审计日志

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  - level: Metadata

// Policy defines the configuration of audit logging, and the rules for how different request
// categories are logged.
type Policy struct {
    metav1.TypeMeta `json:",inline"`
    // ObjectMeta is included for interoperability with API infrastructure.
    // +optional
    metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

    // Rules specify the audit Level a request should be recorded at.
    // A request may match multiple rules, in which case the FIRST matching rule is used.
    // The default audit level is None, but can be overridden by a catch-all rule at the end of the list.
    // PolicyRules are strictly ordered.
    Rules []PolicyRule `json:"rules" protobuf:"bytes,2,rep,name=rules"`

    // OmitStages is a list of stages for which no events are created. Note that this can also
    // be specified per rule in which case the union of both are omitted.
    // +optional
    OmitStages []Stage `json:"omitStages,omitempty" protobuf:"bytes,3,rep,name=omitStages"`

    // OmitManagedFields indicates whether to omit the managed fields of the request
    // and response bodies from being written to the API audit log.
    // This is used as a global default - a value of 'true' will omit the managed fileds,
    // otherwise the managed fields will be included in the API audit log.
    // Note that this can also be specified per rule in which case the value specified
    // in a rule will override the global default.
    // +optional
    OmitManagedFields bool `json:"omitManagedFields,omitempty" protobuf:"varint,4,opt,name=omitManagedFields"`
}

// PolicyRule maps requests based off metadata to an audit Level.
// Requests must match the rules of every field (an intersection of rules).
type PolicyRule struct {
    // The Level that requests matching this rule are recorded at.
    Level Level `json:"level" protobuf:"bytes,1,opt,name=level,casttype=Level"`

    // The users (by authenticated user name) this rule applies to.
    // An empty list implies every user.
    // +optional
    Users []string `json:"users,omitempty" protobuf:"bytes,2,rep,name=users"`
    // The user groups this rule applies to. A user is considered matching
    // if it is a member of any of the UserGroups.
    // An empty list implies every user group.
    // +optional
    UserGroups []string `json:"userGroups,omitempty" protobuf:"bytes,3,rep,name=userGroups"`

    // The verbs that match this rule.
    // An empty list implies every verb.
    // +optional
    Verbs []string `json:"verbs,omitempty" protobuf:"bytes,4,rep,name=verbs"`

    // Rules can apply to API resources (such as "pods" or "secrets"),
    // non-resource URL paths (such as "/api"), or neither, but not both.
    // If neither is specified, the rule is treated as a default for all URLs.

    // Resources that this rule matches. An empty list implies all kinds in all API groups.
    // +optional
    Resources []GroupResources `json:"resources,omitempty" protobuf:"bytes,5,rep,name=resources"`
    // Namespaces that this rule matches.
    // The empty string "" matches non-namespaced resources.
    // An empty list implies every namespace.
    // +optional
    Namespaces []string `json:"namespaces,omitempty" protobuf:"bytes,6,rep,name=namespaces"`

    // NonResourceURLs is a set of URL paths that should be audited.
    // *s are allowed, but only as the full, final step in the path.
    // Examples:
    //  "/metrics" - Log requests for apiserver metrics
    //  "/healthz*" - Log all health checks
    // +optional
    NonResourceURLs []string `json:"nonResourceURLs,omitempty" protobuf:"bytes,7,rep,name=nonResourceURLs"`

    // OmitStages is a list of stages for which no events are created. Note that this can also
    // be specified policy wide in which case the union of both are omitted.
    // An empty list means no restrictions will apply.
    // +optional
    OmitStages []Stage `json:"omitStages,omitempty" protobuf:"bytes,8,rep,name=omitStages"`

    // OmitManagedFields indicates whether to omit the managed fields of the request
    // and response bodies from being written to the API audit log.
    // - a value of 'true' will drop the managed fields from the API audit log
    // - a value of 'false' indicates that the managed fileds should be included
    //   in the API audit log
    // Note that the value, if specified, in this rule will override the global default
    // If a value is not specified then the global default specified in
    // Policy.OmitManagedFields will stand.
    // +optional
    OmitManagedFields *bool `json:"omitManagedFields,omitempty" protobuf:"varint,9,opt,name=omitManagedFields"`
}

// Stage defines the stages in request handling that audit events may be generated.
type Stage string

// Valid audit stages.
const (
    // The stage for events generated as soon as the audit handler receives the request, and before it
    // is delegated down the handler chain.
    StageRequestReceived Stage = "RequestReceived"
    // The stage for events generated once the response headers are sent, but before the response body
    // is sent. This stage is only generated for long-running requests (e.g. watch).
    StageResponseStarted Stage = "ResponseStarted"
    // The stage for events generated once the response body has been completed, and no more bytes
    // will be sent.
    StageResponseComplete Stage = "ResponseComplete"
    // The stage for events generated when a panic occurred.
    StagePanic Stage = "Panic"
)

// Level defines the amount of information logged during auditing
type Level string

// Valid audit levels
const (
    // LevelNone disables auditing
    LevelNone Level = "None"
    // LevelMetadata provides the basic level of auditing.
    LevelMetadata Level = "Metadata"
    // LevelRequest provides Metadata level of auditing, and additionally
    // logs the request object (does not apply for non-resource requests).
    LevelRequest Level = "Request"
    // LevelRequestResponse provides Request level of auditing, and additionally
    // logs the response object (does not apply for non-resource requests).
    LevelRequestResponse Level = "RequestResponse"
)

// GroupResources represents resource kinds in an API group.
type GroupResources struct {
    // Group is the name of the API group that contains the resources.
    // The empty string represents the core API group.
    // +optional
    Group string `json:"group,omitempty" protobuf:"bytes,1,opt,name=group"`
    // Resources is a list of resources this rule applies to.
    //
    // For example:
    // 'pods' matches pods.
    // 'pods/log' matches the log subresource of pods.
    // '*' matches all resources and their subresources.
    // 'pods/*' matches all subresources of pods.
    // '*/scale' matches all scale subresources.
    //
    // If wildcard is present, the validation rule will ensure resources do not
    // overlap with each other.
    //
    // An empty list implies all resources and subresources in this API groups apply.
    // +optional
    Resources []string `json:"resources,omitempty" protobuf:"bytes,2,rep,name=resources"`
    // ResourceNames is a list of resource instance names that the policy matches.
    // Using this field requires Resources to be specified.
    // An empty list implies that every instance of the resource is matched.
    // +optional
    ResourceNames []string `json:"resourceNames,omitempty" protobuf:"bytes,3,rep,name=resourceNames"`
}