From a9fb3c8efb48b34d4e5dec4f27f2c39af2d9ffd8 Mon Sep 17 00:00:00 2001
From: Mik Vyatskov
Date: Tue, 12 Sep 2017 22:23:45 +0200
Subject: [PATCH] Add new api groups to the GCE advanced audit policy

---
 cluster/gce/gci/configure-helper.sh | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index ff6ad6c8a85..630df5c97b4 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -485,6 +485,8 @@ function create-master-audit-policy {
 local -r known_apis='
 - group: "" # core
 - group: "admissionregistration.k8s.io"
+ - group: "apiextensions.k8s.io"
+ - group: "apiregistration.k8s.io"
 - group: "apps"
 - group: "authentication.k8s.io"
 - group: "authorization.k8s.io"
@@ -492,6 +494,7 @@ function create-master-audit-policy {
 - group: "batch"
 - group: "certificates.k8s.io"
 - group: "extensions"
+ - group: "metrics"
 - group: "networking.k8s.io"
 - group: "policy"
 - group: "rbac.authorization.k8s.io"
@@ -547,6 +550,13 @@ rules:
 resources:
 - group: "" # core
 resources: ["namespaces", "namespaces/status", "namespaces/finalize"]
+ # Don't log HPA fetching metrics.
+ - level: None
+ users:
+ - system:kube-controller-manager
+ verbs: ["get", "list"]
+ resources:
+ - group: "metrics"
 # Don't log these read-only URLs.
 - level: None
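Review bot: The `- group: "metrics"` entry added to `known_apis` in the second hunk is the only unqualified name among the groups this commit adds, and the same string is reused by the `level: None` rule for `system:kube-controller-manager` in the last hunk. Audit policy rules match the API group name exactly, so if the metrics API on these clusters is served as `metrics.k8s.io`, neither entry would match: the HPA reads would still be logged, and the group would be absent from whatever rules consume `known_apis` (not visible here). Please confirm the served group name and, if it is the qualified one, use `- group: "metrics.k8s.io"` in both places. `create-master-audit-policy` starts and ends outside these hunks, so the effect on the catch-all rules cannot be checked from this page.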