For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/kubernetes-audit-policy-not-cover-key-security-concerns.md. A documentation index is available at /llms.txt.

Audit policy does not cover key security concerns

This product is not supported for your selected Datadog site. ().

Metadata

Id: kubernetes-audit-policy-not-cover-key-security-concerns

Platform: Kubernetes

Severity: Low

Category: Observability

Learn More

Description

The audit policy should cover key security concerns about sensitive data logged in Kubernetes audit logs. The policy requires rules for specific resources to be defined at the required audit levels (Metadata, Request, RequestResponse). These resources include: secrets, tokenreviews, configmaps, pods, deployments, and pod/service sub-resources (pods/exec, pods/portforward, pods/proxy, services/proxy). Missing any required level for a listed resource indicates the policy may not adequately prevent sensitive information from being recorded or exposed via audit events.

Compliant Code Examples

apiVersion: audit.k8s.io/v1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
  - "RequestReceived"
rules:
  - level: Metadata
    resources:
    - group: ""
      resources: ["secrets","configmaps","tokenreviews"]
  - level: Metadata
    resources:
    - group: ""
      resources: ["pods","deployments"]
  - level: RequestResponse
    resources:
    - group: ""
      resources: ["pods/exec", "pods/portforward", "pods/proxy", "services/proxy"]

Non-Compliant Code Examples

apiVersion: audit.k8s.io/v1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
  - "RequestReceived"
rules:

apiVersion: audit.k8s.io/v1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
rules:
  - level: RequestResponse
    resources:
    - group: ""
      resources: ["secrets","configmaps","tokenreviews"]
  - level: Metadata
    resources:
    - group: ""
      resources: ["pods","deployments"]
  - level: None
    resources:
    - group: ""
      resources: ["pods/exec", "pods/portforward", "pods/proxy", "services/proxy"]

apiVersion: audit.k8s.io/v1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
  - "RequestReceived"
rules:
  - level: Metadata
    resources:
    - group: ""
      resources: ["secrets","configmaps","tokenreviews"]
  - level: Metadata
    resources:
    - group: ""
      resources: ["pods"]
  - level: RequestResponse
    resources:
    - group: ""
      resources: ["pods/exec", "pods/portforward", "pods/proxy", "services/proxy"]