From d66da217260b9cafd8ce892b90c9d3d4a43df8bb Mon Sep 17 00:00:00 2001
From: Kasakaze
Date: Mon, 7 Jun 2021 23:38:40 +0800
Subject: [PATCH] make sure serviceaccounts/token is only in the metadata stage
(#7679)
---
.../control-plane/templates/apiserver-audit-policy.yaml.j2 | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/kubernetes/control-plane/templates/apiserver-audit-policy.yaml.j2 b/roles/kubernetes/control-plane/templates/apiserver-audit-policy.yaml.j2
index 41fc07c48..ca7bcf806 100644
--- a/roles/kubernetes/control-plane/templates/apiserver-audit-policy.yaml.j2
+++ b/roles/kubernetes/control-plane/templates/apiserver-audit-policy.yaml.j2
@@ -67,12 +67,12 @@ rules:
resources:
- group: "" # core
resources: ["events"]
- # Secrets, ConfigMaps, and TokenReviews can contain sensitive & binary data,
+ # Secrets, ConfigMaps, TokenRequest and TokenReviews can contain sensitive & binary data,
# so only log at the Metadata level.
- level: Metadata
resources:
- group: "" # core
- resources: ["secrets", "configmaps"]
+ resources: ["secrets", "configmaps", "serviceaccounts/token"]
- group: authentication.k8s.io
resources: ["tokenreviews"]
omitStages:
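Review bot: The `serviceaccounts/token` entry on the new `resources` line is correct only if no earlier rule in the policy already matches `serviceaccounts` (or its subresources) at a higher level, because the apiserver applies the first matching rule; the earlier rules and the enclosing rule's start are outside this hunk, so that ordering should be confirmed. Since the TokenRequest response body carries the freshly minted bearer token, a mismatch would put live credentials into the audit log, which is exactly what this Metadata-level rule is meant to prevent. I would also tie the comment to the resource name so the intent survives later edits, e.g. `# serviceaccounts/token (TokenRequest) returns a bearer token in the response body, so it must stay at Metadata level`. Note that the subresource is reached through the core group, which is why it sits under `group: ""` rather than with `tokenreviews` under `authentication.k8s.io`.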