Can't create Policy: 'no matches for kind "Policy"'

3

6

I am following the instructions here on how to create a policy to audit actions in Kubernetes.

When I run the following YAML file:

kubectl apply -f - <<EOF  
apiVersion: audit.k8s.io/v1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
  - "RequestReceived"
rules:
  # Log pod changes at RequestResponse level
  - level: RequestResponse
    resources:
    - group: ""
      # Resource "pods" doesn't match requests to any subresource of pods,
      # which is consistent with the RBAC policy.
      resources: ["pods"]
EOF

I received the following error:

error: unable to recognize "STDIN": no matches for kind "Policy" in version "audit.k8s.io/v1"

I tried to change the apiVersion to audit.k8s.io/v1beta1 and also v1 but it failed with the same error.

Notice the flag --audit-policy-file doesn't appear in /etc/kubernetes/manifests/kube-apiserver.yaml but I don't think it is related because this is just about creating an object.

If you want to reproduce you can go to https://labs.play-with-k8s.com, create a cluster and try to create the policy.

Aleasealeatory answered 17/1, 2019 at 14:49 Comment(0)
2

Got the same on Kubernetes 1.11 using:

apiVersion: audit.k8s.io/v1

Fixed by changing to:

apiVersion: audit.k8s.io/v1beta1
Rank answered 10/3, 2019 at 16:18 Comment(0)
1

The audit policy file is specified when launching the apiserver:

You can pass a file with the policy to kube-apiserver using the --audit-policy-file flag.

Julenejulep answered 18/1, 2019 at 6:25 Comment(5)
When I'm adding --audit-policy-file='/policy.yaml' OR --audit-policy-file OR --audit-policy-file=/policy.yaml the kube-apiserver crashes all the time. Only after I remove one of the lines I mentioned does it start to work normally again. - Aleasealeatory
Make sure the policy file is visible to the apiserver process at the specified path. - Julenejulep
It is visible, I changed the location to be inside /etc/kubernetes/manifests and it still crashes the API server. After I remove the line --audit-policy-file='/etc/kubernetes/manifests/policy.yaml' it returns to work again. - Aleasealeatory
@Aleasealeatory did you solve your issue? - Faden
@Faden no, but it was a long time since I tried it. Maybe now it will work. - Aleasealeatory
0

As of 2022.08:

For Kubernetes v1.21 (or even lower versions) and higher, the Policy API version used by kube-audit is apiVersion: audit.k8s.io/v1; the old versions v1alpha1 and v1beta1 are DEPRECATED.

Both of the following files

k8s.io/apiserver/pkg/apis/audit/v1alpha1/types.go
k8s.io/apiserver/pkg/apis/audit/v1beta1/types.go

say:

DEPRECATED - This group version of Policy is deprecated by audit.k8s.io/v1/Policy

You can NOT use kube apply -f a-policy.yaml to create a Policy object; the error message is no matches for kind "Policy" in version "audit.k8s.io/v1".

The only way is to add a param such as --audit-policy-file='/policy.yaml' to kube-apiserver when it is started.

Namely, kube-apiserver does NOT support dynamically watching a Policy object and enabling the kube-audit. Well, it is not in Kubernetes style.

When your policy.yaml is not effectively parsed by kube-apiserver (e.g. wrong API version), it will crash. It is a bit complex to debug such a policy.yaml. Read the Kubernetes documentation and source code, and try again and again, until the kube-apiserver starts up successfully with your given policy file.

Misbegotten answered 25/8, 2022 at 9:41 Comment(0)
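
An added example, not taken from any of the answers and not the asker's actual manifest: where kube-apiserver runs as a static pod (the /etc/kubernetes/manifests/kube-apiserver.yaml file mentioned in the question), the policy file has to be mounted into the container as well as named by the flag. The host paths and volume names below are assumptions. The flag value is left unquoted because manifest arguments are not shell-parsed, so quotes would become part of the path.

```yaml
# File 1 (assumed host path: /etc/kubernetes/audit-policy.yaml).
# Same policy as in the question. It is a plain file read by kube-apiserver
# at startup, not an object to create with kubectl. Keep it outside
# /etc/kubernetes/manifests, which the kubelet scans for static pod manifests.
apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
  - "RequestReceived"
rules:
  - level: RequestResponse
    resources:
    - group: ""
      resources: ["pods"]
---
# File 2: fragment of /etc/kubernetes/manifests/kube-apiserver.yaml.
# Only the audit-related additions are shown; all other fields stay as they are.
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    # ... existing flags unchanged ...
    - --audit-policy-file=/etc/kubernetes/audit-policy.yaml  # path inside the container
    - --audit-log-path=/var/log/kubernetes/audit/audit.log   # assumed log location
    volumeMounts:
    - name: audit-policy            # assumed volume name
      mountPath: /etc/kubernetes/audit-policy.yaml
      readOnly: true
    - name: audit-log               # assumed volume name
      mountPath: /var/log/kubernetes/audit/
      readOnly: false
  volumes:
  - name: audit-policy
    hostPath:
      path: /etc/kubernetes/audit-policy.yaml
      type: File                    # pod is not started if the file is missing on the host
  - name: audit-log
    hostPath:
      path: /var/log/kubernetes/audit/
      type: DirectoryOrCreate
```

If the API server still fails to come up after the edit, its container log on the control-plane node shows whether the policy file could not be read or could not be parsed.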
