mirror of
https://github.com/optim-enterprises-bv/kubernetes.git
synced 2025-11-16 14:35:10 +00:00
Automatic merge from submit-queue (batch tested with PRs 46897, 46899, 46864, 46854, 46875)

Write audit policy file for GCE/GKE configuration

Set up the audit policy configuration for GCE & GKE. Here is the high-level summary of the policy:

- Default logging everything at `Metadata`
- Known write APIs default to `RequestResponse`
- Known read-only APIs default to `Request`
- Except secrets & configmaps are logged at `Metadata`
- Don't log events
- Don't log `/version`, swagger or healthchecks

In addition to the above, I spent time analyzing the noisiest lines in the audit log from a cluster that soaked for 24 hours (and ran a batch of e2e tests). Of those top requests, those that were identified as low-risk (all read-only, except update kube-system endpoints by controllers) are dropped.

I suspect we'll want to tweak this a bit more once we've had time to soak it on some real clusters.

For kubernetes/features#22

/cc @sttts @ericchiang
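The rules summarised in the commit message are applied by the apiserver on a first-match basis, so their order is itself a security property: if the secrets/configmaps rule sits after the generic "read-only at `Request`" rule, secret bodies are written to the audit log. The following is an editor-added illustration, not kube-apiserver code and not the policy file from this PR. It encodes the stated rules with the field names of an `audit.k8s.io` policy rule (`level`, `verbs`, `users`, `namespaces`, `resources`, `nonResourceURLs`), evaluates constructed requests against them, and includes a small lint that catches the misordering. The API groups, URL globs, request shapes and the controller user name `system:kube-controller-manager` are assumptions made for the example.

```python
# Added example (editor's illustration, not kube-apiserver code and not the
# policy file from this PR): first-match evaluation of an audit policy that
# encodes the rules summarised in the commit message. Field names mirror
# audit.k8s.io policy rules; the user name, URL globs, API groups and request
# shapes are constructed for the example.

LEVELS = ("None", "Metadata", "Request", "RequestResponse")  # ascending verbosity
READ_ONLY_VERBS = ("get", "list", "watch")
WRITE_VERBS = ("create", "update", "patch", "delete", "deletecollection")
KNOWN_GROUPS = [{"group": ""}, {"group": "apps"}, {"group": "extensions"}]  # assumed

RULE_NO_VERSION_HEALTHZ = {"level": "None",
                           "nonResourceURLs": ["/version", "/swagger*", "/healthz*"]}
RULE_NO_EVENTS = {"level": "None",
                  "resources": [{"group": "", "resources": ["events"]}]}
# Noisy but low-risk controller write: endpoints updates in kube-system.
# The controller identity below is an assumed user name.
RULE_NO_CONTROLLER_ENDPOINTS = {"level": "None",
                                "users": ["system:kube-controller-manager"],
                                "verbs": ["update"], "namespaces": ["kube-system"],
                                "resources": [{"group": "", "resources": ["endpoints"]}]}
# Secrets and configmaps never above Metadata, whatever the verb.
RULE_SECRETS_METADATA = {"level": "Metadata",
                         "resources": [{"group": "", "resources": ["secrets", "configmaps"]}]}
RULE_READS_REQUEST = {"level": "Request", "verbs": list(READ_ONLY_VERBS), "resources": KNOWN_GROUPS}
RULE_WRITES_FULL = {"level": "RequestResponse", "verbs": list(WRITE_VERBS), "resources": KNOWN_GROUPS}
RULE_DEFAULT_METADATA = {"level": "Metadata"}

# The apiserver applies the FIRST matching rule, so the secrets rule must come
# before the generic read/write rules or secret bodies end up in the log.
POLICY = [RULE_NO_VERSION_HEALTHZ, RULE_NO_EVENTS, RULE_NO_CONTROLLER_ENDPOINTS,
          RULE_SECRETS_METADATA, RULE_READS_REQUEST, RULE_WRITES_FULL, RULE_DEFAULT_METADATA]
# Same rules with the secrets rule after the generic read rule: a plausible mistake.
MISORDERED_POLICY = [RULE_NO_VERSION_HEALTHZ, RULE_NO_EVENTS, RULE_NO_CONTROLLER_ENDPOINTS,
                     RULE_READS_REQUEST, RULE_SECRETS_METADATA, RULE_WRITES_FULL, RULE_DEFAULT_METADATA]


def resource_req(verb, resource, group="", namespace=None, user="alice"):
    """Constructed request attributes for a resource URL (e.g. GET /api/v1/pods)."""
    return {"verb": verb, "group": group, "resource": resource,
            "namespace": namespace, "user": user}


def non_resource_req(verb, path, user="alice"):
    """Constructed request attributes for a non-resource URL (e.g. GET /healthz)."""
    return {"verb": verb, "path": path, "resource": None, "namespace": None, "user": user}


def _url_matches(pattern, path):
    # nonResourceURLs allow only a trailing '*' wildcard.
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return pattern == path


def rule_matches(rule, req):
    """True if every selector present in the rule accepts the request."""
    if "verbs" in rule and req["verb"] not in rule["verbs"]:
        return False
    if "users" in rule and req["user"] not in rule["users"]:
        return False
    if "namespaces" in rule and req["namespace"] not in rule["namespaces"]:
        return False
    if "nonResourceURLs" in rule:
        return req["resource"] is None and any(
            _url_matches(p, req["path"]) for p in rule["nonResourceURLs"])
    if "resources" in rule:
        if req["resource"] is None:
            return False
        return any(gr.get("group", "") == req["group"] and
                   ("resources" not in gr or req["resource"] in gr["resources"])
                   for gr in rule["resources"])
    return True  # no resource selector: matches any request


def audit_level(policy, req):
    """Level of the first matching rule; a request matching no rule is not logged."""
    for rule in policy:
        if rule_matches(rule, req):
            return rule["level"]
    return "None"


def secret_bodies_never_logged(policy):
    """Lint: no verb on secrets/configmaps may be logged above Metadata."""
    limit = LEVELS.index("Metadata")
    return all(LEVELS.index(audit_level(policy, resource_req(verb, res))) <= limit
               for res in ("secrets", "configmaps")
               for verb in READ_ONLY_VERBS + WRITE_VERBS)


if __name__ == "__main__":
    for req in (non_resource_req("get", "/healthz"), resource_req("create", "events"),
                resource_req("get", "secrets"), resource_req("get", "pods"),
                resource_req("create", "deployments", group="apps")):
        print(req.get("path") or req["resource"], "->", audit_level(POLICY, req))
    print("secrets safe (POLICY):", secret_bodies_never_logged(POLICY))
    print("secrets safe (MISORDERED):", secret_bodies_never_logged(MISORDERED_POLICY))
```

The lint is the part worth keeping around: a policy file is easy to reorder during a later "tweak", and the failure mode (request bodies of secrets in the audit log) is silent. Resources in API groups the policy does not name fall through to the `Metadata` default, which is the conservative choice the commit describes.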