Created
May 24, 2022 21:31
-
-
Save diyinfosec/7acadaea47a71c82b68f06e13213dd1d to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: audit.k8s.io/v1beta1 | |
| kind: Policy | |
| rules: | |
| # non relevant rules | |
| - level: None | |
| nonResourceURLs: | |
| - "/healthz*" | |
| - "/logs" | |
| - "/metrics" | |
| - "/swagger*" | |
| - "/version" | |
| # tokens are included in the spec/status when the level > Metadata | |
| - level: Metadata | |
| omitStages: | |
| - RequestReceived | |
| resources: | |
| - group: authentication.k8s.io | |
| resources: | |
| - tokenreviews | |
| - group: "" | |
| resources: | |
| - configmaps # truncated logs on big configmap | |
| # extended audit of auth delegation | |
| - level: RequestResponse | |
| omitStages: | |
| - RequestReceived | |
| resources: | |
| - group: authorization.k8s.io | |
| resources: | |
| - subjectaccessreviews | |
| # log the content of any state alteration | |
| - level: RequestResponse | |
| omitStages: | |
| - RequestReceived | |
| verbs: | |
| - patch | |
| - update | |
| - create | |
| - delete | |
| - deletecollection | |
| resources: | |
| - group: apps | |
| - group: autoscaling | |
| - group: batch | |
| # NP - NG | |
| - level: Request | |
| verbs: | |
| - create | |
| - patch | |
| - update | |
| - delete | |
| omitStages: | |
| - RequestReceived | |
| resources: | |
| - group: "" | |
| resources: | |
| - events | |
| # Cluster Inventory | |
| - level: Request | |
| verbs: | |
| - create | |
| - delete | |
| - deletecollection | |
| - get | |
| - list | |
| - patch | |
| - update | |
| - watch | |
| omitStages: | |
| - RequestReceived | |
| resources: | |
| - group: clusterregistry.k8s.io | |
| resources: | |
| - clusters | |
| # catch nodes update/patch at a metadata level | |
| # nodes are updating their status periodically | |
| - level: Metadata | |
| verbs: | |
| - update | |
| - patch | |
| omitStages: | |
| - RequestReceived | |
| userGroups: | |
| - "system:nodes" | |
| - level: Metadata | |
| verbs: | |
| - update | |
| - patch | |
| omitStages: | |
| - RequestReceived | |
| resources: | |
| - group: "" | |
| resources: | |
| - configmaps | |
| - endpoints | |
| namespaces: | |
| - kube-system | |
| resourceNames: | |
| - kube-scheduler | |
| - kube-controller-manager | |
| # the content of the request for all these verbs for everything | |
| - level: Request | |
| verbs: | |
| - update | |
| - patch | |
| - create | |
| - delete | |
| omitStages: | |
| - RequestReceived | |
| # everything left | |
| - level: Metadata | |
| omitStages: | |
| - RequestReceived |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment