Viewing audit logs

This page shows you how to view information about deployment status and policy enforcement in Cloud Logging. To learn more about Cloud Logging terminology used in this page, see Viewing logs.

Overview

When you use Binary Authorization to deploy a container image to Google Kubernetes Engine (GKE), GKE writes details about the deployment to the audit logs in Google Cloud's operations suite. These audit log entries include enforcement status messages. You can view these log entries in the Google Cloud Console or at the command line using the gcloud logging read command.

For all of the searches below, you access Cloud Logging and select the project that contains the events you want to view.

For general access to Cloud Logging, do the following:

  1. Go to the Google Cloud's operations suite Logging > Logs (Logs Viewer) page in the Cloud Console.

  2. Choose the Google Cloud project for which you want to view Cloud Logging.

Enforcement status messages

GKE writes messages to the audit log for the following enforcement conditions:

  • Blocked deployment: Deployment was blocked due to Binary Authorization policy.
  • Breakglass event: Deployment bypassed policy check using breakglass mechanism. For more information, see Using breakglass.
  • Fail open: Deployment was allowed because Binary Authorization backend was unavailable.
  • Dry run: Deployment allowed with policy violations because dry run mode was set in the Binary Authorization policy.

Blocked deployment events in Cloud Logging

When a container image is blocked because it violates a Binary Authorization policy, GKE writes the following to the audit log for the Kubernetes Cluster (k8s_cluster) resource:

protoPayload.response.reason: "Forbidden"
protoPayload.response.status: "Failure"

Query Cloud Logging for blocked deployment events

Cloud Logging Viewer (Classic)

To view blocked deployment events in Cloud Logging Viewer (Classic):

  1. Go to the Logs Viewer page.

  2. Choose the Google Cloud project for which you want to view Cloud Logging entries.

  3. Using the basic selector drop-down menu, select Kubernetes Cluster.

  4. In the Log selector drop-down menu, select cloudaudit.googleapis.com/activity.

  5. Enter the following query into the search-query box:

    FAILURE
    NOT "kube-system"
    NOT "istio-system"
    
  6. Select the time range in the time-range selector.

Cloud Logging Viewer (Preview)

To view blocked deployment events in Cloud Logging Viewer (Preview):

  1. Go to the Logs Viewer page.

  2. From the Classic view, open the version-picker menu and switch the Logs Viewer version from Classic to Preview.

  3. Enter the following query in the search-query box:

    resource.type="k8s_cluster"
    logName:"cloudaudit.googleapis.com%2Factivity"
    (protoPayload.methodName="io.k8s.core.v1.pods.create" OR
     protoPayload.methodName="io.k8s.core.v1.pods.update")
    protoPayload.response.status="FAILURE"
    

  4. Select the time range in the time-range selector.

Command line

To view policy violation events from the past week in Cloud Logging using the CLI:

gcloud beta logging read --order="desc" --freshness=7d \
  'resource.type="k8s_cluster" AND
  logName:"cloudaudit.googleapis.com%2Factivity" AND
  protoPayload.response.status="FAILURE"'

Breakglass events in Cloud Logging

Binary Authorization allows you to override the policy using a breakglass annotation.

When an image fails to pass the required checks in a Binary Authorization policy, but is permitted to be deployed by a policy override, GKE writes the following labels to the audit log for the Kubernetes Cluster (k8s_cluster) resource:

imagepolicywebhook.image-policy.k8s.io/break-glass: "true"
imagepolicywebhook.image-policy.k8s.io/overridden-verification-result: "'IMAGE_PATH@IMAGE_DIGEST': Denied by DENIED_REASON"

where:

  • IMAGE_PATH is the fully-qualified path to the container image you attempted to deploy (for example, gcr.io/example-project/quickstart-image).
  • IMAGE_DIGEST is the unique digest of the container image.
  • DENIED_REASON is the reason the Binary Authorization enforcer denied the deployment.

Query Cloud Logging for breakglass events

Cloud Logging Viewer (Classic)

To view breakglass events in Cloud Logging Viewer (Classic):

  1. Go to the Logs Viewer page.

  2. Choose the Google Cloud project for which you want to view Cloud Logging entries.

  3. Using the basic selector drop-down menu, select Kubernetes Cluster.

  4. In the Log selector drop-down menu, select cloudaudit.googleapis.com/activity.

  5. Enter the following query into the search-query box:

    "imagepolicywebhook.image-policy.k8s.io/break-glass"
    
  6. Select the time range in the time-range selector.

Cloud Logging Viewer (Preview)

To view breakglass events in Cloud Logging Viewer (Preview):

  1. Go to the Logs Viewer page.

  2. From the Classic view, open the version-picker menu and switch the Logs Viewer version from Classic to Preview.

  3. Enter the following in the search-query box:

    resource.type="k8s_cluster"
    logName:"cloudaudit.googleapis.com%2Factivity"
    (protoPayload.methodName="io.k8s.core.v1.pods.create" OR
     protoPayload.methodName="io.k8s.core.v1.pods.update")
    labels."imagepolicywebhook.image-policy.k8s.io/break-glass"="true"
    

  4. Select the time range in the time-range selector.

Command line

To view breakglass events from the past week in Cloud Logging using the CLI:

gcloud beta logging read --order="desc" --freshness=7d \
  'resource.type="k8s_cluster" AND
  logName:"cloudaudit.googleapis.com%2Factivity" AND
  protoPayload.methodName="io.k8s.core.v1.pods.create" AND
  labels."imagepolicywebhook.image-policy.k8s.io/break-glass"="true"'

Fail open events in Cloud Logging

Fail open occurs when a container image deployment is attempted, the Binary Authorization enforcer is unavailable or times out, and the container image is allowed to deploy.

In this case, the verification result is unknown, and a log entry is recorded.

Query Cloud Logging for fail open events

Cloud Logging Viewer (Classic)

To view fail open events in Cloud Logging Viewer (Classic):

  1. Go to the Logs Viewer page.

  2. Choose the Google Cloud project for which you want to view Cloud Logging entries.

  3. Using the basic selector drop-down menu, select Kubernetes Cluster.

  4. In the Log selector drop-down menu, select cloudaudit.googleapis.com/activity.

  5. Enter the following query into the search-query box:

    "image-policy.k8s.io/failed-open"
    
  6. Select the time range in the time-range selector.

Cloud Logging Viewer (Preview)

To view fail open events in Cloud Logging Viewer (Preview):

  1. Go to the Logs Viewer page.

  2. From the Classic view, open the version-picker menu and switch the Logs Viewer version from Classic to Preview.

  3. Enter the following in the search-query box:

    resource.type="k8s_cluster"
    logName:"cloudaudit.googleapis.com%2Factivity"
    (protoPayload.methodName="io.k8s.core.v1.pods.create" OR
     protoPayload.methodName="io.k8s.core.v1.pods.update")
    "image-policy.k8s.io/failed-open"
    

  4. Select the time range in the time-range selector.

Command line

To view fail open events from the past week in Cloud Logging using the CLI:

gcloud beta logging read --order="desc" --freshness=7d \
  'resource.type="k8s_cluster" AND
  logName:"cloudaudit.googleapis.com%2Factivity" AND
  protoPayload.methodName="io.k8s.core.v1.pods.create" AND
  labels."alpha.image-policy.k8s.io/failed-open"="true"'

Dry run events in Cloud Logging

Dry run mode is an enforcement mode in a policy that allows non-conformant images to be deployed, but writes details about the deployment to the audit log. Dry run mode allows you to test a policy in your production environment before it goes into effect.

When a container image fails to pass the required checks in a policy, but is permitted to be deployed by dry run mode, GKE writes the following to the audit log for the Kubernetes Cluster (k8s_cluster) resource:

imagepolicywebhook.image-policy.k8s.io/dry-run: "true"
imagepolicywebhook.image-policy.k8s.io/overridden-verification-result: "'REGISTRY_PATH': Image REGISTRY_PATH denied by projects/PROJECT_ID/attestors/ATTESTOR: Attestor cannot attest to an image deployed by tag"

where:

  • REGISTRY_PATH is the fully-qualified path to the image in your container image registry.
  • ATTESTOR is the fully-qualified path to the attestor in Binary Authorization in the format

Query Cloud Logging for dry run events

Cloud Logging Viewer (Classic)

To view dry run deployment events in Cloud Logging Viewer (Classic):

  1. Go to the Logs Viewer page.

  2. Choose the Google Cloud project for which you want to view Cloud Logging entries.

  3. Using the basic selector drop-down menu, select Kubernetes Cluster.

  4. In the Log selector drop-down menu, select cloudaudit.googleapis.com/activity.

  5. Enter the following query into the search-query box:

    "imagepolicywebhook.image-policy.k8s.io/dry-run"
    
  6. Select the time range in the time-range selector.

Cloud Logging Viewer (Preview)

To view dry run deployment events in Cloud Logging Viewer (Preview):

  1. Go to the Logs Viewer page.

  2. From the Classic view, open the version-picker menu and switch the Logs Viewer version from Classic to Preview.

  3. Enter the following in the search-query box:

    resource.type="k8s_cluster"
    logName:"cloudaudit.googleapis.com%2Factivity"
    (protoPayload.methodName="io.k8s.core.v1.pods.create" OR
     protoPayload.methodName="io.k8s.core.v1.pods.update")
    labels."imagepolicywebhook.image-policy.k8s.io/dry-run"="true"
    

  4. Select the time range in the time-range selector.

Command line

To view dry run deployment events from the past week in Cloud Logging using the CLI:

gcloud beta logging read --order="desc" --freshness=7d \
  'labels."imagepolicywebhook.image-policy.k8s.io/dry-run"="true"'
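The four enforcement conditions above (blocked, breakglass, fail open, dry run) are distinguished by the response fields and labels this page lists. The following added example, which is not part of the Google documentation, classifies entries from the JSON array that `gcloud logging read --format=json` prints and tallies them per condition; the sample entries are constructed for illustration, and the `message` field on the blocked response is an assumption, not a field this page documents.

```python
import json

# Label keys GKE writes to the k8s_cluster audit entry, as listed on this page.
BREAK_GLASS = "imagepolicywebhook.image-policy.k8s.io/break-glass"
DRY_RUN = "imagepolicywebhook.image-policy.k8s.io/dry-run"
FAIL_OPEN = "alpha.image-policy.k8s.io/failed-open"
RESULT = "imagepolicywebhook.image-policy.k8s.io/overridden-verification-result"
POD_METHODS = {"io.k8s.core.v1.pods.create", "io.k8s.core.v1.pods.update"}

def classify(entry):
    """Return (condition, detail), or None if not a pod create/update enforcement event."""
    payload = entry.get("protoPayload", {})
    if (entry.get("resource", {}).get("type") != "k8s_cluster"
            or payload.get("methodName") not in POD_METHODS):
        return None
    labels = entry.get("labels", {})
    if labels.get(BREAK_GLASS) == "true":
        return ("breakglass", labels.get(RESULT, ""))
    if labels.get(DRY_RUN) == "true":
        return ("dry-run", labels.get(RESULT, ""))
    if labels.get(FAIL_OPEN) == "true":
        return ("fail-open", "enforcer unavailable; verification result unknown")
    # A block is a Forbidden failure response; the page spells the status
    # both "Failure" and "FAILURE", so compare case-insensitively.
    resp = payload.get("response", {})
    if resp.get("status", "").upper() == "FAILURE" and resp.get("reason") == "Forbidden":
        return ("blocked", resp.get("message", ""))  # "message" is assumed, not documented here
    return None

def summarize(json_text):
    """Count conditions in the JSON array that `gcloud logging read --format=json` prints."""
    counts = {}
    for entry in json.loads(json_text):
        hit = classify(entry)
        if hit:
            counts[hit[0]] = counts.get(hit[0], 0) + 1
    return counts

# Constructed sample entries (not real log output); only the fields used above are present.
CLUSTER = {"type": "k8s_cluster"}
SAMPLE = json.dumps([
    {"resource": CLUSTER, "protoPayload": {"methodName": "io.k8s.core.v1.pods.create",
     "response": {"status": "Failure", "reason": "Forbidden", "message": "denied by policy"}}},
    {"resource": CLUSTER, "protoPayload": {"methodName": "io.k8s.core.v1.pods.update"},
     "labels": {BREAK_GLASS: "true", RESULT: "'IMAGE_PATH@IMAGE_DIGEST': Denied by DENIED_REASON"}},
    {"resource": CLUSTER, "protoPayload": {"methodName": "io.k8s.core.v1.pods.create"},
     "labels": {FAIL_OPEN: "true"}},
    {"resource": CLUSTER, "protoPayload": {"methodName": "io.k8s.core.v1.pods.create"},
     "labels": {DRY_RUN: "true", RESULT: "'REGISTRY_PATH': Image REGISTRY_PATH denied by attestor"}},
])
```

Pipe real output into `summarize` with, for example, `gcloud beta logging read --freshness=7d --format=json 'resource.type="k8s_cluster" AND logName:"cloudaudit.googleapis.com%2Factivity"'`; a non-zero breakglass or fail-open count is the signal worth alerting on, since both mean an image reached the cluster without passing the policy.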