make sure serviceaccounts/token is only in the metadata stage (#7679)

d66da217 · Kasakaze · GitHub · 1069b05e · d66da217
Unverified Commit d66da217 authored 3 years ago by Kasakaze Committed by GitHub 3 years ago
--- a/roles/kubernetes/control-plane/templates/apiserver-audit-policy.yaml.j2
+++ b/roles/kubernetes/control-plane/templates/apiserver-audit-policy.yaml.j2
@@ -67,12 +67,12 @@ rules:
    resources:
      - group: "" # core
        resources: ["events"]
-  # Secrets, ConfigMaps, and TokenReviews can contain sensitive & binary data,
+  # Secrets, ConfigMaps, TokenRequest and TokenReviews can contain sensitive & binary data,
  # so only log at the Metadata level.
  - level: Metadata
    resources:
      - group: "" # core
-        resources: ["secrets", "configmaps"]
+        resources: ["secrets", "configmaps", "serviceaccounts/token"]
      - group: authentication.k8s.io
        resources: ["tokenreviews"]
    omitStages: