-
Notifications
You must be signed in to change notification settings - Fork 0
/
audit-policy.yaml
115 lines (115 loc) · 3.26 KB
/
audit-policy.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
#
- level: None
userGroups: ["system:serviceaccounts", "system:serviceaccounts:kube-system", "system:serviceaccounts:monitoring", "system:authenticated"]
#
- level: None
users: ["system:apiserver"]
userGroups: ["system:masters"]
verbs: ["get", "watch", "configmaps"]
resources:
- group: ""
resources: ["endpointslices", "configmaps", "namespaces", "secrets"]
#
- level: None
users: ["system:kube-controller-manager"]
userGroups: ["system:authenticated"]
verbs: ["update"]
resources:
- group: "coordination.k8s.io"
resources: ["leases"]
#
- level: None
# Ingress controller reads `configmaps/ingress-uid` through the unsecured port.
users: ["system:unsecured"]
namespaces: ["kube-system"]
verbs: ["get"]
resources:
- group: "" # core
resources: ["configmaps"]
#
- level: None
users: ["kubelet"] # legacy kubelet identity
verbs: ["get"]
resources:
- group: "" # core
resources: ["nodes"]
#
- level: None
userGroups: ["system:nodes"]
verbs: ["get", "patch", "watch"]
resources:
- group: "" # core
resources: ["nodes"]
#
- level: None
userGroups: ["system:nodes"]
verbs: ["get"]
resources:
- group: "" # core
resources: ["secrets"]
#
- level: None
users:
- system:kube-controller-manager
- system:kube-scheduler
- system:serviceaccount:kube-system:endpoint-controller
verbs: ["get", "update", "watch"]
namespaces: ["kube-system"]
resources:
- group: "" # core
resources: ["endpoints", "leases"]
#
- level: None
nonResourceURLs:
- /healthz*
- /version
- /livez*
- /metrics
# Don't log events requests.
- level: None
resources:
- group: "events.k8s.io"
resources: ["events"]
#
- level: None
resources:
- group: "apiregistration.k8s.io"
- group: "coordination.k8s.io"
- group: "admissionregistration.k8s.io"
# Secrets, ConfigMaps, and TokenReviews can contain sensitive & binary data,
# so only log at the Metadata level.
- level: Metadata
resources:
- group: "" # core
resources: ["secrets", "configmaps"]
- group: authentication.k8s.io
resources: ["tokenreviews"]
# Log pvc/pv requests to capture volume details
- level: Request
verbs: ["create", "delete", "update", "patch"]
resources:
- group: "" # core
resources: ["persistentvolumeclaims", "persistentvolumes"]
# Log pod create requests to capture container images, etc.
- level: Request
verbs: ["create", "update", "patch"]
resources:
- group: "" # core
resources: ["pods", "replicacontrollers", "container"]
- group: "apps"
resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
- group: "batch"
resources: ["jobs", "cronjobs"]
- group: "extensions" # necessary for pre-1.12 clusters
resources: ["daemonsets", "deployments", "replicasets"]
#
- level: RequestResponse
verbs: ["create", "update", "delete", "patch"]
resources:
- group: "networking.k8s.io"
#
- level: Metadata
verbs: ["create", "update", "delete", "patch"]