While exploring audit policy, i can across this rule, ``` # Log the request b . . .

kodekloud · April 30, 2021, 1:13pm

Barahalikar Siddharth:
while exploring audit policy, i can across this rule,

  # Log the request body of configmap changes in kube-system.
  - level: Request
    resources:
    - group: "" # core API group
      resources: ["configmaps"]
    # This rule only applies to resources in the "kube-system" namespace.
    # The empty string "" can be used to select non-namespaced resources.
    namespaces: ["kube-system"]

Here I would like to understand this line The empty string "" can be used to select non-namespaced resources.

Let’s assume I want to log data when someone deletes a ClusterRole,

  # Cluster role 
  - level: Request
    resources:
    - group: "API related to clusterrole"
      verbs: ["delete"]
      resources: ["clusterrole"]
    namespaces: [""]

What happens if I also give a specific namespace

# Cluster role 
  - level: Request
    resources:
    - group: "API related to clusterrole"
      verbs: ["delete"]
      resources: ["clusterrole"]
    namespaces: ["prod"]

kodekloud · April 30, 2021, 1:13pm

Fernando Jordan Silva:
Not possible, a clusterrole is a cluster resource, that means that it is non-namespace and is used across all namespaces.
You can check which resources are namespaced or non-namespaced using “kubectl api-resources”

kodekloud · April 30, 2021, 1:13pm

Barahalikar Siddharth:
tried it in a env, and as mentioned it doesn’t work. No log is written