OpenShift Request For Enhancement
RFE-7555

Support to define fine-grained audit rules for specific groups or resources

    • Feature Request
    • Resolution: Unresolved
    • Component: kube-apiserver
    • Product / Portfolio Work

      1. Proposed title of this feature request: Support to define fine-grained audit rules for specific groups or resources

      2. What is the nature and description of the request?
      We are requesting support for fine-grained audit-policy rules that allow:

      • Scoping to specific resource groups (e.g., tekton.dev)
      • Filtering by authenticated user (vs. system:serviceaccount)

      This would help us:

      • Improve audit accuracy and traceability.
      • Enable faster identification of security-sensitive manual actions.
      • Meet compliance requirements without collecting unnecessary logs.

      3. Why does the customer need this? (List the business requirements here)
      Use Case / Requirement:
      In our Tekton-based CI/CD platform running on OpenShift, we need to track the manual creation of resources such as pipelines, tasks, and clustertasks. These resources are sometimes created directly via the OpenShift UI or CLI, bypassing GitOps workflows (e.g., ArgoCD, Bitbucket pipelines).

      Why This Is Important:
      1. Enables us to audit non-automated changes, which may introduce risk.
      2. Improves traceability and accountability for platform-level actions.
      3. Strengthens compliance and security monitoring by distinguishing manual human actions from system automation.
      4. Helps reduce operational noise and lets downstream log processing (e.g., SIEM) focus on the events that matter.

      Current Limitation:
      While audit logging is active and we are able to forward logs using `ClusterLogForwarder`, OpenShift does not currently support audit-policy scoping at the API server level to specific resources (e.g., the `tekton.dev` group) or user identity patterns.

      As a result:

      • We receive all create events, including those from GitOps/service accounts.
      • We cannot proactively isolate human-triggered resource creation.
      • This limits our ability to detect unauthorized or risky changes.
      • It also increases log volume and storage burden unnecessarily.
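The rule this request asks the API server to apply (create events on `tekton.dev` resources by a non-service-account user) can today only be applied after the fact, on the forwarded log stream. The following Python is an added example, not part of the RFE or of OpenShift, that implements that rule as a downstream filter over audit records in the upstream `audit.k8s.io/v1` Event shape. The audit lines are constructed samples; the user names, namespaces and resource names in them are assumed.

```python
"""Downstream filter for human-triggered create events on tekton.dev resources.

Added example, not part of the RFE. Until the API server can scope audit rules
by resource group and user identity, this filtering has to happen after
ClusterLogForwarder has shipped the records (e.g. in a SIEM). The sample
records are constructed and simplified; real events carry more fields.
"""
import json
from typing import Iterator

SERVICE_ACCOUNT_PREFIX = "system:serviceaccount:"  # SA usernames always carry this prefix
WATCHED_GROUP = "tekton.dev"
WATCHED_VERBS = frozenset({"create"})


def is_human_user(user: dict) -> bool:
    """True for an authenticated identity that is not a service account."""
    name = user.get("username", "")
    return bool(name) and not name.startswith(SERVICE_ACCOUNT_PREFIX)


def is_manual_create(event: dict) -> bool:
    """Match the rule the RFE wants: create on a tekton.dev resource by a human."""
    if event.get("stage") != "ResponseComplete":
        return False  # one request is logged at several stages; count it once
    if event.get("verb") not in WATCHED_VERBS:
        return False
    obj = event.get("objectRef") or {}
    if obj.get("apiGroup") != WATCHED_GROUP:
        return False  # core-group objects (configmaps, secrets) carry no apiGroup
    return is_human_user(event.get("user") or {})


def summarize(event: dict) -> dict:
    """Reduce a matching event to the fields an analyst needs."""
    obj = event.get("objectRef") or {}
    return {
        "user": event["user"]["username"],
        "verb": event["verb"],
        "resource": obj.get("resource"),
        "namespace": obj.get("namespace"),  # None for cluster-scoped kinds (clustertasks)
        "name": obj.get("name"),
        "code": (event.get("responseStatus") or {}).get("code"),  # 403 = denied attempt
    }


def iter_events(log_text: str) -> Iterator[dict]:
    """Yield one JSON object per non-empty line; skip garbled forwarded lines."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def manual_tekton_creates(log_text: str) -> list[dict]:
    """Return summaries of every human-triggered tekton.dev create (succeeded or denied)."""
    return [summarize(e) for e in iter_events(log_text) if is_manual_create(e)]


def _ev(verb, username, resource, name, code=201, stage="ResponseComplete",
        api_group=WATCHED_GROUP, namespace="ci"):
    """Build one constructed audit.k8s.io/v1 Event line (assumed sample data)."""
    obj = {"resource": resource, "name": name}
    if api_group:
        obj["apiGroup"] = api_group
    if namespace:
        obj["namespace"] = namespace
    return json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": stage,
                       "verb": verb, "user": {"username": username},
                       "objectRef": obj, "responseStatus": {"code": code}})


# Constructed sample log: what a forwarded audit stream looks like before filtering.
SAMPLE_AUDIT_LOG = "\n".join([
    _ev("create", "alice", "pipelines", "build-app", stage="RequestReceived"),  # earlier stage of the same request
    _ev("create", "alice", "pipelines", "build-app"),                           # human via oc/UI: flag
    _ev("create", "system:serviceaccount:openshift-gitops:argocd-application-controller",
        "tasks", "lint"),                                                       # GitOps automation: ignore
    _ev("create", "alice", "configmaps", "app-config", api_group=None),         # core group: out of scope
    _ev("get", "bob", "pipelines", "build-app", code=200),                      # read only: ignore
    _ev("create", "bob", "clustertasks", "deploy", code=403, namespace=None),   # denied cluster-scoped attempt: flag
    "{not valid json",                                                          # garbled line: skipped
])

if __name__ == "__main__":
    for hit in manual_tekton_creates(SAMPLE_AUDIT_LOG):
        print(hit)
```

The filter keeps denied attempts (HTTP 403) as well as successful creates, since a human trying and failing to create a `clustertask` is exactly the kind of non-automated action worth reviewing. Note that this reduces noise only after the logs have already been produced and shipped; the log-volume and storage cost the request describes is unchanged until the scoping can be expressed in the API server's audit policy itself.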

      4. List any affected packages or components.

      Apiserver

              racedoro@redhat.com Ramon Acedo
              rhn-support-disharma Diksha Sharma
              Votes: 0
              Watchers: 1