
Audit policy metadata-only rule should include `serviceaccounts/token` resource

Open · liggitt opened this issue 3 years ago · 1 comment

The following files reference a metadata-only audit policy in order to prevent logging request/response contents for sensitive resources:

  • https://github.com/TremoloSecurity/k8s-idm-lab/blob/master/k8s-audit-policy.yaml

A recent Kubernetes bugfix means that audit-logging of subresource requests which previously failed will now log successfully. The serviceaccounts/token subresource responds to TokenRequest API calls with a newly minted service account token.

The serviceaccounts/token resource should also be included in the metadata-only audit policy if credentials are not intended to appear in the audit log:

```yaml
- group: "" # core
  resources: ["secrets", "configmaps", "serviceaccounts/token"]
```

liggitt avatar Jun 06 '21 00:06 liggitt
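The reason the subresource has to be listed explicitly is that the apiserver matches audit rules first-match, and a plain `secrets` or `serviceaccounts` entry matches only the resource itself, never its subresources. The following Python checker is an added example, not code from this issue or from the k8s-idm-lab repository: it reproduces the apiserver's resource-matching and first-match semantics and reports which sensitive resources a policy would still log with request or response bodies. The two policy dicts are constructed to mirror the shape of the rule quoted above and do not reproduce the repository's actual `k8s-audit-policy.yaml`.

```python
"""Check a Kubernetes audit policy for sensitive resources whose requests
or responses (and therefore credentials) would be written to the audit log.
"""

# Constructed policies (not the repository's real file). The first rule
# restricts secrets and configmaps to Metadata level; the catch-all rule
# logs everything else with full request/response bodies.
POLICY_BEFORE = {
    "rules": [
        {"level": "Metadata",
         "resources": [{"group": "", "resources": ["secrets", "configmaps"]}]},
        {"level": "RequestResponse"},
    ]
}

# Same policy with the fix proposed in the issue applied.
POLICY_AFTER = {
    "rules": [
        {"level": "Metadata",
         "resources": [{"group": "",
                        "resources": ["secrets", "configmaps", "serviceaccounts/token"]}]},
        {"level": "RequestResponse"},
    ]
}

# Audit levels in increasing order of how much of the request is recorded.
LEVELS = ["None", "Metadata", "Request", "RequestResponse"]

# (group, resource, subresource) triples whose bodies can carry credentials.
SENSITIVE = [("", "secrets", ""), ("", "configmaps", ""),
             ("", "serviceaccounts", "token")]


def resource_matches(pattern, resource, subresource):
    """Match one entry of a rule's resources list the way the apiserver does:
    'pods' matches only pods, 'pods/log' only that subresource,
    'pods/*' pods and all of its subresources, '*/scale' every scale
    subresource, and '*' everything."""
    if pattern == "*":
        return True
    if "/" in pattern:
        res_pat, sub_pat = pattern.split("/", 1)
        return res_pat in ("*", resource) and sub_pat in ("*", subresource)
    # A bare resource name never matches a subresource request.
    return pattern == resource and subresource == ""


def rule_matches(rule, group, resource, subresource):
    """A rule without a 'resources' key applies to every request; a group
    entry with an empty resources list applies to every resource in it."""
    groups = rule.get("resources")
    if not groups:
        return True
    for g in groups:
        if g.get("group", "") != group:
            continue
        names = g.get("resources", [])
        if not names or any(resource_matches(p, resource, subresource) for p in names):
            return True
    return False


def effective_level(policy, group, resource, subresource=""):
    """Audit policy is first-match: the level of the first matching rule wins.
    With no matching rule the apiserver records nothing (level None)."""
    for rule in policy["rules"]:
        if rule_matches(rule, group, resource, subresource):
            return rule["level"]
    return "None"


def find_leaks(policy):
    """Return the sensitive resources that the policy would log above
    Metadata level, i.e. with request and/or response bodies."""
    leaks = []
    for group, resource, sub in SENSITIVE:
        level = effective_level(policy, group, resource, sub)
        if LEVELS.index(level) > LEVELS.index("Metadata"):
            leaks.append(f"{resource}/{sub}" if sub else resource)
    return leaks


if __name__ == "__main__":
    print("before fix:", find_leaks(POLICY_BEFORE))  # ['serviceaccounts/token']
    print("after fix: ", find_leaks(POLICY_AFTER))   # []
```

Because `serviceaccounts/token` falls through the Metadata rule in the first policy, the catch-all `RequestResponse` rule applies and the minted token in the TokenRequest response would land in the log; adding the subresource to the first rule is what closes that gap.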

Sorry I missed this! I'll get this updated.

mlbiam avatar Jun 28 '21 00:06 mlbiam