Implementing a custom Audit Policy in Tanzu Kubernetes Grid (TKG) 2.x/2.5 for clusterclass-based cluster



Article ID: 427772


Updated On:

Products

Tanzu Kubernetes Runtime

Issue/Introduction

  • Users who attempt to modify the Kubernetes Audit Policy by directly editing the KubeadmControlPlane (KCP) object with kubectl edit kcp find that the changes may not persist, or that they are difficult to manage across re-provisioning.
  • SSH-based verification shows that /etc/kubernetes/audit-policy.yaml does not reflect the intended changes, or the cluster fails to reconcile as expected.

Environment

TKGM 2.5.x

Cause

  • In TKG 2.x, class-based clusters derive their configuration from a ClusterClass.
  • The KubeadmControlPlane is a managed sub-component; direct modifications to its .spec are reconciled against the parent ClusterClass.
  • If the Audit Policy is not defined within the ClusterClass (via variables or patches), the control plane will revert to default settings or fail to apply the customization during node rotation.

Resolution

To apply a custom Audit Policy, you must define a custom ClusterClass that patches the KubeadmControlPlaneTemplate, following the document below.

https://techdocs.broadcom.com/us/en/vmware-tanzu/standalone-components/tanzu-kubernetes-grid/2-5/tkg/workload-clusters-cclass.html
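Added example, not taken from the linked document or from the TKG default ClusterClass: a ClusterClass patch fragment that writes /etc/kubernetes/audit-policy.yaml on every control-plane node and points kube-apiserver at it, so the policy survives node rotation instead of being reverted. The ClusterClass name is a placeholder, the non-patch sections must be copied from the base class, and the patch assumes the base KubeadmControlPlaneTemplate already carries an apiServer.extraArgs map.

```yaml
apiVersion: cluster.x-k8s.io/v1beta1
kind: ClusterClass
metadata:
  name: tkg-vsphere-default-custom-audit   # placeholder name
spec:
  # infrastructure, controlPlane, workers, variables: copy from the base ClusterClass
  patches:
  - name: customAuditPolicy
    definitions:
    - selector:
        apiVersion: controlplane.cluster.x-k8s.io/v1beta1
        kind: KubeadmControlPlaneTemplate
        matchResources:
          controlPlane: true
      jsonPatches:
      # Write the policy file on each control-plane node via kubeadm "files"
      - op: add
        path: /spec/template/spec/kubeadmConfigSpec/files/-
        value:
          path: /etc/kubernetes/audit-policy.yaml
          owner: root:root
          permissions: "0600"
          content: |
            apiVersion: audit.k8s.io/v1
            kind: Policy
            rules:
            # Secrets/ConfigMaps: record who touched them, never their bodies
            - level: Metadata
              resources:
              - group: ""
                resources: ["secrets", "configmaps"]
            # Everything else: metadata only, skip the RequestReceived stage
            - level: Metadata
              omitStages: ["RequestReceived"]
      # Point kube-apiserver at the file (add on an existing map key replaces it)
      - op: add
        path: /spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/audit-policy-file
        value: /etc/kubernetes/audit-policy.yaml
      # The API server is a static pod, so the host file must be mounted into it
      - op: add
        path: /spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraVolumes/-
        value:
          name: audit-policy
          hostPath: /etc/kubernetes/audit-policy.yaml
          mountPath: /etc/kubernetes/audit-policy.yaml
          readOnly: true
          pathType: File
```

If the base ClusterClass already defines the file or extraVolumes entry (the article notes the default file is present on nodes), use a JSON-patch replace at that entry's index rather than add, or the rendered template will carry duplicate entries.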


Note: VMware does not test or validate custom ClusterClass customization, as this is an experimental feature. The scope of troubleshooting is therefore limited and provided on a best-effort basis.