AuditSink represents a cluster level audit sink
APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources
Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
AuditSinkList is a list of AuditSink items.
AuditSinkSpec holds the spec for the audit sink
Policy defines the policy for selecting which events should be sent to the webhook. Required.
Policy defines the configuration of how audit events are logged
The Level that all requests are recorded at. Available options: None, Metadata, Request, RequestResponse. Required.
ServiceReference holds a reference to Service.legacy.k8s.io
Webhook holds the configuration of the webhook
ClientConfig holds the connection parameters for the webhook. Required.
WebhookClientConfig contains the information to make a connection with the webhook
caBundle is a PEM encoded CA bundle which will be used to validate the webhook’s server certificate. If unspecified, system trust roots on the apiserver are used.
service is a reference to the service for this webhook. Either service or url must be specified.
If the webhook is running within the cluster, then you should use service.
Port 443 will be used if it is open, otherwise it is an error.
url gives the location of the webhook, in standard URL form (scheme://host:port/path). Exactly one of url or service must be specified.
The host should not refer to a service running in the cluster; use the service field instead. The host might be resolved via external DNS in some apiservers (e.g., kube-apiserver cannot resolve in-cluster DNS as that would be a layering violation). host may also be an IP address.
Please note that using localhost or 127.0.0.1 as a host is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster.
The scheme must be “https”; the URL must begin with “https://”.
A path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier.
Attempting to use a user or basic auth e.g. “user:password@” is not allowed. Fragments (“#…”) and query parameters (“?…”) are not allowed, either.
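The url and service rules above can be checked before a sink is submitted. The following Go sketch is an added example, not code from Kubernetes or from this reference; checkClientConfig is a hypothetical helper, the sample URLs are constructed, and treating localhost like 127.0.0.1 is an assumption of the example.

```go
package main

import (
	"fmt"
	"net/url"
)

// checkClientConfig applies the url/service rules from the field descriptions.
// rawURL == "" means url is unset; hasService reports whether service is set.
// Hypothetical helper for illustration, not the apiserver's validation code.
func checkClientConfig(rawURL string, hasService bool) []string {
	if (rawURL != "") == hasService {
		return []string{"exactly one of url or service must be specified"}
	}
	if hasService {
		return nil // in-cluster webhook: nothing to check on url
	}
	u, err := url.Parse(rawURL)
	if err != nil {
		return []string{"url does not parse: " + err.Error()}
	}
	var problems []string
	if u.Scheme != "https" {
		problems = append(problems, "scheme must be https")
	}
	if u.User != nil {
		problems = append(problems, "user or basic auth is not allowed")
	}
	if u.RawQuery != "" || u.Fragment != "" {
		problems = append(problems, "query parameters and fragments are not allowed")
	}
	// Loopback is legal but risky; "localhost" is treated like 127.0.0.1 here.
	if h := u.Hostname(); h == "127.0.0.1" || h == "localhost" {
		problems = append(problems, "warning: loopback host, webhook must run on every apiserver host")
	}
	return problems
}

func main() {
	// Constructed sample values, not taken from any real cluster.
	for _, raw := range []string{
		"https://audit.example.com/cluster-a",
		"http://audit.example.com/",
		"https://user:password@audit.example.com/?id=1",
		"https://127.0.0.1:8443/audit",
	} {
		fmt.Printf("%-50s %q\n", raw, checkClientConfig(raw, false))
	}
}
```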
WebhookThrottleConfig holds the configuration for throttling events
ThrottleBurst is the maximum number of events sent at the same moment. Default 15 QPS.