Can't create Policy: 'no matches for kind "Policy"'

Question

I am following the instructions here on how to create a policy to audit actions in Kubernetes.

When I run the following YAML file:

kubectl apply -f - <<EOF  
apiVersion: audit.k8s.io/v1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
  - "RequestReceived"
rules:
  # Log pod changes at RequestResponse level
  - level: RequestResponse
    resources:
    - group: ""
      # Resource "pods" doesn't match requests to any subresource of pods,
      # which is consistent with the RBAC policy.
      resources: ["pods"]
EOF

I received the following error:

error: unable to recognize "STDIN": no matches for kind "Policy" in version "audit.k8s.io/v1"

I tried to change the apiVersion to audit.k8s.io/v1beta1 and also v1 but it failed with the same error.

Notice the flag --audit-policy-file doesn't appear in /etc/kubernetes/manifests/kube-apiserver.yaml but I don't think it is related because this is just about creating an object.

If you want to reproduce you can go to https://labs.play-with-k8s.com, create a cluster and try to create the policy.

Answer 1

Got the same on Kubernetes 1.11 using:

apiVersion: audit.k8s.io/v1

Fixed by changing to:

apiVersion: audit.k8s.io/v1beta1

Answer 2

The audit policy file is specified when launching the apiserver:

You can pass a file with the policy to kube-apiserver using the --audit-policy-file flag.