Merge pull request #803 from tallclair/audit_proposal

Update advanced audit proposal with policy decisions

1 files changed, 2 insertions, 13 deletions

diff --git a/contributors/design-proposals/auditing.md b/contributors/design-proposals/auditing.md
index 195cf1dd..ff1b9092 100644
--- a/contributors/design-proposals/auditing.md
+++ b/contributors/design-proposals/auditing.md
@@ -301,13 +301,8 @@ rules:
 The policy is checked immediately after authentication in the request handling, and determines how
 the `audit.Event` is formed.
 
-In an [aggregated](aggregated-api-servers.md) deployment, the `kube-aggregator` is responsible for
-checking the policy. The kube-aggregator writes the audit Level from the policy into a request
-header that is passed on to the end-user apiserver, e.g.
-
-```
-Audit-Level: Request
-```
+In an [aggregated](aggregated-api-servers.md) deployment, each apiserver must be independently
+configured for audit logging (including the aggregator).
 
 ### Filters
 
@@ -366,12 +361,6 @@ original sender's IP, an attacker could send there request with a bogus IP at th
 `X-Forwarded-For` chain. To mitigate this, we will log the entire IP chain. This has the additional
 benefit of supporting external proxies.
 
-**Audit Policy.** The audit policy is intended to be set by the kube-aggregator and passed along in
-the `Audit-Level` header. However, we don't want an attacker to be able to simply set `Audit-Level:
-None` on their request. To prevent this, *if an apiserver has an audit policy configured, that
-policy overrides the header*. In practice, this means the kube-aggregator can be configured with an
-audit policy, and it will simply overwrite any audit level previously attached to the request.
-
 ## Sensible (not necessarily sequential) Milestones of Implementation
 
 1. Add `audit.Event` and `audit.OutputBackend` and implement [#27087](https://github.com/kubernetes/kubernetes/pull/27087)'s basic auditing using them, using a single global audit Level, up to `ResponseBody`.