This guide shows you how to view Cloud Logging entries that are generated by continuous validation (CV) with check-based platform policies. To instead view legacy continuous validation (deprecated) entries, see View legacy CV logs.
CV logs check-related issues in podEvent
entries.
CV logs configuration-related issues in configErrorEvent
entries—for example, if a platform policy or IAM roles are
misconfigured.
View logs for CV entries
CV logs platform policy violations to Cloud Logging within 24 hours. You can usually see entries within a couple of hours.
If no images violate the platform policies that you have enabled, no entries appear in the logs.
To view CV log entries for the last seven days, run the following command:
gcloud logging read \
--order="desc" \
--freshness=7d \
--project=CLUSTER_PROJECT_ID \
'logName:"binaryauthorization.googleapis.com%2Fcontinuous_validation" "policyName"'
Replace CLUSTER_PROJECT_ID
with the cluster project ID.
Check types
CV logs check violation information to checkResults
. In the
entry, the value checkType
indicates the check. The values for each check are
as follows:
ImageFreshnessCheck
SigstoreSignatureCheck
SimpleSigningAttestationCheck
SlsaCheck
TrustedDirectoryCheck
VulnerabilityCheck
Example log
The following example CV Logging entry describes a non-conformant image that violates a trusted directory check:
{
"insertId": "637c2de7-0000-2b64-b671-24058876bb74",
"jsonPayload": {
"podEvent": {
"endTime": "2022-11-22T01:14:30.430151Z",
"policyName": "projects/123456789/platforms/gke/policies/my-policy",
"images": [
{
"result": "DENY",
"checkResults": [
{
"explanation": "TrustedDirectoryCheck at index 0 with display name \"My trusted directory check\" has verdict NOT_CONFORMANT. Image is not in a trusted directory",
"checkSetName": "My check set",
"checkSetIndex": "0",
"checkName": "My trusted directory check",
"verdict": "NON_CONFORMANT",
"checkType": "TrustedDirectoryCheck",
"checkIndex": "0"
}
],
"image": "gcr.io/my-project/hello-app:latest"
}
],
"verdict": "VIOLATES_POLICY",
"podNamespace": "default",
"deployTime": "2022-11-22T01:06:53Z",
"pod": "hello-app"
},
"@type": "type.googleapis.com/google.cloud.binaryauthorization.v1beta1.ContinuousValidationEvent"
},
"resource": {
"type": "k8s_cluster",
"labels": {
"project_id": "my-project",
"location": "us-central1-a",
"cluster_name": "my-test-cluster"
}
},
"timestamp": "2022-11-22T01:44:28.729881832Z",
"severity": "WARNING",
"logName": "projects/my-project/logs/binaryauthorization.googleapis.com%2Fcontinuous_validation",
"receiveTimestamp": "2022-11-22T03:35:47.171905337Z"
}
What's next
- Use the image freshness check
- Use the simple signing attestation check
- Use the Sigstore signature check
- Use the SLSA check
- Use the trusted directory check
- Use the vulnerability check
- View CV logs