
Audit policy metadata-only rule should include serviceaccounts/token resource #139

Open
liggitt opened this issue Jun 6, 2021 · 1 comment


liggitt commented Jun 6, 2021

The following files reference a metadata-only audit policy in order to prevent logging request/response contents for sensitive resources:

A recent Kubernetes bugfix means that audit-logging of subresource requests which previously failed will now log successfully. The serviceaccounts/token subresource responds to TokenRequest API calls with a newly minted service account token.

The serviceaccounts/token resource should also be included in the metadata-only audit policy if credentials are not intended to appear in the audit log:

```yaml
- group: "" # core
  resources: ["secrets", "configmaps", "serviceaccounts/token"]
```
@Rachael-Graham (Contributor)

Thanks for this issue! Looking into it with the team that produced this audit policy.
