C12s/c12s-kubespray
3
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

make sure serviceaccounts/token is only in the metadata stage (#7679)

Browse source
This commit is contained in:
Kasakaze 2021-06-07 23:38:40 +08:00 committed by GitHub
parent 1069b05e68
commit d66da21726
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
roles/kubernetes/control-plane/templates/apiserver-audit-policy.yaml.j2
View file

@ -67,12 +67,12 @@ rules:
resources: resources:
- group: "" # core - group: "" # core
resources: ["events"] resources: ["events"]
# Secrets, ConfigMaps, and TokenReviews can contain sensitive & binary data, # Secrets, ConfigMaps, TokenRequest and TokenReviews can contain sensitive & binary data,
# so only log at the Metadata level. # so only log at the Metadata level.
- level: Metadata - level: Metadata
resources: resources:
- group: "" # core - group: "" # core
resources: ["secrets", "configmaps"] resources: ["secrets", "configmaps", "serviceaccounts/token"]
- group: authentication.k8s.io - group: authentication.k8s.io
resources: ["tokenreviews"] resources: ["tokenreviews"]
omitStages: omitStages: