Module lifecycle stage: General Availability

What is Audit Policy

Audit Policy is a YAML file that defines which events the API server should record.
When a request occurs, Kubernetes checks it against the rules in the file.
The first matching rule determines the logging level.

Policy structure

Deckhouse Kubernetes Platform (DKP) deploys a basic audit policy by default, which can be extended with user-defined rules.

Policy resource field structure

The full field reference for the Policy resource is in the Kubernetes documentation.

In Kubernetes, an audit policy is defined as a YAML file and consists of a set of rules that determine which events are logged and at what level of detail. The file has the following structure:

apiVersion: audit.k8s.io/v1  # API version used for the audit policy
kind: Policy                 # Resource type — always Policy
rules:                       # Set of audit rules
  - level:                     # Log detail level. Required field
    users:                     # List of users whose actions are logged
    userGroups:                # User groups (for example, system:serviceaccounts)
    verbs:                     # Logged actions/operations (create, update, delete, etc.)
    resources:                 # Kubernetes resources this rule applies to
    namespaces:                # Namespaces covered by this rule

The rules array defines audit rules. Rules are evaluated in order and the first matching rule wins; a request that matches no rule is not logged at all. Within a rule, every field that is set must match (an unset field matches anything), so a rule that sets both users and verbs applies only to requests that satisfy both. Each rule can contain the following fields:

  • level — the level of detail for logged events. Required field. Possible values (from least detailed to most detailed):
    • None — do not log,
    • Metadata — only request metadata (who, when, what, from where; without object content),
    • Request — metadata plus the request body (for requests that carry one, such as create, update and patch; does not apply to non-resource requests),
    • RequestResponse — metadata plus both request and response bodies (does not apply to non-resource requests).
  • users — a list of user names the rule applies to (for example, ["admin"]). For service accounts, the name has the form system:serviceaccount:<namespace>:<serviceaccount-name>. For regular users, the name depends on the authentication system configuration; users created via the DKP User resource (deckhouse.io/v1) are identified by their email address.

  • userGroups — user groups (for example, ["system:authenticated"]). After authentication, kube-apiserver assigns each user a list of groups (for example, all authenticated users are part of system:authenticated, and service accounts belong to additional groups). The rule applies if the requesting user belongs to at least one of the listed groups.

    Built-in Kubernetes groups:

    • system:authenticated — all authenticated users.
    • system:unauthenticated — requests from anonymous users.
    • system:serviceaccounts — all service accounts in all namespaces.
    • system:serviceaccounts:<namespace> — service accounts in a specific namespace.
  • verbs — list of API operations (get, list, watch, create, update, patch, delete, etc.).

  • resources — array of target resources:
    • group — API group (for example, "apps", "batch", "" for the core group),
    • resources — resource names in their lowercase plural form (for example, ["pods", "deployments"]). A subresource is written as resource/subresource (for example, pods/log), and * is accepted as a wildcard (*, */subresource, resource/*). You can get the full list of resources and groups with kubectl api-resources.
    • resourceNames — optional list of object names; when set, the rule matches only objects with one of these names (see built-in rule 3 below).
  • namespaces — array of namespaces where the rule applies. Cluster-scoped objects (Node, ClusterRole, etc.) have an empty namespace, so a rule that lists namespaces never matches them.

  • nonResourceURLs — set of URL paths to audit. The * symbol is allowed only as a full, final path segment. A rule that sets resources or namespaces matches only resource requests; a rule that sets nonResourceURLs (and neither resources nor namespaces) matches only non-resource requests. Examples:
    • /metrics — log requests to apiserver metrics,
    • /healthz* — log all health check requests.

  • omitStages — audit stages (RequestReceived, ResponseStarted, ResponseComplete, Panic) for which no event is generated when this rule matches. The built-in rules below omit RequestReceived, which suppresses the event written as soon as a request arrives and keeps only the events written when the response is sent.
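To make the matching semantics concrete, here is an added example (not code from DKP or Kubernetes): a small Python re-implementation of the first-match evaluation kube-apiserver applies to audit.k8s.io/v1 rules, modelled on the matching order of k8s.io/apiserver/pkg/audit/policy. The constructed policy reuses built-in rules 11, 13, 24, 27 and 28 from this page in their original order and adds one hypothetical user-defined rule for RoleBindings in the slot where DKP inserts user rules (before rule 27). The user alice@example.com, the namespace prod and all sample requests are constructed for the illustration.

```python
# Added example, not DKP or Kubernetes code: a re-implementation of the first-match
# semantics kube-apiserver applies to audit.k8s.io/v1 Policy rules (after
# k8s.io/apiserver/pkg/audit/policy): every field set on a rule must match,
# the first matching rule decides the level, and an unmatched request is not logged.
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    verb: str
    group: str = ""        # API group; "" is the core group
    resource: str = ""     # empty for non-resource URLs such as /healthz
    subresource: str = ""  # "log" for pods/log
    name: str = ""
    namespace: str = ""    # "" for cluster-scoped objects
    path: str = ""         # non-resource URL path

def _resource_matches(rule, req):
    if not req.resource:  # resources/namespaces rules never match non-resource URLs
        return False
    if rule.get("namespaces") and req.namespace not in rule["namespaces"]:
        return False
    if not rule.get("resources"):
        return True
    combined = f"{req.resource}/{req.subresource}" if req.subresource else req.resource
    for gr in rule["resources"]:
        if gr.get("group", "") != req.group:
            continue
        if not gr.get("resources"):
            return True  # whole API group
        if gr.get("resourceNames") and req.name not in gr["resourceNames"]:
            continue
        for res in gr["resources"]:  # exact, "*", "*/sub" and "resource/*" forms
            if res in (combined, "*") or (req.subresource and res == f"*/{req.subresource}"):
                return True
            if res.endswith("/*") and res[:-2] == req.resource:
                return True
    return False

def _nonresource_matches(rule, req):
    if req.resource:
        return False
    for spec in rule["nonResourceURLs"]:  # "*" only as the final path segment
        if spec in ("*", req.path) or (spec.endswith("*") and req.path.startswith(spec.rstrip("*"))):
            return True
    return False

def rule_matches(rule, req):
    if rule.get("users") and req.user not in rule["users"]:
        return False
    if rule.get("userGroups") and not req.groups.intersection(rule["userGroups"]):
        return False
    if rule.get("verbs") and req.verb not in rule["verbs"]:
        return False
    if rule.get("namespaces") or rule.get("resources"):
        return _resource_matches(rule, req)
    if rule.get("nonResourceURLs"):
        return _nonresource_matches(rule, req)
    return True  # a rule with only a level matches everything

def audit_level(policy, req):
    """(level, index of the first matching rule); ("None", -1) if nothing matches."""
    for i, rule in enumerate(policy["rules"]):
        if rule_matches(rule, req):
            return rule["level"], i
    return "None", -1

# Constructed policy: built-in rules 11, 13, 24, 27 and 28 from this page in their
# original order, plus a hypothetical user-defined rule in the slot where DKP
# inserts the kube-system/audit-policy secret (between built-in rules 26 and 27).
POLICY = {"apiVersion": "audit.k8s.io/v1", "kind": "Policy", "rules": [
    {"level": "Metadata", "resources": [{"resources": ["pods/log"]}]},                                                # 0: rule 11
    {"level": "Request", "verbs": ["create", "delete", "patch", "update"], "resources": [{"resources": ["pods"]}]},    # 1: rule 13
    {"level": "Metadata", "verbs": ["create", "update", "patch", "delete"], "resources": [{"resources": ["pods"]}]},   # 2: rule 24
    {"level": "Request", "verbs": ["create", "update", "patch", "delete"],                                             # 3: hypothetical user rule
     "resources": [{"group": "rbac.authorization.k8s.io", "resources": ["rolebindings"]}]},
    {"level": "None", "userGroups": ["system:authenticated"]},                                                          # 4: rule 27
    {"level": "Metadata"},                                                                                              # 5: rule 28
]}

AUTH, ANON = frozenset({"system:authenticated"}), frozenset({"system:unauthenticated"})

def demo():
    """Constructed requests -> {label: (level, matching rule index)}."""
    alice = "alice@example.com"  # hypothetical DKP User, identified by email
    cases = {
        "pod create": Request(alice, AUTH, "create", resource="pods", namespace="prod"),
        "pod logs": Request(alice, AUTH, "get", resource="pods", subresource="log", name="web-0", namespace="prod"),
        "rolebinding create": Request(alice, AUTH, "create", group="rbac.authorization.k8s.io",
                                      resource="rolebindings", namespace="prod"),
        "secret get": Request(alice, AUTH, "get", resource="secrets", name="db", namespace="prod"),
        "anonymous /healthz": Request("system:anonymous", ANON, "get", path="/healthz"),
    }
    return {label: audit_level(POLICY, req) for label, req in cases.items()}
```

Running demo() shows the consequences of first-match evaluation: the pod create is logged at Request by rule index 1 (built-in 13), so the Metadata rule at index 2 (built-in 24) is never reached; kubectl logs lands on the pods/log rule; the RoleBinding create reaches the user-defined rule only because none of the earlier rules name that resource; an authenticated user reading a Secret falls through to rule 27 and is not logged; and the anonymous /healthz request is logged at Metadata by the catch-all rule 28, since rules that set resources never match a non-resource URL.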

Built-in audit rules

Deckhouse Kubernetes Platform uses the following audit rules. User-defined rules are inserted after built-in rule 26 and before rule 27 (see the insertion marker in the full policy example). Because the first matching rule wins, user-defined rules take effect only for requests that none of rules 1 to 26 match: they cannot raise or lower the level chosen by an earlier built-in rule, but they are evaluated before rule 27, which discards everything else from authenticated users.

Rule manifests

1. Do not log frequent updates for Endpoints, EndpointSlices, and Events.

level: None
resources:
  - resources:
      - endpoints
      - endpointslices
      - events

2. Do not log leader election operations on Lease resources.

level: None
resources:
  - group: coordination.k8s.io
    resources:
      - leases

3. Do not log cert-manager leader election ConfigMaps.

level: None
resources:
  - resources:
      - configmaps
    resourceNames:
      - cert-manager-cainjector-leader-election
      - cert-manager-controller

4. Do not log VerticalPodAutoscalerCheckpoints resources.

level: None
resources:
  - group: autoscaling.k8s.io
    resources:
      - verticalpodautoscalercheckpoints

5. Do not log PATCH operations on VerticalPodAutoscaler from recommender.

level: None
users:
  - system:serviceaccount:kube-system:d8-vertical-pod-autoscaler-recommender
verbs:
  - patch
resources:
  - group: autoscaling.k8s.io
    resources:
      - verticalpodautoscalers

6. Do not log UpmeterHookProbes resources.

level: None
resources:
  - group: deckhouse.io
    resources:
      - upmeterhookprobes

7. Do not log any operations in d8-upmeter namespace.

level: None
namespaces:
  - d8-upmeter

8. Do not log ingress-nginx leader election updates in ConfigMaps.

level: None
users:
  - system:serviceaccount:d8-ingress-nginx:ingress-nginx
verbs:
  - update
resources:
  - resources:
      - configmaps
namespaces:
  - d8-ingress-nginx

9. Do not log dex health-check create/delete operations on AuthRequest resources.

level: None
users:
  - system:serviceaccount:d8-user-authn:dex
verbs:
  - create
  - delete
resources:
  - group: dex.coreos.com
    resources:
      - authrequests
namespaces:
  - d8-user-authn

10. Log create and delete operations for Node resources with request/response payload.

level: RequestResponse
verbs:
  - create
  - delete
resources:
  - resources:
      - nodes

11. Log kubectl logs requests (pods/log) at Metadata level.

level: Metadata
resources:
  - resources:
      - pods/log

12. Log create/update/patch/delete operations from system service accounts (kube-system, d8-*).

level: Metadata
users:
  - system:serviceaccount:d8-cert-manager:cainjector
  - system:serviceaccount:d8-cert-manager:cert-manager
  - system:serviceaccount:d8-cert-manager:webhook
  - system:serviceaccount:d8-chrony:chrony-exporter
  - system:serviceaccount:d8-chrony:chrony-exporter-master
  - system:serviceaccount:d8-cloud-instance-manager:caps-controller-manager
  - system:serviceaccount:d8-cloud-instance-manager:cluster-autoscaler
  - system:serviceaccount:d8-cloud-instance-manager:fencing-agent
  - system:serviceaccount:d8-cloud-instance-manager:machine-controller-manager
  - system:serviceaccount:d8-cloud-instance-manager:node-controller
  - system:serviceaccount:d8-cloud-instance-manager:node-feature-discovery-gc
  - system:serviceaccount:d8-cloud-instance-manager:node-feature-discovery-master
  - system:serviceaccount:d8-cloud-instance-manager:node-feature-discovery-worker
  - system:serviceaccount:d8-cloud-instance-manager:node-group
  - system:serviceaccount:d8-cloud-instance-manager:node-group-exporter
  - system:serviceaccount:d8-cloud-instance-manager:nvidia-dcgm-exporter
  - system:serviceaccount:d8-cloud-instance-manager:nvidia-device-plugin
  - system:serviceaccount:d8-cloud-instance-manager:nvidia-gpu-feature-discovery
  - system:serviceaccount:d8-cloud-instance-manager:nvidia-mig-manager
  - system:serviceaccount:d8-cloud-instance-manager:registry-packages-proxy
  - system:serviceaccount:d8-cloud-provider-aws:cloud-controller-manager
  - system:serviceaccount:d8-cloud-provider-aws:cloud-data-discoverer
  - system:serviceaccount:d8-cloud-provider-aws:node-termination-handler
  - system:serviceaccount:d8-cloud-provider-azure:cloud-controller-manager
  - system:serviceaccount:d8-cloud-provider-azure:cloud-data-discoverer
  - system:serviceaccount:d8-cloud-provider-dvp:capdvp-controller-manager
  - system:serviceaccount:d8-cloud-provider-dvp:cloud-controller-manager
  - system:serviceaccount:d8-cloud-provider-dvp:cloud-data-discoverer
  - system:serviceaccount:d8-cloud-provider-dynamix:capd-controller-manager
  - system:serviceaccount:d8-cloud-provider-dynamix:cloud-controller-manager
  - system:serviceaccount:d8-cloud-provider-dynamix:cloud-data-discoverer
  - system:serviceaccount:d8-cloud-provider-gcp:cloud-controller-manager
  - system:serviceaccount:d8-cloud-provider-gcp:cloud-data-discoverer
  - system:serviceaccount:d8-cloud-provider-huaweicloud:caphc-controller-manager
  - system:serviceaccount:d8-cloud-provider-huaweicloud:cloud-controller-manager
  - system:serviceaccount:d8-cloud-provider-huaweicloud:cloud-data-discoverer
  - system:serviceaccount:d8-cloud-provider-openstack:cloud-controller-manager
  - system:serviceaccount:d8-cloud-provider-openstack:cloud-data-discoverer
  - system:serviceaccount:d8-cloud-provider-vcd:capcd-controller-manager
  - system:serviceaccount:d8-cloud-provider-vcd:cloud-controller-manager
  - system:serviceaccount:d8-cloud-provider-vcd:cloud-data-discoverer
  - system:serviceaccount:d8-cloud-provider-vcd:infra-controller-manager
  - system:serviceaccount:d8-cloud-provider-vsphere:cloud-controller-manager
  - system:serviceaccount:d8-cloud-provider-vsphere:cloud-data-discoverer
  - system:serviceaccount:d8-cloud-provider-yandex:capy-controller-manager
  - system:serviceaccount:d8-cloud-provider-yandex:cloud-controller-manager
  - system:serviceaccount:d8-cloud-provider-yandex:cloud-data-discoverer
  - system:serviceaccount:d8-cloud-provider-yandex:cloud-metrics-exporter
  - system:serviceaccount:d8-cloud-provider-zvirt:capz-controller-manager
  - system:serviceaccount:d8-cloud-provider-zvirt:cloud-controller-manager
  - system:serviceaccount:d8-cloud-provider-zvirt:cloud-data-discoverer
  - system:serviceaccount:d8-cni-cilium:agent
  - system:serviceaccount:d8-cni-cilium:egress-gateway-agent
  - system:serviceaccount:d8-cni-cilium:operator
  - system:serviceaccount:d8-cni-cilium:relay
  - system:serviceaccount:d8-cni-cilium:safe-agent-updater
  - system:serviceaccount:d8-cni-cilium:ui
  - system:serviceaccount:d8-cni-flannel:cni-flannel
  - system:serviceaccount:d8-cni-simple-bridge:cni-simple-bridge
  - system:serviceaccount:d8-csi-vsphere:cloud-data-discoverer
  - system:serviceaccount:d8-descheduler:descheduler
  - system:serviceaccount:d8-istio:alliance-healthcheck
  - system:serviceaccount:d8-istio:alliance-ingressgateway
  - system:serviceaccount:d8-istio:alliance-metadata-exporter
  - system:serviceaccount:d8-istio:cni
  - system:serviceaccount:d8-istio:ingress-gateway-controller
  - system:serviceaccount:d8-istio:kiali
  - system:serviceaccount:d8-istio:multicluster-api-proxy
  - system:serviceaccount:d8-istio:multicluster-metrics-exporter
  - system:serviceaccount:d8-istio:waypoint-controller
  - system:serviceaccount:d8-istio:ztunnel
  - system:serviceaccount:d8-local-path-provisioner:local-path-provisioner
  - system:serviceaccount:d8-metallb:controller
  - system:serviceaccount:d8-metallb:l2lb-controller
  - system:serviceaccount:d8-metallb:l2lb-speaker
  - system:serviceaccount:d8-metallb:speaker
  - system:serviceaccount:d8-monitoring:kube-state-metrics
  - system:serviceaccount:d8-monitoring:node-exporter
  - system:serviceaccount:d8-monitoring:oom-kills-exporter
  - system:serviceaccount:d8-multitenancy-manager:multitenancy-manager
  - system:serviceaccount:d8-openvpn:openvpn
  - system:serviceaccount:d8-service-with-healthchecks:agent
  - system:serviceaccount:d8-service-with-healthchecks:controller
  - system:serviceaccount:d8-system:deckhouse
  - system:serviceaccount:d8-system:documentation
  - system:serviceaccount:d8-system:network-policy-engine
  - system:serviceaccount:d8-system:registry-nodeservices
  - system:serviceaccount:d8-system:terraform-auto-converger
  - system:serviceaccount:d8-system:terraform-state-exporter
  - system:serviceaccount:d8-system:webhook-handler
  - system:serviceaccount:d8-upmeter:smoke-mini
  - system:serviceaccount:d8-upmeter:upmeter
  - system:serviceaccount:d8-upmeter:upmeter-agent
  - system:serviceaccount:d8-user-authn:basic-auth-proxy
  - system:serviceaccount:d8-user-authn:dex
  - system:serviceaccount:d8-user-authz:permission-browser-apiserver
  - system:serviceaccount:d8-user-authz:webhook
  - system:serviceaccount:kube-system:d8-control-plane-manager
  - system:serviceaccount:kube-system:d8-control-plane-manager-control-plane-proxy
  - system:serviceaccount:kube-system:d8-kube-dns
  - system:serviceaccount:kube-system:d8-kube-proxy
  - system:serviceaccount:kube-system:d8-node-local-dns
  - system:serviceaccount:kube-system:d8-vertical-pod-autoscaler-admission-controller
  - system:serviceaccount:kube-system:d8-vertical-pod-autoscaler-recommender
  - system:serviceaccount:kube-system:d8-vertical-pod-autoscaler-updater
  - system:serviceaccount:kube-system:node-local-dns-safe-updater
  - system:serviceaccount:kube-system:stale-dns-connections-cleaner
userGroups:
  - system:serviceaccounts
verbs:
  - create
  - update
  - patch
  - delete
omitStages:
  - RequestReceived

13. Log create/update/patch/delete operations for Pod resources.

level: Request
verbs:
  - create
  - delete
  - patch
  - update
resources:
  - resources:
      - pods
omitStages:
  - RequestReceived

14. Log create/update/patch/delete operations in system namespaces (kube-system, d8-*).

level: Metadata
verbs:
  - create
  - update
  - patch
  - delete
namespaces:
  - d8-admission-policy-engine
  - d8-cert-manager
  - d8-chrony
  - d8-cloud-instance-manager
  - d8-cloud-provider-aws
  - d8-cloud-provider-azure
  - d8-cloud-provider-dvp
  - d8-cloud-provider-dynamix
  - d8-cloud-provider-gcp
  - d8-cloud-provider-huaweicloud
  - d8-cloud-provider-openstack
  - d8-cloud-provider-vcd
  - d8-cloud-provider-vsphere
  - d8-cloud-provider-yandex
  - d8-cloud-provider-zvirt
  - d8-cni-cilium
  - d8-cni-flannel
  - d8-cni-simple-bridge
  - d8-csi-vsphere
  - d8-descheduler
  - d8-istio
  - d8-keepalived
  - d8-local-path-provisioner
  - d8-metallb
  - d8-monitoring
  - d8-multitenancy-manager
  - d8-network-gateway
  - d8-okmeter
  - d8-openvpn
  - d8-service-with-healthchecks
  - d8-system
  - d8-upmeter
  - d8-user-authn
  - d8-user-authz
  - kube-system
omitStages:
  - RequestReceived

15. Log all LIST operations in all namespaces.

level: Metadata
verbs:
  - list

16. Log create and delete operations for ServiceAccount resources.

level: Metadata
verbs:
  - create
  - delete
resources:
  - resources:
      - serviceaccounts
omitStages:
  - RequestReceived

17. Log create/update/delete/patch operations for Role and ClusterRole resources.

level: Request
verbs:
  - create
  - update
  - delete
  - patch
resources:
  - group: rbac.authorization.k8s.io
    resources:
      - roles
      - clusterroles
omitStages:
  - RequestReceived

18. Log create/update/delete operations for ClusterRoleBinding resources.

level: Request
verbs:
  - create
  - update
  - delete
resources:
  - group: rbac.authorization.k8s.io
    resources:
      - clusterrolebindings
omitStages:
  - RequestReceived

19. Log attach and ephemeral container related pod subresource operations.

level: Request
verbs:
  - get
  - patch
  - create
resources:
  - resources:
      - pods/attach
      - pods/ephemeralcontainers
omitStages:
  - RequestReceived

20. Log creation of VirtualMachineOperation resources with request/response payload.

level: RequestResponse
verbs:
  - create
resources:
  - group: virtualization.deckhouse.io
    resources:
      - virtualmachineoperations

21. Log create/update/patch/delete operations for virtualization.deckhouse.io resources.

level: Metadata
verbs:
  - create
  - update
  - patch
  - delete
resources:
  - group: virtualization.deckhouse.io

22. Log update/patch operations for internal virtualization subresources.

level: Metadata
verbs:
  - update
  - patch
resources:
  - group: internal.virtualization.deckhouse.io
    resources:
      - internalvirtualizationvirtualmachineinstances

23. Log GET operations for subresources.virtualization.deckhouse.io API group.

level: Metadata
verbs:
  - get
resources:
  - group: subresources.virtualization.deckhouse.io

24. Log create/update/patch/delete operations for Pod resources at Metadata level. This rule is never reached: rule 13 already matches the same requests at Request level, and the first match wins.

level: Metadata
verbs:
  - create
  - update
  - patch
  - delete
resources:
  - resources:
      - pods

25. Log create/update/patch/delete operations in d8-virtualization namespace.

level: Metadata
verbs:
  - create
  - update
  - patch
  - delete
namespaces:
  - d8-virtualization

26. Log create/update/patch/delete operations for ModuleConfig resources.

level: Metadata
verbs:
  - create
  - update
  - patch
  - delete
resources:
  - group: deckhouse.io
    resources:
      - moduleconfigs

27. Do not log any remaining requests from authenticated users (anything from a member of system:authenticated that no earlier rule matched).

level: None
userGroups:
  - system:authenticated

28. Log all remaining (unauthenticated) requests at Metadata level.

level: Metadata

Full policy example

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  # 1: Do not log frequent updates for `Endpoints`, `EndpointSlices`, and `Events`.
  - level: None
    resources:
      - resources:
          - endpoints
          - endpointslices
          - events

  # 2: Do not log leader election operations on `Lease` resources.
  - level: None
    resources:
      - group: coordination.k8s.io
        resources:
          - leases

  # 3: Do not log cert-manager leader election ConfigMaps.
  - level: None
    resources:
      - resources:
          - configmaps
        resourceNames:
          - cert-manager-cainjector-leader-election
          - cert-manager-controller

  # 4: Do not log VerticalPodAutoscalerCheckpoints resources.
  - level: None
    resources:
      - group: autoscaling.k8s.io
        resources:
          - verticalpodautoscalercheckpoints

  # 5: Do not log PATCH operations on `VerticalPodAutoscaler` from recommender.
  - level: None
    users:
      - system:serviceaccount:kube-system:d8-vertical-pod-autoscaler-recommender
    verbs:
      - patch
    resources:
      - group: autoscaling.k8s.io
        resources:
          - verticalpodautoscalers

  # 6: Do not log UpmeterHookProbes resources.
  - level: None
    resources:
      - group: deckhouse.io
        resources:
          - upmeterhookprobes

  # 7: Do not log any operations in `d8-upmeter` namespace.
  - level: None
    namespaces:
      - d8-upmeter

  # 8: Do not log ingress-nginx leader election updates in ConfigMaps.
  - level: None
    users:
      - system:serviceaccount:d8-ingress-nginx:ingress-nginx
    verbs:
      - update
    resources:
      - resources:
          - configmaps
    namespaces:
      - d8-ingress-nginx

  # 9: Do not log dex health-check create/delete operations on `AuthRequest` resources.
  - level: None
    users:
      - system:serviceaccount:d8-user-authn:dex
    verbs:
      - create
      - delete
    resources:
      - group: dex.coreos.com
        resources:
          - authrequests
    namespaces:
      - d8-user-authn

  # 10: Log create and delete operations for Node resources with request/response payload.
  - level: RequestResponse
    verbs:
      - create
      - delete
    resources:
      - resources:
          - nodes

  # 11: Log kubectl logs requests (pods/log) at Metadata level.
  - level: Metadata
    resources:
      - resources:
          - pods/log

  # 12: Log create/update/patch/delete operations from system service accounts (`kube-system`, `d8-*`).
  - level: Metadata
    users:
      - system:serviceaccount:d8-cert-manager:cainjector
      - system:serviceaccount:d8-cert-manager:cert-manager
      - system:serviceaccount:d8-cert-manager:webhook
      - system:serviceaccount:d8-chrony:chrony-exporter
      - system:serviceaccount:d8-chrony:chrony-exporter-master
      - system:serviceaccount:d8-cloud-instance-manager:caps-controller-manager
      - system:serviceaccount:d8-cloud-instance-manager:cluster-autoscaler
      - system:serviceaccount:d8-cloud-instance-manager:fencing-agent
      - system:serviceaccount:d8-cloud-instance-manager:machine-controller-manager
      - system:serviceaccount:d8-cloud-instance-manager:node-controller
      - system:serviceaccount:d8-cloud-instance-manager:node-feature-discovery-gc
      - system:serviceaccount:d8-cloud-instance-manager:node-feature-discovery-master
      - system:serviceaccount:d8-cloud-instance-manager:node-feature-discovery-worker
      - system:serviceaccount:d8-cloud-instance-manager:node-group
      - system:serviceaccount:d8-cloud-instance-manager:node-group-exporter
      - system:serviceaccount:d8-cloud-instance-manager:nvidia-dcgm-exporter
      - system:serviceaccount:d8-cloud-instance-manager:nvidia-device-plugin
      - system:serviceaccount:d8-cloud-instance-manager:nvidia-gpu-feature-discovery
      - system:serviceaccount:d8-cloud-instance-manager:nvidia-mig-manager
      - system:serviceaccount:d8-cloud-instance-manager:registry-packages-proxy
      - system:serviceaccount:d8-cloud-provider-aws:cloud-controller-manager
      - system:serviceaccount:d8-cloud-provider-aws:cloud-data-discoverer
      - system:serviceaccount:d8-cloud-provider-aws:node-termination-handler
      - system:serviceaccount:d8-cloud-provider-azure:cloud-controller-manager
      - system:serviceaccount:d8-cloud-provider-azure:cloud-data-discoverer
      - system:serviceaccount:d8-cloud-provider-dvp:capdvp-controller-manager
      - system:serviceaccount:d8-cloud-provider-dvp:cloud-controller-manager
      - system:serviceaccount:d8-cloud-provider-dvp:cloud-data-discoverer
      - system:serviceaccount:d8-cloud-provider-dynamix:capd-controller-manager
      - system:serviceaccount:d8-cloud-provider-dynamix:cloud-controller-manager
      - system:serviceaccount:d8-cloud-provider-dynamix:cloud-data-discoverer
      - system:serviceaccount:d8-cloud-provider-gcp:cloud-controller-manager
      - system:serviceaccount:d8-cloud-provider-gcp:cloud-data-discoverer
      - system:serviceaccount:d8-cloud-provider-huaweicloud:caphc-controller-manager
      - system:serviceaccount:d8-cloud-provider-huaweicloud:cloud-controller-manager
      - system:serviceaccount:d8-cloud-provider-huaweicloud:cloud-data-discoverer
      - system:serviceaccount:d8-cloud-provider-openstack:cloud-controller-manager
      - system:serviceaccount:d8-cloud-provider-openstack:cloud-data-discoverer
      - system:serviceaccount:d8-cloud-provider-vcd:capcd-controller-manager
      - system:serviceaccount:d8-cloud-provider-vcd:cloud-controller-manager
      - system:serviceaccount:d8-cloud-provider-vcd:cloud-data-discoverer
      - system:serviceaccount:d8-cloud-provider-vcd:infra-controller-manager
      - system:serviceaccount:d8-cloud-provider-vsphere:cloud-controller-manager
      - system:serviceaccount:d8-cloud-provider-vsphere:cloud-data-discoverer
      - system:serviceaccount:d8-cloud-provider-yandex:capy-controller-manager
      - system:serviceaccount:d8-cloud-provider-yandex:cloud-controller-manager
      - system:serviceaccount:d8-cloud-provider-yandex:cloud-data-discoverer
      - system:serviceaccount:d8-cloud-provider-yandex:cloud-metrics-exporter
      - system:serviceaccount:d8-cloud-provider-zvirt:capz-controller-manager
      - system:serviceaccount:d8-cloud-provider-zvirt:cloud-controller-manager
      - system:serviceaccount:d8-cloud-provider-zvirt:cloud-data-discoverer
      - system:serviceaccount:d8-cni-cilium:agent
      - system:serviceaccount:d8-cni-cilium:egress-gateway-agent
      - system:serviceaccount:d8-cni-cilium:operator
      - system:serviceaccount:d8-cni-cilium:relay
      - system:serviceaccount:d8-cni-cilium:safe-agent-updater
      - system:serviceaccount:d8-cni-cilium:ui
      - system:serviceaccount:d8-cni-flannel:cni-flannel
      - system:serviceaccount:d8-cni-simple-bridge:cni-simple-bridge
      - system:serviceaccount:d8-csi-vsphere:cloud-data-discoverer
      - system:serviceaccount:d8-descheduler:descheduler
      - system:serviceaccount:d8-istio:alliance-healthcheck
      - system:serviceaccount:d8-istio:alliance-ingressgateway
      - system:serviceaccount:d8-istio:alliance-metadata-exporter
      - system:serviceaccount:d8-istio:cni
      - system:serviceaccount:d8-istio:ingress-gateway-controller
      - system:serviceaccount:d8-istio:kiali
      - system:serviceaccount:d8-istio:multicluster-api-proxy
      - system:serviceaccount:d8-istio:multicluster-metrics-exporter
      - system:serviceaccount:d8-istio:waypoint-controller
      - system:serviceaccount:d8-istio:ztunnel
      - system:serviceaccount:d8-local-path-provisioner:local-path-provisioner
      - system:serviceaccount:d8-metallb:controller
      - system:serviceaccount:d8-metallb:l2lb-controller
      - system:serviceaccount:d8-metallb:l2lb-speaker
      - system:serviceaccount:d8-metallb:speaker
      - system:serviceaccount:d8-monitoring:kube-state-metrics
      - system:serviceaccount:d8-monitoring:node-exporter
      - system:serviceaccount:d8-monitoring:oom-kills-exporter
      - system:serviceaccount:d8-multitenancy-manager:multitenancy-manager
      - system:serviceaccount:d8-openvpn:openvpn
      - system:serviceaccount:d8-service-with-healthchecks:agent
      - system:serviceaccount:d8-service-with-healthchecks:controller
      - system:serviceaccount:d8-system:deckhouse
      - system:serviceaccount:d8-system:documentation
      - system:serviceaccount:d8-system:network-policy-engine
      - system:serviceaccount:d8-system:registry-nodeservices
      - system:serviceaccount:d8-system:terraform-auto-converger
      - system:serviceaccount:d8-system:terraform-state-exporter
      - system:serviceaccount:d8-system:webhook-handler
      - system:serviceaccount:d8-upmeter:smoke-mini
      - system:serviceaccount:d8-upmeter:upmeter
      - system:serviceaccount:d8-upmeter:upmeter-agent
      - system:serviceaccount:d8-user-authn:basic-auth-proxy
      - system:serviceaccount:d8-user-authn:dex
      - system:serviceaccount:d8-user-authz:permission-browser-apiserver
      - system:serviceaccount:d8-user-authz:webhook
      - system:serviceaccount:kube-system:d8-control-plane-manager
      - system:serviceaccount:kube-system:d8-control-plane-manager-control-plane-proxy
      - system:serviceaccount:kube-system:d8-kube-dns
      - system:serviceaccount:kube-system:d8-kube-proxy
      - system:serviceaccount:kube-system:d8-node-local-dns
      - system:serviceaccount:kube-system:d8-vertical-pod-autoscaler-admission-controller
      - system:serviceaccount:kube-system:d8-vertical-pod-autoscaler-recommender
      - system:serviceaccount:kube-system:d8-vertical-pod-autoscaler-updater
      - system:serviceaccount:kube-system:node-local-dns-safe-updater
      - system:serviceaccount:kube-system:stale-dns-connections-cleaner
    userGroups:
      - system:serviceaccounts
    verbs:
      - create
      - update
      - patch
      - delete
    omitStages:
      - RequestReceived

  # 13: Log create/update/patch/delete operations for Pod resources.
  - level: Request
    verbs:
      - create
      - delete
      - patch
      - update
    resources:
      - resources:
          - pods
    omitStages:
      - RequestReceived

  # 14: Log create/update/patch/delete operations in system namespaces (`kube-system`, `d8-*`).
  - level: Metadata
    verbs:
      - create
      - update
      - patch
      - delete
    namespaces:
      - d8-admission-policy-engine
      - d8-cert-manager
      - d8-chrony
      - d8-cloud-instance-manager
      - d8-cloud-provider-aws
      - d8-cloud-provider-azure
      - d8-cloud-provider-dvp
      - d8-cloud-provider-dynamix
      - d8-cloud-provider-gcp
      - d8-cloud-provider-huaweicloud
      - d8-cloud-provider-openstack
      - d8-cloud-provider-vcd
      - d8-cloud-provider-vsphere
      - d8-cloud-provider-yandex
      - d8-cloud-provider-zvirt
      - d8-cni-cilium
      - d8-cni-flannel
      - d8-cni-simple-bridge
      - d8-csi-vsphere
      - d8-descheduler
      - d8-istio
      - d8-keepalived
      - d8-local-path-provisioner
      - d8-metallb
      - d8-monitoring
      - d8-multitenancy-manager
      - d8-network-gateway
      - d8-okmeter
      - d8-openvpn
      - d8-service-with-healthchecks
      - d8-system
      - d8-upmeter
      - d8-user-authn
      - d8-user-authz
      - kube-system
    omitStages:
      - RequestReceived

  # 15: Log all LIST operations in all namespaces.
  - level: Metadata
    verbs:
      - list

  # 16: Log create and delete operations for ServiceAccount resources.
  - level: Metadata
    verbs:
      - create
      - delete
    resources:
      - resources:
          - serviceaccounts
    omitStages:
      - RequestReceived

  # 17: Log create/update/delete/patch operations for Role and ClusterRole resources.
  - level: Request
    verbs:
      - create
      - update
      - delete
      - patch
    resources:
      - group: rbac.authorization.k8s.io
        resources:
          - roles
          - clusterroles
    omitStages:
      - RequestReceived

  # 18: Log create/update/delete operations for ClusterRoleBinding resources.
  - level: Request
    verbs:
      - create
      - update
      - delete
    resources:
      - group: rbac.authorization.k8s.io
        resources:
          - clusterrolebindings
    omitStages:
      - RequestReceived

  # 19: Log attach and ephemeral container related pod subresource operations.
  - level: Request
    verbs:
      - get
      - patch
      - create
    resources:
      - resources:
          - pods/attach
          - pods/ephemeralcontainers
    omitStages:
      - RequestReceived

  # 20: Log creation of VirtualMachineOperation resources with request/response payload.
  - level: RequestResponse
    verbs:
      - create
    resources:
      - group: virtualization.deckhouse.io
        resources:
          - virtualmachineoperations

  # 21: Log create/update/patch/delete operations for virtualization.deckhouse.io resources.
  - level: Metadata
    verbs:
      - create
      - update
      - patch
      - delete
    resources:
      - group: virtualization.deckhouse.io

  # 22: Log update/patch operations for internal virtualization subresources.
  - level: Metadata
    verbs:
      - update
      - patch
    resources:
      - group: internal.virtualization.deckhouse.io
        resources:
          - internalvirtualizationvirtualmachineinstances

  # 23: Log GET operations for subresources.virtualization.deckhouse.io API group.
  - level: Metadata
    verbs:
      - get
    resources:
      - group: subresources.virtualization.deckhouse.io

  # 24: Log create/update/patch/delete operations for `Pod` resources (never reached: rule 13 matches the same requests first).
  - level: Metadata
    verbs:
      - create
      - update
      - patch
      - delete
    resources:
      - resources:
          - pods

  # 25: Log create/update/patch/delete operations in `d8-virtualization` namespace.
  - level: Metadata
    verbs:
      - create
      - update
      - patch
      - delete
    namespaces:
      - d8-virtualization

  # 26: Log create/update/patch/delete operations for ModuleConfig resources.
  - level: Metadata
    verbs:
      - create
      - update
      - patch
      - delete
    resources:
      - group: deckhouse.io
        resources:
          - moduleconfigs

  ############
  # User-defined rules from secret kube-system/audit-policy are inserted here
  ############
  # 27: Do not log any remaining requests from authenticated users.
  - level: None
    userGroups:
      - system:authenticated

  # 28: Log all remaining (unauthenticated) requests at Metadata level.
  - level: Metadata