apiVersion: audit.k8s.io/v1 kind: Policy rules: # audit level 'None' for high volume and low risk events - level: None users: ["aksService"] verbs: ["get", "list"] # audit level 'None' for low-risk requests - level: None users: ["system:kube-proxy"] verbs: ["watch"] resources: - group: "" resources: ["endpoints", "services", "services/status"] # audit level 'None' for low-risk requests - level: None users: ["kubelet"] # legacy kubelet identity verbs: ["get"] resources: - group: "" resources: ["nodes", "nodes/status"] # audit level 'None' for low-risk requests - level: None userGroups: ["system:nodes"] verbs: ["get"] resources: - group: "" resources: ["nodes", "nodes/status"] # audit level 'None' for low-risk requests - level: None users: - aksService # the default user/cert used by aks in master node - system:serviceaccount:kube-system:endpoint-controller verbs: ["get", "update"] namespaces: ["kube-system"] resources: - group: "" resources: ["endpoints"] # audit level 'None' for low-risk requests - level: None users: ["system:apiserver"] verbs: ["get"] resources: - group: "" resources: ["namespaces", "namespaces/status", "namespaces/finalize"] # audit level 'None' for low-risk requests - level: None users: - aksService # the default user/cert used by aks in master node verbs: ["get", "list"] resources: - group: "metrics.k8s.io" # Don't log these read-only URLs. - level: None nonResourceURLs: - /healthz* - /version - /swagger* # Monitoring of delete actions to detect security relevant activities. - level: Metadata verbs: ["delete"] resources: - group: "" resources: ["events"] # Don't log other events requests. - level: None resources: - group: "" resources: ["events"] # node and pod status calls from nodes are high-volume and can be large, don't log responses for expected updates from nodes - level: Request users: ["client", "kubelet", "system:node-problem-detector", "system:serviceaccount:kube-system:node-problem-detector", "system:serviceaccount:kube-system:aci-connector-linux"] verbs: ["update","patch"] resources: - group: "" resources: ["nodes/status", "pods/status"] omitStages: - "RequestReceived" # node and pod status calls from nodes are high-volume and can be large, don't log responses for expected updates from nodes - level: Request userGroups: ["system:nodes"] verbs: ["update","patch"] resources: - group: "" resources: ["nodes/status", "pods/status"] omitStages: - "RequestReceived" # deletecollection calls can be large, don't log responses for expected namespace deletions - level: Request users: ["system:serviceaccount:kube-system:namespace-controller"] verbs: ["deletecollection"] omitStages: - "RequestReceived" # overriding the default behavior of coredns might have security threats for Kubernetes DNS in security perspective, set the level as RequestResponse - level: RequestResponse verbs: ["update","patch"] resources: - group: "" resources: ["configmaps"] resourceNames: ["coredns-custom"] namespaces: ["kube-system"] omitStages: - "RequestReceived" # Secrets, ConfigMaps, and TokenReviews can contain sensitive & binary data, # so only log at the Metadata level. - level: Metadata resources: - group: "" resources: ["secrets", "configmaps"] - group: authentication.k8s.io resources: ["tokenreviews"] omitStages: - "RequestReceived" # Get repsonses can be large; don't log response - level: Request verbs: ["get", "list", "watch"] resources: - group: "" - group: "admissionregistration.k8s.io" - group: "apiextensions.k8s.io" - group: "apiregistration.k8s.io" - group: "apps" - group: "authentication.k8s.io" - group: "authorization.k8s.io" - group: "autoscaling" - group: "batch" - group: "certificates.k8s.io" - group: "extensions" - group: "metrics.k8s.io" - group: "networking.k8s.io" - group: "policy" - group: "rbac.authorization.k8s.io" - group: "scheduling.k8s.io" - group: "settings.k8s.io" - group: "storage.k8s.io" omitStages: - "RequestReceived" # Default level for known APIs - level: RequestResponse resources: - group: "" - group: "admissionregistration.k8s.io" - group: "apiextensions.k8s.io" - group: "apiregistration.k8s.io" - group: "apps" - group: "authentication.k8s.io" - group: "authorization.k8s.io" - group: "autoscaling" - group: "batch" - group: "certificates.k8s.io" - group: "extensions" - group: "metrics.k8s.io" - group: "networking.k8s.io" - group: "policy" - group: "rbac.authorization.k8s.io" - group: "scheduling.k8s.io" - group: "settings.k8s.io" - group: "storage.k8s.io" omitStages: - "RequestReceived" # Default level for all other requests. - level: Metadata omitStages: - "RequestReceived"