make sure serviceaccounts/token is only in the metadata stage (#7679)

3 years ago · d66da21726
1 changed files with 2 additions and 2 deletions
--- a/roles/kubernetes/control-plane/templates/apiserver-audit-policy.yaml.j2
+++ b/roles/kubernetes/control-plane/templates/apiserver-audit-policy.yaml.j2
@ -67,12 +67,12 @@ rules:
    resources:
      - group: "" # core
        resources: ["events"]
-  # Secrets, ConfigMaps, and TokenReviews can contain sensitive & binary data,
+  # Secrets, ConfigMaps, TokenRequest and TokenReviews can contain sensitive & binary data,
  # so only log at the Metadata level.
  - level: Metadata
    resources:
      - group: "" # core
-        resources: ["secrets", "configmaps"]
+        resources: ["secrets", "configmaps", "serviceaccounts/token"]
      - group: authentication.k8s.io
        resources: ["tokenreviews"]
    omitStages: