
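apiVersion: audit.k8s.io/v1
kind: Policy
{{- if ShouldEnforceKubernetesDisaStig}}
{{- /* STIG Rule ID: SV-242403r879525_rule */}}
# STIG mode: one catch-all rule audits every request at RequestResponse level,
# i.e. with the full request and response bodies. That includes the payload of
# Secrets on create/update and their contents on get/list, so the audit log
# sink has to be protected at least as tightly as the Secrets themselves.
rules:
  - level: RequestResponse
{{else}}
# The RequestReceived stage is omitted for every rule below; only the
# ResponseStarted/ResponseComplete/Panic stages are written.
omitStages:
  - RequestReceived
rules:
  # Pods: full request and response bodies.
  - level: RequestResponse
    resources:
      - group: ""
        resources: ["pods"]
  # Pod log and status subresources: metadata only, no bodies.
  - level: Metadata
    resources:
      - group: ""
        resources: ["pods/log", "pods/status"]
  # kube-proxy's watches on endpoints and services are not audited.
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: ""
        resources: ["endpoints", "services"]
  # Discovery and version probes from any authenticated principal are not audited.
  - level: None
    userGroups: ["system:authenticated"]
    nonResourceURLs:
      - "/api*"
      - "/version"
  # ConfigMaps in kube-system: metadata plus the request body.
  - level: Request
    resources:
      - group: ""
        resources: ["configmaps"]
    namespaces: ["kube-system"]
  # Secrets: metadata only. Request level would copy the Secret payload sent in
  # every create/update/patch (the `data` field) into the audit log.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets"]
  # All other resources in the core and extensions groups: request body logged.
  - level: Request
    resources:
      - group: ""
      - group: extensions
  # Catch-all for everything not matched above: metadata only.
  - level: Metadata
    omitStages:
      - RequestReceived
{{- end}}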