From 7dc4140b2b9a3de64a6a249980efe44e49f8f7f2 Mon Sep 17 00:00:00 2001 From: Patrick Barker Date: Mon, 20 Aug 2018 20:02:12 -0600 Subject: [PATCH] adds dynamic audit debug documentation --- .../tasks/debug-application-cluster/audit.md | 38 +++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/content/en/docs/tasks/debug-application-cluster/audit.md b/content/en/docs/tasks/debug-application-cluster/audit.md index 1f05e076a117a..ceec7d1466aa4 100644 --- a/content/en/docs/tasks/debug-application-cluster/audit.md +++ b/content/en/docs/tasks/debug-application-cluster/audit.md 
@@ -199,6 +199,44 @@ same format as described above to the aggregated apiserver and set up the log in to pick up audit logs. Different apiservers can have different audit configurations and different audit policies. +## Dynamic Auditing + +As of version 1.12 audit backends can be configured dynamically as api objects. + +To enable the feature a number of api server flags must be set: +- `--audit-dynamic-configuration` the primary switch, once the feature progresses to GA this will be + the only flag needed +- `--feature-gates=DynamicAuditing=true` Feature gate +- `--runtime-config=audit.k8s.io/v1alpha1=true` Forces alpha version +- `--storage-versions=audit.k8s.io/v1alpha1` Uses storage for alpha version + +Once enabled, a backend can be provisioned: +```yaml +apiVersion: audit.k8s.io/v1beta1 +kind: AuditConfiguration +metadata: + name: +policy: + rules: + - level: + omitStages: + - stage: +backend: + webhook: + initialBackoff: <10s> + throttleBurst: <15> + throttleEnabled: + throttleQPS: <10> + clientConfig: + url: + service: + name: + namespace: + caBundle: +``` + +The full api defintion can be found in the [types file](https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/types.go). Multiple objects will exist as independent solutions. If the policy section is omitted the backend will resort to the static policy set by the apiserver flags if available. Dynamic policy will have no effect on backends configured from runtime flags. Administrators should be cognizant that allowing write access to this feature grants read access to all cluster data. Access should be regarded as a `cluster-admin` level privilege. + ## Log Collector Examples ### Use fluentd to collect and distribute audit events from log file
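Review bot: the example manifest's API version contradicts the flag list in the same hunk: the flags force `--runtime-config=audit.k8s.io/v1alpha1=true` and `--storage-versions=audit.k8s.io/v1alpha1`, and the linked types file is under `apis/audit/v1alpha1`, but the YAML starts with `apiVersion: audit.k8s.io/v1beta1`. An object applied with that version will be rejected by an apiserver that only serves the alpha group version, so the example should read `apiVersion: audit.k8s.io/v1alpha1` (or the flags should be updated, but not both left as is). Two smaller points in the same hunk: the placeholders are inconsistent, with some fields carrying bracketed hints such as `initialBackoff: <10s>` while `name:`, `level:`, `url:` and `caBundle:` are left empty; pick one convention (bracketed placeholders everywhere, or a complete working sample with real values) so the manifest can be copied and edited. "The full api defintion" should be "The full API definition", and "Multiple objects will exist as independent solutions" is unclear; "Each AuditConfiguration object is an independent backend" says what is meant. Finally, the last paragraph's security warning is the right caveat but would be stronger with the concrete guidance: restrict `create`/`update`/`patch` on this resource via RBAC to the same principals that hold `cluster-admin`, since the webhook target receives every audited request body.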