ChenLingPeng · December 2, 2019 08:18
diff --git a/audit-policy.yaml b/audit-policy.yaml
 apiVersion: audit.k8s.io/v1beta1 # This is required.
 kind: Policy
 # Don't generate audit events for all requests in RequestReceived stage.
 omitStages:
  - "RequestReceived"
 rules:
  - level: None
    verbs: ["watch", "get", "list"]
  # Log pod changes at RequestResponse level
  - level: RequestResponse
    resources:
    - group: ""
      # Resource "pods" doesn't match requests to any subresource of pods,
      # which is consistent with the RBAC policy.
      resources: ["pods"]
  # Log "pods/log", "pods/status" at Metadata level
  - level: Metadata
    resources:
    - group: ""
      resources: ["pods/log", "pods/status"]

  # Don't log requests to a configmap called "controller-leader"
  - level: None
    resources:
    - group: ""
      resources: ["configmaps"]
      resourceNames: ["controller-leader"]

  # Don't log watch requests by the "system:kube-proxy" on endpoints or services
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
    - group: "" # core API group
      resources: ["endpoints", "services"]

  # Don't log authenticated requests to certain non-resource URL paths.
  - level: None
    userGroups: ["system:authenticated"]
    nonResourceURLs:
    - "/api*" # Wildcard matching.
    - "/version"

  # Log the request body of configmap changes in kube-system.
  - level: Request
    resources:
    - group: "" # core API group
      resources: ["configmaps"]
    # This rule only applies to resources in the "kube-system" namespace.
    # The empty string "" can be used to select non-namespaced resources.
    namespaces: ["kube-system"]

  # Log configmap and secret changes in all other namespaces at the Metadata level.
  - level: Metadata
    resources:
    - group: "" # core API group
      resources: ["secrets", "configmaps"]

  # Log all other resources in core and extensions at the Request level.
  - level: Request
    resources:
    - group: "" # core API group
    - group: "extensions" # Version of group should NOT be included.
    - group: "gaia" # tapp

  # A catch-all rule to log all other requests at the Metadata level.
  - level: Metadata
    # Long-running requests like watches that fall under this rule will not
    # generate an audit event in RequestReceived.
    omitStages:
      - "RequestReceived"
	apiVersion: audit.k8s.io/v1beta1 # This is required.
	kind: Policy
	# Don't generate audit events for all requests in RequestReceived stage.
	omitStages:
	- "RequestReceived"
	rules:
	- level: None
	verbs: ["watch", "get", "list"]
	# Log pod changes at RequestResponse level
	- level: RequestResponse
	resources:
	- group: ""
	# Resource "pods" doesn't match requests to any subresource of pods,
	# which is consistent with the RBAC policy.
	resources: ["pods"]
	# Log "pods/log", "pods/status" at Metadata level
	- level: Metadata
	resources:
	- group: ""
	resources: ["pods/log", "pods/status"]

	# Don't log requests to a configmap called "controller-leader"
	- level: None
	resources:
	- group: ""
	resources: ["configmaps"]
	resourceNames: ["controller-leader"]

	# Don't log watch requests by the "system:kube-proxy" on endpoints or services
	- level: None
	users: ["system:kube-proxy"]
	verbs: ["watch"]
	resources:
	- group: "" # core API group
	resources: ["endpoints", "services"]

	# Don't log authenticated requests to certain non-resource URL paths.
	- level: None
	userGroups: ["system:authenticated"]
	nonResourceURLs:
	- "/api*" # Wildcard matching.
	- "/version"

	# Log the request body of configmap changes in kube-system.
	- level: Request
	resources:
	- group: "" # core API group
	resources: ["configmaps"]
	# This rule only applies to resources in the "kube-system" namespace.
	# The empty string "" can be used to select non-namespaced resources.
	namespaces: ["kube-system"]

	# Log configmap and secret changes in all other namespaces at the Metadata level.
	- level: Metadata
	resources:
	- group: "" # core API group
	resources: ["secrets", "configmaps"]

	# Log all other resources in core and extensions at the Request level.
	- level: Request
	resources:
	- group: "" # core API group
	- group: "extensions" # Version of group should NOT be included.
	- group: "gaia" # tapp

	# A catch-all rule to log all other requests at the Metadata level.
	- level: Metadata
	# Long-running requests like watches that fall under this rule will not
	# generate an audit event in RequestReceived.
	omitStages:
	- "RequestReceived"