Don't audit log tokens in TokenReviews

2025-11-04 04:08:16 +00:00 · 2017-06-22 13:38:44 -07:00
parent 8b0cd5b9c5
commit dcdcb19c47
1 changed files with 3 additions and 1 deletions
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -568,12 +568,14 @@ rules:
      - group: "" # core
        resources: ["events"]

-  # Secrets & ConfigMaps can contain sensitive & binary data,
+  # Secrets, ConfigMaps, and TokenReviews can contain sensitive & binary data,
  # so only log at the Metadata level.
  - level: Metadata
    resources:
      - group: "" # core
        resources: ["secrets", "configmaps"]
+      - group: authentication.k8s.io
+        resources: ["tokenreviews"]
  # Get repsonses can be large; skip them.
  - level: Request
    verbs: ["get", "list", "watch"]