// the call to `parseForm` below), but return failure only after we are
	// able to validate that it is a valid STS request, so that we are able
	// to send an appropriate audit log.
	user, apiErrCode := checkAssumeRoleAuth(ctx, r)

	if err := parseForm(r); err != nil {
		writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err)
		return
	}

				Name:      dobj.ObjectName,
				VersionID: dobj.VersionID,
			}
			traceFn := globalLifecycleSys.trace(oi)
			tags := newLifecycleAuditEvent(lcEventSrc_Scanner, lcEvent[i]).Tags()

			// Send audit for the lifecycle delete operation
			auditLogLifecycle(
				ctx,
				oi,
				ILMExpiry, tags, traceFn)

			evArgs := eventArgs{
				EventName:  event.ObjectRemovedDelete,
				BucketName: bucket,

* Added generators for `apps/v1` deployments. ([#61288](https://github.com/kubernetes/kubernetes/pull/61288), [@ayushpateria](https://github.com/ayushpateria))

### SIG Auth

* RBAC information is now included in audit logs via audit.Event annotations:
    * authorization.k8s.io/decision = {allow, forbid}

		}

		if err != nil {
			if errors.Is(err, context.Canceled) {
				return
			}

			h.config.LogOnceIf(
				context.Background(),
				fmt.Errorf("unable to send audit/log entry(s) to '%s' err '%w': %d", name, err, count),
				name,
			)

			time.Sleep(retryIntvl)
			if maxRetries == 0 {
				goto retry
			}
			retries++
			if retries <= maxRetries {

	Rule              *struct {
		DefaultRetention DefaultRetention `xml:"DefaultRetention"`
	} `xml:"Rule,omitempty"`
}

// String returns the human readable format of object lock configuration, used in audit logs.
func (config Config) String() string {
	parts := []string{
		fmt.Sprintf("Enabled: %v", config.Enabled()),
	}
	if config.Rule != nil {
		if config.Rule.DefaultRetention.Mode != "" {

### API Change

- A new field `omitManagedFields` has been added to both `audit.Policy` and `audit.PolicyRule` 
  so cluster operators can opt in to omit managed fields of the request and response bodies from 

				},
				VariableLabels: map[string]string{"target_id": st.ID.ID, "target_name": st.ID.Name},
				Value:          float64(st.FailedRequests),
			})
		}

		// Audit and system:
		audit := logger.CurrentStats()
		for id, st := range audit {
			metrics = append(metrics, MetricV2{
				Description: MetricDescription{
					Namespace: minioNamespace,
					Subsystem: auditSubsystem,

- **API Machinery**
  - [alpha] Generate audit logs for every request user performs against secured API server endpoint. ([docs](http://kubernetes.io/docs/admin/audit/)) ([kubernetes/features#22](https://github.com/kubernetes/enhancements/issues/22))

https://HOSTNAME:PORT/minio/v2/metrics/cluster
```

Replace ``HOSTNAME:PORT`` with the hostname of your MinIO deployment.
For deployments behind a load balancer, use the load balancer hostname instead of a single node hostname.

## Audit Metrics

| Name                              | Description                                               |
|:----------------------------------|:----------------------------------------------------------|

* The kube-apiserver [basic audit log](https://kubernetes.io/docs/admin/audit/) can be enabled in GCE by exporting the environment variable `ENABLE_APISERVER_BASIC_AUDIT=true` before running `cluster/kube-up.sh`. This will log to `/var/log/kube-apiserver-audit.log` and use the same `logrotate` settings as `/var/log/kube-apiserver.log`. ([#41211](https://github.com/kubernetes/kubernetes/pull/41211),...