Barahalikar Siddharth:
While exploring audit policy, I came across this rule:
# Log the request body of configmap changes in kube-system.
- level: Request
  resources:
  - group: "" # core API group
    resources: ["configmaps"]
  # This rule only applies to resources in the "kube-system" namespace.
  # The empty string "" can be used to select non-namespaced resources.
  namespaces: ["kube-system"]
Here I would like to understand this line: The empty string "" can be used to select non-namespaced resources.
Let’s assume I want to log data when someone deletes a ClusterRole,
# Cluster role
- level: Request
  # verbs is a rule-level field, a sibling of resources and namespaces
  verbs: ["delete"]
  resources:
  - group: "API related to clusterrole"
    resources: ["clusterrole"]
  namespaces: [""]
What happens if I also give a specific namespace?
# Cluster role
- level: Request
  # verbs is a rule-level field, a sibling of resources and namespaces
  verbs: ["delete"]
  resources:
  - group: "API related to clusterrole"
    resources: ["clusterrole"]
  namespaces: ["prod"]
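
The namespace semantics asked about above, as an added example that is not part of the original message and is not Kubernetes code: a simplified Python model of how a rule's verbs, namespaces and resources are compared with a request. The class and function names are hypothetical and the requests are constructed. It assumes a request for a cluster-scoped resource carries an empty namespace, and it uses the API group rbac.authorization.k8s.io and the resource plural clusterroles for ClusterRole.

```python
# Added example: simplified model of audit policy rule matching.
# Assumption: a cluster-scoped request has namespace "" (empty string).
from dataclasses import dataclass, field

@dataclass
class GroupResources:
    group: str
    resources: list = field(default_factory=list)

@dataclass
class Rule:
    level: str
    verbs: list = field(default_factory=list)
    resources: list = field(default_factory=list)   # list of GroupResources
    namespaces: list = field(default_factory=list)

@dataclass
class Request:
    verb: str
    group: str
    resource: str
    namespace: str = ""   # "" for cluster-scoped resources

def rule_matches(rule, req):
    # An empty list on the rule means "no restriction" for that field.
    if rule.verbs and req.verb not in rule.verbs:
        return False
    if rule.namespaces and req.namespace not in rule.namespaces:
        return False
    if not rule.resources:
        return True
    for gr in rule.resources:
        if gr.group != req.group:
            continue
        if not gr.resources or req.resource in gr.resources or "*" in gr.resources:
            return True
    return False

def audit_level(rules, req):
    """First matching rule sets the level; no match means level None."""
    for rule in rules:
        if rule_matches(rule, req):
            return rule.level
    return "None"

RBAC = "rbac.authorization.k8s.io"
CLUSTERROLES = [GroupResources(RBAC, ["clusterroles"])]
DELETE_CLUSTERROLE = Request("delete", RBAC, "clusterroles")   # constructed request
CLUSTER_SCOPED_RULE = [Rule("Request", ["delete"], CLUSTERROLES, [""])]
PROD_RULE = [Rule("Request", ["delete"], CLUSTERROLES, ["prod"])]
```

In this model the rule with namespaces: [""] matches the ClusterRole delete, while the rule with namespaces: ["prod"] never does, because the request's namespace is empty and "prod" is not equal to it.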