A recent Kubernetes bugfix means that subresource requests, for which audit logging previously failed, are now logged successfully. The serviceaccounts/token subresource responds to TokenRequest API calls with a newly minted service account token.
The serviceaccounts/token resource should also be included in the metadata-only audit policy if credentials are not intended to appear in the audit log:
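As an added illustration (not code from Kubernetes or from this report), the sketch below models audit-policy resource matching in simplified form, using resource selectors only and ignoring users, verbs and namespaces. It shows why a rule listing serviceaccounts does not cover the token subresource, and how listing serviceaccounts/token changes the level; both policies are constructed samples.

```python
# Simplified model of audit-policy rule matching (resource selectors only).
# The two policies below are constructed samples, written as dicts that
# mirror the YAML structure of an audit.k8s.io Policy object.

def rule_matches(rule, group, resource, subresource):
    """A selector such as "pods" does not match the subresource "pods/log"."""
    selectors = rule.get("resources", [])
    if not selectors:                      # no selector: matches every resource
        return True
    combined = f"{resource}/{subresource}" if subresource else resource
    for sel in selectors:
        if sel.get("group", "") != group:
            continue
        names = sel.get("resources", [])
        if not names:                      # empty list: everything in the group
            return True
        for name in names:
            if name in ("*", combined):    # wildcard or exact match
                return True
            if subresource and name == f"*/{subresource}":
                return True
            if name == f"{resource}/*":
                return True
    return False

def audit_level(policy, group, resource, subresource=""):
    """Rules are evaluated in order; the first matching rule sets the level."""
    for rule in policy["rules"]:
        if rule_matches(rule, group, resource, subresource):
            return rule["level"]
    return "None"

# "Before": the token subresource falls through to the catch-all rule,
# so the response body (the minted token) would be recorded.
POLICY_BEFORE = {"rules": [
    {"level": "Metadata",
     "resources": [{"group": "", "resources": ["secrets", "serviceaccounts"]}]},
    {"level": "RequestResponse"},
]}

# "After": serviceaccounts/token is listed in the metadata-only rule.
POLICY_AFTER = {"rules": [
    {"level": "Metadata",
     "resources": [{"group": "", "resources": ["secrets", "serviceaccounts/token"]}]},
    {"level": "RequestResponse"},
]}

if __name__ == "__main__":
    for label, policy in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        print(label, audit_level(policy, "", "serviceaccounts", "token"))
```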
The following files reference a metadata-only audit policy in order to prevent logging request/response contents for sensitive resources: