Merge pull request #52343 from crassirostris/audit-policy-switch-to-beta

Automatic merge from submit-queue (batch tested with PRs 52339, 52343, 52125, 52360, 52301)

Switch default audit policy to beta and omit RequestReceived stage

Related to https://github.com/kubernetes/kubernetes/issues/52265

```release-note
By default, clusters on GCE no longer emit the RequestReceived audit event when advanced auditing is configured.
```
This commit is contained in:
Kubernetes Submit Queue 2017-09-12 21:45:54 -07:00 committed by GitHub
commit e81aeb59aa


@ -499,7 +499,7 @@ function create-master-audit-policy {
- group: "storage.k8s.io"'
cat <<EOF >"${path}"
apiVersion: audit.k8s.io/v1alpha1
apiVersion: audit.k8s.io/v1beta1
kind: Policy
rules:
# The following requests were manually identified as high-volume and low-risk,
@ -509,7 +509,7 @@ rules:
verbs: ["watch"]
resources:
- group: "" # core
resources: ["endpoints", "services"]
resources: ["endpoints", "services", "services/status"]
- level: None
# Ingress controller reads `configmaps/ingress-uid` through the unsecured port.
# TODO(#46983): Change this to the ingress controller service account.
@ -524,13 +524,13 @@ rules:
verbs: ["get"]
resources:
- group: "" # core
resources: ["nodes"]
resources: ["nodes", "nodes/status"]
- level: None
userGroups: ["system:nodes"]
verbs: ["get"]
resources:
- group: "" # core
resources: ["nodes"]
resources: ["nodes", "nodes/status"]
- level: None
users:
- system:kube-controller-manager
@ -546,7 +546,7 @@ rules:
verbs: ["get"]
resources:
- group: "" # core
resources: ["namespaces"]
resources: ["namespaces", "namespaces/status", "namespaces/finalize"]
# Don't log these read-only URLs.
- level: None
@ -569,15 +569,23 @@ rules:
resources: ["secrets", "configmaps"]
- group: authentication.k8s.io
resources: ["tokenreviews"]
omitStages:
- "RequestReceived"
# Get repsonses can be large; skip them.
- level: Request
verbs: ["get", "list", "watch"]
resources: ${known_apis}
omitStages:
- "RequestReceived"
# Default level for known APIs
- level: RequestResponse
resources: ${known_apis}
omitStages:
- "RequestReceived"
# Default level for all other requests.
- level: Metadata
omitStages:
- "RequestReceived"
EOF
}
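Review bot: Dropping the RequestReceived stage on the four catch-all rules (the `omitStages` blocks added under the secrets/configmaps/tokenreviews Metadata rule and the three `${known_apis}` / default rules) means a request that is accepted but never reaches ResponseStarted/ResponseComplete — a handler that hangs, or an apiserver that dies mid-request — leaves no audit record at all, which is exactly the case an incident responder most wants to see for secret and tokenreview access. Since the policy is generated inline here, that trade-off should be stated next to the rules, e.g. `# RequestReceived is omitted to halve event volume; requests that never complete will not appear in the log.` Panics are believed to still be recorded via the separate Panic stage, but that should be confirmed against the apiserver's audit handler rather than assumed. Repeating `omitStages` per rule also means any rule added later without it silently reintroduces RequestReceived events; if the v1beta1 Policy type on this cluster supports a policy-level `omitStages`, setting it once there would be less fragile — verify the field exists before switching. The `create-master-audit-policy` function and the heredoc start outside this hunk.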