feat: configure audit policy to redact MachineAccountKey private keys from audit logs

JoseSzycho · JoseSzycho · commit 6f02eacfeb66 · 2026-04-01T16:28:13.000-03:00
diff --git a/config/components/apiserver-audit-logging/audit-policy-configmap.yaml b/config/components/apiserver-audit-logging/audit-policy-configmap.yaml
@@ -142,6 +142,14 @@ data:
         - group: "" # core API group
           resources: ["secrets", "configmaps"]
 
+      # Log MachineAccountKey at Metadata level to redact private key from audit logs
+      # The privateKey is only returned in the response body on creation, so we omit
+      # the response to prevent credential leakage in audit logs
+      - level: Metadata
+        resources:
+        - group: "identity.miloapis.com"
+          resources: ["machineaccountkeys"]
+
       # Log Milo API resources at RequestResponse level to capture full context
       - level: RequestResponse
         resources:
diff --git a/pkg/apis/identity/v1alpha1/machineaccountkey_types.go b/pkg/apis/identity/v1alpha1/machineaccountkey_types.go
@@ -53,8 +53,9 @@ type MachineAccountKeyStatus struct {
 	// persisted to etcd. Any value present on a GET or LIST response indicates a
 	// bug in the server implementation.
 	//
-	// Note: private key material will appear in API server audit logs for creation
-	// events. This matches the behavior of similar systems (GCP service account keys).
+	// Note: The private key is NOT logged in API server audit logs. The audit policy
+	// is configured to log MachineAccountKey resources at the Metadata level only,
+	// which redacts the response body containing the private key.
 	//
 	// +kubebuilder:validation:Optional
 	PrivateKey string `json:"privateKey,omitempty"`
