Merge pull request #52343 from crassirostris/audit-policy-switch-to-beta

Automatic merge from submit-queue (batch tested with PRs 52339, 52343, 52125, 52360, 52301)

Switch default audit policy to beta and omit RequestReceived stage

Related to https://github.com/kubernetes/kubernetes/issues/52265

```release-note
By default, clusters on GCE no longer send the RequestReceived audit event when advanced audit is configured.
```
Kubernetes Submit Queue 2017-09-12 21:45:54 -07:00 committed by GitHub
commit e81aeb59aa


@ -499,7 +499,7 @@ function create-master-audit-policy {
- group: "storage.k8s.io"' - group: "storage.k8s.io"'
cat <<EOF >"${path}" cat <<EOF >"${path}"
apiVersion: audit.k8s.io/v1alpha1 apiVersion: audit.k8s.io/v1beta1
kind: Policy kind: Policy
rules: rules:
# The following requests were manually identified as high-volume and low-risk, # The following requests were manually identified as high-volume and low-risk,
@ -509,7 +509,7 @@ rules:
verbs: ["watch"] verbs: ["watch"]
resources: resources:
- group: "" # core - group: "" # core
resources: ["endpoints", "services"] resources: ["endpoints", "services", "services/status"]
- level: None - level: None
# Ingress controller reads `configmaps/ingress-uid` through the unsecured port. # Ingress controller reads `configmaps/ingress-uid` through the unsecured port.
# TODO(#46983): Change this to the ingress controller service account. # TODO(#46983): Change this to the ingress controller service account.
@ -524,13 +524,13 @@ rules:
verbs: ["get"] verbs: ["get"]
resources: resources:
- group: "" # core - group: "" # core
resources: ["nodes"] resources: ["nodes", "nodes/status"]
- level: None - level: None
userGroups: ["system:nodes"] userGroups: ["system:nodes"]
verbs: ["get"] verbs: ["get"]
resources: resources:
- group: "" # core - group: "" # core
resources: ["nodes"] resources: ["nodes", "nodes/status"]
- level: None - level: None
users: users:
- system:kube-controller-manager - system:kube-controller-manager
@ -546,7 +546,7 @@ rules:
verbs: ["get"] verbs: ["get"]
resources: resources:
- group: "" # core - group: "" # core
resources: ["namespaces"] resources: ["namespaces", "namespaces/status", "namespaces/finalize"]
# Don't log these read-only URLs. # Don't log these read-only URLs.
- level: None - level: None
@ -569,15 +569,23 @@ rules:
resources: ["secrets", "configmaps"] resources: ["secrets", "configmaps"]
- group: authentication.k8s.io - group: authentication.k8s.io
resources: ["tokenreviews"] resources: ["tokenreviews"]
omitStages:
- "RequestReceived"
# Get repsonses can be large; skip them. # Get repsonses can be large; skip them.
- level: Request - level: Request
verbs: ["get", "list", "watch"] verbs: ["get", "list", "watch"]
resources: ${known_apis} resources: ${known_apis}
omitStages:
- "RequestReceived"
# Default level for known APIs # Default level for known APIs
- level: RequestResponse - level: RequestResponse
resources: ${known_apis} resources: ${known_apis}
omitStages:
- "RequestReceived"
# Default level for all other requests. # Default level for all other requests.
- level: Metadata - level: Metadata
omitStages:
- "RequestReceived"
EOF EOF
} }
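Review bot: The four `omitStages: ["RequestReceived"]` entries added to the Metadata/Request/RequestResponse rules at the end of the policy silently change what the log can prove: RequestReceived is the only stage emitted before the handler runs, so once it is dropped a request whose handler never reaches ResponseComplete (apiserver crash or OOM-kill mid-request, a hung long-running handler, an overflowed audit backend) leaves no audit record at all, and nothing in the generated policy says this trade-off was accepted. I would add a comment above the first `omitStages` block, e.g. `# RequestReceived is omitted below: a request that never reaches ResponseComplete (apiserver crash, backend overflow) leaves no audit trace.` so an operator copying this policy understands what they lose. Repeating the same `omitStages` on every rule is also error-prone — the next rule someone adds will almost certainly forget it; if the apiserver version this targets already supports the policy-level `omitStages` field on `audit.k8s.io/v1beta1`, a single top-level `omitStages:` under `kind: Policy` would express the intent once (worth confirming against the version shipped with this cluster). The `create-master-audit-policy` function starts outside this hunk, so the `known_apis` expansion and the earlier `level: None` rules were not reviewed here.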