Audit logging policy to log operations executed by serviceaccounts of specific namespace

Hello!

I’m trying to create an audit logging policy to log cluster operations executed by some service accounts. The service accounts are all created in a single namespace. I read that the audit logging policy supports logging of user operations, such as:

  - level: Metadata
    users: ["system:kube-proxy"]
    verbs: ["delete"]
    resources:
    - group: ""
      resources: ["services"]

Is it possible to select all service accounts from a namespace with a wildcard? Let’s say I have a constantly updating list of service accounts in a namespace named operative:

system:serviceaccount:operative:foo
system:serviceaccount:operative:bar
system:serviceaccount:operative:baz

Is there a way to create a policy that hits all operations done by the service accounts foo, bar, baz and any other accounts created in the future?

Cluster information:

Kubernetes version: 1.23
Cloud being used: bare-metal (self-hosted on AWS)
Installation method: kOps
Host OS: Ubuntu 22.04
CNI and version:
CRI and version:

Ok, so I got it working by setting userGroups:

  - level: Metadata
    userGroups: ["system:serviceaccounts:operative"]
    verbs: ["delete"]
    resources:
    - group: ""
      resources: ["services"]

I had tried userGroups: ["system:serviceaccount:operative"] but that was not a proper name for the userGroups method since serviceaccount (singular) refers to the users method.

1 Like
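A complete audit policy built around the userGroups approach from the answer above, as an added example that is not part of the original thread or of any Kubernetes project file. The namespace "operative" and the resource list are assumptions; adjust both to your cluster. The group name is the only part that matters: every service account in a namespace is automatically a member of system:serviceaccounts:<namespace>, so accounts created later are covered without editing the policy.

```yaml
# Hypothetical audit policy for kube-apiserver (--audit-policy-file).
apiVersion: audit.k8s.io/v1
kind: Policy
# RequestReceived carries no outcome yet; the later stages are enough.
omitStages:
  - "RequestReceived"
rules:
  # Rules are evaluated in order and the first match wins, so the
  # service-account rules must come before any broader catch-all.

  # Changes to Secrets made by operative service accounts: log at Metadata,
  # never RequestResponse, so the secret payload does not end up in the log.
  - level: Metadata
    userGroups: ["system:serviceaccounts:operative"]
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: ""
        resources: ["secrets"]

  # Other write operations by operative service accounts: full request and
  # response bodies, which is what an investigation usually needs.
  - level: RequestResponse
    userGroups: ["system:serviceaccounts:operative"]
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: ""
        resources: ["services", "configmaps"]
      - group: "apps"
        resources: ["deployments"]

  # Anything else those service accounts do (reads, other resources):
  # keep metadata only so the trail stays complete but compact.
  - level: Metadata
    userGroups: ["system:serviceaccounts:operative"]

  # Catch-all for every other request in the cluster. Drop or tune this
  # rule to match whatever your cluster already logs.
  - level: Metadata
```

The singular form `system:serviceaccount:operative:foo` is a user name and belongs under `users`; the plural `system:serviceaccounts:operative` is a group and belongs under `userGroups`, which is why the first attempt in the answer above did not match.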