K
Q

Can't create Policy: 'no matches for kind "Policy"'

1/17/2019

I am following the instructions here on how to create a policy to audit actions in Kubernetes.

When I run the following YAML file:

kubectl apply -f - <<EOF  
apiVersion: audit.k8s.io/v1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
  - "RequestReceived"
rules:
  # Log pod changes at RequestResponse level
  - level: RequestResponse
    resources:
    - group: ""
      # Resource "pods" doesn't match requests to any subresource of pods,
      # which is consistent with the RBAC policy.
      resources: ["pods"]
EOF

I received the following error:

error: unable to recognize "STDIN": no matches for kind "Policy" in version "audit.k8s.io/v1"

I tried to change the apiVersion to audit.k8s.io/v1beta1 and also v1 but it failed with the same error.

Notice the flag --audit-policy-file doesn't appear in /etc/kubernetes/manifests/kube-apiserver.yaml but I don't think it is related because this is just about creating an object.

If you want to reproduce you can go to https://labs.play-with-k8s.com, create a cluster and try to create the policy.

-- E235
audit
kubernetes
policy

Similar Questions

Kubelet on ARM failed to start: Failed to start ContainerManager system validation failed - Following Cgroup subsystem not mounted: [cpuset]
My test web app is showing up error, I am using nginx in Dockerfile - ingress in kubernetes minikube
I have problems with Kubernetes Cert-manager
Does Amazon EKS supports X509 client authentication?
GKE Node.JS app: Error during WebSocket handshake

2 Answers

3/10/2019

Got the same on Kubernetes 1.11 using:

apiVersion: audit.k8s.io/v1

Fixed by changing to:

apiVersion: audit.k8s.io/v1beta1
-- AlexL_42
Source: StackOverflow
1/18/2019

The audit policy file is specified when launching the apiserver:

You can pass a file with the policy to kube-apiserver using the --audit-policy-file flag.

-- Jordan Liggitt
Source: StackOverflow