Reputation: 13470
I am following the instructions here on how to create a policy to audit actions in Kubernetes.
When I run the following YAML file:
kubectl apply -f - <<EOF
apiVersion: audit.k8s.io/v1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
  - "RequestReceived"
rules:
  # Log pod changes at RequestResponse level
  - level: RequestResponse
    resources:
    - group: ""
      # Resource "pods" doesn't match requests to any subresource of pods,
      # which is consistent with the RBAC policy.
      resources: ["pods"]
EOF
I received the following error:
error: unable to recognize "STDIN": no matches for kind "Policy" in version "audit.k8s.io/v1"
I tried to change the apiVersion to audit.k8s.io/v1beta1 and also v1 but it failed with the same error.
Notice the flag --audit-policy-file doesn't appear in /etc/kubernetes/manifests/kube-apiserver.yaml but I don't think it is related because this is just about creating an object.
If you want to reproduce you can go to https://labs.play-with-k8s.com, create a cluster and try to create the policy.
Upvotes: 6
Views: 3650
Reputation: 75
As of 2022.08:
For Kubernetes v1.21 (or even lower versions) and higher, the Policy API version used by kube-audit is apiVersion: audit.k8s.io/v1; the old versions v1alpha1 and v1beta1 are DEPRECATED.
Both of the following files
k8s.io/apiserver/pkg/apis/audit/v1alpha1/types.go
k8s.io/apiserver/pkg/apis/audit/v1beta1/types.go
say:
DEPRECATED - This group version of Policy is deprecated by audit.k8s.io/v1/Policy
You can NOT use kube apply -f a-policy.yaml to create a Policy object; the error message is no matches for kind "Policy" in version "audit.k8s.io/v1".
The only way is to add a param such as --audit-policy-file='/policy.yaml' to kube-apiserver when it is started.
Namely, kube-apiserver does NOT support dynamically watching a Policy object and enabling the kube-audit. Well, it is not in Kubernetes style.
When your policy.yaml is not effectively parsed by kube-apiserver (e.g. wrong API version), it will crash. It is a bit complex to debug such a policy.yaml. Read the Kubernetes documentation and source code, and try again and again until the kube-apiserver starts up successfully with your given policy-file.
Upvotes: 0
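The answer above says kube-apiserver reads the policy only from --audit-policy-file at startup and fails to start on a file it cannot parse. As an added example (not part of the original posts or of Kubernetes itself), this Python lint checks a parsed policy's apiVersion, kind, stages and levels before the file is handed to kube-apiserver; lint_policy and QUESTION_POLICY are names made up here, and loading a file from disk assumes PyYAML is installed.

```python
import sys

LEVELS = {"None", "Metadata", "Request", "RequestResponse"}
STAGES = {"RequestReceived", "ResponseStarted", "ResponseComplete", "Panic"}
CURRENT = "audit.k8s.io/v1"
DEPRECATED = {"audit.k8s.io/v1alpha1", "audit.k8s.io/v1beta1"}  # per the answer


def lint_policy(doc):
    """Return a list of problems in a parsed audit policy (empty list = none)."""
    if not isinstance(doc, dict):
        return ["policy is empty or not a mapping"]
    problems = []
    version = doc.get("apiVersion")
    if version in DEPRECATED:
        problems.append(f"apiVersion {version} is deprecated, use {CURRENT}")
    elif version != CURRENT:
        problems.append(f"unexpected apiVersion {version!r}")
    if doc.get("kind") != "Policy":
        problems.append(f"kind must be Policy, got {doc.get('kind')!r}")
    for stage in doc.get("omitStages") or []:
        if stage not in STAGES:
            problems.append(f"omitStages: unknown stage {stage!r}")
    rules = doc.get("rules") or []
    if not rules:
        problems.append("policy has no rules")
    for i, rule in enumerate(rules):
        if rule.get("level") not in LEVELS:
            problems.append(f"rules[{i}]: invalid level {rule.get('level')!r}")
        if rule.get("resources") and rule.get("nonResourceURLs"):
            problems.append(f"rules[{i}]: resources and nonResourceURLs both set")
    return problems


# Constructed sample: the policy from the question, already parsed into a dict.
QUESTION_POLICY = {
    "apiVersion": "audit.k8s.io/v1", "kind": "Policy",
    "omitStages": ["RequestReceived"],
    "rules": [{"level": "RequestResponse",
               "resources": [{"group": "", "resources": ["pods"]}]}],
}

if __name__ == "__main__":
    doc = QUESTION_POLICY
    if len(sys.argv) > 1:
        import yaml  # assumption: PyYAML is installed where this runs
        with open(sys.argv[1]) as fh:
            doc = yaml.safe_load(fh)
    # Exit 0 when clean; otherwise print the problems to stderr and exit 1.
    sys.exit("\n".join(lint_policy(doc)) or 0)
```

Run it with the policy path as the only argument before restarting kube-apiserver with --audit-policy-file; on a cluster old enough to need v1beta1 (as in the Kubernetes 1.11 answer below), the deprecation finding is expected.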
Reputation: 21
Got the same on Kubernetes 1.11 using:
apiVersion: audit.k8s.io/v1
Fixed by changing to:
apiVersion: audit.k8s.io/v1beta1
Upvotes: 2
Reputation: 18161
The audit policy file is specified when launching the apiserver:
You can pass a file with the policy to kube-apiserver using the --audit-policy-file flag.
Upvotes: 1