Version 1.0. This version is no longer supported as outlined in the Anthos version support policy. For the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware (GKE on-prem), upgrade to a supported version. You can find the most recent version here.

Audit logging

This page describes how to access Kubernetes apiserver audit logs.


Each GKE On-Prem cluster has Kubernetes Audit Logging, which keeps a chronological record of calls made to the cluster's Kubernetes API server. Audit logs are useful for investigating suspicious API requests or for collecting statistics.

Audit logs from each apiserver are written to a persistent disk, so that VM restarts and upgrades don't cause the logs to disappear. GKE On-Prem retains up to 10GB of audit logs.

Accessing Kubernetes audit logs

You can only access audit logs through the admin cluster:

  1. View the Kubernetes API servers running in your clusters:

    kubectl get pods --all-namespaces -l component=kube-apiserver

  2. Download the API server's audit logs:

    kubectl cp -n [NAMESPACE] [APISERVER_POD_NAME]:/var/log/kube-audit/kube-apiserver-audit.log /tmp/kubeaudit.log

    This command fetches the latest log file, which can contain up to 1GB of data for the admin cluster and up to 850GB for user clusters.

    Older audit records are kept in separate files. To view those files:

    kubectl exec -n [NAMESPACE] [APISERVER_POD_NAME] -- ls /var/log/kube-audit -la

    Each audit log's filename has a timestamp that indicates when the file was rotated. A file contains audit logs up to that time and date.
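Once a log file has been copied to `/tmp/kubeaudit.log`, it can be triaged offline. The following is an added example, not part of the original page or of GKE On-Prem: it assumes the file holds one JSON Kubernetes audit `Event` per line, and the function names `parse_events` and `summarize` and the sample lines are constructed for illustration.

```python
import json
import sys
from collections import Counter

# Constructed sample (not real cluster data), one JSON audit Event per line.
# The last line is cut short, as can happen when copying a file still being written.
SAMPLE_LOG = r"""
{"apiVersion":"audit.k8s.io/v1","stage":"RequestReceived","verb":"list","user":{"username":"alice@example.com"},"objectRef":{"resource":"pods","namespace":"default"}}
{"apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"list","user":{"username":"alice@example.com"},"objectRef":{"resource":"pods","namespace":"default"},"responseStatus":{"code":200}}
{"apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:dev:builder"},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"secrets","namespace":"kube-system","name":"example-token"},"responseStatus":{"code":403}}
{"apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:dev:builder"},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"secrets","namespace":"kube-system","name":"example-token"},"responseStatus":{"code":403}}
{"apiVersion":"audit.k8s.io/v1","stage":"ResponseComp
"""

def parse_events(lines):
    """Yield audit events as dicts, skipping blank, truncated, or non-object lines."""
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict):
            yield event

def summarize(lines):
    """Return (request counts per (user, verb), list of 401/403 requests)."""
    counts, denied = Counter(), []
    for ev in parse_events(lines):
        if ev.get("stage") != "ResponseComplete":
            continue  # a request can log several stages; count it once
        user = (ev.get("user") or {}).get("username", "<unknown>")
        verb = ev.get("verb", "?")
        ref = ev.get("objectRef") or {}
        code = (ev.get("responseStatus") or {}).get("code")
        counts[(user, verb)] += 1
        if code in (401, 403):
            denied.append({"user": user, "verb": verb, "code": code,
                           "resource": ref.get("resource"),
                           "namespace": ref.get("namespace"),
                           "sourceIPs": ev.get("sourceIPs", [])})
    return counts, denied

if __name__ == "__main__":
    # Pass /tmp/kubeaudit.log (from the kubectl cp step) or run on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            counts, denied = summarize(fh)
    else:
        counts, denied = summarize(SAMPLE_LOG.splitlines())
    for (user, verb), n in counts.most_common(10):
        print(f"{n:6d}  {verb:8s} {user}")
    for d in denied:
        print("DENIED", json.dumps(d))
```

The file is read line by line, so the same script works on the larger rotated files listed in `/var/log/kube-audit`.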

Audit policy

Audit logging behavior is determined by a statically-configured Kubernetes audit logging policy. Changing this policy is currently not supported.