diff --git a/roles/k8s_master/files/custom/teckids-apiserver.yaml b/roles/k8s_master/files/custom/teckids-apiserver.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..7b00d42185a95d81b14aab39f98c0cbd067f704a
--- /dev/null
+++ b/roles/k8s_master/files/custom/teckids-apiserver.yaml
@@ -0,0 +1,10 @@
+apiVersion: kubeadm.k8s.io/v1beta3
+kind: ClusterConfiguration
+kubernetesVersion: v1.23.5
+apiServer:
+ extraArgs:
+ oidc-issuer-url: "https://ticdesk.teckids.org/oauth"
+ oidc-client-id: "RcO3weOpSnlenZcBaBbXKFoNpElQzxjU0O20T273"
+ oidc-username-claim: "preferred_username"
+ audit-log-path: "/var/log/audit.log"
+ audit-policy-file: "/etc/kubernetes/manifests/custom/teckids-logging.yaml"
diff --git a/roles/k8s_master/files/custom/teckids-logging.yaml b/roles/k8s_master/files/custom/teckids-logging.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..3ee2c2f23bafad3f728ab0776133f40bd2ca34ca
--- /dev/null
+++ b/roles/k8s_master/files/custom/teckids-logging.yaml
@@ -0,0 +1,24 @@
+apiVersion: audit.k8s.io/v1
+kind: Policy
+omitStages:
+ - RequestReceived
+rules:
+ # Log alle Requests für APIs mit deprecated Versionen. Leider kann man hier nicht
+ # auf die API-Version filtern, d.h. im Log werden auch aktuelle API-Versionen auftauchen.
+ - level: Metadata
+ resources:
+ # v1.25
+ - group: batch
+ resources: ["cronjobs"]
+ - group: autoscaling
+ resources: ["horizontalpodautoscalers"]
+ - group: policy
+ resources: ["poddisruptionbudgets", "podsecuritypolicies"]
+ # v1.26
+ - group: autoscaling
+ resources: ["horizontalpodautoscalers"]
+ - group: flowcontrol.apiserver.k8s.io
+ resources: ["flowschemas", "prioritylevelconfigurations"]
+ # v1.27
+ - group: storage.k8s.io
+ resources: ["csistoragecapacities"]
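Review bot: The `audit-policy-file` and `audit-log-path` values under `extraArgs` name host paths, but kube-apiserver deployed by kubeadm runs as a static pod and does not mount `/etc/kubernetes/manifests/custom` or `/var/log` by default, so the policy file is unreadable from inside the container and the apiserver will refuse to start (or, for the log path, write into the container's ephemeral filesystem). Unless the playbook adds the mounts some other way that is not visible here, the `ClusterConfiguration` needs matching `apiServer.extraVolumes` entries. The hunk also sets no `audit-log-maxage`, `audit-log-maxbackup` or `audit-log-maxsize`, so the audit log grows without bound on the control-plane node; pick values appropriate to the retention policy. Note too that `kubernetesVersion: v1.23.5` is unquoted, which is fine for kubeadm but worth keeping as a string if the file is ever read by a generic YAML tool.
```yaml
apiServer:
  # … unchanged: extraArgs …
  extraVolumes:
    - name: audit-policy
      hostPath: /etc/kubernetes/manifests/custom/teckids-logging.yaml
      mountPath: /etc/kubernetes/manifests/custom/teckids-logging.yaml
      readOnly: true
      pathType: File
    - name: audit-log
      hostPath: /var/log
      mountPath: /var/log
      pathType: DirectoryOrCreate
```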
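Review bot: The policy has a single `level: Metadata` rule and no catch-all at the end of `rules`, so every request that does not touch the listed resources falls back to the audit API's default level of `None` and leaves no trace at all — including authentication failures, RBAC denials and reads of secrets. If the log is meant only for deprecation tracking, as the German comment suggests, say so explicitly in the file (`# Alle anderen Requests werden absichtlich nicht geloggt (Default: None)`); if it is also expected to serve as a security audit trail, append a trailing `- level: Metadata` rule so remaining requests are at least recorded with their user, verb and object. The `autoscaling` / `horizontalpodautoscalers` entry appears twice (under the v1.25 and v1.26 comments); the duplicate is harmless but can be dropped. Since the resource matchers cannot distinguish API versions, the `level: Metadata` rule already logs current-version traffic for these kinds as the comment notes, so the log volume will be higher than the file's stated purpose implies.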