{"id":37185051,"url":"https://github.com/fireflycons/audit-policy-checker","last_synced_at":"2026-01-14T21:23:57.073Z","repository":{"id":323131580,"uuid":"1092218377","full_name":"fireflycons/audit-policy-checker","owner":"fireflycons","description":"Validator for Kubernetes Audit Policy documents","archived":false,"fork":false,"pushed_at":"2025-11-08T08:38:16.000Z","size":15,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-11-08T10:15:25.455Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fireflycons.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-11-08T08:04:35.000Z","updated_at":"2025-11-08T08:38:21.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/fireflycons/audit-policy-checker","commit_stats":null,"previous_names":["fireflycons/audit-policy-checker"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/fireflycons/audit-policy-checker","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fireflycons%2Faudit-policy-checker","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fireflycons%2Faudit-policy-checker/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fireflycons%2Faudit-policy-checker/releases","manifests_url":"https://repo
s.ecosyste.ms/api/v1/hosts/GitHub/repositories/fireflycons%2Faudit-policy-checker/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fireflycons","download_url":"https://codeload.github.com/fireflycons/audit-policy-checker/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fireflycons%2Faudit-policy-checker/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28434919,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T18:57:19.464Z","status":"ssl_error","status_checked_at":"2026-01-14T18:52:48.501Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-01-14T21:23:56.321Z","updated_at":"2026-01-14T21:23:57.064Z","avatar_url":"https://github.com/fireflycons.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Audit Policy Checker for Kubernetes\n\nSick of crashing your API Server with malformed audit policy files? 
This tool's for you!\n\nUse it to pre-validate policy files before uploading them to the API Server, either manually or as part of a CI pipeline.\n\n## Requirements\n\nAccess to a cluster, ideally the cluster to which the policy will be applied since that will also allow rules for custom resources to be checked.\n\nIt looks for cluster credentials in the following order:\n1. If a path to a kubeconfig is provided with `-k`, it loads that.\n1. If running in a pod, it uses the pod's service account credential.\n1. Otherwise it looks for the default kubeconfig.\n\n## What is checked\n\n### File level\n\n* The policy file can be loaded and is syntactically correct for `audit.k8s.io/v1`. This will catch basic YAML errors and should ensure that API server won't crashloop when reading your policy.\n* The policy contains at least one rule.\n* Any top level `omitStages` has valid stage names.\n\n### For each rule\n\n* `level` is an allowed value.\n* `omitStages` if present has valid stage names.\n* `verbs` if present has valid verb names.\n\n### For each group/resource within a rule\n\n* `group` if present is known to the cluster. If you omit `group`, this is still valid, but defaults to `\"\"`, i.e. `v1`.\n* `resources` if present then all listed resources are checked for being known to the cluster. If not present, the default is all resources within the group.\n* `namespaces` - If a namespace doesn't exist then a warning will be issued.\n\n## What it does not check\n\n* If a YAML key is misspelled. API server simply ignores keys it doesn't recognize, and since this tool uses the same code as API server for loading policy, the behavior is the same. You will end up with a rule that does not do what you expect.\n* If you specify the same key twice in a YAML object. 
This is down to the behavior of the Go YAML parser, which will accept the last occurrence of that key in the input, e.g.\n    ```yaml\n    rules:\n    - level: RequestResponse\n      resources:\n      - group: \"\"\n        resources: [\"pods\"]    # This will be ignored and not part of the rule\n        resources: [\"configmaps\"]\n    ```\n* `users`, `userGroups`, `nonResourceURLs`.\n\n## Installation\n\n1. Download the tarball/zip appropriate for the system you intend to run the tool on.\n1. Extract the archive, which contains a standalone executable file, and optionally place the executable in a directory in the path.\n\n### Note for KodeKloud CKS students\n\n* You *can* use this in KodeKloud labs/mocks/playgrounds.\n* You *cannot* use it in the real CKS exam, so get to know the kinds of mistakes you commonly make and practice getting it right without this tool!\n\n## Usage\n\n```bash\naudit-policy-check my-policy.yaml\n```\nor\n```bash\naudit-policy-check -k path/to/my-kubeconfig.config my-policy.yaml\n```\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffireflycons%2Faudit-policy-checker","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffireflycons%2Faudit-policy-checker","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffireflycons%2Faudit-policy-checker/lists"}