Audit Annotations
Note: The following annotations are not used within the Kubernetes API. When you enable auditing in your cluster, audit event data is written using Event from API group audit.k8s.io. The annotations apply to audit events, so they are only recorded for requests that your audit policy logs at level Metadata or higher. Audit events are different from objects in the Event API (API group events.k8s.io).
pod-security.kubernetes.io/exempt
Example: pod-security.kubernetes.io/exempt: namespace
Value must be one of user, namespace, or runtimeClass, which correspond to the Pod Security Exemption dimensions. This annotation records which dimension the exemption from PodSecurity enforcement was based on: the requesting user, the pod's namespace, or the pod's runtimeClassName. An exempted pod is not evaluated against the namespace's enforce, audit, or warn policies, so the request carries no audit-violations annotation.
pod-security.kubernetes.io/enforce-policy
Example: pod-security.kubernetes.io/enforce-policy: restricted:latest
Value must be privileged:<version>, baseline:<version>, or restricted:<version>, which correspond to the Pod Security Standard levels, accompanied by a version which must be latest or a valid Kubernetes version in the format v<MAJOR>.<MINOR> (for example, restricted:v1.25). This annotation records the enforcement level, and the version of that level, that allowed or denied the pod during PodSecurity admission.
See Pod Security Standards for more information.
pod-security.kubernetes.io/audit-violations
Example: pod-security.kubernetes.io/audit-violations: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "example" must set securityContext.allowPrivilegeEscalation=false), ...
The value lists the violations found by the namespace's audit-level policy: the Pod Security Standard level and version the pod would violate, followed by each field that violates it. Unlike the enforce level, the audit level does not reject the pod; the request succeeds and this annotation is the only record of the violation, which makes it the signal to watch when rolling a namespace from a permissive to a stricter level.
See Pod Security Standards for more information.
authorization.k8s.io/decision
Example: authorization.k8s.io/decision: "forbid"
Value must be forbid or allow. This annotation indicates whether or not a request was authorized in Kubernetes audit logs. A forbid decision corresponds to an HTTP 403 in the event's responseStatus.
See Auditing for more information.
authorization.k8s.io/reason
Example: authorization.k8s.io/reason: "Human-readable reason for the decision"
This annotation gives the reason for the authorization decision in Kubernetes audit logs, as reported by the authorizer that made it (for RBAC, typically the RoleBinding or ClusterRoleBinding that granted the request).
See Auditing for more information.
missing-san.invalid-cert.kubernetes.io/$hostname
Used by Kubernetes version v1.24 and later
This annotation indicates that a webhook or aggregated API server is presenting an invalid serving certificate that has no subjectAltName extension and relies on the legacy Common Name field for its host name. Support for these certificates was disabled by default in Kubernetes 1.19 and removed in Kubernetes 1.23.
Requests to endpoints using these certificates will fail. Services using these certificates should replace them as soon as possible to avoid disruption when running in Kubernetes 1.23+ environments. The $hostname suffix of the annotation key identifies the affected endpoint, so searching audit logs for keys ending in invalid-cert.kubernetes.io/ is a direct way to find the certificates that need replacing.
There is more information about this in the Go documentation, in the Go 1.15 release notes under X.509 CommonName deprecation (https://go.dev/doc/go1.15#commonname).
insecure-sha1.invalid-cert.kubernetes.io/$hostname
Example: insecure-sha1.invalid-cert.kubernetes.io/example-svc.example-namespace.svc: "uses an insecure SHA-1 signature"
Used by Kubernetes version v1.24 and later
This annotation indicates that a webhook or aggregated API server is presenting an insecure certificate signed with a SHA-1 hash. Support for these insecure certificates is disabled by default in Kubernetes 1.24 and will be removed in a future release. Services using these certificates should replace them as soon as possible so that requests keep succeeding once support is removed.
There is more information about this in the Go documentation, in the Go 1.18 release notes under Rejecting SHA-1 certificates (https://go.dev/doc/go1.18#sha1).
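The annotations above are only useful if something reads them. The following script is an added example, not Kubernetes project code: it walks an audit log as written by the log backend (one audit.k8s.io/v1 Event as JSON per line) and pulls out the events a reviewer would want to see from the PodSecurity, authorization, and invalid-certificate sections of this page: forbidden requests with their reason, exempted pods and the exemption dimension, each individual audit-level Pod Security violation, and any endpoint presenting a missing-SAN or SHA-1 certificate. The sample events, their user names and the reason strings are constructed for the example; the annotation keys and value formats are the ones documented on this page.

```python
"""Triage Kubernetes audit events by their annotations (added example, not
Kubernetes project code). Input: one audit.k8s.io/v1 Event as JSON per line.
The sample events below are constructed and trimmed to the fields used here."""
import json
from collections import Counter

DECISION = "authorization.k8s.io/decision"
REASON = "authorization.k8s.io/reason"
PSS_ENFORCE = "pod-security.kubernetes.io/enforce-policy"
PSS_EXEMPT = "pod-security.kubernetes.io/exempt"
PSS_AUDIT = "pod-security.kubernetes.io/audit-violations"
# Suffix shared by missing-san.invalid-cert.kubernetes.io/<host> and
# insecure-sha1.invalid-cert.kubernetes.io/<host>; the key prefix names the defect.
INVALID_CERT = ".invalid-cert.kubernetes.io/"
PSS_AUDIT_PREFIX = 'would violate PodSecurity "'

def split_top_level(text):
    """Split on commas outside parentheses, so a violation whose detail lists
    several containers ('(containers "a", "b" must ...)') stays in one piece."""
    parts, cur, depth = [], [], 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if cur:
        parts.append("".join(cur).strip())
    return parts

def parse_pss_violations(value):
    """Split an audit-violations value into (level:version, [violations]).
    Documented format: would violate PodSecurity "<level>:<version>": <v1>, <v2>, ..."""
    if not value.startswith(PSS_AUDIT_PREFIX):
        return None, [value]
    level, sep, violations = value[len(PSS_AUDIT_PREFIX):].partition('": ')
    if not sep:
        return None, [value]
    return level, split_top_level(violations)

def parse_events(log_text):
    """Yield audit Events; skip blank or truncated lines instead of aborting the scan."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("kind") == "Event" and str(ev.get("apiVersion", "")).startswith("audit.k8s.io/"):
            yield ev

def findings_for(ev):
    """Return (category, message) pairs for one event, based only on its annotations."""
    ann = ev.get("annotations") or {}
    who = (ev.get("user") or {}).get("username", "?")
    what = f"{ev.get('verb', '?')} {ev.get('requestURI', '?')}"
    out = []
    if ann.get(DECISION) == "forbid":
        out.append(("forbidden", f"{who} {what}: {ann.get(REASON, '(no reason)')}"))
    if PSS_EXEMPT in ann:
        out.append(("pss-exempt", f"{who} {what}: exempted by {ann[PSS_EXEMPT]}"))
    if PSS_AUDIT in ann:
        level, violations = parse_pss_violations(ann[PSS_AUDIT])
        for v in violations:   # one finding per violated field, not per pod
            out.append(("pss-audit", f"{who} {what}: {level}: {v}"))
    for key, val in ann.items():
        if INVALID_CERT in key:
            kind, host = key.split(INVALID_CERT, 1)   # kind: missing-san or insecure-sha1
            out.append(("invalid-cert", f"{host}: {kind}: {val}"))
    return out

def triage(log_text):
    findings = [f for ev in parse_events(log_text) for f in findings_for(ev)]
    return Counter(kind for kind, _ in findings), findings

def _event(audit_id, verb, uri, user, code, annotations):   # constructed sample Event
    return {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
            "auditID": audit_id, "stage": "ResponseComplete", "verb": verb, "requestURI": uri,
            "user": {"username": user}, "responseStatus": {"code": code}, "annotations": annotations}

SAMPLE_EVENTS = [  # constructed sample data; reason strings are illustrative
    _event("e1", "create", "/api/v1/namespaces/dev/pods", "alice", 201, {
        DECISION: "allow", REASON: 'RBAC: allowed by RoleBinding "edit/dev"',
        PSS_ENFORCE: "baseline:latest",
        PSS_AUDIT: 'would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false '
                   '(container "web" must set securityContext.allowPrivilegeEscalation=false), '
                   'unrestricted capabilities (container "web" must set securityContext.capabilities.drop=["ALL"])'}),
    _event("e2", "delete", "/api/v1/namespaces/prod/secrets/db-creds", "bob", 403, {
        DECISION: "forbid", REASON: "no RBAC rule grants this request"}),
    _event("e3", "create", "/api/v1/namespaces/kube-system/pods",
           "system:serviceaccount:kube-system:daemon-set-controller", 201, {DECISION: "allow", PSS_EXEMPT: "user"}),
    _event("e4", "create", "/api/v1/namespaces/prod/configmaps", "carol", 201, {
        DECISION: "allow",
        "insecure-sha1" + INVALID_CERT + "example-svc.example-namespace.svc": "uses an insecure SHA-1 signature"}),
]
# A truncated trailing line, as a log rotated mid-write would leave it.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS) + '\n{"kind":"Event","truncat'

if __name__ == "__main__":
    counts, findings = triage(SAMPLE_LOG)
    for kind, msg in findings:
        print(f"[{kind}] {msg}")
    print(dict(counts))
```

Two design points matter in practice. Each audit-violations value is split into one finding per violated field, with a splitter that respects parentheses, because the human-readable detail can itself contain commas; counting pods rather than fields hides how far a namespace is from the restricted level. And malformed lines are skipped rather than fatal, since a rotated or truncated audit log is routine and a triage that stops at the first bad line misses everything after it.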