Use kube-audit-admin instead of kube-audit

[BernieWhite]

Existing rule

None

Suggested rule

Create a new rule Azure.AKS.AuditAdmin to flag when the kube-audit log is collected with diagnostic settings.

When kube-audit is enabled, this can significantly increase cost for monitoring AKS clusters.

Instead enable collection for kube-audit-admin, which excludes the get and list audit events, but includes changes.

Pillar

Cost Optimization

Additional context

Related to #2249

• https://learn.microsoft.com/azure/aks/monitor-aks#resource-logs

[BenjaminEngeset]

Hi @BernieWhite.

How did PSRule treat extension resource types pre and in-flight?

Pre it is defined as an own resource, but when exporting it's under resources as a child resource?

[BernieWhite]

@BenjaminEngeset

• Extensions resources at pre-flight are automatically nested in the resources property of the extended resource. For extension resources this normally involves a scope property which is interpreted by PSRule.
• Similarly in-flight extension resources are nested in resources however they need to be identified and specifically queried because they are not automatically listed by ARM.

The code for visiting resource types for exporting in-flight child and extension resources is here: https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/Pipeline/Export/ResourceExportVisitor.cs

[BenjaminEngeset]

Thanks, @BernieWhite, that was truly helpful.

I will create the rule.