The module lifecycle stage: General Availability
What is Audit Policy
Audit Policy is a YAML file that defines which events the API server should record.
When a request occurs, Kubernetes checks it against the rules in the file.
The first matching rule determines the logging level.
Policy structure
Deckhouse Kubernetes Platform (DKP) deploys a basic audit policy by default, which can be extended with user-defined rules (the Kubernetes documentation describes the Policy resource in full).
Policy resource field structure
In Kubernetes, an audit policy is defined as a YAML file and consists of a set of rules that determine which events are logged and at what level of detail. The file has the following structure:
```yaml
apiVersion: audit.k8s.io/v1   # API version used for the audit policy
kind: Policy                  # Resource type — always Policy
rules:                        # Set of audit rules
  - level:                    # Log detail level. Required field
    users:                    # List of users whose actions are logged
    userGroups:               # User groups (for example, system:serviceaccounts)
    verbs:                    # Logged actions/operations (create, update, delete, etc.)
    resources:                # Kubernetes resources this rule applies to
    namespaces:               # Namespaces covered by this rule
```
The `rules` array defines audit rules. Each rule contains the following fields:
- `level`: the level of detail for logged events. Possible values, in increasing order of detail:
  - `None`: do not log;
  - `Metadata`: only request metadata (who, when, what, from where; without object content);
  - `Request`: also stores the request body (for write operations);
  - `RequestResponse`: stores both request and response bodies.
- `users`: a list of user names the rule applies to (for example, `["admin"]`). For service accounts, the name usually looks like `system:serviceaccount:<namespace>:<serviceaccount-name>`. For regular users, the name depends on the authentication system configuration. For `User` objects of the `deckhouse.io/v1` API, the `email` field is used as the name.
- `userGroups`: user groups (for example, `["system:authenticated"]`). After authentication, kube-apiserver assigns each user a list of groups (for example, all authenticated users are part of `system:authenticated`, and service accounts belong to additional groups). If a request comes from a user who belongs to at least one group listed in `userGroups`, the rule is applied to that request. Built-in Kubernetes groups:
  - `system:authenticated`: all authenticated users;
  - `system:unauthenticated`: requests from anonymous users;
  - `system:serviceaccounts`: all service accounts in all namespaces;
  - `system:serviceaccounts:<namespace>`: service accounts in a specific namespace.
- `verbs`: list of API operations (`get`, `list`, `create`, `delete`, etc.).
- `resources`: array of target resources. Each entry contains:
  - `group`: API group (for example, `"apps"`, `"batch"`, or `""` for the core group);
  - `resources`: resource kinds (for example, `["pods", "deployments"]`). You can get the full list of resources and groups with `kubectl api-resources`;
  - `resourceNames` (optional): restricts the entry to objects with the listed names, as built-in rule 3 below does for the cert-manager leader election ConfigMaps.
- `namespaces`: array of namespaces where the rule applies.
- `nonResourceURLs`: set of URL paths to audit. The `*` symbol is allowed only as a full, final path segment. Examples: `/metrics` logs requests to apiserver metrics, `/healthz*` logs all health check requests.
- `omitStages`: request stages for which this rule emits no event. The built-in rules below use it to skip the `RequestReceived` stage, so only the completed request is recorded.
Built-in audit rules
Deckhouse Kubernetes Platform uses the following audit rules, which can be extended by users. The rules are evaluated in the order listed, and user-defined rules are inserted before the second-to-last rule (the one that stops logging requests from authenticated users), so a user-defined rule placed there takes precedence over it:
- Do not log frequent updates for Endpoints, EndpointSlices, and Events.
- Do not log leader election operations on Lease resources.
- Do not log cert-manager leader election ConfigMaps.
- Do not log VerticalPodAutoscalerCheckpoints resources.
- Do not log PATCH operations on VerticalPodAutoscaler from recommender.
- Do not log UpmeterHookProbes resources.
- Do not log any operations in d8-upmeter namespace.
- Do not log ingress-nginx leader election updates in ConfigMaps.
- Do not log dex health-check create/delete operations on AuthRequest resources.
- Log create and delete operations for Node resources with request/response payload.
- Log kubectl logs requests (pods/log) at Metadata level.
- Log create/update/patch/delete operations from system service accounts (kube-system, d8-*).
- Log create/update/patch/delete operations for Pod resources.
- Log create/update/patch/delete operations in system namespaces (kube-system, d8-*).
- Log all LIST operations in all namespaces.
- Log create and delete operations for ServiceAccount resources.
- Log create/update/delete/patch operations for Role and ClusterRole resources.
- Log create/update/delete operations for ClusterRoleBinding resources.
- Log attach and ephemeral container related pod subresource operations.
- Log creation of VirtualMachineOperation resources with request/response payload.
- Log create/update/patch/delete operations for virtualization.deckhouse.io resources.
- Log update/patch operations for internal virtualization subresources.
- Log GET operations for subresources.virtualization.deckhouse.io API group.
- Log create/update/patch/delete operations for Pod resources.
- Log create/update/patch/delete operations in d8-virtualization namespace.
- Log create/update/patch/delete operations for ModuleConfig resources.
- Do not log requests from authenticated users.
- Log all remaining (unauthenticated) requests at Metadata level.
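As an added example (not DKP's or kube-apiserver's own code), the Python below applies the first-match evaluation described under Policy structure to a slice of the built-in rule set above (rules 1, 11, 13, 27 and 28) and shows why a user-defined rule only takes effect when it sits before rule 27. Assumptions: the matching semantics are modelled on the upstream kube-apiserver policy checker; the Secrets rule and the sample requests are constructed.

```python
"""Evaluate a Kubernetes audit Policy as kube-apiserver does: rules are tried top to
bottom, the first rule whose selectors all match decides the level, and a request
matching no rule is not logged. Added illustration, not DKP's or kube-apiserver's code;
matching mirrors the upstream checker as the author understands it."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user: str
    groups: tuple               # groups attached by kube-apiserver after authentication
    verb: str
    namespace: str = ""         # "" for cluster-scoped objects
    api_group: str = ""         # "" is the core group
    resource: str = ""          # e.g. "pods"
    subresource: str = ""       # e.g. "log" for pods/log
    name: str = ""
    non_resource_url: str = ""  # set instead of the resource fields, e.g. "/healthz"

def _path_matches(path, spec):
    """A trailing '*' is the only wildcard allowed in nonResourceURLs."""
    return spec == "*" or path == spec or (spec.endswith("*") and path.startswith(spec[:-1]))

def _resource_matches(rule, req):
    if req.non_resource_url:
        return False
    if rule.get("namespaces") and req.namespace not in rule["namespaces"]:
        return False
    if not rule.get("resources"):
        return True
    combined = req.resource + ("/" + req.subresource if req.subresource else "")
    for gr in rule["resources"]:
        if gr.get("group", "") != req.api_group:
            continue
        if not gr.get("resources"):  # whole API group, as in built-in rule 21
            return True
        if gr.get("resourceNames") and req.name not in gr["resourceNames"]:
            continue
        for res in gr["resources"]:
            if (res in ("*", combined) or (res.startswith("*/") and req.subresource == res[2:])
                    or (res.endswith("/*") and req.resource == res[:-2])):
                return True
    return False

def rule_matches(rule, req):
    """Every selector present on the rule must match; an absent selector matches all."""
    if rule.get("users") and req.user not in rule["users"]:
        return False
    if rule.get("userGroups") and not set(rule["userGroups"]) & set(req.groups):
        return False
    if rule.get("verbs") and req.verb not in rule["verbs"]:
        return False
    if (rule.get("namespaces") or rule.get("resources")) and not _resource_matches(rule, req):
        return False
    if rule.get("nonResourceURLs") and (not req.non_resource_url or not any(
            _path_matches(req.non_resource_url, s) for s in rule["nonResourceURLs"])):
        return False
    return True

def evaluate(rules, req):
    """Return (level, index of the deciding rule), or ("None", -1) if nothing matched."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, req):
            return rule["level"], i
    return "None", -1

# DKP built-in rules 1, 11, 13 (head) and 27, 28 (tail), in page order.
BUILTIN_HEAD = [
    {"level": "None", "resources": [{"resources": ["endpoints", "endpointslices", "events"]}]},
    {"level": "Metadata", "resources": [{"resources": ["pods/log"]}]},
    {"level": "Request", "verbs": ["create", "delete", "patch", "update"],
     "resources": [{"resources": ["pods"]}]},
]
BUILTIN_TAIL = [
    {"level": "None", "userGroups": ["system:authenticated"]},  # rule 27
    {"level": "Metadata"},                                        # rule 28
]
# Constructed user-defined rule: record reads of Secrets at Metadata level.
USER_RULES = [{"level": "Metadata", "verbs": ["get"], "resources": [{"resources": ["secrets"]}]}]

def dkp_policy(user_rules):
    """DKP inserts user-defined rules before rule 27, which silences authenticated users."""
    return BUILTIN_HEAD + list(user_rules) + BUILTIN_TAIL

AUTHED = ("system:authenticated",)
SAMPLES = {  # constructed requests
    "endpoints_update": Request("system:kube-controller-manager", AUTHED, "update", "default", "", "endpoints"),
    "pod_log": Request("alice@example.com", AUTHED, "get", "default", "", "pods", "log", "web-0"),
    "pod_delete": Request("alice@example.com", AUTHED, "delete", "default", "", "pods", "", "web-0"),
    "secret_get": Request("alice@example.com", AUTHED, "get", "default", "", "secrets", "", "db-creds"),
    "anon_healthz": Request("system:anonymous", ("system:unauthenticated",), "get", non_resource_url="/healthz"),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, evaluate(dkp_policy(USER_RULES), req))
```

Appending the same Secrets rule after rule 27 instead (`BUILTIN_HEAD + BUILTIN_TAIL + USER_RULES`) makes `secret_get` resolve to rule 27 and level `None`, so the read is never recorded.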
Rule manifests
1. Do not log frequent updates for Endpoints, EndpointSlices, and Events.
```yaml
level: None
resources:
  - resources:
      - endpoints
      - endpointslices
      - events
```
2. Do not log leader election operations on Lease resources.
```yaml
level: None
resources:
  - group: coordination.k8s.io
    resources:
      - leases
```
3. Do not log cert-manager leader election ConfigMaps.
```yaml
level: None
resources:
  - resources:
      - configmaps
    resourceNames:
      - cert-manager-cainjector-leader-election
      - cert-manager-controller
```
4. Do not log VerticalPodAutoscalerCheckpoints resources.
```yaml
level: None
resources:
  - group: autoscaling.k8s.io
    resources:
      - verticalpodautoscalercheckpoints
```
5. Do not log PATCH operations on VerticalPodAutoscaler from recommender.
```yaml
level: None
users:
  - system:serviceaccount:kube-system:d8-vertical-pod-autoscaler-recommender
verbs:
  - patch
resources:
  - group: autoscaling.k8s.io
    resources:
      - verticalpodautoscalers
```
6. Do not log UpmeterHookProbes resources.
```yaml
level: None
resources:
  - group: deckhouse.io
    resources:
      - upmeterhookprobes
```
7. Do not log any operations in d8-upmeter namespace.
```yaml
level: None
namespaces:
  - d8-upmeter
```
8. Do not log ingress-nginx leader election updates in ConfigMaps.
```yaml
level: None
users:
  - system:serviceaccount:d8-ingress-nginx:ingress-nginx
verbs:
  - update
resources:
  - resources:
      - configmaps
namespaces:
  - d8-ingress-nginx
```
9. Do not log dex health-check create/delete operations on AuthRequest resources.
```yaml
level: None
users:
  - system:serviceaccount:d8-user-authn:dex
verbs:
  - create
  - delete
resources:
  - group: dex.coreos.com
    resources:
      - authrequests
namespaces:
  - d8-user-authn
```
10. Log create and delete operations for Node resources with request/response payload.
```yaml
level: RequestResponse
verbs:
  - create
  - delete
resources:
  - resources:
      - nodes
```
11. Log kubectl logs requests (pods/log) at Metadata level.
```yaml
level: Metadata
resources:
  - resources:
      - pods/log
```
12. Log create/update/patch/delete operations from system service accounts (kube-system, d8-*).
```yaml
level: Metadata
users:
  - system:serviceaccount:d8-cert-manager:cainjector
  - system:serviceaccount:d8-cert-manager:cert-manager
  - system:serviceaccount:d8-cert-manager:webhook
  - system:serviceaccount:d8-chrony:chrony-exporter
  - system:serviceaccount:d8-chrony:chrony-exporter-master
  - system:serviceaccount:d8-cloud-instance-manager:caps-controller-manager
  - system:serviceaccount:d8-cloud-instance-manager:cluster-autoscaler
  - system:serviceaccount:d8-cloud-instance-manager:fencing-agent
  - system:serviceaccount:d8-cloud-instance-manager:machine-controller-manager
  - system:serviceaccount:d8-cloud-instance-manager:node-controller
  - system:serviceaccount:d8-cloud-instance-manager:node-feature-discovery-gc
  - system:serviceaccount:d8-cloud-instance-manager:node-feature-discovery-master
  - system:serviceaccount:d8-cloud-instance-manager:node-feature-discovery-worker
  - system:serviceaccount:d8-cloud-instance-manager:node-group
  - system:serviceaccount:d8-cloud-instance-manager:node-group-exporter
  - system:serviceaccount:d8-cloud-instance-manager:nvidia-dcgm-exporter
  - system:serviceaccount:d8-cloud-instance-manager:nvidia-device-plugin
  - system:serviceaccount:d8-cloud-instance-manager:nvidia-gpu-feature-discovery
  - system:serviceaccount:d8-cloud-instance-manager:nvidia-mig-manager
  - system:serviceaccount:d8-cloud-instance-manager:registry-packages-proxy
  - system:serviceaccount:d8-cloud-provider-aws:cloud-controller-manager
  - system:serviceaccount:d8-cloud-provider-aws:cloud-data-discoverer
  - system:serviceaccount:d8-cloud-provider-aws:node-termination-handler
  - system:serviceaccount:d8-cloud-provider-azure:cloud-controller-manager
  - system:serviceaccount:d8-cloud-provider-azure:cloud-data-discoverer
  - system:serviceaccount:d8-cloud-provider-dvp:capdvp-controller-manager
  - system:serviceaccount:d8-cloud-provider-dvp:cloud-controller-manager
  - system:serviceaccount:d8-cloud-provider-dvp:cloud-data-discoverer
  - system:serviceaccount:d8-cloud-provider-dynamix:capd-controller-manager
  - system:serviceaccount:d8-cloud-provider-dynamix:cloud-controller-manager
  - system:serviceaccount:d8-cloud-provider-dynamix:cloud-data-discoverer
  - system:serviceaccount:d8-cloud-provider-gcp:cloud-controller-manager
  - system:serviceaccount:d8-cloud-provider-gcp:cloud-data-discoverer
  - system:serviceaccount:d8-cloud-provider-huaweicloud:caphc-controller-manager
  - system:serviceaccount:d8-cloud-provider-huaweicloud:cloud-controller-manager
  - system:serviceaccount:d8-cloud-provider-huaweicloud:cloud-data-discoverer
  - system:serviceaccount:d8-cloud-provider-openstack:cloud-controller-manager
  - system:serviceaccount:d8-cloud-provider-openstack:cloud-data-discoverer
  - system:serviceaccount:d8-cloud-provider-vcd:capcd-controller-manager
  - system:serviceaccount:d8-cloud-provider-vcd:cloud-controller-manager
  - system:serviceaccount:d8-cloud-provider-vcd:cloud-data-discoverer
  - system:serviceaccount:d8-cloud-provider-vcd:infra-controller-manager
  - system:serviceaccount:d8-cloud-provider-vsphere:cloud-controller-manager
  - system:serviceaccount:d8-cloud-provider-vsphere:cloud-data-discoverer
  - system:serviceaccount:d8-cloud-provider-yandex:capy-controller-manager
  - system:serviceaccount:d8-cloud-provider-yandex:cloud-controller-manager
  - system:serviceaccount:d8-cloud-provider-yandex:cloud-data-discoverer
  - system:serviceaccount:d8-cloud-provider-yandex:cloud-metrics-exporter
  - system:serviceaccount:d8-cloud-provider-zvirt:capz-controller-manager
  - system:serviceaccount:d8-cloud-provider-zvirt:cloud-controller-manager
  - system:serviceaccount:d8-cloud-provider-zvirt:cloud-data-discoverer
  - system:serviceaccount:d8-cni-cilium:agent
  - system:serviceaccount:d8-cni-cilium:egress-gateway-agent
  - system:serviceaccount:d8-cni-cilium:operator
  - system:serviceaccount:d8-cni-cilium:relay
  - system:serviceaccount:d8-cni-cilium:safe-agent-updater
  - system:serviceaccount:d8-cni-cilium:ui
  - system:serviceaccount:d8-cni-flannel:cni-flannel
  - system:serviceaccount:d8-cni-simple-bridge:cni-simple-bridge
  - system:serviceaccount:d8-csi-vsphere:cloud-data-discoverer
  - system:serviceaccount:d8-descheduler:descheduler
  - system:serviceaccount:d8-istio:alliance-healthcheck
  - system:serviceaccount:d8-istio:alliance-ingressgateway
  - system:serviceaccount:d8-istio:alliance-metadata-exporter
  - system:serviceaccount:d8-istio:cni
  - system:serviceaccount:d8-istio:ingress-gateway-controller
  - system:serviceaccount:d8-istio:kiali
  - system:serviceaccount:d8-istio:multicluster-api-proxy
  - system:serviceaccount:d8-istio:multicluster-metrics-exporter
  - system:serviceaccount:d8-istio:waypoint-controller
  - system:serviceaccount:d8-istio:ztunnel
  - system:serviceaccount:d8-local-path-provisioner:local-path-provisioner
  - system:serviceaccount:d8-metallb:controller
  - system:serviceaccount:d8-metallb:l2lb-controller
  - system:serviceaccount:d8-metallb:l2lb-speaker
  - system:serviceaccount:d8-metallb:speaker
  - system:serviceaccount:d8-monitoring:kube-state-metrics
  - system:serviceaccount:d8-monitoring:node-exporter
  - system:serviceaccount:d8-monitoring:oom-kills-exporter
  - system:serviceaccount:d8-multitenancy-manager:multitenancy-manager
  - system:serviceaccount:d8-openvpn:openvpn
  - system:serviceaccount:d8-service-with-healthchecks:agent
  - system:serviceaccount:d8-service-with-healthchecks:controller
  - system:serviceaccount:d8-system:deckhouse
  - system:serviceaccount:d8-system:documentation
  - system:serviceaccount:d8-system:network-policy-engine
  - system:serviceaccount:d8-system:registry-nodeservices
  - system:serviceaccount:d8-system:terraform-auto-converger
  - system:serviceaccount:d8-system:terraform-state-exporter
  - system:serviceaccount:d8-system:webhook-handler
  - system:serviceaccount:d8-upmeter:smoke-mini
  - system:serviceaccount:d8-upmeter:upmeter
  - system:serviceaccount:d8-upmeter:upmeter-agent
  - system:serviceaccount:d8-user-authn:basic-auth-proxy
  - system:serviceaccount:d8-user-authn:dex
  - system:serviceaccount:d8-user-authz:permission-browser-apiserver
  - system:serviceaccount:d8-user-authz:webhook
  - system:serviceaccount:kube-system:d8-control-plane-manager
  - system:serviceaccount:kube-system:d8-control-plane-manager-control-plane-proxy
  - system:serviceaccount:kube-system:d8-kube-dns
  - system:serviceaccount:kube-system:d8-kube-proxy
  - system:serviceaccount:kube-system:d8-node-local-dns
  - system:serviceaccount:kube-system:d8-vertical-pod-autoscaler-admission-controller
  - system:serviceaccount:kube-system:d8-vertical-pod-autoscaler-recommender
  - system:serviceaccount:kube-system:d8-vertical-pod-autoscaler-updater
  - system:serviceaccount:kube-system:node-local-dns-safe-updater
  - system:serviceaccount:kube-system:stale-dns-connections-cleaner
userGroups:
  - system:serviceaccounts
verbs:
  - create
  - update
  - patch
  - delete
omitStages:
  - RequestReceived
```
13. Log create/update/patch/delete operations for Pod resources.
```yaml
level: Request
verbs:
  - create
  - delete
  - patch
  - update
resources:
  - resources:
      - pods
omitStages:
  - RequestReceived
```
14. Log create/update/patch/delete operations in system namespaces (kube-system, d8-*).
```yaml
level: Metadata
verbs:
  - create
  - update
  - patch
  - delete
namespaces:
  - d8-admission-policy-engine
  - d8-cert-manager
  - d8-chrony
  - d8-cloud-instance-manager
  - d8-cloud-provider-aws
  - d8-cloud-provider-azure
  - d8-cloud-provider-dvp
  - d8-cloud-provider-dynamix
  - d8-cloud-provider-gcp
  - d8-cloud-provider-huaweicloud
  - d8-cloud-provider-openstack
  - d8-cloud-provider-vcd
  - d8-cloud-provider-vsphere
  - d8-cloud-provider-yandex
  - d8-cloud-provider-zvirt
  - d8-cni-cilium
  - d8-cni-flannel
  - d8-cni-simple-bridge
  - d8-csi-vsphere
  - d8-descheduler
  - d8-istio
  - d8-keepalived
  - d8-local-path-provisioner
  - d8-metallb
  - d8-monitoring
  - d8-multitenancy-manager
  - d8-network-gateway
  - d8-okmeter
  - d8-openvpn
  - d8-service-with-healthchecks
  - d8-system
  - d8-upmeter
  - d8-user-authn
  - d8-user-authz
  - kube-system
omitStages:
  - RequestReceived
```
15. Log all LIST operations in all namespaces.
```yaml
level: Metadata
verbs:
  - list
```
16. Log create and delete operations for ServiceAccount resources.
```yaml
level: Metadata
verbs:
  - create
  - delete
resources:
  - resources:
      - serviceaccounts
omitStages:
  - RequestReceived
```
17. Log create/update/delete/patch operations for Role and ClusterRole resources.
```yaml
level: Request
verbs:
  - create
  - update
  - delete
  - patch
resources:
  - group: rbac.authorization.k8s.io
    resources:
      - roles
      - clusterroles
omitStages:
  - RequestReceived
```
18. Log create/update/delete operations for ClusterRoleBinding resources.
```yaml
level: Request
verbs:
  - create
  - update
  - delete
resources:
  - group: rbac.authorization.k8s.io
    resources:
      - clusterrolebindings
omitStages:
  - RequestReceived
```
19. Log attach and ephemeral container related pod subresource operations.
```yaml
level: Request
verbs:
  - get
  - patch
  - create
resources:
  - resources:
      - pods/attach
      - pods/ephemeralcontainers
omitStages:
  - RequestReceived
```
20. Log creation of VirtualMachineOperation resources with request/response payload.
```yaml
level: RequestResponse
verbs:
  - create
resources:
  - group: virtualization.deckhouse.io
    resources:
      - virtualmachineoperations
```
21. Log create/update/patch/delete operations for virtualization.deckhouse.io resources.
```yaml
level: Metadata
verbs:
  - create
  - update
  - patch
  - delete
resources:
  - group: virtualization.deckhouse.io
```
22. Log update/patch operations for internal virtualization subresources.
```yaml
level: Metadata
verbs:
  - update
  - patch
resources:
  - group: internal.virtualization.deckhouse.io
    resources:
      - internalvirtualizationvirtualmachineinstances
```
23. Log GET operations for subresources.virtualization.deckhouse.io API group.
```yaml
level: Metadata
verbs:
  - get
resources:
  - group: subresources.virtualization.deckhouse.io
```
24. Log create/update/patch/delete operations for Pod resources.
```yaml
level: Metadata
verbs:
  - create
  - update
  - patch
  - delete
resources:
  - resources:
      - pods
```
25. Log create/update/patch/delete operations in d8-virtualization namespace.
```yaml
level: Metadata
verbs:
  - create
  - update
  - patch
  - delete
namespaces:
  - d8-virtualization
```
26. Log create/update/patch/delete operations for ModuleConfig resources.
```yaml
level: Metadata
verbs:
  - create
  - update
  - patch
  - delete
resources:
  - group: deckhouse.io
    resources:
      - moduleconfigs
```
27. Do not log requests from authenticated users.
```yaml
level: None
userGroups:
  - system:authenticated
```
28. Log all remaining (unauthenticated) requests at Metadata level.
```yaml
level: Metadata
```
Full policy example
```yaml
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  # 1: Do not log frequent updates for `Endpoints`, `EndpointSlices`, and `Events`.
  - level: None
    resources:
      - resources:
          - endpoints
          - endpointslices
          - events
  # 2: Do not log leader election operations on `Lease` resources.
  - level: None
    resources:
      - group: coordination.k8s.io
        resources:
          - leases
  # 3: Do not log cert-manager leader election ConfigMaps.
  - level: None
    resources:
      - resources:
          - configmaps
        resourceNames:
          - cert-manager-cainjector-leader-election
          - cert-manager-controller
  # 4: Do not log VerticalPodAutoscalerCheckpoints resources.
  - level: None
    resources:
      - group: autoscaling.k8s.io
        resources:
          - verticalpodautoscalercheckpoints
  # 5: Do not log PATCH operations on `VerticalPodAutoscaler` from recommender.
  - level: None
    users:
      - system:serviceaccount:kube-system:d8-vertical-pod-autoscaler-recommender
    verbs:
      - patch
    resources:
      - group: autoscaling.k8s.io
        resources:
          - verticalpodautoscalers
  # 6: Do not log UpmeterHookProbes resources.
  - level: None
    resources:
      - group: deckhouse.io
        resources:
          - upmeterhookprobes
  # 7: Do not log any operations in `d8-upmeter` namespace.
  - level: None
    namespaces:
      - d8-upmeter
  # 8: Do not log ingress-nginx leader election updates in ConfigMaps.
  - level: None
    users:
      - system:serviceaccount:d8-ingress-nginx:ingress-nginx
    verbs:
      - update
    resources:
      - resources:
          - configmaps
    namespaces:
      - d8-ingress-nginx
  # 9: Do not log dex health-check create/delete operations on `AuthRequest` resources.
  - level: None
    users:
      - system:serviceaccount:d8-user-authn:dex
    verbs:
      - create
      - delete
    resources:
      - group: dex.coreos.com
        resources:
          - authrequests
    namespaces:
      - d8-user-authn
  # 10: Log create and delete operations for Node resources with request/response payload.
  - level: RequestResponse
    verbs:
      - create
      - delete
    resources:
      - resources:
          - nodes
  # 11: Log kubectl logs requests (pods/log) at Metadata level.
  - level: Metadata
    resources:
      - resources:
          - pods/log
  # 12: Log create/update/patch/delete operations from system service accounts (`kube-system`, `d8-*`).
  - level: Metadata
    users:
      - system:serviceaccount:d8-cert-manager:cainjector
      - system:serviceaccount:d8-cert-manager:cert-manager
      - system:serviceaccount:d8-cert-manager:webhook
      - system:serviceaccount:d8-chrony:chrony-exporter
      - system:serviceaccount:d8-chrony:chrony-exporter-master
      - system:serviceaccount:d8-cloud-instance-manager:caps-controller-manager
      - system:serviceaccount:d8-cloud-instance-manager:cluster-autoscaler
      - system:serviceaccount:d8-cloud-instance-manager:fencing-agent
      - system:serviceaccount:d8-cloud-instance-manager:machine-controller-manager
      - system:serviceaccount:d8-cloud-instance-manager:node-controller
      - system:serviceaccount:d8-cloud-instance-manager:node-feature-discovery-gc
      - system:serviceaccount:d8-cloud-instance-manager:node-feature-discovery-master
      - system:serviceaccount:d8-cloud-instance-manager:node-feature-discovery-worker
      - system:serviceaccount:d8-cloud-instance-manager:node-group
      - system:serviceaccount:d8-cloud-instance-manager:node-group-exporter
      - system:serviceaccount:d8-cloud-instance-manager:nvidia-dcgm-exporter
      - system:serviceaccount:d8-cloud-instance-manager:nvidia-device-plugin
      - system:serviceaccount:d8-cloud-instance-manager:nvidia-gpu-feature-discovery
      - system:serviceaccount:d8-cloud-instance-manager:nvidia-mig-manager
      - system:serviceaccount:d8-cloud-instance-manager:registry-packages-proxy
      - system:serviceaccount:d8-cloud-provider-aws:cloud-controller-manager
      - system:serviceaccount:d8-cloud-provider-aws:cloud-data-discoverer
      - system:serviceaccount:d8-cloud-provider-aws:node-termination-handler
      - system:serviceaccount:d8-cloud-provider-azure:cloud-controller-manager
      - system:serviceaccount:d8-cloud-provider-azure:cloud-data-discoverer
      - system:serviceaccount:d8-cloud-provider-dvp:capdvp-controller-manager
      - system:serviceaccount:d8-cloud-provider-dvp:cloud-controller-manager
      - system:serviceaccount:d8-cloud-provider-dvp:cloud-data-discoverer
      - system:serviceaccount:d8-cloud-provider-dynamix:capd-controller-manager
      - system:serviceaccount:d8-cloud-provider-dynamix:cloud-controller-manager
      - system:serviceaccount:d8-cloud-provider-dynamix:cloud-data-discoverer
      - system:serviceaccount:d8-cloud-provider-gcp:cloud-controller-manager
      - system:serviceaccount:d8-cloud-provider-gcp:cloud-data-discoverer
      - system:serviceaccount:d8-cloud-provider-huaweicloud:caphc-controller-manager
      - system:serviceaccount:d8-cloud-provider-huaweicloud:cloud-controller-manager
      - system:serviceaccount:d8-cloud-provider-huaweicloud:cloud-data-discoverer
      - system:serviceaccount:d8-cloud-provider-openstack:cloud-controller-manager
      - system:serviceaccount:d8-cloud-provider-openstack:cloud-data-discoverer
      - system:serviceaccount:d8-cloud-provider-vcd:capcd-controller-manager
      - system:serviceaccount:d8-cloud-provider-vcd:cloud-controller-manager
      - system:serviceaccount:d8-cloud-provider-vcd:cloud-data-discoverer
      - system:serviceaccount:d8-cloud-provider-vcd:infra-controller-manager
      - system:serviceaccount:d8-cloud-provider-vsphere:cloud-controller-manager
      - system:serviceaccount:d8-cloud-provider-vsphere:cloud-data-discoverer
      - system:serviceaccount:d8-cloud-provider-yandex:capy-controller-manager
      - system:serviceaccount:d8-cloud-provider-yandex:cloud-controller-manager
      - system:serviceaccount:d8-cloud-provider-yandex:cloud-data-discoverer
      - system:serviceaccount:d8-cloud-provider-yandex:cloud-metrics-exporter
      - system:serviceaccount:d8-cloud-provider-zvirt:capz-controller-manager
      - system:serviceaccount:d8-cloud-provider-zvirt:cloud-controller-manager
      - system:serviceaccount:d8-cloud-provider-zvirt:cloud-data-discoverer
      - system:serviceaccount:d8-cni-cilium:agent
      - system:serviceaccount:d8-cni-cilium:egress-gateway-agent
      - system:serviceaccount:d8-cni-cilium:operator
      - system:serviceaccount:d8-cni-cilium:relay
      - system:serviceaccount:d8-cni-cilium:safe-agent-updater
      - system:serviceaccount:d8-cni-cilium:ui
      - system:serviceaccount:d8-cni-flannel:cni-flannel
      - system:serviceaccount:d8-cni-simple-bridge:cni-simple-bridge
      - system:serviceaccount:d8-csi-vsphere:cloud-data-discoverer
      - system:serviceaccount:d8-descheduler:descheduler
      - system:serviceaccount:d8-istio:alliance-healthcheck
      - system:serviceaccount:d8-istio:alliance-ingressgateway
      - system:serviceaccount:d8-istio:alliance-metadata-exporter
      - system:serviceaccount:d8-istio:cni
      - system:serviceaccount:d8-istio:ingress-gateway-controller
      - system:serviceaccount:d8-istio:kiali
      - system:serviceaccount:d8-istio:multicluster-api-proxy
      - system:serviceaccount:d8-istio:multicluster-metrics-exporter
      - system:serviceaccount:d8-istio:waypoint-controller
      - system:serviceaccount:d8-istio:ztunnel
      - system:serviceaccount:d8-local-path-provisioner:local-path-provisioner
      - system:serviceaccount:d8-metallb:controller
      - system:serviceaccount:d8-metallb:l2lb-controller
      - system:serviceaccount:d8-metallb:l2lb-speaker
      - system:serviceaccount:d8-metallb:speaker
      - system:serviceaccount:d8-monitoring:kube-state-metrics
      - system:serviceaccount:d8-monitoring:node-exporter
      - system:serviceaccount:d8-monitoring:oom-kills-exporter
      - system:serviceaccount:d8-multitenancy-manager:multitenancy-manager
      - system:serviceaccount:d8-openvpn:openvpn
      - system:serviceaccount:d8-service-with-healthchecks:agent
      - system:serviceaccount:d8-service-with-healthchecks:controller
      - system:serviceaccount:d8-system:deckhouse
      - system:serviceaccount:d8-system:documentation
      - system:serviceaccount:d8-system:network-policy-engine
      - system:serviceaccount:d8-system:registry-nodeservices
      - system:serviceaccount:d8-system:terraform-auto-converger
      - system:serviceaccount:d8-system:terraform-state-exporter
      - system:serviceaccount:d8-system:webhook-handler
      - system:serviceaccount:d8-upmeter:smoke-mini
      - system:serviceaccount:d8-upmeter:upmeter
      - system:serviceaccount:d8-upmeter:upmeter-agent
      - system:serviceaccount:d8-user-authn:basic-auth-proxy
      - system:serviceaccount:d8-user-authn:dex
      - system:serviceaccount:d8-user-authz:permission-browser-apiserver
      - system:serviceaccount:d8-user-authz:webhook
      - system:serviceaccount:kube-system:d8-control-plane-manager
      - system:serviceaccount:kube-system:d8-control-plane-manager-control-plane-proxy
      - system:serviceaccount:kube-system:d8-kube-dns
      - system:serviceaccount:kube-system:d8-kube-proxy
      - system:serviceaccount:kube-system:d8-node-local-dns
      - system:serviceaccount:kube-system:d8-vertical-pod-autoscaler-admission-controller
      - system:serviceaccount:kube-system:d8-vertical-pod-autoscaler-recommender
      - system:serviceaccount:kube-system:d8-vertical-pod-autoscaler-updater
      - system:serviceaccount:kube-system:node-local-dns-safe-updater
      - system:serviceaccount:kube-system:stale-dns-connections-cleaner
    userGroups:
      - system:serviceaccounts
    verbs:
      - create
      - update
      - patch
      - delete
    omitStages:
      - RequestReceived
  # 13: Log create/update/patch/delete operations for Pod resources.
  - level: Request
    verbs:
      - create
      - delete
      - patch
      - update
    resources:
      - resources:
          - pods
    omitStages:
      - RequestReceived
  # 14: Log create/update/patch/delete operations in system namespaces (`kube-system`, `d8-*`).
  - level: Metadata
    verbs:
      - create
      - update
      - patch
      - delete
    namespaces:
      - d8-admission-policy-engine
      - d8-cert-manager
      - d8-chrony
      - d8-cloud-instance-manager
      - d8-cloud-provider-aws
      - d8-cloud-provider-azure
      - d8-cloud-provider-dvp
      - d8-cloud-provider-dynamix
      - d8-cloud-provider-gcp
      - d8-cloud-provider-huaweicloud
      - d8-cloud-provider-openstack
      - d8-cloud-provider-vcd
      - d8-cloud-provider-vsphere
      - d8-cloud-provider-yandex
      - d8-cloud-provider-zvirt
      - d8-cni-cilium
      - d8-cni-flannel
      - d8-cni-simple-bridge
      - d8-csi-vsphere
      - d8-descheduler
      - d8-istio
      - d8-keepalived
      - d8-local-path-provisioner
      - d8-metallb
      - d8-monitoring
      - d8-multitenancy-manager
      - d8-network-gateway
      - d8-okmeter
      - d8-openvpn
      - d8-service-with-healthchecks
      - d8-system
      - d8-upmeter
      - d8-user-authn
      - d8-user-authz
      - kube-system
    omitStages:
      - RequestReceived
  # 15: Log all LIST operations in all namespaces.
  - level: Metadata
    verbs:
      - list
  # 16: Log create and delete operations for ServiceAccount resources.
  - level: Metadata
    verbs:
      - create
      - delete
    resources:
      - resources:
          - serviceaccounts
    omitStages:
      - RequestReceived
  # 17: Log create/update/delete/patch operations for Role and ClusterRole resources.
  - level: Request
    verbs:
      - create
      - update
      - delete
      - patch
    resources:
      - group: rbac.authorization.k8s.io
        resources:
          - roles
          - clusterroles
    omitStages:
      - RequestReceived
  # 18: Log create/update/delete operations for ClusterRoleBinding resources.
  - level: Request
    verbs:
      - create
      - update
      - delete
    resources:
      - group: rbac.authorization.k8s.io
        resources:
          - clusterrolebindings
    omitStages:
      - RequestReceived
  # 19: Log attach and ephemeral container related pod subresource operations.
  - level: Request
    verbs:
      - get
      - patch
      - create
    resources:
      - resources:
          - pods/attach
          - pods/ephemeralcontainers
    omitStages:
      - RequestReceived
  # 20: Log creation of VirtualMachineOperation resources with request/response payload.
  - level: RequestResponse
    verbs:
      - create
    resources:
      - group: virtualization.deckhouse.io
        resources:
          - virtualmachineoperations
  # 21: Log create/update/patch/delete operations for virtualization.deckhouse.io resources.
  - level: Metadata
    verbs:
      - create
      - update
      - patch
      - delete
    resources:
      - group: virtualization.deckhouse.io
  # 22: Log update/patch operations for internal virtualization subresources.
  - level: Metadata
    verbs:
      - update
      - patch
    resources:
      - group: internal.virtualization.deckhouse.io
        resources:
          - internalvirtualizationvirtualmachineinstances
  # 23: Log GET operations for subresources.virtualization.deckhouse.io API group.
  - level: Metadata
    verbs:
      - get
    resources:
      - group: subresources.virtualization.deckhouse.io
  # 24: Log create/update/patch/delete operations for `Pod` resources.
  - level: Metadata
    verbs:
      - create
      - update
      - patch
      - delete
    resources:
      - resources:
          - pods
  # 25: Log create/update/patch/delete operations in `d8-virtualization` namespace.
  - level: Metadata
    verbs:
      - create
      - update
      - patch
      - delete
    namespaces:
      - d8-virtualization
  # 26: Log create/update/patch/delete operations for ModuleConfig resources.
  - level: Metadata
    verbs:
      - create
      - update
      - patch
      - delete
    resources:
      - group: deckhouse.io
        resources:
          - moduleconfigs
  ############
  # User-defined rules from secret kube-system/audit-policy are inserted here
  ############
  # 27: Do not log requests from authenticated users.
  - level: None
    userGroups:
      - system:authenticated
  # 28: Log all remaining (unauthenticated) requests at Metadata level.
  - level: Metadata
```