Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Audit policy metadata-only rule should include serviceaccounts/token resource #1561

Open
liggitt opened this issue Jun 6, 2021 · 0 comments
Open

Audit policy metadata-only rule should include serviceaccounts/token resource #1561

liggitt opened this issue Jun 6, 2021 · 0 comments

Comments

@liggitt
Copy link

liggitt commented Jun 6, 2021
edited
Loading

The following files reference a metadata-only audit policy in order to prevent logging request/response contents for sensitive resources:

A recent Kubernetes bugfix means that audit-logging of subresource requests which previously failed will now log successfully. The serviceaccounts/token subresource responds to TokenRequest API calls with a newly minted service account token.

The serviceaccounts/token resource should also be included in the metadata-only audit policy if credentials are not intended to appear in the audit log:

- group: "" # core
  resources: ["secrets", "configmaps", "serviceaccounts/token"]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@liggitt