, 0xdc,
+	0x21, 0xe0, 0xc0, 0xd8, 0x7e, 0xb1, 0x97, 0x78, 0xff, 0x30, 0x33, 0x6b, 0x94, 0x1b, 0x1f, 0x81,
-	0xb9, 0xf3, 0x2d, 0xf8, 0x00, 0x08, 0x09, 0x0e, 0x39, 0xf6, 0xd8, 0x93, 0x45, 0xcc, 0xb7, 0xc8,
+	0x3b, 0xdf, 0x82, 0x0f, 0x50, 0x21, 0xc1, 0x21, 0xc7, 0x1e, 0x7b, 0xb2, 0x88, 0xf9, 0x16, 0x39,
-	0x09, 0xcd, 0xec, 0xec, 0xce, 0xae, 0x5d, 0x53, 0xe7, 0xd2, 0x9b, 0xe7, 0xbd, 0xdf, 0xef, 0x37,
+	0xa1, 0x99, 0x9d, 0xdd, 0x59, 0xdb, 0x4d, 0xeb, 0x5c, 0x7a, 0xdb, 0x7d, 0xef, 0xf7, 0xfb, 0xcd,
-	0xef, 0xbd, 0x79, 0xef, 0xad, 0xd1, 0xc9, 0xc5, 0x01, 0x77, 0xfd, 0xd0, 0xbb, 0x88, 0xdb, 0xc0,
+	0x7b, 0x6f, 0xde, 0x7b, 0xbb, 0xe8, 0xf8, 0x7c, 0x9f, 0xbb, 0x7e, 0xe4, 0x9d, 0x27, 0x6d, 0x60,
-	0x02, 0x10, 0xc0, 0xbd, 0x11, 0x04, 0xdd, 0x90, 0x79, 0xda, 0x41, 0x23, 0x9f, 0x03, 0x1b, 0x01,
+	0x21, 0x08, 0xe0, 0xde, 0x10, 0xc2, 0x6e, 0xc4, 0x3c, 0xed, 0xa0, 0xb1, 0xcf, 0x81, 0x0d, 0x81,
-	0xf3, 0xa2, 0x8b, 0x9e, 0x3a, 0x79, 0x34, 0xee, 0xfa, 0xc2, 0x1b, 0xed, 0xb7, 0x41, 0xd0, 0x7d,
+	0x79, 0xf1, 0x79, 0x4f, 0xbd, 0x79, 0x34, 0xe9, 0xfa, 0xc2, 0x1b, 0xee, 0xb6, 0x41, 0xd0, 0x5d,
-	0xaf, 0x07, 0x01, 0x30, 0x2a, 0xa0, 0xeb, 0x46, 0x2c, 0x14, 0x21, 0xfe, 0x20, 0x21, 0xba, 0x19,
+	0xaf, 0x07, 0x21, 0x30, 0x2a, 0xa0, 0xeb, 0xc6, 0x2c, 0x12, 0x11, 0xfe, 0x38, 0x25, 0xba, 0x39,
-	0xd1, 0x8d, 0x2e, 0x7a, 0xea, 0xe4, 0x2a, 0xa2, 0xab, 0x89, 0xdb, 0x0f, 0x7a, 0xbe, 0xe8, 0xc7,
+	0xd1, 0x8d, 0xcf, 0x7b, 0xea, 0xcd, 0x55, 0x44, 0x57, 0x13, 0x37, 0x1f, 0xf6, 0x7c, 0xd1, 0x4f,
-	0x6d, 0xb7, 0x13, 0x0e, 0xbd, 0x5e, 0xd8, 0x0b, 0x3d, 0xc5, 0x6f, 0xc7, 0xe7, 0xea, 0xa4, 0x0e,
+	0xda, 0x6e, 0x27, 0x0a, 0xbc, 0x5e, 0xd4, 0x8b, 0x3c, 0xc5, 0x6f, 0x27, 0x67, 0xea, 0x4d, 0xbd,
-	0xea, 0x57, 0xa2, 0xbb, 0xbd, 0x67, 0x02, 0xf2, 0x68, 0x2c, 0xfa, 0x10, 0x08, 0xbf, 0x43, 0x85,
+	0xa8, 0xa7, 0x54, 0x77, 0x73, 0xc7, 0x04, 0xe4, 0xd1, 0x44, 0xf4, 0x21, 0x14, 0x7e, 0x87, 0x0a,
-	0x1f, 0x06, 0xde, 0x68, 0x26, 0x8a, 0xed, 0x27, 0x06, 0x3d, 0xa4, 0x9d, 0xbe, 0x1f, 0x00, 0xbb,
+	0x3f, 0x0a, 0xbd, 0xe1, 0x4c, 0x14, 0x9b, 0x4f, 0x0d, 0x3a, 0xa0, 0x9d, 0xbe, 0x1f, 0x02, 0xbb,
-	0x34, 0x19, 0x0c, 0x41, 0xd0, 0x57, 0xb1, 0xbc, 0x79, 0x2c, 0x16, 0x07, 0xc2, 0x1f, 0xc2, 0x0c,
+	0x30, 0x19, 0x04, 0x20, 0xe8, 0xeb, 0x58, 0xde, 0x4d, 0x2c, 0x96, 0x84, 0xc2, 0x0f, 0x60, 0x86,
-	0xe1, 0x93, 0xd7, 0x11, 0x78, 0xa7, 0x0f, 0x43, 0x3a, 0xc3, 0x7b, 0x3c, 0x8f, 0x17, 0x0b, 0x7f,
+	0xf0, 0xf9, 0xdb, 0x08, 0xbc, 0xd3, 0x87, 0x80, 0xce, 0xf0, 0x9e, 0xdc, 0xc4, 0x4b, 0x84, 0x3f,
-	0xe0, 0xf9, 0x81, 0xe0, 0x82, 0xcd, 0x90, 0x0e, 0x5e, 0xff, 0x24, 0x74, 0x10, 0xf5, 0x67, 0xdf,
+	0xf0, 0xfc, 0x50, 0x70, 0xc1, 0x66, 0x48, 0xfb, 0x6f, 0xbf, 0x12, 0x3a, 0x88, 0xfb, 0xb3, 0x77,
-	0xa4, 0xfe, 0x57, 0x05, 0x95, 0x3f, 0x1b, 0x41, 0x20, 0xf0, 0xf7, 0xa8, 0x22, 0x93, 0xef, 0x52,
+	0x52, 0xff, 0xbb, 0x82, 0xca, 0x5f, 0x0e, 0x21, 0x14, 0xf8, 0x27, 0x54, 0x91, 0xc9, 0x77, 0xa9,
-	0x41, 0x1d, 0x6b, 0xc7, 0xda, 0x5d, 0x7b, 0xf4, 0xd0, 0x35, 0x0f, 0x96, 0xc5, 0x62, 0xde, 0x4c,
+	0xa0, 0x8e, 0xb5, 0x65, 0x6d, 0xaf, 0x3c, 0x7e, 0xe4, 0x9a, 0x0b, 0xcb, 0x63, 0x31, 0x77, 0x26,
-	0xa2, 0xdd, 0xd1, 0xbe, 0xfb, 0x55, 0xfb, 0x07, 0xe8, 0x88, 0x2f, 0x41, 0xd0, 0x06, 0xbe, 0x1a,
+	0xd1, 0xee, 0x70, 0xd7, 0xfd, 0xb6, 0xfd, 0x33, 0x74, 0xc4, 0x37, 0x20, 0x68, 0x03, 0x5f, 0x8e,
-	0xd7, 0x96, 0x26, 0xe3, 0x1a, 0x32, 0x36, 0x92, 0xa9, 0xe2, 0x3d, 0x54, 0x1e, 0xc0, 0x08, 0x06,
+	0x6a, 0x0b, 0xe3, 0x51, 0x0d, 0x19, 0x1b, 0xc9, 0x55, 0xf1, 0x0e, 0x2a, 0x0f, 0x60, 0x08, 0x03,
-	0xce, 0x9d, 0x1d, 0x6b, 0xd7, 0x6e, 0xbc, 0xad, 0xc1, 0xe5, 0x23, 0x69, 0xbc, 0x49, 0x7f, 0x90,
+	0xe7, 0xce, 0x96, 0xb5, 0x6d, 0x37, 0xde, 0xd7, 0xe0, 0xf2, 0xa1, 0x34, 0x5e, 0x67, 0x0f, 0x24,
-	0x04, 0x84, 0xbf, 0x45, 0xb6, 0xac, 0x13, 0x17, 0x74, 0x18, 0x39, 0x25, 0x15, 0xd0, 0x87, 0x8b,
+	0x05, 0xe1, 0x1f, 0x90, 0x2d, 0xeb, 0xc4, 0x05, 0x0d, 0x62, 0xa7, 0xa4, 0x02, 0xfa, 0x64, 0xbe,
-	0x05, 0x74, 0xe6, 0x0f, 0xa1, 0x71, 0x4f, 0xab, 0xdb, 0x67, 0xa9, 0x08, 0x31, 0x7a, 0xf8, 0x18,
+	0x80, 0x4e, 0xfd, 0x00, 0x1a, 0xf7, 0xb4, 0xba, 0x7d, 0x9a, 0x89, 0x10, 0xa3, 0x87, 0x8f, 0xd0,
-	0xad, 0xaa, 0xc2, 0x34, 0x9f, 0x39, 0xcb, 0x2a, 0x98, 0x27, 0x1a, 0xbe, 0x7a, 0x98, 0x98, 0x6f,
+	0xb2, 0x2a, 0x4c, 0xf3, 0x99, 0xb3, 0xa8, 0x82, 0x79, 0xaa, 0xe1, 0xcb, 0x07, 0xa9, 0xf9, 0x7a,
-	0xc6, 0xb5, 0x77, 0xe7, 0xbd, 0x84, 0xb8, 0x8c, 0x80, 0xbb, 0xad, 0xe6, 0x33, 0x92, 0x8a, 0xc8,
+	0x54, 0xfb, 0xe0, 0xa6, 0x9b, 0x10, 0x17, 0x31, 0x70, 0xb7, 0xd5, 0x7c, 0x46, 0x32, 0x11, 0x99,
-	0xd4, 0xb8, 0xa0, 0x3d, 0x70, 0xca, 0xc5, 0xd4, 0x4e, 0xa5, 0xf1, 0x26, 0xfd, 0x41, 0x12, 0x10,
+	0x1a, 0x17, 0xb4, 0x07, 0x4e, 0x79, 0x32, 0xb5, 0x13, 0x69, 0xbc, 0xce, 0x1e, 0x48, 0x0a, 0xc2,
-	0x7e, 0x84, 0x10, 0x83, 0x1f, 0x63, 0xe0, 0xa2, 0x45, 0x9a, 0xce, 0x8a, 0xa2, 0x64, 0xa5, 0x23,
+	0x8f, 0x11, 0x62, 0xf0, 0x4b, 0x02, 0x5c, 0xb4, 0x48, 0xd3, 0x59, 0x52, 0x94, 0xbc, 0x74, 0x24,
-	0x99, 0x87, 0xe4, 0x50, 0x78, 0x07, 0x2d, 0x8f, 0x80, 0xb5, 0x9d, 0x55, 0x85, 0xbe, 0xab, 0xd1,
+	0xf7, 0x90, 0x02, 0x0a, 0x6f, 0xa1, 0xc5, 0x21, 0xb0, 0xb6, 0xb3, 0xac, 0xd0, 0x77, 0x35, 0x7a,
-	0xcb, 0xcf, 0x81, 0xb5, 0x89, 0xf2, 0xe0, 0x2f, 0xd0, 0x72, 0xcc, 0x81, 0x39, 0x15, 0x55, 0xab,
+	0xf1, 0x39, 0xb0, 0x36, 0x51, 0x1e, 0xfc, 0x35, 0x5a, 0x4c, 0x38, 0x30, 0xa7, 0xa2, 0x6a, 0xf5,
-	0xf7, 0x73, 0xb5, 0x72, 0x8b, 0x53, 0x21, 0x6b, 0xd4, 0xe2, 0xc0, 0x9a, 0xc1, 0x79, 0x68, 0x94,
+	0x51, 0xa1, 0x56, 0xee, 0xe4, 0x54, 0xc8, 0x1a, 0xb5, 0x38, 0xb0, 0x66, 0x78, 0x16, 0x19, 0x25,
-	0xa4, 0x85, 0x28, 0x05, 0xdc, 0x47, 0x5b, 0xfe, 0x30, 0x02, 0xc6, 0xc3, 0x40, 0xb6, 0x8a, 0xf4,
+	0x69, 0x21, 0x4a, 0x01, 0xf7, 0xd1, 0x86, 0x1f, 0xc4, 0xc0, 0x78, 0x14, 0xca, 0x56, 0x91, 0x1e,
-	0x38, 0xf6, 0xad, 0x54, 0xdf, 0x9a, 0x8c, 0x6b, 0x5b, 0xcd, 0x29, 0x0d, 0x32, 0xa3, 0x8a, 0x3f,
+	0xc7, 0xbe, 0x95, 0xea, 0x7b, 0xe3, 0x51, 0x6d, 0xa3, 0x39, 0xa5, 0x41, 0x66, 0x54, 0xf1, 0xa7,
-	0x42, 0x36, 0x0f, 0x63, 0xd6, 0x81, 0xe6, 0x09, 0x77, 0xd0, 0x4e, 0x69, 0xd7, 0x6e, 0xac, 0xcb,
+	0xc8, 0xe6, 0x51, 0xc2, 0x3a, 0xd0, 0x3c, 0xe6, 0x0e, 0xda, 0x2a, 0x6d, 0xdb, 0x8d, 0x55, 0x79,
-	0x47, 0x3b, 0x4d, 0x8d, 0xc4, 0xf8, 0x31, 0x20, 0x3b, 0x54, 0x7d, 0x45, 0xe0, 0xdc, 0x59, 0x53,
+	0x69, 0x27, 0x99, 0x91, 0x18, 0x3f, 0x06, 0x64, 0x47, 0xaa, 0xaf, 0x08, 0x9c, 0x39, 0x2b, 0x2a,
-	0xf1, 0x1c, 0xb8, 0x0b, 0xee, 0x14, 0xdd, 0xa5, 0x04, 0xce, 0x81, 0x41, 0xd0, 0x81, 0xe4, 0x9a,
+	0x9e, 0x7d, 0x77, 0xce, 0x9d, 0xa2, 0xbb, 0x94, 0xc0, 0x19, 0x30, 0x08, 0x3b, 0x90, 0x1e, 0x93,
-	0xcc, 0x48, 0x8c, 0x32, 0xee, 0xa3, 0x0d, 0x06, 0x3c, 0x0a, 0x03, 0x0e, 0xa7, 0x82, 0x8a, 0x98,
+	0x1b, 0x89, 0x51, 0xc6, 0x7d, 0xb4, 0xc6, 0x80, 0xc7, 0x51, 0xc8, 0xe1, 0x44, 0x50, 0x91, 0x70,
-	0x3b, 0x77, 0xd5, 0x5d, 0x7b, 0x8b, 0x75, 0x5f, 0xc2, 0x69, 0xe0, 0xc9, 0xb8, 0xb6, 0x41, 0x0a,
+	0xe7, 0xae, 0x3a, 0x6b, 0x67, 0xbe, 0xee, 0x4b, 0x39, 0x0d, 0x3c, 0x1e, 0xd5, 0xd6, 0xc8, 0x84,
-	0x3a, 0x64, 0x4a, 0x17, 0x53, 0xb4, 0xae, 0x5f, 0x38, 0x09, 0xc4, 0x59, 0x57, 0x17, 0xed, 0xce,
+	0x0e, 0x99, 0xd2, 0xc5, 0x14, 0xad, 0xea, 0x1b, 0x4e, 0x03, 0x71, 0x56, 0xd5, 0x41, 0xdb, 0x37,
-	0xbd, 0x48, 0xef, 0x0e, 0xb7, 0x15, 0x5c, 0x04, 0xe1, 0x4f, 0x41, 0xe3, 0xde, 0x64, 0x5c, 0x5b,
+	0x1e, 0xa4, 0x77, 0x87, 0xdb, 0x0a, 0xcf, 0xc3, 0xe8, 0xd7, 0xb0, 0x71, 0x6f, 0x3c, 0xaa, 0xad,
-	0x27, 0x79, 0x09, 0x52, 0x54, 0xc4, 0x5d, 0x93, 0x8c, 0xbe, 0x63, 0xe3, 0x96, 0x77, 0x14, 0x12,
+	0x92, 0xa2, 0x04, 0x99, 0x54, 0xc4, 0x5d, 0x93, 0x8c, 0x3e, 0x63, 0xed, 0x96, 0x67, 0x4c, 0x24,
-	0xd1, 0x97, 0x4c, 0x69, 0xd6, 0xff, 0xb0, 0x90, 0xad, 0xb6, 0xc8, 0x91, 0xcf, 0x05, 0xfe, 0x6e,
+	0xa2, 0x0f, 0x99, 0xd2, 0xac, 0xbf, 0xb0, 0x90, 0xad, 0xb6, 0xc8, 0xa1, 0xcf, 0x05, 0xfe, 0x71,
-	0x66, 0x93, 0xb8, 0x8b, 0x95, 0x4e, 0xb2, 0xd5, 0x1e, 0xd9, 0xd2, 0x4d, 0x59, 0x49, 0x2d, 0xb9,
+	0x66, 0x93, 0xb8, 0xf3, 0x95, 0x4e, 0xb2, 0xd5, 0x1e, 0xd9, 0xd0, 0x4d, 0x59, 0xc9, 0x2c, 0x85,
-	0x2d, 0x72, 0x8a, 0xca, 0xbe, 0x80, 0x21, 0x77, 0xee, 0xec, 0x94, 0xa6, 0xa4, 0xff, 0xbf, 0x03,
+	0x2d, 0x72, 0x82, 0xca, 0xbe, 0x80, 0x80, 0x3b, 0x77, 0xb6, 0x4a, 0x53, 0xd2, 0x6f, 0xee, 0x00,
-	0x54, 0x80, 0x8d, 0xf5, 0x74, 0x34, 0x9b, 0x52, 0x84, 0x24, 0x5a, 0xf5, 0xdf, 0x2c, 0xb4, 0xf1,
+	0x15, 0x60, 0x63, 0x35, 0x1b, 0xcd, 0xa6, 0x14, 0x21, 0xa9, 0x56, 0xfd, 0x0f, 0x0b, 0xad, 0x7d,
-	0x39, 0x0b, 0xe3, 0x88, 0x40, 0xd2, 0x6f, 0x1c, 0xbf, 0x87, 0xca, 0x3d, 0x69, 0x51, 0x29, 0xd8,
+	0xc5, 0xa2, 0x24, 0x26, 0x90, 0xf6, 0x1b, 0xc7, 0x1f, 0xa2, 0x72, 0x4f, 0x5a, 0x54, 0x0a, 0xb6,
-	0x86, 0x97, 0xc0, 0x12, 0x9f, 0xec, 0x5f, 0x96, 0x32, 0x54, 0x40, 0xba, 0x7f, 0x33, 0x19, 0x62,
+	0xe1, 0xa5, 0xb0, 0xd4, 0x27, 0xfb, 0x97, 0x65, 0x0c, 0x15, 0x90, 0xee, 0xdf, 0x5c, 0x86, 0x18,
-	0xfc, 0xf8, 0xa9, 0x7c, 0xee, 0xe4, 0x70, 0x4c, 0x87, 0xc0, 0x9d, 0x92, 0x22, 0xe8, 0x47, 0xcc,
+	0x3f, 0xde, 0x93, 0xd7, 0x9d, 0xbe, 0x1c, 0xd1, 0x00, 0xb8, 0x53, 0x52, 0x04, 0x7d, 0x89, 0x05,
-	0x39, 0x48, 0x11, 0x57, 0xff, 0xbd, 0x84, 0x36, 0xa7, 0xfa, 0x17, 0xef, 0xa1, 0x4a, 0x0a, 0xd2,
+	0x07, 0x99, 0xc4, 0xd5, 0xff, 0x2c, 0xa1, 0xf5, 0xa9, 0xfe, 0xc5, 0x3b, 0xa8, 0x92, 0x81, 0x74,
-	0x11, 0x66, 0x45, 0x4b, 0xb5, 0x48, 0x86, 0xc0, 0x1e, 0xb2, 0x03, 0x29, 0x15, 0xd1, 0x0e, 0xe8,
+	0x84, 0x79, 0xd1, 0x32, 0x2d, 0x92, 0x23, 0xb0, 0x87, 0xec, 0x50, 0x4a, 0xc5, 0xb4, 0x03, 0x7a,
-	0xf5, 0x9b, 0x2d, 0xc8, 0xe3, 0xd4, 0x41, 0x0c, 0x46, 0xae, 0x1b, 0x79, 0x50, 0x8b, 0x37, 0xb7,
+	0xfd, 0xe6, 0x0b, 0xf2, 0x28, 0x73, 0x10, 0x83, 0x91, 0xeb, 0x46, 0xbe, 0xa8, 0xc5, 0x5b, 0x58,
-	0x6e, 0x24, 0x96, 0x28, 0x0f, 0x6e, 0xa0, 0x52, 0xec, 0x77, 0xf5, 0xfa, 0x7c, 0xa8, 0x01, 0xa5,
+	0x37, 0x12, 0x4b, 0x94, 0x07, 0x37, 0x50, 0x29, 0xf1, 0xbb, 0x7a, 0x7d, 0x3e, 0xd2, 0x80, 0x52,
-	0xd6, 0xa2, 0xab, 0x53, 0x92, 0x65, 0x12, 0x34, 0xf2, 0x55, 0x45, 0xf5, 0xe6, 0xcc, 0x92, 0x38,
+	0x6b, 0xde, 0xd5, 0x29, 0xc9, 0x32, 0x09, 0x1a, 0xfb, 0xaa, 0xa2, 0x7a, 0x73, 0xe6, 0x49, 0x1c,
-	0x3c, 0x69, 0x26, 0x95, 0xce, 0x10, 0x72, 0x6d, 0xd2, 0xc8, 0x7f, 0x0e, 0x8c, 0xfb, 0x61, 0x30,
+	0x1c, 0x37, 0xd3, 0x4a, 0xe7, 0x08, 0xb9, 0x36, 0x69, 0xec, 0x3f, 0x07, 0xc6, 0xfd, 0x28, 0x9c,
-	0xbd, 0x36, 0x0f, 0x4f, 0x9a, 0xda, 0x43, 0x72, 0x28, 0x7c, 0x88, 0x36, 0xd3, 0x22, 0xa4, 0xc4,
+	0x5e, 0x9b, 0x07, 0xc7, 0x4d, 0xed, 0x21, 0x05, 0x14, 0x3e, 0x40, 0xeb, 0x59, 0x11, 0x32, 0x62,
-	0x64, 0x83, 0xbe, 0xa3, 0x89, 0x9b, 0xa4, 0xe8, 0x26, 0xd3, 0x78, 0xfc, 0x31, 0x5a, 0xe3, 0x71,
+	0xba, 0x41, 0x1f, 0x68, 0xe2, 0x3a, 0x99, 0x74, 0x93, 0x69, 0x3c, 0xfe, 0x0c, 0xad, 0xf0, 0xa4,
-	0x3b, 0x2b, 0x76, 0x45, 0xd1, 0xef, 0x6b, 0xfa, 0xda, 0xa9, 0x71, 0x91, 0x3c, 0xae, 0xfe, 0xb7,
+	0x9d, 0x17, 0xbb, 0xa2, 0xe8, 0xf7, 0x35, 0x7d, 0xe5, 0xc4, 0xb8, 0x48, 0x11, 0x57, 0xff, 0xc7,
-	0x85, 0x56, 0x4e, 0xc2, 0x81, 0xdf, 0xb9, 0x7c, 0x03, 0x9f, 0xd6, 0xaf, 0x51, 0x99, 0xc5, 0x03,
+	0x42, 0x4b, 0xc7, 0xd1, 0xc0, 0xef, 0x5c, 0xbc, 0x83, 0x4f, 0xeb, 0x77, 0xa8, 0xcc, 0x92, 0x01,
-	0x48, 0x87, 0xe2, 0xf1, 0xc2, 0x43, 0x91, 0x44, 0x48, 0xe2, 0x01, 0x98, 0x0e, 0x97, 0x27, 0x4e,
+	0x64, 0x43, 0xf1, 0x64, 0xee, 0xa1, 0x48, 0x23, 0x24, 0xc9, 0x00, 0x4c, 0x87, 0xcb, 0x37, 0x4e,
-	0x12, 0xc1, 0xfa, 0x9f, 0x16, 0x42, 0x09, 0xe8, 0x0d, 0xcc, 0xf6, 0x59, 0x71, 0xb6, 0xbd, 0x5b,
+	0x52, 0xc1, 0xfa, 0x5f, 0x16, 0x42, 0x29, 0xe8, 0x1d, 0xcc, 0xf6, 0xe9, 0xe4, 0x6c, 0x7b, 0xb7,
-	0xa6, 0x31, 0x67, 0xb8, 0x7f, 0x29, 0xa5, 0x29, 0xc8, 0xcc, 0xcc, 0xdf, 0x10, 0x6b, 0x91, 0xbf,
+	0x4c, 0xe3, 0x86, 0xe1, 0x7e, 0x51, 0xca, 0x52, 0x90, 0x99, 0x99, 0xdf, 0x10, 0x6b, 0x9e, 0xdf,
-	0x21, 0x35, 0x54, 0x96, 0xdf, 0xc4, 0x74, 0xba, 0x6d, 0x89, 0x94, 0x9f, 0x2e, 0x4e, 0x12, 0x3b,
+	0x90, 0x1a, 0x2a, 0xcb, 0x6f, 0x62, 0x36, 0xdd, 0xb6, 0x44, 0xca, 0x4f, 0x17, 0x27, 0xa9, 0x1d,
-	0x76, 0x11, 0x92, 0x3f, 0x54, 0x8b, 0xa6, 0x23, 0xbd, 0x21, 0x1f, 0xaa, 0x95, 0x59, 0x49, 0x0e,
+	0xbb, 0x08, 0xc9, 0x07, 0xd5, 0xa2, 0xd9, 0x48, 0xaf, 0xc9, 0x8b, 0x6a, 0xe5, 0x56, 0x52, 0x40,
-	0x21, 0x05, 0xe5, 0xe7, 0x9a, 0x3b, 0xcb, 0x46, 0x50, 0x7e, 0xc5, 0x39, 0x49, 0xec, 0xb8, 0x9f,
+	0x48, 0x41, 0xf9, 0xb9, 0xe6, 0xce, 0xa2, 0x11, 0x94, 0x5f, 0x71, 0x4e, 0x52, 0x3b, 0xee, 0x17,
-	0xdf, 0x29, 0x65, 0x55, 0x88, 0xa7, 0x0b, 0x17, 0xa2, 0xb8, 0xc4, 0xcc, 0x90, 0xbf, 0x72, 0x21,
+	0x77, 0x4a, 0x59, 0x15, 0x62, 0x6f, 0xee, 0x42, 0x4c, 0x2e, 0x31, 0x33, 0xe4, 0xaf, 0x5d, 0x48,
-	0xb9, 0x08, 0x65, 0x13, 0xcf, 0x9d, 0x15, 0x13, 0x7a, 0xb6, 0x12, 0x38, 0xc9, 0x21, 0xf0, 0xa7,
+	0x2e, 0x42, 0xf9, 0xc4, 0x73, 0x67, 0xc9, 0x84, 0x9e, 0xaf, 0x04, 0x4e, 0x0a, 0x08, 0xfc, 0x05,
-	0x68, 0x33, 0x08, 0x83, 0x54, 0xaa, 0x45, 0x8e, 0xb8, 0xb3, 0xaa, 0x48, 0xf7, 0xe5, 0x20, 0x1d,
+	0x5a, 0x0f, 0xa3, 0x30, 0x93, 0x6a, 0x91, 0x43, 0xee, 0x2c, 0x2b, 0xd2, 0x7d, 0x39, 0x48, 0x47,
-	0x17, 0x5d, 0x64, 0x1a, 0xdb, 0x78, 0x70, 0x75, 0x5d, 0x5d, 0x7a, 0x71, 0x5d, 0x5d, 0x7a, 0x79,
+	0x93, 0x2e, 0x32, 0x8d, 0xc5, 0x7b, 0x08, 0x45, 0x81, 0x2f, 0xd4, 0xaf, 0x10, 0x77, 0x2a, 0x8a,
-	0x5d, 0x5d, 0xfa, 0x79, 0x52, 0xb5, 0xae, 0x26, 0x55, 0xeb, 0xc5, 0xa4, 0x6a, 0xbd, 0x9c, 0x54,
+	0xf9, 0x40, 0xb5, 0x74, 0x6e, 0x35, 0xbf, 0x4a, 0x05, 0x68, 0xe3, 0xe1, 0xe5, 0x55, 0x75, 0xe1,
-	0xad, 0x7f, 0x26, 0x55, 0xeb, 0xd7, 0x7f, 0xab, 0x4b, 0xdf, 0xac, 0xea, 0x54, 0xfe, 0x0b, 0x00,
+	0xe5, 0x55, 0x75, 0xe1, 0xd5, 0x55, 0x75, 0xe1, 0xb7, 0x71, 0xd5, 0xba, 0x1c, 0x57, 0xad, 0x97,
-	0x00, 0xff, 0xff, 0x88, 0x33, 0xe9, 0x19, 0x81, 0x0c, 0x00, 0x00,
+	0xe3, 0xaa, 0xf5, 0x6a, 0x5c, 0xb5, 0xfe, 0x1d, 0x57, 0xad, 0xdf, 0xff, 0xab, 0x2e, 0x7c, 0xbf,
+	0xac, 0x6b, 0xf0, 0x7f, 0x00, 0x00, 0x00, 0xff, 0xff, 0x19, 0x44, 0x81, 0xf3, 0xba, 0x0c, 0x00,
+	0x00,
 }

staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/generated.proto

@@ -212,5 +212,9 @@ message PolicyRule {
   //  "/healthz*" - Log all health checks
   // +optional
   repeated string nonResourceURLs = 7;
+
+  // OmitStages specify events generated in which stages will not be emitted to backend.
+  // An empty list means no restrictions will apply.
+  repeated string omitStages = 8;
 }
 

staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/types.go

@@ -201,6 +201,10 @@ type PolicyRule struct {
 	//  "/healthz*" - Log all health checks
 	// +optional
 	NonResourceURLs []string `json:"nonResourceURLs,omitempty" protobuf:"bytes,7,rep,name=nonResourceURLs"`
+
+	// OmitStages specify events generated in which stages will not be emitted to backend.
+	// An empty list means no restrictions will apply.
+	OmitStages []Stage `json:"omitStages,omitempty" protobuf:"bytes,8,rep,name=omitStages"`
 }
 
 // GroupResources represents resource kinds in an API group.

staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/zz_generated.conversion.go

@@ -239,6 +239,7 @@ func autoConvert_v1beta1_PolicyRule_To_audit_PolicyRule(in *PolicyRule, out *aud
 	out.Resources = *(*[]audit.GroupResources)(unsafe.Pointer(&in.Resources))
 	out.Namespaces = *(*[]string)(unsafe.Pointer(&in.Namespaces))
 	out.NonResourceURLs = *(*[]string)(unsafe.Pointer(&in.NonResourceURLs))
+	out.OmitStages = *(*[]audit.Stage)(unsafe.Pointer(&in.OmitStages))
 	return nil
 }
 
@@ -255,6 +256,7 @@ func autoConvert_audit_PolicyRule_To_v1beta1_PolicyRule(in *audit.PolicyRule, ou
 	out.Resources = *(*[]GroupResources)(unsafe.Pointer(&in.Resources))
 	out.Namespaces = *(*[]string)(unsafe.Pointer(&in.Namespaces))
 	out.NonResourceURLs = *(*[]string)(unsafe.Pointer(&in.NonResourceURLs))
+	out.OmitStages = *(*[]Stage)(unsafe.Pointer(&in.OmitStages))
 	return nil
 }
 

staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/zz_generated.deepcopy.go

@@ -327,6 +327,11 @@ func (in *PolicyRule) DeepCopyInto(out *PolicyRule) {
 		*out = make([]string, len(*in))
 		copy(*out, *in)
 	}
+	if in.OmitStages != nil {
+		in, out := &in.OmitStages, &out.OmitStages
+		*out = make([]Stage, len(*in))
+		copy(*out, *in)
+	}
 	return
 }
 

staging/src/k8s.io/apiserver/pkg/apis/audit/validation/validation.go

@@ -38,6 +38,7 @@ func validatePolicyRule(rule audit.PolicyRule, fldPath *field.Path) field.ErrorL
 	allErrs = append(allErrs, validateLevel(rule.Level, fldPath.Child("level"))...)
 	allErrs = append(allErrs, validateNonResourceURLs(rule.NonResourceURLs, fldPath.Child("nonResourceURLs"))...)
 	allErrs = append(allErrs, validateResources(rule.Resources, fldPath.Child("resources"))...)
+	allErrs = append(allErrs, validateOmitStages(rule.OmitStages, fldPath.Child("omitStages"))...)
 
 	if len(rule.NonResourceURLs) > 0 {
 		if len(rule.Resources) > 0 || len(rule.Namespaces) > 0 {
@@ -55,6 +56,13 @@ var validLevels = []string{
 	string(audit.LevelRequestResponse),
 }
 
+var validOmitStages = []string{
+	string(audit.StageRequestReceived),
+	string(audit.StageResponseStarted),
+	string(audit.StageResponseComplete),
+	string(audit.StagePanic),
+}
+
 func validateLevel(level audit.Level, fldPath *field.Path) field.ErrorList {
 	switch level {
 	case audit.LevelNone, audit.LevelMetadata, audit.LevelRequest, audit.LevelRequestResponse:
@@ -104,3 +112,20 @@ func validateResources(groupResources []audit.GroupResources, fldPath *field.Pat
 	}
 	return allErrs
 }
+
+func validateOmitStages(omitStages []audit.Stage, fldPath *field.Path) field.ErrorList {
+	var allErrs field.ErrorList
+	for i, stage := range omitStages {
+		valid := false
+		for _, validOmitStage := range validOmitStages {
+			if string(stage) == validOmitStage {
+				valid = true
+				break
+			}
+		}
+		if !valid {
+			allErrs = append(allErrs, field.Invalid(fldPath.Index(i), string(stage), "allowed stages are "+strings.Join(validOmitStages, ",")))
+		}
+	}
+	return allErrs
+}

staging/src/k8s.io/apiserver/pkg/apis/audit/validation/validation_test.go

@@ -43,6 +43,11 @@ func TestValidatePolicy(t *testing.T) {
 				"/metrics",
 				"*",
 			},
+		}, { // Omit RequestReceived stage
+			Level: audit.LevelMetadata,
+			OmitStages: []audit.Stage{
+				audit.Stage("RequestReceived"),
+			},
 		},
 	}
 	successCases := []audit.Policy{}
@@ -108,6 +113,12 @@ func TestValidatePolicy(t *testing.T) {
 			Resources:  []audit.GroupResources{{ResourceNames: []string{"leader"}}},
 			Namespaces: []string{"kube-system"},
 		},
+		{ // invalid omitStages
+			Level: audit.LevelMetadata,
+			OmitStages: []audit.Stage{
+				audit.Stage("foo"),
+			},
+		},
 	}
 	errorCases := []audit.Policy{}
 	for _, rule := range invalidRules {

staging/src/k8s.io/apiserver/pkg/apis/audit/zz_generated.deepcopy.go

@@ -325,6 +325,11 @@ func (in *PolicyRule) DeepCopyInto(out *PolicyRule) {
 		*out = make([]string, len(*in))
 		copy(*out, *in)
 	}
+	if in.OmitStages != nil {
+		in, out := &in.OmitStages, &out.OmitStages
+		*out = make([]Stage, len(*in))
+		copy(*out, *in)
+	}
 	return
 }
 

staging/src/k8s.io/apiserver/pkg/audit/policy/checker.go

@@ -31,7 +31,7 @@ const (
 // Checker exposes methods for checking the policy rules.
 type Checker interface {
 	// Check the audit level for a request with the given authorizer attributes.
-	Level(authorizer.Attributes) audit.Level
+	LevelAndStages(authorizer.Attributes) (audit.Level, []audit.Stage)
 }
 
 // NewChecker creates a new policy checker.
@@ -40,21 +40,21 @@ func NewChecker(policy *audit.Policy) Checker {
 }
 
 // FakeChecker creates a checker that returns a constant level for all requests (for testing).
-func FakeChecker(level audit.Level) Checker {
+func FakeChecker(level audit.Level, stage []audit.Stage) Checker {
-	return &fakeChecker{level}
+	return &fakeChecker{level, stage}
 }
 
 type policyChecker struct {
 	audit.Policy
 }
 
-func (p *policyChecker) Level(attrs authorizer.Attributes) audit.Level {
+func (p *policyChecker) LevelAndStages(attrs authorizer.Attributes) (audit.Level, []audit.Stage) {
 	for _, rule := range p.Rules {
 		if ruleMatches(&rule, attrs) {
-			return rule.Level
+			return rule.Level, rule.OmitStages
 		}
 	}
-	return DefaultAuditLevel
+	return DefaultAuditLevel, nil
 }
 
 // Check whether the rule matches the request attrs.
@@ -181,8 +181,9 @@ func hasString(slice []string, value string) bool {
 
 type fakeChecker struct {
 	level audit.Level
+	stage []audit.Stage
 }
 
-func (f *fakeChecker) Level(_ authorizer.Attributes) audit.Level {
+func (f *fakeChecker) LevelAndStages(_ authorizer.Attributes) (audit.Level, []audit.Stage) {
-	return f.level
+	return f.level, f.stage
 }

staging/src/k8s.io/apiserver/pkg/audit/policy/checker_test.go

@@ -136,59 +136,80 @@ func TestChecker(t *testing.T) {
 				ResourceNames: []string{"edit"},
 			}},
 		},
+		"omit RequestReceived": {
+			Level: audit.LevelRequest,
+			OmitStages: []audit.Stage{
+				audit.StageRequestReceived,
+			},
+		},
+		"only audit panic": {
+			Level: audit.LevelRequest,
+			OmitStages: []audit.Stage{
+				audit.StageRequestReceived,
+				audit.StageResponseStarted,
+				audit.StageResponseComplete,
+			},
+		},
 	}
 
-	test := func(req string, expected audit.Level, ruleNames ...string) {
+	test := func(req string, expLevel audit.Level, expOmitStages []audit.Stage, ruleNames ...string) {
 		policy := audit.Policy{}
 		for _, rule := range ruleNames {
 			require.Contains(t, rules, rule)
 			policy.Rules = append(policy.Rules, rules[rule])
 		}
 		require.Contains(t, attrs, req)
-		actual := NewChecker(&policy).Level(attrs[req])
+		actualLevel, actualOmitStages := NewChecker(&policy).LevelAndStages(attrs[req])
-		assert.Equal(t, expected, actual, "request:%s rules:%s", req, strings.Join(ruleNames, ","))
+		assert.Equal(t, expLevel, actualLevel, "request:%s rules:%s", req, strings.Join(ruleNames, ","))
+		assert.Equal(t, expOmitStages, actualOmitStages, "request:%s rules:%s", req, strings.Join(ruleNames, ","))
 	}
 
-	test("namespaced", audit.LevelMetadata, "default")
+	test("namespaced", audit.LevelMetadata, nil, "default")
-	test("namespaced", audit.LevelNone, "create")
+	test("namespaced", audit.LevelNone, nil, "create")
-	test("namespaced", audit.LevelMetadata, "tims")
+	test("namespaced", audit.LevelMetadata, nil, "tims")
-	test("namespaced", audit.LevelMetadata, "humans")
+	test("namespaced", audit.LevelMetadata, nil, "humans")
-	test("namespaced", audit.LevelNone, "serviceAccounts")
+	test("namespaced", audit.LevelNone, nil, "serviceAccounts")
-	test("namespaced", audit.LevelRequestResponse, "getPods")
+	test("namespaced", audit.LevelRequestResponse, nil, "getPods")
-	test("namespaced", audit.LevelNone, "getClusterRoles")
+	test("namespaced", audit.LevelNone, nil, "getClusterRoles")
-	test("namespaced", audit.LevelNone, "getLogs")
+	test("namespaced", audit.LevelNone, nil, "getLogs")
-	test("namespaced", audit.LevelNone, "getMetrics")
+	test("namespaced", audit.LevelNone, nil, "getMetrics")
-	test("namespaced", audit.LevelMetadata, "getMetrics", "serviceAccounts", "default")
+	test("namespaced", audit.LevelMetadata, nil, "getMetrics", "serviceAccounts", "default")
-	test("namespaced", audit.LevelRequestResponse, "getMetrics", "getPods", "default")
+	test("namespaced", audit.LevelRequestResponse, nil, "getMetrics", "getPods", "default")
-	test("namespaced", audit.LevelRequestResponse, "getPodLogs", "getPods")
+	test("namespaced", audit.LevelRequestResponse, nil, "getPodLogs", "getPods")
+	test("namespaced", audit.LevelRequest, []audit.Stage{audit.StageRequestReceived}, "omit RequestReceived", "getPods", "default")
+	test("namespaced", audit.LevelRequest, []audit.Stage{audit.StageRequestReceived, audit.StageResponseStarted, audit.StageResponseComplete}, "only audit panic", "getPods", "default")
 
-	test("cluster", audit.LevelMetadata, "default")
+	test("cluster", audit.LevelMetadata, nil, "default")
-	test("cluster", audit.LevelNone, "create")
+	test("cluster", audit.LevelNone, nil, "create")
-	test("cluster", audit.LevelMetadata, "tims")
+	test("cluster", audit.LevelMetadata, nil, "tims")
-	test("cluster", audit.LevelMetadata, "humans")
+	test("cluster", audit.LevelMetadata, nil, "humans")
-	test("cluster", audit.LevelNone, "serviceAccounts")
+	test("cluster", audit.LevelNone, nil, "serviceAccounts")
-	test("cluster", audit.LevelNone, "getPods")
+	test("cluster", audit.LevelNone, nil, "getPods")
-	test("cluster", audit.LevelRequestResponse, "getClusterRoles")
+	test("cluster", audit.LevelRequestResponse, nil, "getClusterRoles")
-	test("cluster", audit.LevelRequest, "clusterRoleEdit", "getClusterRoles")
+	test("cluster", audit.LevelRequest, nil, "clusterRoleEdit", "getClusterRoles")
-	test("cluster", audit.LevelNone, "getLogs")
+	test("cluster", audit.LevelNone, nil, "getLogs")
-	test("cluster", audit.LevelNone, "getMetrics")
+	test("cluster", audit.LevelNone, nil, "getMetrics")
-	test("cluster", audit.LevelMetadata, "getMetrics", "serviceAccounts", "default")
+	test("cluster", audit.LevelMetadata, nil, "getMetrics", "serviceAccounts", "default")
-	test("cluster", audit.LevelRequestResponse, "getMetrics", "getClusterRoles", "default")
+	test("cluster", audit.LevelRequestResponse, nil, "getMetrics", "getClusterRoles", "default")
-	test("cluster", audit.LevelNone, "getPodLogs", "getPods")
+	test("cluster", audit.LevelNone, nil, "getPodLogs", "getPods")
+	test("cluster", audit.LevelRequest, []audit.Stage{audit.StageRequestReceived}, "omit RequestReceived", "getPods", "default")
+	test("cluster", audit.LevelRequest, []audit.Stage{audit.StageRequestReceived, audit.StageResponseStarted, audit.StageResponseComplete}, "only audit panic", "getPods", "default")
 
-	test("nonResource", audit.LevelMetadata, "default")
+	test("nonResource", audit.LevelMetadata, nil, "default")
-	test("nonResource", audit.LevelNone, "create")
+	test("nonResource", audit.LevelNone, nil, "create")
-	test("nonResource", audit.LevelMetadata, "tims")
+	test("nonResource", audit.LevelMetadata, nil, "tims")
-	test("nonResource", audit.LevelMetadata, "humans")
+	test("nonResource", audit.LevelMetadata, nil, "humans")
-	test("nonResource", audit.LevelNone, "serviceAccounts")
+	test("nonResource", audit.LevelNone, nil, "serviceAccounts")
-	test("nonResource", audit.LevelNone, "getPods")
+	test("nonResource", audit.LevelNone, nil, "getPods")
-	test("nonResource", audit.LevelNone, "getClusterRoles")
+	test("nonResource", audit.LevelNone, nil, "getClusterRoles")
-	test("nonResource", audit.LevelRequestResponse, "getLogs")
+	test("nonResource", audit.LevelRequestResponse, nil, "getLogs")
-	test("nonResource", audit.LevelNone, "getMetrics")
+	test("nonResource", audit.LevelNone, nil, "getMetrics")
-	test("nonResource", audit.LevelMetadata, "getMetrics", "serviceAccounts", "default")
+	test("nonResource", audit.LevelMetadata, nil, "getMetrics", "serviceAccounts", "default")
-	test("nonResource", audit.LevelRequestResponse, "getLogs", "getClusterRoles", "default")
+	test("nonResource", audit.LevelRequestResponse, nil, "getLogs", "getClusterRoles", "default")
-	test("nonResource", audit.LevelNone, "getPodLogs", "getPods")
+	test("nonResource", audit.LevelNone, nil, "getPodLogs", "getPods")
+	test("nonResource", audit.LevelRequest, []audit.Stage{audit.StageRequestReceived}, "omit RequestReceived", "getPods", "default")
+	test("nonResource", audit.LevelRequest, []audit.Stage{audit.StageRequestReceived, audit.StageResponseStarted, audit.StageResponseComplete}, "only audit panic", "getPods", "default")
 
-	test("subresource", audit.LevelRequest, "getPodLogs", "getPods")
+	test("subresource", audit.LevelRequest, nil, "getPodLogs", "getPods")
-	test("subresource", audit.LevelRequest, "getPods", "getPodLogs")
+	test("subresource", audit.LevelRequest, nil, "getPods", "getPodLogs")
 }

staging/src/k8s.io/apiserver/pkg/endpoints/apiserver_test.go

@@ -331,7 +331,7 @@ func handleInternal(storage map[string]rest.Storage, admissionControl admission.
 		}
 	}
 
-	handler := genericapifilters.WithAudit(mux, requestContextMapper, auditSink, auditpolicy.FakeChecker(auditinternal.LevelRequestResponse), func(r *http.Request, requestInfo *request.RequestInfo) bool {
+	handler := genericapifilters.WithAudit(mux, requestContextMapper, auditSink, auditpolicy.FakeChecker(auditinternal.LevelRequestResponse, nil), func(r *http.Request, requestInfo *request.RequestInfo) bool {
 		// simplified long-running check
 		return requestInfo.Verb == "watch" || requestInfo.Verb == "proxy"
 	})

staging/src/k8s.io/apiserver/pkg/endpoints/filters/audit.go

@@ -42,7 +42,7 @@ func WithAudit(handler http.Handler, requestContextMapper request.RequestContext
 		return handler
 	}
 	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-		ctx, ev, err := createAuditEventAndAttachToContext(requestContextMapper, req, policy)
+		ctx, ev, omitStages, err := createAuditEventAndAttachToContext(requestContextMapper, req, policy)
 		if err != nil {
 			utilruntime.HandleError(fmt.Errorf("failed to create audit event: %v", err))
 			responsewriters.InternalError(w, req, errors.New("failed to create audit event"))
@@ -54,7 +54,7 @@ func WithAudit(handler http.Handler, requestContextMapper request.RequestContext
 		}
 
 		ev.Stage = auditinternal.StageRequestReceived
-		processAuditEvent(sink, ev)
+		processAuditEvent(sink, ev, omitStages)
 
 		// intercept the status code
 		var longRunningSink audit.Sink
@@ -64,7 +64,7 @@ func WithAudit(handler http.Handler, requestContextMapper request.RequestContext
 				longRunningSink = sink
 			}
 		}
-		respWriter := decorateResponseWriter(w, ev, longRunningSink)
+		respWriter := decorateResponseWriter(w, ev, longRunningSink, omitStages)
 
 		// send audit event when we leave this func, either via a panic or cleanly. In the case of long
 		// running requests, this will be the second audit event.
@@ -78,7 +78,7 @@ func WithAudit(handler http.Handler, requestContextMapper request.RequestContext
 					Reason:  metav1.StatusReasonInternalError,
 					Message: fmt.Sprintf("APIServer panic'd: %v", r),
 				}
-				processAuditEvent(sink, ev)
+				processAuditEvent(sink, ev, omitStages)
 				return
 			}
 
@@ -92,14 +92,14 @@ func WithAudit(handler http.Handler, requestContextMapper request.RequestContext
 			if ev.ResponseStatus == nil && longRunningSink != nil {
 				ev.ResponseStatus = fakedSuccessStatus
 				ev.Stage = auditinternal.StageResponseStarted
-				processAuditEvent(longRunningSink, ev)
+				processAuditEvent(longRunningSink, ev, omitStages)
 			}
 
 			ev.Stage = auditinternal.StageResponseComplete
 			if ev.ResponseStatus == nil {
 				ev.ResponseStatus = fakedSuccessStatus
 			}
-			processAuditEvent(sink, ev)
+			processAuditEvent(sink, ev, omitStages)
 		}()
 		handler.ServeHTTP(respWriter, req)
 	})
@@ -110,47 +110,53 @@ func WithAudit(handler http.Handler, requestContextMapper request.RequestContext
 // - context with audit event attached to it
 // - created audit event
 // - error if anything bad happened
-func createAuditEventAndAttachToContext(requestContextMapper request.RequestContextMapper, req *http.Request, policy policy.Checker) (request.Context, *auditinternal.Event, error) {
+func createAuditEventAndAttachToContext(requestContextMapper request.RequestContextMapper, req *http.Request, policy policy.Checker) (request.Context, *auditinternal.Event, []auditinternal.Stage, error) {
 	ctx, ok := requestContextMapper.Get(req)
 	if !ok {
-		return nil, nil, fmt.Errorf("no context found for request")
+		return nil, nil, nil, fmt.Errorf("no context found for request")
 	}
 
 	attribs, err := GetAuthorizerAttributes(ctx)
 	if err != nil {
-		return nil, nil, fmt.Errorf("failed to GetAuthorizerAttributes: %v", err)
+		return nil, nil, nil, fmt.Errorf("failed to GetAuthorizerAttributes: %v", err)
 	}
 
-	level := policy.Level(attribs)
+	level, omitStages := policy.LevelAndStages(attribs)
 	audit.ObservePolicyLevel(level)
 	if level == auditinternal.LevelNone {
 		// Don't audit.
-		return nil, nil, nil
+		return nil, nil, nil, nil
 	}
 
 	ev, err := audit.NewEventFromRequest(req, level, attribs)
 	if err != nil {
-		return nil, nil, fmt.Errorf("failed to complete audit event from request: %v", err)
+		return nil, nil, nil, fmt.Errorf("failed to complete audit event from request: %v", err)
 	}
 
 	ctx = request.WithAuditEvent(ctx, ev)
 	if err := requestContextMapper.Update(req, ctx); err != nil {
-		return nil, nil, fmt.Errorf("failed to attach audit event to context: %v", err)
+		return nil, nil, nil, fmt.Errorf("failed to attach audit event to context: %v", err)
 	}
 
-	return ctx, ev, nil
+	return ctx, ev, omitStages, nil
 }
 
-func processAuditEvent(sink audit.Sink, ev *auditinternal.Event) {
+func processAuditEvent(sink audit.Sink, ev *auditinternal.Event, omitStages []auditinternal.Stage) {
+	for _, stage := range omitStages {
+		if ev.Stage == stage {
+			return
+		}
+	}
 	audit.ObserveEvent()
 	sink.ProcessEvents(ev)
 }
 
-func decorateResponseWriter(responseWriter http.ResponseWriter, ev *auditinternal.Event, sink audit.Sink) http.ResponseWriter {
+func decorateResponseWriter(responseWriter http.ResponseWriter, ev *auditinternal.Event, sink audit.Sink, omitStages []auditinternal.Stage) http.ResponseWriter {
 	delegate := &auditResponseWriter{
 		ResponseWriter: responseWriter,
 		event:          ev,
 		sink:           sink,
+		omitStages:     omitStages,
 	}
 
 	// check if the ResponseWriter we're wrapping is the fancy one we need
@@ -173,6 +179,7 @@ type auditResponseWriter struct {
 	event      *auditinternal.Event
 	once       sync.Once
 	sink       audit.Sink
+	omitStages []auditinternal.Stage
 }
 
 func (a *auditResponseWriter) setHttpHeader() {
@@ -188,7 +195,7 @@ func (a *auditResponseWriter) processCode(code int) {
 		a.event.Stage = auditinternal.StageResponseStarted
 
 		if a.sink != nil {
-			processAuditEvent(a.sink, a.event)
+			processAuditEvent(a.sink, a.event, a.omitStages)
 		}
 	})
 }

staging/src/k8s.io/apiserver/pkg/endpoints/filters/audit_test.go

@@ -98,14 +98,14 @@ func (*fancyResponseWriter) Flush() {}
 func (*fancyResponseWriter) Hijack() (net.Conn, *bufio.ReadWriter, error) { return nil, nil, nil }
 
 func TestConstructResponseWriter(t *testing.T) {
-	actual := decorateResponseWriter(&simpleResponseWriter{}, nil, nil)
+	actual := decorateResponseWriter(&simpleResponseWriter{}, nil, nil, nil)
 	switch v := actual.(type) {
 	case *auditResponseWriter:
 	default:
 		t.Errorf("Expected auditResponseWriter, got %v", reflect.TypeOf(v))
 	}
 
-	actual = decorateResponseWriter(&fancyResponseWriter{}, nil, nil)
+	actual = decorateResponseWriter(&fancyResponseWriter{}, nil, nil, nil)
 	switch v := actual.(type) {
 	case *fancyResponseWriterDelegator:
 	default:
@@ -115,7 +115,7 @@ func TestConstructResponseWriter(t *testing.T) {
 
 func TestDecorateResponseWriterWithoutChannel(t *testing.T) {
 	ev := &auditinternal.Event{}
-	actual := decorateResponseWriter(&simpleResponseWriter{}, ev, nil)
+	actual := decorateResponseWriter(&simpleResponseWriter{}, ev, nil, nil)
 
 	// write status. This will not block because firstEventSentCh is nil
 	actual.WriteHeader(42)
@@ -129,7 +129,7 @@ func TestDecorateResponseWriterWithoutChannel(t *testing.T) {
 
 func TestDecorateResponseWriterWithImplicitWrite(t *testing.T) {
 	ev := &auditinternal.Event{}
-	actual := decorateResponseWriter(&simpleResponseWriter{}, ev, nil)
+	actual := decorateResponseWriter(&simpleResponseWriter{}, ev, nil, nil)
 
 	// write status. This will not block because firstEventSentCh is nil
 	actual.Write([]byte("foo"))
@@ -144,7 +144,7 @@ func TestDecorateResponseWriterWithImplicitWrite(t *testing.T) {
 func TestDecorateResponseWriterChannel(t *testing.T) {
 	sink := &fakeAuditSink{}
 	ev := &auditinternal.Event{}
-	actual := decorateResponseWriter(&simpleResponseWriter{}, ev, sink)
+	actual := decorateResponseWriter(&simpleResponseWriter{}, ev, sink, nil)
 
 	done := make(chan struct{})
 	go func() {
@@ -206,6 +206,7 @@ func TestAuditLegacy(t *testing.T) {
 		desc       string
 		path       string
 		verb       string
+		omitStages []auditinternal.Stage
 		handler    func(http.ResponseWriter, *http.Request)
 		expected   []string
 	}{
@@ -214,6 +215,7 @@ func TestAuditLegacy(t *testing.T) {
 			"read-only empty",
 			shortRunningPath,
 			"GET",
+			nil,
 			func(http.ResponseWriter, *http.Request) {},
 			[]string{
 				readOnlyShortRunningPrefix(auditinternal.StageRequestReceived) + ` response="<deferred>"`,
@@ -224,6 +226,7 @@ func TestAuditLegacy(t *testing.T) {
 			"read-only panic",
 			shortRunningPath,
 			"GET",
+			nil,
 			func(w http.ResponseWriter, req *http.Request) {
 				panic("kaboom")
 			},
@@ -238,6 +241,7 @@ func TestAuditLegacy(t *testing.T) {
 			"writing empty",
 			shortRunningPath,
 			"PUT",
+			nil,
 			func(http.ResponseWriter, *http.Request) {},
 			[]string{
 				writingShortRunningPrefix(auditinternal.StageRequestReceived) + ` response="<deferred>"`,
@@ -248,6 +252,7 @@ func TestAuditLegacy(t *testing.T) {
 			"writing sleep",
 			shortRunningPath,
 			"PUT",
+			nil,
 			func(http.ResponseWriter, *http.Request) {
 				time.Sleep(delay)
 			},
@@ -260,6 +265,7 @@ func TestAuditLegacy(t *testing.T) {
 			"writing 403+write",
 			shortRunningPath,
 			"PUT",
+			nil,
 			func(w http.ResponseWriter, req *http.Request) {
 				w.WriteHeader(403)
 				w.Write([]byte("foo"))
@@ -273,6 +279,7 @@ func TestAuditLegacy(t *testing.T) {
 			"writing panic",
 			shortRunningPath,
 			"PUT",
+			nil,
 			func(w http.ResponseWriter, req *http.Request) {
 				panic("kaboom")
 			},
@@ -285,6 +292,7 @@ func TestAuditLegacy(t *testing.T) {
 			"writing write+panic",
 			shortRunningPath,
 			"PUT",
+			nil,
 			func(w http.ResponseWriter, req *http.Request) {
 				w.Write([]byte("foo"))
 				panic("kaboom")
@@ -300,6 +308,7 @@ func TestAuditLegacy(t *testing.T) {
 			"empty longrunning",
 			longRunningPath,
 			"GET",
+			nil,
 			func(http.ResponseWriter, *http.Request) {},
 			[]string{
 				longRunningPrefix(auditinternal.StageRequestReceived) + ` response="<deferred>"`,
@@ -311,6 +320,7 @@ func TestAuditLegacy(t *testing.T) {
 			"sleep longrunning",
 			longRunningPath,
 			"GET",
+			nil,
 			func(http.ResponseWriter, *http.Request) {
 				time.Sleep(delay)
 			},
@@ -324,6 +334,7 @@ func TestAuditLegacy(t *testing.T) {
 			"sleep+403 longrunning",
 			longRunningPath,
 			"GET",
+			nil,
 			func(w http.ResponseWriter, req *http.Request) {
 				time.Sleep(delay)
 				w.WriteHeader(403)
@@ -338,6 +349,7 @@ func TestAuditLegacy(t *testing.T) {
 			"write longrunning",
 			longRunningPath,
 			"GET",
+			nil,
 			func(w http.ResponseWriter, req *http.Request) {
 				w.Write([]byte("foo"))
 			},
@@ -351,6 +363,7 @@ func TestAuditLegacy(t *testing.T) {
 			"403+write longrunning",
 			longRunningPath,
 			"GET",
+			nil,
 			func(w http.ResponseWriter, req *http.Request) {
 				w.WriteHeader(403)
 				w.Write([]byte("foo"))
@@ -365,6 +378,7 @@ func TestAuditLegacy(t *testing.T) {
 			"panic longrunning",
 			longRunningPath,
 			"GET",
+			nil,
 			func(w http.ResponseWriter, req *http.Request) {
 				panic("kaboom")
 			},
@@ -377,6 +391,7 @@ func TestAuditLegacy(t *testing.T) {
 			"write+panic longrunning",
 			longRunningPath,
 			"GET",
+			nil,
 			func(w http.ResponseWriter, req *http.Request) {
 				w.Write([]byte("foo"))
 				panic("kaboom")
@@ -387,10 +402,33 @@ func TestAuditLegacy(t *testing.T) {
 				longRunningPrefix(auditinternal.StagePanic) + ` response="500"`,
 			},
 		},
+		{
+			"omit RequestReceived",
+			shortRunningPath,
+			"GET",
+			[]auditinternal.Stage{auditinternal.StageRequestReceived},
+			func(http.ResponseWriter, *http.Request) {},
+			[]string{
+				readOnlyShortRunningPrefix(auditinternal.StageResponseComplete) + ` response="200"`,
+			},
+		},
+		{
+			"emit painc only",
+			longRunningPath,
+			"GET",
+			[]auditinternal.Stage{auditinternal.StageRequestReceived, auditinternal.StageResponseStarted, auditinternal.StageResponseComplete},
+			func(w http.ResponseWriter, req *http.Request) {
+				w.Write([]byte("foo"))
+				panic("kaboom")
+			},
+			[]string{
+				longRunningPrefix(auditinternal.StagePanic) + ` response="500"`,
+			},
+		},
 	} {
 		var buf bytes.Buffer
 		backend := pluginlog.NewBackend(&buf, pluginlog.FormatLegacy, auditv1beta1.SchemeGroupVersion)
-		policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse)
+		policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse, test.omitStages)
 		handler := WithAudit(http.HandlerFunc(test.handler), &fakeRequestContextMapper{
 			user: &user.DefaultInfo{Name: "admin"},
 		}, backend, policyChecker, func(r *http.Request, ri *request.RequestInfo) bool {
@@ -440,6 +478,7 @@ func TestAuditJson(t *testing.T) {
 		path       string
 		verb       string
 		auditID    string
+		omitStages []auditinternal.Stage
 		handler    func(http.ResponseWriter, *http.Request)
 		expected   []auditv1beta1.Event
 		respHeader bool
@@ -450,6 +489,7 @@ func TestAuditJson(t *testing.T) {
 			shortRunningPath,
 			"GET",
 			"",
+			nil,
 			func(http.ResponseWriter, *http.Request) {},
 			[]auditv1beta1.Event{
 				{
@@ -471,6 +511,7 @@ func TestAuditJson(t *testing.T) {
 			shortRunningPath,
 			"GET",
 			uuid.NewRandom().String(),
+			nil,
 			func(w http.ResponseWriter, req *http.Request) {
 				w.Write([]byte("foo"))
 			},
@@ -494,6 +535,7 @@ func TestAuditJson(t *testing.T) {
 			shortRunningPath,
 			"GET",
 			"",
+			nil,
 			func(w http.ResponseWriter, req *http.Request) {
 				panic("kaboom")
 			},
@@ -518,6 +560,7 @@ func TestAuditJson(t *testing.T) {
 			shortRunningPath,
 			"PUT",
 			"",
+			nil,
 			func(http.ResponseWriter, *http.Request) {},
 			[]auditv1beta1.Event{
 				{
@@ -539,6 +582,7 @@ func TestAuditJson(t *testing.T) {
 			shortRunningPath,
 			"PUT",
 			"",
+			nil,
 			func(w http.ResponseWriter, req *http.Request) {
 				w.Write([]byte("foo"))
 				time.Sleep(delay)
@@ -563,6 +607,7 @@ func TestAuditJson(t *testing.T) {
 			shortRunningPath,
 			"PUT",
 			"",
+			nil,
 			func(w http.ResponseWriter, req *http.Request) {
 				w.WriteHeader(403)
 				w.Write([]byte("foo"))
@@ -587,6 +632,7 @@ func TestAuditJson(t *testing.T) {
 			shortRunningPath,
 			"PUT",
 			"",
+			nil,
 			func(w http.ResponseWriter, req *http.Request) {
 				panic("kaboom")
 			},
@@ -610,6 +656,7 @@ func TestAuditJson(t *testing.T) {
 			shortRunningPath,
 			"PUT",
 			"",
+			nil,
 			func(w http.ResponseWriter, req *http.Request) {
 				w.Write([]byte("foo"))
 				panic("kaboom")
@@ -635,6 +682,7 @@ func TestAuditJson(t *testing.T) {
 			longRunningPath,
 			"GET",
 			"",
+			nil,
 			func(http.ResponseWriter, *http.Request) {},
 			[]auditv1beta1.Event{
 				{
@@ -662,6 +710,7 @@ func TestAuditJson(t *testing.T) {
 			longRunningPath,
 			"GET",
 			uuid.NewRandom().String(),
+			nil,
 			func(w http.ResponseWriter, req *http.Request) {
 				w.Write([]byte("foo"))
 			},
@@ -691,6 +740,7 @@ func TestAuditJson(t *testing.T) {
 			longRunningPath,
 			"GET",
 			"",
+			nil,
 			func(http.ResponseWriter, *http.Request) {
 				time.Sleep(delay)
 			},
@@ -720,6 +770,7 @@ func TestAuditJson(t *testing.T) {
 			longRunningPath,
 			"GET",
 			"",
+			nil,
 			func(w http.ResponseWriter, req *http.Request) {
 				time.Sleep(delay)
 				w.WriteHeader(403)
@@ -750,6 +801,7 @@ func TestAuditJson(t *testing.T) {
 			longRunningPath,
 			"GET",
 			"",
+			nil,
 			func(w http.ResponseWriter, req *http.Request) {
 				w.Write([]byte("foo"))
 			},
@@ -779,6 +831,7 @@ func TestAuditJson(t *testing.T) {
 			longRunningPath,
 			"GET",
 			"",
+			nil,
 			func(w http.ResponseWriter, req *http.Request) {
 				w.WriteHeader(403)
 				w.Write([]byte("foo"))
@@ -809,6 +862,7 @@ func TestAuditJson(t *testing.T) {
 			longRunningPath,
 			"GET",
 			"",
+			nil,
 			func(w http.ResponseWriter, req *http.Request) {
 				panic("kaboom")
 			},
@@ -832,6 +886,7 @@ func TestAuditJson(t *testing.T) {
 			longRunningPath,
 			"GET",
 			"",
+			nil,
 			func(w http.ResponseWriter, req *http.Request) {
 				w.Write([]byte("foo"))
 				panic("kaboom")
@@ -857,10 +912,49 @@ func TestAuditJson(t *testing.T) {
 			},
 			true,
 		},
+		{
+			"omit RequestReceived",
+			shortRunningPath,
+			"GET",
+			"",
+			[]auditinternal.Stage{auditinternal.StageRequestReceived},
+			func(w http.ResponseWriter, req *http.Request) {
+				w.Write([]byte("foo"))
+			},
+			[]auditv1beta1.Event{
+				{
+					Stage:          auditinternal.StageResponseComplete,
+					Verb:           "get",
+					RequestURI:     shortRunningPath,
+					ResponseStatus: &metav1.Status{Code: 200},
+				},
+			},
+			true,
+		},
+		{
+			"emit Panic only",
+			longRunningPath,
+			"GET",
+			"",
+			[]auditinternal.Stage{auditinternal.StageRequestReceived, auditinternal.StageResponseStarted, auditinternal.StageResponseComplete},
+			func(w http.ResponseWriter, req *http.Request) {
+				w.Write([]byte("foo"))
+				panic("kaboom")
+			},
+			[]auditv1beta1.Event{
+				{
+					Stage:          auditinternal.StagePanic,
+					Verb:           "watch",
+					RequestURI:     longRunningPath,
+					ResponseStatus: &metav1.Status{Code: 500},
+				},
+			},
+			true,
+		},
 	} {
 		var buf bytes.Buffer
 		backend := pluginlog.NewBackend(&buf, pluginlog.FormatJson, auditv1beta1.SchemeGroupVersion)
-		policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse)
+		policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse, test.omitStages)
 		handler := WithAudit(http.HandlerFunc(test.handler), &fakeRequestContextMapper{
 			user: &user.DefaultInfo{Name: "admin"},
 		}, backend, policyChecker, func(r *http.Request, ri *request.RequestInfo) bool {
@@ -964,7 +1058,7 @@ func (*fakeRequestContextMapper) Update(req *http.Request, context request.Conte
 }
 
 func TestAuditNoPanicOnNilUser(t *testing.T) {
-	policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse)
+	policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse, nil)
 	handler := WithAudit(&fakeHTTPHandler{}, &fakeRequestContextMapper{}, &fakeAuditSink{}, policyChecker, nil)
 	req, _ := http.NewRequest("GET", "/api/v1/namespaces/default/pods", nil)
 	req.RemoteAddr = "127.0.0.1"
@@ -977,7 +1071,7 @@ func TestAuditLevelNone(t *testing.T) {
 	handler = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 		w.WriteHeader(200)
 	})
-	policyChecker := policy.FakeChecker(auditinternal.LevelNone)
+	policyChecker := policy.FakeChecker(auditinternal.LevelNone, nil)
 	handler = WithAudit(handler, &fakeRequestContextMapper{
 		user: &user.DefaultInfo{Name: "admin"},
 	}, sink, policyChecker, nil)

staging/src/k8s.io/apiserver/pkg/endpoints/filters/authn_audit.go

@@ -38,7 +38,7 @@ func WithFailedAuthenticationAudit(failedHandler http.Handler, requestContextMap
 		return failedHandler
 	}
 	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-		_, ev, err := createAuditEventAndAttachToContext(requestContextMapper, req, policy)
+		_, ev, omitStages, err := createAuditEventAndAttachToContext(requestContextMapper, req, policy)
 		if err != nil {
 			utilruntime.HandleError(fmt.Errorf("failed to create audit event: %v", err))
 			responsewriters.InternalError(w, req, errors.New("failed to create audit event"))
@@ -53,7 +53,7 @@ func WithFailedAuthenticationAudit(failedHandler http.Handler, requestContextMap
 		ev.ResponseStatus.Message = getAuthMethods(req)
 		ev.Stage = auditinternal.StageResponseStarted
 
-		rw := decorateResponseWriter(w, ev, sink)
+		rw := decorateResponseWriter(w, ev, sink, omitStages)
 		failedHandler.ServeHTTP(rw, req)
 	})
 }

staging/src/k8s.io/apiserver/pkg/endpoints/filters/authn_audit_test.go

@@ -30,7 +30,7 @@ import (
 
 func TestFailedAuthnAudit(t *testing.T) {
 	sink := &fakeAuditSink{}
-	policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse)
+	policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse, nil)
 	handler := WithFailedAuthenticationAudit(
 		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			w.WriteHeader(http.StatusUnauthorized)
@@ -61,7 +61,7 @@ func TestFailedAuthnAudit(t *testing.T) {
 
 func TestFailedMultipleAuthnAudit(t *testing.T) {
 	sink := &fakeAuditSink{}
-	policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse)
+	policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse, nil)
 	handler := WithFailedAuthenticationAudit(
 		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			w.WriteHeader(http.StatusUnauthorized)
@@ -93,7 +93,7 @@ func TestFailedMultipleAuthnAudit(t *testing.T) {
 
 func TestFailedAuthnAuditWithoutAuthorization(t *testing.T) {
 	sink := &fakeAuditSink{}
-	policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse)
+	policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse, nil)
 	handler := WithFailedAuthenticationAudit(
 		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			w.WriteHeader(http.StatusUnauthorized)
@@ -120,3 +120,20 @@ func TestFailedAuthnAuditWithoutAuthorization(t *testing.T) {
 		t.Errorf("Unexpected user, expected /api/v1/namespaces/default/pods, got %s", ev.RequestURI)
 	}
 }
+
+func TestFailedAuthnAuditOmitted(t *testing.T) {
+	sink := &fakeAuditSink{}
+	policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse, []auditinternal.Stage{auditinternal.StageResponseStarted})
+	handler := WithFailedAuthenticationAudit(
+		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.WriteHeader(http.StatusUnauthorized)
+		}),
+		&fakeRequestContextMapper{}, sink, policyChecker)
+	req, _ := http.NewRequest("GET", "/api/v1/namespaces/default/pods", nil)
+	req.RemoteAddr = "127.0.0.1"
+	handler.ServeHTTP(httptest.NewRecorder(), req)
+
+	if len(sink.events) != 0 {
+		t.Fatalf("Unexpected number of audit events generated, expected 0, got: %d", len(sink.events))
+	}
+}