From a3ff6126045a966641710453650d15a458455e4f Mon Sep 17 00:00:00 2001
From: Michele Zuccala
Date: Wed, 21 Sep 2022 10:09:32 +0200
Subject: [PATCH] docs: add k8s audit config examples
Signed-off-by: Michele Zuccala
---
 examples/k8s-audit/audit-policy.yaml | 87 ++++++++++++++++++++
 examples/k8s-audit/audit-webhook-config.yaml | 14 ++++
 2 files changed, 101 insertions(+)
 create mode 100644 examples/k8s-audit/audit-policy.yaml
 create mode 100644 examples/k8s-audit/audit-webhook-config.yaml
diff --git a/examples/k8s-audit/audit-policy.yaml b/examples/k8s-audit/audit-policy.yaml
new file mode 100644
index 0000000..57f7e70
--- /dev/null
+++ b/examples/k8s-audit/audit-policy.yaml
@@ -0,0 +1,87 @@
+apiVersion: audit.k8s.io/v1beta1 # This is required.
+kind: Policy
+# Don't generate audit events for all requests in RequestReceived stage.
+omitStages:
+ - "RequestReceived"
+rules:
+ # Log pod changes at RequestResponse level
+ - level: RequestResponse
+ resources:
+ - group: ""
+ # Resource "pods" doesn't match requests to any subresource of
+pods,
+ # which is consistent with the RBAC policy.
+ resources: ["pods", "deployments"]
+
+ - level: RequestResponse
+ resources:
+ - group: "rbac.authorization.k8s.io"
+ # Resource "pods" doesn't match requests to any subresource of
+pods,
+ # which is consistent with the RBAC policy.
+ resources: ["clusterroles", "clusterrolebindings"]
+
+ # Log "pods/log", "pods/status" at Metadata level
+ - level: Metadata
+ resources:
+ - group: ""
+ resources: ["pods/log", "pods/status"]
+
+ # Don't log requests to a configmap called "controller-leader"
+ - level: None
+ resources:
+ - group: ""
+ resources: ["configmaps"]
+ resourceNames: ["controller-leader"]
+
+ # Don't log watch requests by the "system:kube-proxy" on endpoints or
+services
+ - level: None
+ users: ["system:kube-proxy"]
+ verbs: ["watch"]
+ resources:
+ - group: "" # core API group
+ resources: ["endpoints", "services"]
+
+ # Don't log authenticated requests to certain non-resource URL paths.
+ - level: None
+ userGroups: ["system:authenticated"]
+ nonResourceURLs:
+ - "/api*" # Wildcard matching.
+ - "/version"
+
+ # Log the request body of configmap changes in kube-system.
+ - level: Request
+ resources:
+ - group: "" # core API group
+ resources: ["configmaps"]
+ # This rule only applies to resources in the "kube-system" namespace.
+ # The empty string "" can be used to select non-namespaced resources.
+ namespaces: ["kube-system"]
+
+ # Log configmap changes in all other namespaces at the RequestResponse
+level.
+ - level: RequestResponse
+ resources:
+ - group: "" # core API group
+ resources: ["configmaps"]
+
+ # Log secret changes in all other namespaces at the Metadata level.
+ - level: Metadata
+ resources:
+ - group: "" # core API group
+ resources: ["secrets"]
+
+ # Log all other resources in core and extensions at the Request level.
+ - level: Request
+ resources:
+ - group: "" # core API group
+ - group: "extensions" # Version of group should NOT be included.
+
+ # A catch-all rule to log all other requests at the Metadata level.
+ - level: Metadata
+ # Long-running requests like watches that fall under this rule will
+not
+ # generate an audit event in RequestReceived.
+ omitStages:
+ - "RequestReceived"
diff --git a/examples/k8s-audit/audit-webhook-config.yaml b/examples/k8s-audit/audit-webhook-config.yaml
new file mode 100644
index 0000000..110fdee
--- /dev/null
+++ b/examples/k8s-audit/audit-webhook-config.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Config
+clusters:
+ - name: kind
+ cluster:
+ server: http://localhost:30976/k8s-audit
+contexts:
+ - context:
+ cluster: kind
+ user: ""
+ name: default-context
+current-context: default-context
+preferences: {}
+users: []
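Review bot: Five comment lines in the policy are broken mid-sentence, leaving `pods,` (twice), `services`, `level.` and `not` as uncommented lines of their own; the hunk header's count of 87 added lines includes them, so they look committed rather than mail-wrapped, and a bare `pods,` where a mapping key or `- ` item is expected will make kube-apiserver reject the policy file at startup. Each tail should be rejoined onto its comment, e.g. `      # Resource "pods" doesn't match requests to any subresource of pods,`. The same comment is also pasted under the `rbac.authorization.k8s.io` rule, where it says nothing about clusterroles or clusterrolebindings; drop it there. Separately, `audit.k8s.io/v1beta1` was removed in Kubernetes 1.24, so the example should use `apiVersion: audit.k8s.io/v1` to load on current clusters.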
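Review bot: The webhook backend is `http://localhost:30976/k8s-audit` with an empty `user: ""` and `users: []`, so the apiserver will ship audit events — including the request and response bodies the companion policy logs at `RequestResponse` level for pods, configmaps and RBAC objects — in cleartext with no client credentials. That is reasonable for the local kind cluster the `name: kind` entry implies, but nothing in the file says so, and copied examples tend to become the deployed config. Add a comment above `server:` such as `# Plain HTTP to a local NodePort is for a kind/dev cluster only; use an https URL and a client certificate under users: for any shared cluster.`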