Merge pull request #1303 from sanchezl/apirequestcount-skip-audit

Bug 2049687: superfluous apirequestcount entries in audit log

pkg/operator/apiserver/audit/manifests/base-policy.yaml

@@ -19,3 +19,10 @@
       - "/version"
       - "/healthz"
       - "/readyz"
+    # Don't log requests by "system:apiserver" on apirequestcounts
+    - level: None
+      users: ["system:apiserver"]
+      resources:
+        - group: "apiserver.openshift.io"
+          resources: ["apirequestcounts", "apirequestcounts/*"]
+      namespaces: [""]

pkg/operator/apiserver/audit/testdata/allrequestbodies.yaml

@@ -21,6 +21,13 @@ rules:
   - "/version"
   - "/healthz"
   - "/readyz"
+# Don't log requests by "system:apiserver" on apirequestcounts
+- level: None
+  users: ["system:apiserver"]
+  resources:
+    - group: "apiserver.openshift.io"
+      resources: ["apirequestcounts", "apirequestcounts/*"]
+  namespaces: [""]
 # exclude resources where the body is security-sensitive
 - level: Metadata
   resources:

pkg/operator/apiserver/audit/testdata/default.yaml

@@ -21,6 +21,13 @@
       - "/version"
       - "/healthz"
       - "/readyz"
+      # Don't log requests by "system:apiserver" on apirequestcounts
+    - level: None
+      users: ["system:apiserver"]
+      resources:
+        - group: "apiserver.openshift.io"
+          resources: ["apirequestcounts", "apirequestcounts/*"]
+      namespaces: [""]
     # Log the full Identity API resource object so that the audit trail
     # allows us to match the username with the IDP identity.
     - level: RequestResponse

pkg/operator/apiserver/audit/testdata/multipleCr.yaml

@@ -21,6 +21,13 @@ rules:
   - "/version"
   - "/healthz"
   - "/readyz"
+# Don't log requests by "system:apiserver" on apirequestcounts
+- level: None
+  users: ["system:apiserver"]
+  resources:
+    - group: "apiserver.openshift.io"
+      resources: ["apirequestcounts", "apirequestcounts/*"]
+  namespaces: [""]
 # exclude resources where the body is security-sensitive
 - level: Metadata
   resources:

pkg/operator/apiserver/audit/testdata/none.yaml

@@ -21,4 +21,11 @@ rules:
   - "/version"
   - "/healthz"
   - "/readyz"
+# Don't log requests by "system:apiserver" on apirequestcounts
+- level: None
+  users: ["system:apiserver"]
+  resources:
+    - group: "apiserver.openshift.io"
+      resources: ["apirequestcounts", "apirequestcounts/*"]
+  namespaces: [""]
 - level: None

pkg/operator/apiserver/audit/testdata/oauth.yaml

@@ -21,6 +21,13 @@ rules:
   - "/version"
   - "/healthz"
   - "/readyz"
+# Don't log requests by "system:apiserver" on apirequestcounts
+- level: None
+  users: ["system:apiserver"]
+  resources:
+    - group: "apiserver.openshift.io"
+      resources: ["apirequestcounts", "apirequestcounts/*"]
+  namespaces: [""]
 # exclude resources where the body is security-sensitive
 - level: Metadata
   resources:

pkg/operator/apiserver/audit/testdata/writerequestbodies.yaml

@@ -21,6 +21,13 @@ rules:
   - "/version"
   - "/healthz"
   - "/readyz"
+# Don't log requests by "system:apiserver" on apirequestcounts
+- level: None
+  users: ["system:apiserver"]
+  resources:
+    - group: "apiserver.openshift.io"
+      resources: ["apirequestcounts", "apirequestcounts/*"]
+  namespaces: [""]
 # exclude resources where the body is security-sensitive
 - level: Metadata
   resources: