  1. apiVersion: audit.k8s.io/v1
  2. kind: Policy
  3. rules:
  4. {% if audit_policy_custom_rules is defined and audit_policy_custom_rules != "" %}
  5. {{ audit_policy_custom_rules | indent(2, true) }}
  6. {% else %}
  7. # The following requests were manually identified as high-volume and low-risk,
  8. # so drop them.
  9. - level: None
  10. users: ["system:kube-proxy"]
  11. verbs: ["watch"]
  12. resources:
  13. - group: "" # core
  14. resources: ["endpoints", "services", "services/status"]
  15. - level: None
  16. # Ingress controller reads `configmaps/ingress-uid` through the unsecured port.
  17. # TODO(#46983): Change this to the ingress controller service account.
  18. users: ["system:unsecured"]
  19. namespaces: ["kube-system"]
  20. verbs: ["get"]
  21. resources:
  22. - group: "" # core
  23. resources: ["configmaps"]
  24. - level: None
  25. users: ["kubelet"] # legacy kubelet identity
  26. verbs: ["get"]
  27. resources:
  28. - group: "" # core
  29. resources: ["nodes", "nodes/status"]
  30. - level: None
  31. userGroups: ["system:nodes"]
  32. verbs: ["get"]
  33. resources:
  34. - group: "" # core
  35. resources: ["nodes", "nodes/status"]
  36. - level: None
  37. users:
  38. - system:kube-controller-manager
  39. - system:kube-scheduler
  40. - system:serviceaccount:kube-system:endpoint-controller
  41. verbs: ["get", "update"]
  42. namespaces: ["kube-system"]
  43. resources:
  44. - group: "" # core
  45. resources: ["endpoints"]
  46. - level: None
  47. users: ["system:apiserver"]
  48. verbs: ["get"]
  49. resources:
  50. - group: "" # core
  51. resources: ["namespaces", "namespaces/status", "namespaces/finalize"]
  52. # Don't log HPA fetching metrics.
  53. - level: None
  54. users:
  55. - system:kube-controller-manager
  56. verbs: ["get", "list"]
  57. resources:
  58. - group: "metrics.k8s.io"
  59. # Don't log these read-only URLs.
  60. - level: None
  61. nonResourceURLs:
  62. - /healthz*
  63. - /version
  64. - /swagger*
  65. # Don't log events requests.
  66. - level: None
  67. resources:
  68. - group: "" # core
  69. resources: ["events"]
  70. # Secrets, ConfigMaps, and TokenReviews can contain sensitive & binary data,
  71. # so only log at the Metadata level.
  72. - level: Metadata
  73. resources:
  74. - group: "" # core
  75. resources: ["secrets", "configmaps"]
  76. - group: authentication.k8s.io
  77. resources: ["tokenreviews"]
  78. omitStages:
  79. - "RequestReceived"
  80. # Get responses can be large; skip them.
  81. - level: Request
  82. verbs: ["get", "list", "watch"]
  83. resources:
  84. - group: "" # core
  85. - group: "admissionregistration.k8s.io"
  86. - group: "apiextensions.k8s.io"
  87. - group: "apiregistration.k8s.io"
  88. - group: "apps"
  89. - group: "authentication.k8s.io"
  90. - group: "authorization.k8s.io"
  91. - group: "autoscaling"
  92. - group: "batch"
  93. - group: "certificates.k8s.io"
  94. - group: "extensions"
  95. - group: "metrics.k8s.io"
  96. - group: "networking.k8s.io"
  97. - group: "policy"
  98. - group: "rbac.authorization.k8s.io"
  99. - group: "settings.k8s.io"
  100. - group: "storage.k8s.io"
  101. omitStages:
  102. - "RequestReceived"
  103. # Default level for known APIs
  104. - level: RequestResponse
  105. resources:
  106. - group: "" # core
  107. - group: "admissionregistration.k8s.io"
  108. - group: "apiextensions.k8s.io"
  109. - group: "apiregistration.k8s.io"
  110. - group: "apps"
  111. - group: "authentication.k8s.io"
  112. - group: "authorization.k8s.io"
  113. - group: "autoscaling"
  114. - group: "batch"
  115. - group: "certificates.k8s.io"
  116. - group: "extensions"
  117. - group: "metrics.k8s.io"
  118. - group: "networking.k8s.io"
  119. - group: "policy"
  120. - group: "rbac.authorization.k8s.io"
  121. - group: "settings.k8s.io"
  122. - group: "storage.k8s.io"
  123. omitStages:
  124. - "RequestReceived"
  125. # Default level for all other requests.
  126. - level: Metadata
  127. omitStages:
  128. - "RequestReceived"
  129. {% endif %}