Merge pull request #52358 from crassirostris/audit-policy-groups

Automatic merge from submit-queue (batch tested with PRs 52376, 52439, 52382, 52358, 52372) Add new api groups to the GCE advanced audit policy Fixes https://github.com/kubernetes/kubernetes/issues/52265 It introduces the missing api groups, that were introduced in 1.8 release. @piosz there's also the 'metrics' api group, should we audit it?
2025-07-23 19:56:01 +00:00 · 2017-09-14 15:27:05 -07:00 · 2017-09-14 15:27:05 -07:00 · afdbfa251f
commit afdbfa251f
parent 8db782cc54 a9fb3c8efb
1 changed files with 10 additions and 0 deletions
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@ -491,6 +491,8 @@ function create-master-audit-policy {
  local -r known_apis='
      - group: "" # core
      - group: "admissionregistration.k8s.io"
+      - group: "apiextensions.k8s.io"
+      - group: "apiregistration.k8s.io"
      - group: "apps"
      - group: "authentication.k8s.io"
      - group: "authorization.k8s.io"
@ -498,6 +500,7 @@ function create-master-audit-policy {
      - group: "batch"
      - group: "certificates.k8s.io"
      - group: "extensions"
+      - group: "metrics"
      - group: "networking.k8s.io"
      - group: "policy"
      - group: "rbac.authorization.k8s.io"
@ -553,6 +556,13 @@ rules:
    resources:
      - group: "" # core
        resources: ["namespaces", "namespaces/status", "namespaces/finalize"]
+  # Don't log HPA fetching metrics.
+  - level: None
+    users:
+      - system:kube-controller-manager
+    verbs: ["get", "list"]
+    resources:
+      - group: "metrics"

  # Don't log these read-only URLs.
  - level: None