Merge pull request #47921 from timstclair/audit-policy

Automatic merge from submit-queue

Don't audit log tokens in TokenReviews

We don't want to leak auth tokens in the audit logs, so only log TokenReview requests at the metadata level.

Issue: kubernetes/features#22
Kubernetes Submit Queue 2017-06-22 19:47:43 -07:00 committed by GitHub
commit f35f5ef464

@ -568,12 +568,14 @@ rules:
- group: "" # core - group: "" # core
resources: ["events"] resources: ["events"]
# Secrets & ConfigMaps can contain sensitive & binary data, # Secrets, ConfigMaps, and TokenReviews can contain sensitive & binary data,
# so only log at the Metadata level. # so only log at the Metadata level.
- level: Metadata - level: Metadata
resources: resources:
- group: "" # core - group: "" # core
resources: ["secrets", "configmaps"] resources: ["secrets", "configmaps"]
- group: authentication.k8s.io
resources: ["tokenreviews"]
# Get repsonses can be large; skip them. # Get repsonses can be large; skip them.
- level: Request - level: Request
verbs: ["get", "list", "watch"] verbs: ["get", "list", "watch"]