From dcdcb19c47cf2ad9b45fbdd15d1ed62055fd175b Mon Sep 17 00:00:00 2001
From: "Tim St. Clair"
Date: Thu, 22 Jun 2017 13:38:44 -0700
Subject: [PATCH] Don't audit log tokens in TokenReviews

---
 cluster/gce/gci/configure-helper.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index b05637957bd..95be26aae7c 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -568,12 +568,14 @@ rules:
       - group: "" # core
         resources: ["events"]
-  # Secrets & ConfigMaps can contain sensitive & binary data,
+  # Secrets, ConfigMaps, and TokenReviews can contain sensitive & binary data,
   # so only log at the Metadata level.
   - level: Metadata
     resources:
       - group: "" # core
         resources: ["secrets", "configmaps"]
+      - group: authentication.k8s.io
+        resources: ["tokenreviews"]
   # Get repsonses can be large; skip them.
   - level: Request
     verbs: ["get", "list", "watch"]
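Review bot: The new `authentication.k8s.io` / `tokenreviews` entry relies on rule order, and the hunk does not record why: audit policy rules are first-match, so this Metadata rule is only effective because it sits ahead of the `level: Request` rule and whatever broader rule follows it outside the hunk, and a later reordering of this heredoc would silently start writing request bodies (and with them the token) to the audit log again. I would add a why-comment on the new group line such as `# TokenReview spec carries a bearer token; Metadata level keeps the request body (and the status in the response) out of the audit log`. The updated comment above the rule only says "sensitive & binary data", which does not tell a maintainer that the concern here is a credential rather than bulk. The group name is written unquoted while the core group is written as `""`; quoting it as `"authentication.k8s.io"` would keep the heredoc's style uniform, though the plain scalar is unambiguous to the parser. Whether the other platform turn-up scripts carry an equivalent audit policy is not visible from this hunk; if they do, they presumably need the same rule.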