This guide describes how to view the Cloud Logging entries generated by continuous validation (CV) when it uses check-based platform policies. To view legacy continuous validation (deprecated) entries instead, see View legacy CV logs.
CV records check-related findings in podEvent entries.
CV records configuration-related problems, such as a misconfigured platform policy or IAM role, in configErrorEvent entries.
View logs for CV entries
CV writes platform policy violations to Cloud Logging within 24 hours; entries usually appear within a few hours.
If no image violates a platform policy you enabled, no entries appear in the log.
To view CV log entries from the past 7 days, run the following command:
gcloud logging read \
--order="desc" \
--freshness=7d \
--project=CLUSTER_PROJECT_ID \
'logName:"binaryauthorization.googleapis.com%2Fcontinuous_validation" "policyName"'
Replace CLUSTER_PROJECT_ID with the project ID of the cluster.
Check types
CV log entries record violations under checkResults. Within that entry, the checkType value identifies the check that produced the result. The value for each check is as follows:
ImageFreshnessCheck
SigstoreSignatureCheck
SimpleSigningAttestationCheck
SlsaCheck
TrustedDirectoryCheck
VulnerabilityCheck
Example log entry
The following example CV Logging entry describes a non-conformant image that violates a trusted directory check:
{
  "insertId": "637c2de7-0000-2b64-b671-24058876bb74",
  "jsonPayload": {
    "podEvent": {
      "endTime": "2022-11-22T01:14:30.430151Z",
      "policyName": "projects/123456789/platforms/gke/policies/my-policy",
      "images": [
        {
          "result": "DENY",
          "checkResults": [
            {
              "explanation": "TrustedDirectoryCheck at index 0 with display name \"My trusted directory check\" has verdict NOT_CONFORMANT. Image is not in a trusted directory",
              "checkSetName": "My check set",
              "checkSetIndex": "0",
              "checkName": "My trusted directory check",
              "verdict": "NON_CONFORMANT",
              "checkType": "TrustedDirectoryCheck",
              "checkIndex": "0"
            }
          ],
          "image": "gcr.io/my-project/hello-app:latest"
        }
      ],
      "verdict": "VIOLATES_POLICY",
      "podNamespace": "default",
      "deployTime": "2022-11-22T01:06:53Z",
      "pod": "hello-app"
    },
    "@type": "type.googleapis.com/google.cloud.binaryauthorization.v1beta1.ContinuousValidationEvent"
  },
  "resource": {
    "type": "k8s_cluster",
    "labels": {
      "project_id": "my-project",
      "location": "us-central1-a",
      "cluster_name": "my-test-cluster"
    }
  },
  "timestamp": "2022-11-22T01:44:28.729881832Z",
  "severity": "WARNING",
  "logName": "projects/my-project/logs/binaryauthorization.googleapis.com%2Fcontinuous_validation",
  "receiveTimestamp": "2022-11-22T03:35:47.171905337Z"
}
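As an added example (not part of this page or of the Binary Authorization tooling), the following Python script summarises CV entries in the shape shown above, as returned by the gcloud command run with --format=json (a JSON array of entries). It walks each podEvent, keeps only checkResults whose verdict is NON_CONFORMANT, and counts them per checkType; entries without a podEvent, such as configErrorEvent entries, are skipped. The sample entries are constructed and trimmed to the fields the script uses.

```python
import json
from collections import Counter

# Constructed sample in the shape of `gcloud logging read ... --format=json`
# output: a JSON array of entries, each with jsonPayload.podEvent as above.
SAMPLE_ENTRIES = json.dumps([
    {"jsonPayload": {"podEvent": {
        "policyName": "projects/123456789/platforms/gke/policies/my-policy",
        "podNamespace": "default", "pod": "hello-app", "verdict": "VIOLATES_POLICY",
        "images": [{"image": "gcr.io/my-project/hello-app:latest", "result": "DENY",
                    "checkResults": [{"checkType": "TrustedDirectoryCheck",
                                      "checkName": "My trusted directory check",
                                      "verdict": "NON_CONFORMANT"}]}]}},
     "resource": {"labels": {"cluster_name": "my-test-cluster"}},
     "severity": "WARNING"},
    # configErrorEvent fields are not shown on this page, so the body is left
    # empty; violations() skips it because it carries no podEvent.
    {"jsonPayload": {"configErrorEvent": {}}, "severity": "WARNING"},
])


def violations(entries_json):
    """Flatten CV podEvent entries into one record per NON_CONFORMANT check."""
    records = []
    for entry in json.loads(entries_json):
        pod_event = entry.get("jsonPayload", {}).get("podEvent")
        if not pod_event:  # configErrorEvent or unrelated entry
            continue
        labels = entry.get("resource", {}).get("labels", {})
        for image in pod_event.get("images", []):
            for check in image.get("checkResults", []):
                if check.get("verdict") != "NON_CONFORMANT":
                    continue
                records.append({
                    "cluster": labels.get("cluster_name"),
                    "pod": f"{pod_event.get('podNamespace')}/{pod_event.get('pod')}",
                    "image": image.get("image"),
                    "checkType": check.get("checkType"),
                    "checkName": check.get("checkName"),
                })
    return records


def count_by_check_type(records):
    """Count NON_CONFORMANT results per checkType across all entries."""
    return Counter(r["checkType"] for r in records)
```

To run it against real output, pipe `gcloud logging read ... --format=json` into a file and pass its contents to violations().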