Authorization webhook not going into opa pod #10

Open

letthefireflieslive opened this issue Dec 18, 2019 · 1 comment

letthefireflieslive commented Dec 18, 2019

The policy is working properly for the mutating webhook, but the authorization webhook seems not to be working; it still reads the secret. Nothing was there when I tried to check the OPA pod logs while hitting 'oc get secret'.

openshift v3.9.0+2e78773-56
kubernetes v1.9.1+a0ce1bc657
etcd 3.2.16

/var/lib/minishift/openshift.local.config/master/master-config.yaml

admissionConfig:
  pluginConfig:
    MutatingAdmissionWebhook:
      configuration:
        apiVersion: apiserver.config.k8s.io/v1alpha1
        kind: WebhookAdmission
        kubeConfigFile: /dev/null
    ValidatingAdmissionWebhook:
      configuration:
        apiVersion: apiserver.config.k8s.io/v1alpha1
        kind: WebhookAdmission
        kubeConfigFile: /dev/null
    GenericAdmissionWebhook:
      configuration:
        apiVersion: v1
        disable: false
        kind: DefaultAdmissionConfig
      location: ""
    openshift.io/ImagePolicy:
      configuration:
        apiVersion: v1
        executionRules:
          - matchImageAnnotations:
              - key: images.openshift.io/deny-execution
                value: "true"
            name: execution-denied
            onResources:
              - resource: pods
              - resource: builds
            reject: true
            skipOnResolutionFailure: true
        kind: ImagePolicyConfig
      location: ""
aggregatorConfig:
  proxyClientInfo:
    certFile: aggregator-front-proxy.crt
    keyFile: aggregator-front-proxy.key
apiLevels:
  - v1
apiVersion: v1
auditConfig:
  auditFilePath: ""
  enabled: false
  logFormat: ""
  maximumFileRetentionDays: 0
  maximumFileSizeMegabytes: 0
  maximumRetainedFiles: 0
  policyConfiguration: null
  policyFile: ""
  webHookKubeConfig: ""
  webHookMode: ""
authConfig:
  requestHeader:
    clientCA: front-proxy-ca.crt
    clientCommonNames:
      - aggregator-front-proxy
    extraHeaderPrefixes:
      - X-Remote-Extra-
    groupHeaders:
      - X-Remote-Group
    usernameHeaders:
      - X-Remote-User
controllerConfig:
  controllers:
    - '*'
  election: null
  serviceServingCert:
    signer:
      certFile: service-signer.crt
      keyFile: service-signer.key
controllerLeaseTTL: 0
controllers: '*'
corsAllowedOrigins:
  - //127\.0\.0\.1(:|$)
  - //192\.168\.99\.108:8443$
  - //localhost(:|$)
disabledFeatures: null
dnsConfig:
  allowRecursiveQueries: true
  bindAddress: 0.0.0.0:8053
  bindNetwork: tcp4
etcdClientInfo:
  ca: ca.crt
  certFile: master.etcd-client.crt
  keyFile: master.etcd-client.key
  urls:
    - https://127.0.0.1:4001
etcdConfig:
  address: 127.0.0.1:4001
  peerAddress: 127.0.0.1:7001
  peerServingInfo:
    bindAddress: 0.0.0.0:7001
    bindNetwork: tcp4
    certFile: etcd.server.crt
    clientCA: ca.crt
    keyFile: etcd.server.key
    namedCertificates: null
  servingInfo:
    bindAddress: 0.0.0.0:4001
    bindNetwork: tcp4
    certFile: etcd.server.crt
    clientCA: ca.crt
    keyFile: etcd.server.key
    namedCertificates: null
  storageDirectory: /var/lib/origin/openshift.local.etcd
etcdStorageConfig:
  kubernetesStoragePrefix: kubernetes.io
  kubernetesStorageVersion: v1
  openShiftStoragePrefix: openshift.io
  openShiftStorageVersion: v1
imageConfig:
  format: openshift/origin-${component}:v3.9.0
  latest: false
imagePolicyConfig:
  allowedRegistriesForImport:
    - domainName: docker.io
    - domainName: '*.docker.io'
    - domainName: '*.redhat.com'
    - domainName: gcr.io
    - domainName: quay.io
    - domainName: registry.centos.org
    - domainName: registry.redhat.io
    - domainName: '*.amazonaws.com'
  disableScheduledImport: false
  maxImagesBulkImportedPerRepository: 5
  maxScheduledImageImportsPerMinute: 60
  scheduledImageImportMinimumIntervalSeconds: 900
jenkinsPipelineConfig:
  autoProvisionEnabled: true
  parameters: null
  serviceName: jenkins
  templateName: jenkins-persistent
  templateNamespace: openshift
kind: MasterConfig
kubeletClientInfo:
  ca: ca.crt
  certFile: master.kubelet-client.crt
  keyFile: master.kubelet-client.key
  port: 10250
kubernetesMasterConfig:
  admissionConfig:
    pluginConfig: null
  apiLevels: null
  apiServerArguments:
    authorization-mode:
      - Node
      - Webhook
      - RBAC
    authorization-webhook-config-file:
      - /var/lib/minishift/openshift.local.config/master/opa-policy-controller.kubeconfig
    runtime-config:
      - apis/admissionregistration.k8s.io/v1alpha1=true
    storage-backend:
      - etcd3
    storage-media-type:
      - application/vnd.kubernetes.protobuf
  controllerArguments: null
  disabledAPIGroupVersions: {}
  masterCount: 1
  masterEndpointReconcileTTL: 15
  masterIP: 127.0.0.1
  podEvictionTimeout: 5m
  proxyClientInfo:
    certFile: master.proxy-client.crt
    keyFile: master.proxy-client.key
  schedulerArguments: null
  schedulerConfigFile: ""
  servicesNodePortRange: 30000-32767
  servicesSubnet: 172.30.0.0/16
  staticNodeNames: null
masterClients:
  externalKubernetesClientConnectionOverrides:
    acceptContentTypes: application/vnd.kubernetes.protobuf,application/json
    burst: 400
    contentType: application/vnd.kubernetes.protobuf
    qps: 200
  externalKubernetesKubeConfig: ""
  openshiftLoopbackClientConnectionOverrides:
    acceptContentTypes: application/vnd.kubernetes.protobuf,application/json
    burst: 600
    contentType: application/vnd.kubernetes.protobuf
    qps: 300
  openshiftLoopbackKubeConfig: openshift-master.kubeconfig
masterPublicURL: https://192.168.99.108:8443
networkConfig:
  clusterNetworkCIDR: 10.128.0.0/14
  clusterNetworks:
    - cidr: 10.128.0.0/14
      hostSubnetLength: 9
  externalIPNetworkCIDRs: null
  hostSubnetLength: 9
  ingressIPNetworkCIDR: 172.29.0.0/16
  networkPluginName: ""
  serviceNetworkCIDR: 172.30.0.0/16
oauthConfig:
  alwaysShowProviderSelection: false
  assetPublicURL: https://192.168.99.108:8443/console/
  grantConfig:
    method: auto
    serviceAccountMethod: prompt
  identityProviders:
    - challenge: true
      login: true
      mappingMethod: claim
      name: anypassword
      provider:
        apiVersion: v1
        kind: AllowAllPasswordIdentityProvider
  masterCA: ca-bundle.crt
  masterPublicURL: https://192.168.99.108:8443
  masterURL: https://127.0.0.1:8443
  sessionConfig:
    sessionMaxAgeSeconds: 300
    sessionName: ssn
    sessionSecretsFile: ""
  templates: null
  tokenConfig:
    accessTokenMaxAgeSeconds: 86400
    authorizeTokenMaxAgeSeconds: 300
pauseControllers: false
policyConfig:
  bootstrapPolicyFile: policy.json
  openshiftInfrastructureNamespace: openshift-infra
  openshiftSharedResourcesNamespace: openshift
  userAgentMatchingConfig:
    defaultRejectionMessage: ""
    deniedClients: null
    requiredClients: null
projectConfig:
  defaultNodeSelector: ""
  projectRequestMessage: ""
  projectRequestTemplate: ""
  securityAllocator:
    mcsAllocatorRange: s0:/2
    mcsLabelsPerProject: 5
    uidAllocatorRange: 1000000000-1999999999/10000
routingConfig:
  subdomain: 192.168.99.108.nip.io
serviceAccountConfig:
  limitSecretReferences: false
  managedNames:
    - default
    - builder
    - deployer
  masterCA: ca-bundle.crt
  privateKeyFile: serviceaccounts.private.key
  publicKeyFiles:
    - serviceaccounts.public.key
servingInfo:
  bindAddress: 0.0.0.0:8443
  bindNetwork: tcp4
  certFile: master.server.crt
  clientCA: ca.crt
  keyFile: master.server.key
  maxRequestsInFlight: 1200
  namedCertificates: null
  requestTimeoutSeconds: 3600
volumeConfig:
  dynamicProvisioningEnabled: true

/var/lib/minishift/openshift.local.config/master/opa-policy-controller.kubeconfig

# Kubernetes API version
apiVersion: v1
# kind of the API object
kind: Config
# clusters refers to the remote service.
clusters:
  - name: opa-server
    cluster:
      # CA for verifying the remote service.
      certificate-authority: /var/lib/minishift/openshift.local.config/master/ca-bundle.crt
      # URL of remote service to query. Must use 'https'. May not include parameters.
      server: https://opa.opa.svc

# users refers to the API Server's webhook configuration.
users:
  - name: opa-user
    user:
      client-certificate: /var/lib/minishift/openshift.local.config/master/master.kubelet-client.crt # cert for the webhook plugin to use
      client-key: /var/lib/minishift/openshift.local.config/master/master.kubelet-client.key          # key matching the cert

# kubeconfig files require a context. Provide one for the API Server.
current-context: opa-webhook
contexts:
- context:
    cluster: opa-server
    user: opa-user
  name: opa-webhook

ConfigMap in the opa namespace

package authorization
import data.k8s.matches

##############################################################################
#
# Policy : denies users in the cluster-admin group read access to secrets
#          outside the administrative (openshift-*/kube-*) namespaces
#
##############################################################################

deny[{
	"id": "unreadable-secret",
	"resource": {"kind": "secrets", "namespace": namespace, "name": name},
	"resolution": {"message": "cluster administrators are not allowed to read secrets in non-administrative namespaces"},
}] {
	matches[["secrets", namespace, name, resource]]
	resource.spec.resourceAttributes.verb = "get"
	# A SubjectAccessReview carries the subject's groups in spec.groups (plural);
	# it does not carry the roles bound to the user, so this only matches a
	# subject that is literally a member of a group named "cluster-admin".
	resource.spec.groups[_] = "cluster-admin"
	# Anchor the whole prefix: "^(openshift-*|kube-*)" means "openshift" followed
	# by zero or more dashes, so a user project such as "openshiftdemo" would also
	# be treated as administrative and exempted from the deny.
	not re_match("^(openshift|kube)(-|$)", resource.spec.resourceAttributes.namespace)
}
letthefireflieslive changed the title from "How to debug a non-working authorization webhook?" to "Authorization webhook not going into opa pod" on Dec 18, 2019
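The following is an added example, not code from the issue or from the project, that models what the master-config above sets up: the SubjectAccessReview the apiserver POSTs to the 'server:' URL in the kubeconfig, the response an authorization webhook enforcing the posted policy should return, and the apiserver's union authorizer running the configured chain Node, Webhook, RBAC. It makes two points concrete. First, a webhook response of 'allowed: false' is only "no opinion": the chain continues to RBAC, and a cluster admin still reads the secret. Second, a webhook call that fails outright is treated the same way and also falls through; note that this kubeconfig asks the master process to resolve 'opa.opa.svc' through its own host resolver, unlike an admission webhook's service reference, which the apiserver resolves itself, so a DNS failure on the master would look exactly like the symptom reported. The 'status.denied' field that lets a webhook veto was added in Kubernetes 1.11; Kubernetes 1.9, which this OpenShift 3.9 cluster runs, has only 'allowed'. The user name, groups and namespaces are constructed, and the RBAC stand-in that allows anyone in a 'cluster-admin' group is an assumption mirroring the posted Rego rule.

```python
"""
Model of the Kubernetes authorization-webhook exchange and of the apiserver
authorizer chain configured above (authorization-mode: Node, Webhook, RBAC).
Added example, not code from the issue or the project; user, groups,
namespaces and the RBAC stand-in are constructed assumptions.
"""
import json
import re

# The namespace test the posted Rego rule is trying to express. The posted
# pattern "^(openshift-*|kube-*)" means "openshift" followed by zero or more
# dashes, so a user project called "openshiftdemo" also counts as
# administrative. The anchored form below matches the namespaces "openshift"
# and "kube" themselves and anything prefixed "openshift-" or "kube-".
ADMIN_NAMESPACE_RE = re.compile(r"^(openshift|kube)(-|$)")
POSTED_RE = re.compile(r"^(openshift-*|kube-*)")


def is_admin_namespace(namespace, pattern=ADMIN_NAMESPACE_RE):
    return pattern.search(namespace) is not None


def subject_access_review(user, groups, verb, resource, namespace, name=""):
    """The document the apiserver POSTs to the webhook 'server:' URL, in the
    shape of authorization.k8s.io/v1beta1 SubjectAccessReview. The subject's
    groups live in spec.groups (plural); bound roles are not carried at all."""
    return {
        "apiVersion": "authorization.k8s.io/v1beta1",
        "kind": "SubjectAccessReview",
        "spec": {
            "user": user,
            "groups": list(groups),
            "resourceAttributes": {
                "verb": verb, "group": "", "resource": resource,
                "namespace": namespace, "name": name,
            },
        },
    }


def webhook_decide(sar, deny_field_supported):
    """Response a webhook enforcing the posted rule should send back: echo
    apiVersion/kind and fill status. 'allowed: false' alone is no opinion;
    only 'denied: true' (Kubernetes 1.11+) is a veto."""
    attrs = sar["spec"]["resourceAttributes"]
    target = (attrs["resource"] == "secrets" and attrs["verb"] == "get"
              and "cluster-admin" in sar["spec"]["groups"]
              and not is_admin_namespace(attrs["namespace"]))
    status = {"allowed": False}
    if target:
        status["reason"] = ("cluster administrators are not allowed to read "
                            "secrets in non-administrative namespaces")
        if deny_field_supported:
            status["denied"] = True
    return {"apiVersion": sar["apiVersion"], "kind": sar["kind"], "status": status}


def webhook_authorizer(response):
    """Map a webhook response (or a failed call, passed as None) to the union
    authorizer's vocabulary; a transport error is reported as no opinion."""
    if response is None:
        return "no-opinion"
    status = response["status"]
    if status.get("allowed"):
        return "allow"
    if status.get("denied"):
        return "deny"
    return "no-opinion"


def rbac_authorizer(sar):
    """Stand-in for RBAC (assumed): members of the cluster-admin group may do anything."""
    return "allow" if "cluster-admin" in sar["spec"]["groups"] else "no-opinion"


def node_authorizer(sar):
    return "no-opinion"  # only has an opinion for system:node:* users


def authorize(sar, deny_field_supported, webhook_reachable=True):
    """The apiserver's union authorizer: the first allow or deny wins; no
    opinion (including a failed webhook call) moves on to the next authorizer
    in authorization-mode order. If nothing allows the request it is a 403."""
    def webhook(s):
        response = webhook_decide(s, deny_field_supported) if webhook_reachable else None
        return webhook_authorizer(response)

    for authorizer in (node_authorizer, webhook, rbac_authorizer):
        decision = authorizer(sar)
        if decision != "no-opinion":
            return decision
    return "deny"


if __name__ == "__main__":
    sar = subject_access_review("admin", ["cluster-admin", "system:authenticated"],
                                "get", "secrets", "myproject", "db-password")
    print(json.dumps(sar, indent=2))
    print("Kubernetes 1.9 chain:       ", authorize(sar, deny_field_supported=False))
    print("Kubernetes 1.11+ chain:     ", authorize(sar, deny_field_supported=True))
    print("1.11+, webhook unreachable: ", authorize(sar, True, webhook_reachable=False))
```

Running it prints the review document and then "allow" for the 1.9 chain, "deny" for a chain whose webhook can set 'denied', and "allow" again when the webhook cannot be reached. The practical consequence for the configuration above is that ordering Webhook before RBAC does not by itself make the webhook authoritative on this Kubernetes version.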
letthefireflieslive (Author)

I turned on the audit log; I can see logs here when I try to run oc get secret or oc describe xxx secret. If the authorization webhook mode is configured properly, should I expect a log line containing the string SubjectAccessReview?
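An added example, not code from the issue or the project, for checking enforcement from the audit log that the comment above turned on. The audit log records requests made to the apiserver; the SubjectAccessReview the apiserver POSTs out to the webhook is not itself an audited request, so the string "SubjectAccessReview" will not appear there even when the webhook is reached. What the log does show is whether a request the policy targets was served (2xx) or refused (403), which is the check that matters. The sample events are constructed in the audit.k8s.io/v1beta1 JSON shape the apiserver writes for auditConfig.logFormat: json; the user name, namespaces and secret names are invented. It also separates the 'get' verb the posted rule checks from the 'list' verb that 'oc get secret' without a name actually sends.

```python
"""
Reads apiserver audit-log events and reports secret reads that the posted
policy targets but that nevertheless completed successfully.
Added example, not code from the issue or the project; the sample events
below are constructed and the names in them are invented.
"""
import json
import re

ADMIN_NAMESPACE_RE = re.compile(r"^(openshift|kube)(-|$)")


def _event(verb, namespace, code, name=None, stage="ResponseComplete",
           groups=("cluster-admin", "system:authenticated")):
    """Build one constructed audit.k8s.io/v1beta1 event as a JSON line."""
    ref = {"resource": "secrets", "namespace": namespace}
    if name:
        ref["name"] = name
    ev = {"kind": "Event", "apiVersion": "audit.k8s.io/v1beta1", "stage": stage,
          "verb": verb, "user": {"username": "admin", "groups": list(groups)},
          "objectRef": ref}
    if stage == "ResponseComplete":
        ev["responseStatus"] = {"code": code}
    return json.dumps(ev)


SAMPLE_AUDIT_LOG = "\n".join([
    _event("get", "myproject", 200, "db-password"),          # policy target, served
    _event("get", "openshift-infra", 200, "builder-token"),  # exempt namespace
    _event("list", "myproject", 200),                        # what `oc get secret` sends
    _event("get", "myproject", 403, "db-password"),          # policy target, refused
    _event("get", "myproject", 200, "db-password", stage="RequestReceived"),
    "not json at all",                                       # corrupt line, skipped
])


def should_deny(event, verbs=("get",)):
    """Mirror of the posted Rego rule: cluster-admin group, secrets, listed
    verbs, outside openshift-*/kube-* namespaces. The posted rule covers only
    "get"; pass verbs=("get", "list") to include what `oc get secret` sends."""
    ref = event.get("objectRef") or {}
    user = event.get("user") or {}
    return (
        ref.get("resource") == "secrets"
        and event.get("verb") in verbs
        and "cluster-admin" in (user.get("groups") or [])
        and not ADMIN_NAMESPACE_RE.search(ref.get("namespace", ""))
    )


def find_unenforced(log_text, verbs=("get",)):
    """Return the completed requests that the policy should have denied but
    that the apiserver answered with a success code."""
    hits = []
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # not an audit event (rotation header, partial write, ...)
        if ev.get("kind") != "Event" or ev.get("stage") != "ResponseComplete":
            continue  # only the final stage carries responseStatus
        code = (ev.get("responseStatus") or {}).get("code", 0)
        if should_deny(ev, verbs) and 200 <= code < 300:
            ref = ev["objectRef"]
            hits.append({"user": ev["user"]["username"], "verb": ev["verb"],
                         "namespace": ref["namespace"], "name": ref.get("name", "*"),
                         "code": code})
    return hits


if __name__ == "__main__":
    for hit in find_unenforced(SAMPLE_AUDIT_LOG, verbs=("get", "list")):
        print("NOT ENFORCED:", hit)
```

Point it at the file named in auditConfig.auditFilePath to run it against a real log. A hit means the request reached the apiserver and was served, so either the webhook was never consulted, its answer was "allowed: false" without a veto and RBAC allowed the request, or the call failed and fell through; which of those applies has to come from the apiserver's own log and the OPA pod's decision log, not from the audit log.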
