From fc38b6d0cad246901826779c5aaf5f980da1c2cd Mon Sep 17 00:00:00 2001
From: Erwan Miran <mirwan666@gmail.com>
Date: Mon, 20 Aug 2018 07:04:56 +0200
Subject: [PATCH] Ability to define custom audit polcy rules

---
 roles/kubernetes/master/defaults/main.yml                   | 6 ++++++
 .../master/templates/apiserver-audit-policy.yaml.j2         | 4 ++++
 2 files changed, 10 insertions(+)

diff --git a/roles/kubernetes/master/defaults/main.yml b/roles/kubernetes/master/defaults/main.yml
index e31809bbd..bfd09619b 100644
--- a/roles/kubernetes/master/defaults/main.yml
+++ b/roles/kubernetes/master/defaults/main.yml
@@ -36,6 +36,12 @@ audit_log_maxbackups: 1
 audit_log_maxsize: 100
 # policy file
 audit_policy_file: "{{ kube_config_dir }}/audit-policy/apiserver-audit-policy.yaml"
+# custom audit policy rules (to replace the default ones)
+# audit_policy_custom_rules: >
+#   - level: None
+#     users: []
+#     verbs: []
+#     resources: []
 
 # audit log hostpath
 audit_log_name: audit-logs
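Review bot: The commented example on the `audit_policy_custom_rules: >` line uses a folded block scalar, which joins consecutive lines at the content indent with spaces; it only renders correctly here because every line after the first is more-indented. A second rule, or any two lines at the same indent, would be folded onto one line and the text inserted into the policy would no longer be valid YAML, so the example should use a literal block: `# audit_policy_custom_rules: |`, with the comment above it reading `# custom audit policy rules, a literal YAML block that replaces *all* default rules`. The sample rule itself (`level: None` with empty `users`/`verbs`/`resources`) matches every request if, as I recall, empty lists in an audit rule mean "any"; anyone copying it verbatim turns auditing off, so a sample with a concrete user, verb and resource, or a comment saying so, would be safer.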
diff --git a/roles/kubernetes/master/templates/apiserver-audit-policy.yaml.j2 b/roles/kubernetes/master/templates/apiserver-audit-policy.yaml.j2
index 40d6a8bb5..6f304a0da 100644
--- a/roles/kubernetes/master/templates/apiserver-audit-policy.yaml.j2
+++ b/roles/kubernetes/master/templates/apiserver-audit-policy.yaml.j2
@@ -1,6 +1,9 @@
 apiVersion: audit.k8s.io/v1beta1
 kind: Policy
 rules:
+{% if audit_policy_custom_rules is defined and audit_policy_custom_rules != "" -%}
+{{ audit_policy_custom_rules | indent(2, true) }}
+{% else %}
   # The following requests were manually identified as high-volume and low-risk,
   # so drop them.
   - level: None
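Review bot: The guard on the `{% if %}` line treats a null or whitespace-only `audit_policy_custom_rules` as custom rules: `is defined` is true for a bare `audit_policy_custom_rules:` in inventory, and `None != ""` also holds, so `rules:` would be followed by an indented `None` and kube-apiserver would receive an unparseable policy. A tighter test is `{% if audit_policy_custom_rules | default('') | trim != "" -%}`. Note also that this branch replaces the whole default rule set, including the final catch-all `level: Metadata` rule closed by the `{% endif %}` in the second hunk; a custom list without a catch-all leaves every unmatched request unaudited (a no-match is treated as level None, as far as I recall). A comment next to the `{% if %}` such as `{# custom rules replace, not extend, the defaults; end them with a catch-all rule #}` would make that explicit to operators.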
@@ -123,3 +126,4 @@ rules:
   - level: Metadata
     omitStages:
       - "RequestReceived"
+{% endif %}
-- 
GitLab