This guide shows you how to view Cloud Logging entries that are generated by continuous validation (CV) with check-based platform policies. To instead view legacy continuous validation (deprecated) entries, see View legacy CV logs.
CV logs check-related issues in podEvent entries.
CV logs configuration-related issues in configErrorEvent
entries—for example, if a platform policy or IAM roles are
misconfigured.
View logs for CV entries
You can search Cloud Logging entries to find CV configuration errors and CV platform policy validation violations.
CV logs errors and violations to Cloud Logging within 24 hours. You can usually see entries within a few hours.
View CV configuration error logs
To view CV configuration error logs, run the following command:
gcloud logging read \
--order="desc" \
--freshness=7d \
--project=CLUSTER_PROJECT_ID \
'logName:"binaryauthorization.googleapis.com%2Fcontinuous_validation" "configErrorEvent"'
The following output shows a configuration error in which a CV platform policy isn't found:
{
"insertId": "141d4f10-72ea-4a43-b3ec-a03da623de42",
"jsonPayload": {
"@type": "type.googleapis.com/google.cloud.binaryauthorization.v1beta1.ContinuousValidationEvent",
"configErrorEvent": {
"description": "Cannot monitor cluster 'us-central1-c.my-cluster': Resource projects/123456789/platforms/gke/policies/my-policy does not exist."
}
},
"resource": {
"type": "k8s_cluster",
"labels": {
"cluster_name": "my-cluster",
"location": "us-central1-c",
"project_id": "my-project"
}
},
"timestamp": "2024-05-28T15:31:03.999566Z",
"severity": "WARNING",
"logName": "projects/my-project/logs/binaryauthorization.googleapis.com%2Fcontinuous_validation",
"receiveTimestamp": "2024-05-28T16:30:56.304108670Z"
}
View CV platform policy validation violations
If no images violate the platform policies that you have enabled, no entries appear in the logs.
To view CV log entries for the last seven days, run the following command:
gcloud logging read \
--order="desc" \
--freshness=7d \
--project=CLUSTER_PROJECT_ID \
'logName:"binaryauthorization.googleapis.com%2Fcontinuous_validation" "policyName"'
Replace CLUSTER_PROJECT_ID with the cluster project ID.
Check types
CV logs check violation information to checkResults. In the
entry, the value checkType indicates the check. The values for each check are
as follows:
ImageFreshnessCheckSigstoreSignatureCheckSimpleSigningAttestationCheckSlsaCheckTrustedDirectoryCheckVulnerabilityCheck
Example log
The following example CV Logging entry describes a non-conformant image that violates a trusted directory check:
{
"insertId": "637c2de7-0000-2b64-b671-24058876bb74",
"jsonPayload": {
"podEvent": {
"endTime": "2022-11-22T01:14:30.430151Z",
"policyName": "projects/123456789/platforms/gke/policies/my-policy",
"images": [
{
"result": "DENY",
"checkResults": [
{
"explanation": "TrustedDirectoryCheck at index 0 with display name \"My trusted directory check\" has verdict NOT_CONFORMANT. Image is not in a trusted directory",
"checkSetName": "My check set",
"checkSetIndex": "0",
"checkName": "My trusted directory check",
"verdict": "NON_CONFORMANT",
"checkType": "TrustedDirectoryCheck",
"checkIndex": "0"
}
],
"image": "gcr.io/my-project/hello-app:latest"
}
],
"verdict": "VIOLATES_POLICY",
"podNamespace": "default",
"deployTime": "2022-11-22T01:06:53Z",
"pod": "hello-app"
},
"@type": "type.googleapis.com/google.cloud.binaryauthorization.v1beta1.ContinuousValidationEvent"
},
"resource": {
"type": "k8s_cluster",
"labels": {
"project_id": "my-project",
"location": "us-central1-a",
"cluster_name": "my-test-cluster"
}
},
"timestamp": "2022-11-22T01:44:28.729881832Z",
"severity": "WARNING",
"logName": "projects/my-project/logs/binaryauthorization.googleapis.com%2Fcontinuous_validation",
"receiveTimestamp": "2022-11-22T03:35:47.171905337Z"
}
What's next
- Use the image freshness check
- Use the simple signing attestation check
- Use the Sigstore signature check
- Use the SLSA check
- Use the trusted directory check
- Use the vulnerability check
- View CV logs