adrien/ansible-role-kubernetes
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Update audit policies file
Some checks reported errors
continuous-integration/drone/push Build was killed
Details

Browse source
This commit is contained in:
Adrien Reslinger 2021-06-02 15:46:58 +02:00
parent 1e17bc7317
commit d18ccea770
Signed by: adrien
GPG key ID: DA7B27055C66D6DE
1 changed files with 17 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

20
files/etc/kubernetes/policies/audit-policy.yaml
View file

@ -10,7 +10,15 @@ rules:
- group: ""
# Resource "pods" doesn't match requests to any subresource of pods,
# which is consistent with the RBAC policy.
resources: ["pods"]
resources: ["pods", "deployments"]
- level: RequestResponse
resources:
- group: "rbac.authorization.k8s.io"
# Resource "pods" doesn't match requests to any subresource of pods,
# which is consistent with the RBAC policy.
resources: ["clusterroles", "clusterrolebindings"]
# Log "pods/log", "pods/status" at Metadata level
- level: Metadata
resources:
@ -48,11 +56,17 @@ rules:
# The empty string "" can be used to select non-namespaced resources.
namespaces: ["kube-system"]
# Log configmap and secret changes in all other namespaces at the Metadata level.
# Log configmap changes in all other namespaces at the RequestResponse level.
- level: RequestResponse
resources:
- group: "" # core API group
resources: ["configmaps"]
# Log secret changes in all other namespaces at the Metadata level.
- level: Metadata
resources:
- group: "" # core API group
resources: ["secrets", "configmaps"]
resources: ["secrets"]
# Log all other resources in core and extensions at the Request level.
- level: Request