diff --git a/charts/t8s-cluster/files/audit-config.yaml b/charts/t8s-cluster/files/audit-config.yaml
new file mode 100644
index 0000000000..4ae55a2ef5
--- /dev/null
+++ b/charts/t8s-cluster/files/audit-config.yaml
@@ -0,0 +1,9 @@
+apiVersion: audit.k8s.io/v1
+kind: Policy
+# Long-running requests like watches will not generate an audit event in RequestReceived.
+omitStages:
+  - "RequestReceived"
+rules:
+  - level: Metadata
+    verbs: [] # All verbs
+    resources: [] # All resources
diff --git a/charts/t8s-cluster/templates/management-cluster/clusterClass/_helpers.tpl b/charts/t8s-cluster/templates/management-cluster/clusterClass/_helpers.tpl
index 4bb4db755c..128edb3114 100644
--- a/charts/t8s-cluster/templates/management-cluster/clusterClass/_helpers.tpl
+++ b/charts/t8s-cluster/templates/management-cluster/clusterClass/_helpers.tpl
@@ -167,6 +167,10 @@ server = {{ printf "https://%s" .registry | quote }}
 {{- include "t8s-cluster.clusterClass.configPath" (dict) -}}/{{- include "t8s-cluster.clusterClass.apiServer.authenticationConfigFileName" (dict) -}}
 {{- end -}}
 
+{{- define "t8s-cluster.clusterClass.apiServer.auditConfigPath" -}}
+{{- include "t8s-cluster.clusterClass.configPath" (dict) -}}/{{- include "t8s-cluster.clusterClass.apiServer.auditConfigFileName" (dict) -}}
+{{- end -}}
+
 {{- define "t8s-cluster.clusterClass.apiServer.eventRateLimitConfigPath" -}}
 {{- include "t8s-cluster.clusterClass.configPath" (dict) -}}/{{- include "t8s-cluster.clusterClass.apiServer.eventRateLimitConfigFileName" (dict) -}}
 {{- end -}}
@@ -179,6 +183,10 @@ server = {{ printf "https://%s" .registry | quote }}
 authentication-config.yaml
 {{- end -}}
 
+{{- define "t8s-cluster.clusterClass.apiServer.auditConfigFileName" -}}
+audit-config.yaml
+{{- end -}}
+
 {{- define "t8s-cluster.clusterClass.apiServer.eventRateLimitConfigFileName" -}}
 event-rate-limit-config.yaml
 {{- end -}}
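Review bot: The single catch-all `level: Metadata` rule in audit-config.yaml logs every health probe and every read at the same level as an RBAC mutation, and records no request body for any of them; since the apiserver evaluates rules first-match, any more specific rule must be placed ahead of this one, so the catch-all should be the last entry rather than the only one. The volume matters here because the same change sends the stream to the apiserver's stdout (`audit-log-path "-"` in the _helpers.tpl hunk), where node log rotation bounds retention. I would drop probe traffic with `level: None`, raise security-relevant writes to `RequestResponse`, and keep the Metadata rule last — but never raise secrets or configmaps above Metadata, since Request/RequestResponse would write their contents into the log. Suggested shape for the rules list:
```yaml
rules:
  # Rules are evaluated first-match; the Metadata catch-all must stay last.
  - level: None
    nonResourceURLs: ["/healthz*", "/readyz*", "/livez*", "/version"]
  # Keep request/response bodies for RBAC mutations. Do not extend this to
  # secrets or configmaps: their contents would land in the audit log.
  - level: RequestResponse
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: "rbac.authorization.k8s.io"
  - level: Metadata
    verbs: [] # All verbs
    resources: [] # All resources
```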
@@ -191,6 +199,8 @@ admission-control-config.yaml
   {{- $args := include "t8s-cluster.clusterClass.args.base" (dict "context" .context) | fromYaml -}}
   {{- $args = mustMerge (include "t8s-cluster.clusterClass.args.sharedController" (dict "context" .context) | fromYaml) $args -}}
   {{- $args = set $args "authentication-config" (include "t8s-cluster.clusterClass.apiServer.authenticationConfigPath" (dict)) -}}
+  {{- $args = set $args "audit-policy-file" (include "t8s-cluster.clusterClass.apiServer.auditConfigPath" (dict)) -}}
+  {{- $args = set $args "audit-log-path" "-" -}}
   {{- $args = set $args "admission-control-config-file" (include "t8s-cluster.clusterClass.apiServer.admissionControlConfigPath" (dict)) -}}
   {{- $args = set $args "enable-admission-plugins" (include "t8s-cluster.clusterClass.apiServer.admissionPlugins" (dict) | fromYamlArray | join ",") -}}
   {{- $args = set $args "event-ttl" "4h" -}}
@@ -200,11 +210,15 @@ admission-control-config.yaml
 {{- define "t8s-cluster.clusterClass.apiServer.staticFiles" -}}
 {{- toYaml (dict
-    "admission-control-config.yaml" (dict
+    (include "t8s-cluster.clusterClass.apiServer.admissionControlConfigFileName" (dict)) (dict
       "path" (include "t8s-cluster.clusterClass.apiServer.admissionControlConfigPath" (dict))
       "fileName" (include "t8s-cluster.clusterClass.apiServer.admissionControlConfigFileName" (dict))
     )
-    "event-rate-limit-config.yaml" (dict
+    (include "t8s-cluster.clusterClass.apiServer.auditConfigFileName" (dict)) (dict
+      "path" (include "t8s-cluster.clusterClass.apiServer.auditConfigPath" (dict))
+      "fileName" (include "t8s-cluster.clusterClass.apiServer.auditConfigFileName" (dict))
+    )
+    (include "t8s-cluster.clusterClass.apiServer.eventRateLimitConfigFileName" (dict)) (dict
       "path" (include "t8s-cluster.clusterClass.apiServer.eventRateLimitConfigPath" (dict))
       "fileName" (include "t8s-cluster.clusterClass.apiServer.eventRateLimitConfigFileName" (dict))
     )
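Review bot: `"audit-log-path" "-"` (second added line of the args hunk) streams audit events to the kube-apiserver container's stdout, so retention is whatever the node's container log rotation keeps, the `--audit-log-maxage`/`-maxbackup`/`-maxsize` controls do not apply, and anyone with `pods/log` read access in kube-system can read the whole audit stream. That is acceptable only if an off-node collector consumes the stream quickly enough not to lose events during a burst, which the catch-all Metadata policy in audit-config.yaml makes likely under load; the commit does not say which collector is assumed. I would at least record the decision next to the line, `{{- /* "-" = apiserver stdout: retention depends on node log rotation and an off-node log collector */ -}}`, and otherwise use a file path under a hostPath mount with explicit maxage/maxbackup/maxsize or add `--audit-webhook-config-file` for a dedicated backend. The enclosing args template starts before this hunk.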
@@ -214,10 +228,10 @@ admission-control-config.yaml {{- define "t8s-cluster.clusterClass.apiServer.dynamicFiles" -}} {{- toYaml (dict - "authentication-config.yaml" (dict + (include "t8s-cluster.clusterClass.apiServer.authenticationConfigFileName" (dict)) (dict "path" (include "t8s-cluster.clusterClass.apiServer.authenticationConfigPath" (dict)) "fileName" (include "t8s-cluster.clusterClass.apiServer.authenticationConfigFileName" (dict)) - "content" (include "t8s-cluster.clusterClass.apiServer.authenticationConfig" (dict "context" .)) + "content" (include "t8s-cluster.clusterClass.apiServer.authenticationConfig" (dict "context" .context)) ) ) -}}