Automatic merge from submit-queue (batch tested with PRs 46897, 46899, 46864, 46854, 46875)

Write audit policy file for GCE/GKE configuration

Setup the audit policy configuration for GCE & GKE. Here is the high level summary of the policy:

- Default logging everything at `Metadata`
- Known write APIs default to `RequestResponse`
- Known read-only APIs default to `Request`
- Except secrets & configmaps are logged at `Metadata`
- Don't log events
- Don't log `/version`, swagger or healthchecks

In addition to the above, I spent time analyzing the noisiest lines in the audit log from a cluster that soaked for 24 hours (and ran a batch of e2e tests). Of those top requests, those that were identified as low-risk (all read-only, except update kube-system endpoints by controllers) are dropped. I suspect we'll want to tweak this a bit more once we've had a time to soak it on some real clusters.

For kubernetes/features#22

/cc @sttts @ericchiang
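The rules summarized in the commit message can be expressed as a kube-apiserver audit policy. The following is an added illustration of that shape, not the policy file the PR itself ships: it uses the `audit.k8s.io/v1` API (the PR predates it and targets an earlier alpha version), matches "read-only" and "write" by verb rather than by the explicit list of known APIs the PR uses, and the controller identities in the kube-system endpoints rule (`system:kube-controller-manager`, `system:kube-scheduler`) are assumptions about which principals refresh those leader-election endpoints.

```yaml
apiVersion: audit.k8s.io/v1
kind: Policy
# Rules are evaluated top to bottom and the first match wins, so every
# drop (level: None) and every downgrade (secrets/configmaps) must sit
# above the broad verb-based defaults, or the default will swallow it.
omitStages:
  - RequestReceived   # one event per request, at response time only
rules:
  # Don't log health checks, the version endpoint, or the swagger docs.
  - level: None
    nonResourceURLs:
      - /healthz*
      - /version
      - /swagger*
  # Don't log events: high volume, low forensic value.
  - level: None
    resources:
      - group: ""
        resources: ["events"]
  # Drop one noisy, low-risk write: controllers renewing their
  # leader-election endpoints in kube-system. Principal names are assumed.
  - level: None
    users: ["system:kube-controller-manager", "system:kube-scheduler"]
    verbs: ["get", "update"]
    namespaces: ["kube-system"]
    resources:
      - group: ""
        resources: ["endpoints"]
  # Secrets and configmaps: never log bodies, since they carry credentials.
  # This must precede the write rule below or RequestResponse would win.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]
  # Read-only verbs: record the request (URL, object references) but not
  # the response body, which for list/watch can be large.
  - level: Request
    verbs: ["get", "list", "watch"]
  # Writes: record both the request and the response object.
  - level: RequestResponse
    verbs: ["create", "update", "patch", "delete", "deletecollection"]
  # Catch-all for anything not matched above.
  - level: Metadata
```

Load it with `kube-apiserver --audit-policy-file=/path/to/policy.yaml --audit-log-path=/var/log/kube-apiserver-audit.log`. When adding a new drop rule after soaking, insert it above the `Metadata` rule for secrets and configmaps only if it cannot match those resources; a `level: None` rule that matches a secret write silently removes it from the log.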
| Name |
|---|
| .. |
| mounter |
| nvidia-gpus |
| configure-helper.sh |
| configure.sh |
| health-monitor.sh |
| helper.sh |
| master-helper.sh |
| master.yaml |
| node-helper.sh |
| node.yaml |
| README.md |
Container-VM Image
Container-VM Image is a container-optimized OS image for the Google Cloud Platform (GCP). It is primarily for running Google services on GCP. Unlike the open preview version of container-vm, the new Container-VM Image is based on the open source ChromiumOS project, allowing us greater control over the build management, security compliance, and customizations for GCP.