Cloud Audit Logs

Overview

GKE on Azure supports audit logging at both the Cloud API level and the Kubernetes cluster level. This document covers Kubernetes cluster audit logging. For Cloud API audit logging, see the Cloud API audit logging information.

GKE on Azure makes use of Kubernetes Audit Logging, which keeps a chronological record of calls made to a cluster's Kubernetes API server. Audit logs are useful for investigating suspicious API requests and for collecting statistics.

In cluster versions 1.23 and higher, GKE on Azure writes Cloud Audit Logs in a Google Cloud project by default. Writing to Cloud Audit Logs has the following benefits:

  • Audit logs for all GKE clusters can be centralized.
  • Log entries written to Cloud Audit Logs are immutable.
  • Cloud Audit Logs entries are retained for 400 days.
  • Cloud Audit Logs is included in the price of Anthos.

Limitations

The current version of Cloud Audit Logs for GKE on Azure has several limitations:

  • Data Access audit logging (get, list, and watch requests) is not supported; only Admin Activity (mutating) requests are recorded.

  • Modifying the Kubernetes audit policy is not supported.

  • Cloud Audit Logs is not resilient to extended network outages. If log entries cannot be exported to Google Cloud, they are cached in a 10 GB disk buffer. If that buffer fills, subsequent entries are dropped, so a long outage leaves a gap in the audit trail.

Audit policy

Cloud Audit Logs behavior is determined by a statically configured Kubernetes audit logging policy. Changing this policy is currently not supported, but will be available in a future release.

Access Cloud Audit Logs

You can access Cloud Audit Logs in the Google Cloud console or with the Google Cloud CLI.

Console

  1. In the Google Cloud console, go to the Logs Explorer page in the Logging menu.


  2. Click the Show query toggle.

  3. Fill the text box with the following filter:

    resource.type="k8s_cluster"
    logName="projects/PROJECT_ID/logs/externalaudit.googleapis.com%2Factivity"

    [Screenshot: Logs Explorer with the Show query toggle on and the query populated]

  4. Click Run query to display all audit logs from GKE on Azure clusters that are configured to send their logs to this project.

gcloud

List the two most recent log entries in your project's Admin Activity log that apply to the k8s_cluster resource type (gcloud logging read returns entries newest first by default):

gcloud logging read \
    'logName="projects/PROJECT_ID/logs/externalaudit.googleapis.com%2Factivity"
    AND resource.type="k8s_cluster" ' \
    --limit 2 \
    --freshness 300d

where PROJECT_ID is your project ID.

The output shows two log entries. Notice that for each log entry, the logName field has the value projects/PROJECT_ID/logs/externalaudit.googleapis.com%2Factivity and protoPayload.serviceName is equal to gkemulticloud.googleapis.com.
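Reading two entries confirms that export works, but the point of centralizing these logs is to search them. The following Python script is an added example, not code from the page or from Google: it takes the JSON that the same gcloud filter produces with --format=json and pulls out the Admin Activity entries a reviewer would look at first, such as RBAC changes and exec into pods. Because Data Access logging is not supported, only mutating calls can show up. logName, resource.type and protoPayload.serviceName are the fields the page names; protoPayload.methodName, authenticationInfo, requestMetadata, resourceName and status are standard Cloud Audit Logs AuditLog fields. The "...<resource>.<verb>" layout of methodName, the list of sensitive operations, and every value in the sample entries are assumptions or constructed data, not captured logs.

```python
"""Triage GKE on Azure Kubernetes audit entries exported to Cloud Audit Logs.

Added example (not from the page or from Google). Feed it the output of
  gcloud logging read '<filter>' --format=json
and it returns the entries worth a first look. All sample data below is
constructed; the methodName layout and the SENSITIVE set are assumptions.
"""
import json
import subprocess
from typing import Any, Dict, List, Tuple

ACTIVITY_LOG = "projects/{project}/logs/externalaudit.googleapis.com%2Factivity"
K8S_SERVICE = "gkemulticloud.googleapis.com"   # serviceName the page describes
PERMISSION_DENIED = 7                          # google.rpc.Code.PERMISSION_DENIED

# (resource, verb) pairs that change who can do what in the cluster, or open a
# shell inside a workload. Assumed list; extend it for your environment.
SENSITIVE = {
    ("clusterrolebindings", "create"), ("clusterrolebindings", "patch"),
    ("clusterrolebindings", "update"), ("clusterroles", "create"),
    ("clusterroles", "patch"), ("clusterroles", "update"),
    ("rolebindings", "create"), ("exec", "create"),
}


def is_cluster_audit_entry(entry: Dict[str, Any], project: str) -> bool:
    """True for Kubernetes audit entries in this project's Admin Activity log."""
    payload = entry.get("protoPayload", {})
    return (
        entry.get("logName") == ACTIVITY_LOG.format(project=project)
        and entry.get("resource", {}).get("type") == "k8s_cluster"
        and payload.get("serviceName") == K8S_SERVICE
    )


def split_method(method: str) -> Tuple[str, str]:
    """'io.k8s.authorization.rbac.v1.clusterrolebindings.create' ->
    ('clusterrolebindings', 'create'). Assumed layout: last token is the verb,
    the one before it the resource or subresource (for example 'exec')."""
    parts = method.split(".")
    if len(parts) < 2:
        return ("", method)
    return (parts[-2], parts[-1])


def triage(entries: List[Dict[str, Any]], project: str) -> List[Dict[str, Any]]:
    """Return one finding per sensitive Kubernetes operation, newest first if
    the input is (gcloud's default descending order is preserved)."""
    findings = []
    for e in entries:
        if not is_cluster_audit_entry(e, project):
            continue
        p = e["protoPayload"]
        if split_method(p.get("methodName", "")) not in SENSITIVE:
            continue
        findings.append({
            "time": e.get("timestamp"),
            "cluster": e.get("resource", {}).get("labels", {}).get("cluster_name"),
            "principal": p.get("authenticationInfo", {}).get("principalEmail"),
            "caller_ip": p.get("requestMetadata", {}).get("callerIp"),
            "method": p.get("methodName"),
            "target": p.get("resourceName"),
            # A denied attempt is still interesting: someone tried.
            "denied": p.get("status", {}).get("code") == PERMISSION_DENIED,
        })
    return findings


def read_from_gcloud(project: str, freshness: str = "1d", limit: int = 500):
    """Fetch entries with the same filter the page uses (needs gcloud auth)."""
    flt = (f'logName="{ACTIVITY_LOG.format(project=project)}" '
           'AND resource.type="k8s_cluster"')
    out = subprocess.run(
        ["gcloud", "logging", "read", flt, "--project", project,
         f"--limit={limit}", f"--freshness={freshness}", "--format=json"],
        check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def _entry(method, principal, target, service=K8S_SERVICE, code=None, ts="2024-05-01T10:00:00Z"):
    """Build a constructed entry shaped like a Cloud Audit Logs record."""
    payload = {"serviceName": service, "methodName": method, "resourceName": target,
               "authenticationInfo": {"principalEmail": principal},
               "requestMetadata": {"callerIp": "203.0.113.10"}}
    if code is not None:
        payload["status"] = {"code": code}
    return {"timestamp": ts, "logName": ACTIVITY_LOG.format(project="my-project"),
            "resource": {"type": "k8s_cluster",
                         "labels": {"project_id": "my-project", "cluster_name": "prod-eu"}},
            "protoPayload": payload}


# Constructed sample: one RBAC grant, one harmless write, one entry from a
# different service, and one denied exec attempt.
SAMPLE_ENTRIES = [
    _entry("io.k8s.authorization.rbac.v1.clusterrolebindings.create", "alice@example.com",
           "rbac.authorization.k8s.io/v1/clusterrolebindings/ops-admin"),
    _entry("io.k8s.core.v1.configmaps.create", "ci-bot@example.com",
           "core/v1/namespaces/app/configmaps/settings"),
    _entry("io.k8s.authorization.rbac.v1.clusterrolebindings.create", "ci-bot@example.com",
           "rbac.authorization.k8s.io/v1/clusterrolebindings/x", service="container.googleapis.com"),
    _entry("io.k8s.core.v1.pods.exec.create", "bob@example.com",
           "core/v1/namespaces/app/pods/api-0/exec", code=PERMISSION_DENIED),
]

if __name__ == "__main__":
    # Swap SAMPLE_ENTRIES for read_from_gcloud("PROJECT_ID") to run against real logs.
    for f in triage(SAMPLE_ENTRIES, "my-project"):
        print(json.dumps(f))
```

Entries whose serviceName is not gkemulticloud.googleapis.com are skipped, which keeps audit records from other products that also use the k8s_cluster resource type out of the result.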