Viewing audit logs

This page shows you how to view information about deployment status and policy enforcement in Cloud Audit Logs. To learn more about Cloud Audit Logs user interface terminology used in this page, see Viewing logs.

Overview

When you use Binary Authorization to deploy a container image to Google Kubernetes Engine (GKE), GKE writes details about the deployment to the audit logs in Google Cloud's operations suite. These audit log entries include enforcement status messages. You can view these log entries in the Google Cloud Console or at the command line using the gcloud logging read command.

For the searches later in this guide, you access Cloud Audit Logs and select the project with the events you want to view.

For general access to Cloud Logging, do the following:

  1. In the Cloud Console, go to the Google Cloud's operations suite Logging > Logs (Logs Explorer) page.

  2. Choose the Google Cloud project for which you want to view Cloud Logging.

Enforcement status messages

GKE writes messages to the audit log for the following enforcement conditions:

  • Blocked deployment: The deployment was blocked because it violated the Binary Authorization policy.
  • Breakglass event: The deployment bypassed the policy check using the breakglass mechanism. For more information, see Using breakglass.
  • Fail open: The deployment was allowed because the Binary Authorization backend was unavailable.
  • Dry run: The deployment was allowed despite policy violations because dry run mode was set in the Binary Authorization policy.

Blocked deployment events in Cloud Logging

When a container image is blocked because it violates a Binary Authorization policy, you can find the blocked-deployment events using the following query:

protoPayload.response.reason: "Forbidden"
protoPayload.response.status: "Failure"

Query Cloud Audit Logs for blocked deployment events

This section describes how to query Cloud Audit Logs for blocked deployment events.

Logs Explorer

To view blocked deployment events in the Cloud Logging Logs Explorer, do the following:

  1. Go to the Logs Viewer page.

  2. Enter the following query in the search-query box:

    resource.type="k8s_cluster"
    logName:"cloudaudit.googleapis.com%2Factivity"
    (protoPayload.methodName="io.k8s.core.v1.pods.create" OR
     protoPayload.methodName="io.k8s.core.v1.pods.update")
    protoPayload.response.status="Failure"
    protoPayload.response.reason="Forbidden"
    
  3. Select the time range in the time-range selector.

Legacy Logs Viewer

To view blocked deployment events in the Legacy Logs Viewer, do the following:

  1. Go to the Logs Viewer page.

  2. Select Go back to the Legacy Logs Viewer from the Options drop-down menu.

  3. Choose the Google Cloud project for which you want to view Cloud Logging entries.

  4. Using the basic selector drop-down menu, select GKE Cluster Operations and then select or search for your cluster name.

  5. In the Log selector drop-down menu, select cloudaudit.googleapis.com/activity.

  6. Enter the following query into the search-query box:

    FAILURE
    NOT "kube-system"
    NOT "istio-system"
    
  7. Select the time range in the time-range selector.

gcloud

To view policy violation events from the past week in Cloud Logging using the gcloud command-line tool, run the following command:

gcloud logging read --order="desc" --freshness=7d \
  'resource.type="k8s_cluster" AND
  logName:"cloudaudit.googleapis.com%2Factivity" AND
  protoPayload.response.status="FAILURE"'

Breakglass events in Cloud Logging

Binary Authorization enables you to override the policy using a breakglass label in the podspec.

Query Cloud Logging for pods with breakglass specified

Logs Explorer

To view breakglass events in the Cloud Logging Logs Explorer, do the following:

  1. Go to the Logs Viewer page.

  2. Enter the following in the search-query box:

    resource.type="k8s_cluster"
    logName:"cloudaudit.googleapis.com%2Factivity"
    (protoPayload.methodName="io.k8s.core.v1.pods.create" OR
    protoPayload.methodName="io.k8s.core.v1.pods.update")
    "image-policy.k8s.io/break-glass"
    

  3. Select the time range in the time-range selector.

Legacy Logs Viewer

To view events containing break-glass in the Legacy Logs Viewer, do the following:

  1. Go to the Logs Viewer page.

  2. Select Go back to the Legacy Logs Viewer from the Options drop-down menu.

  3. Choose the Google Cloud project for which you want to view Cloud Logging entries.

  4. Using the basic selector drop-down menu, select GKE Cluster Operations and then select or search for your cluster name.

  5. In the Log selector drop-down menu, select cloudaudit.googleapis.com/activity.

  6. Enter the following query into the search-query box:

    "image-policy.k8s.io/break-glass"
    
  7. Select the time range in the time-range selector.

gcloud

To view breakglass events from the past week in Cloud Logging using the gcloud tool, run the following command:

gcloud logging read --order="desc" --freshness=7d \
  'resource.type="k8s_cluster" AND
  logName:"cloudaudit.googleapis.com%2Factivity" AND
  protoPayload.methodName="io.k8s.core.v1.pods.create" AND
  "image-policy.k8s.io/break-glass"'

Fail open events in Cloud Logging

Fail open occurs when a container image deployment is attempted while Binary Authorization enforcement is unavailable or times out; the container image is then allowed to deploy.

In this case, the verification result is unknown and a log entry is recorded.

Query Cloud Logging for fail open events

Logs Explorer

To view fail open events in the Cloud Logging Logs Explorer, do the following:

  1. Go to the Logs Viewer page.

  2. Enter the following in the search-query box:

    resource.type="k8s_cluster"
    logName:"cloudaudit.googleapis.com%2Factivity"
    (protoPayload.methodName="io.k8s.core.v1.pods.create" OR
     protoPayload.methodName="io.k8s.core.v1.pods.update")
    ("image-policy.k8s.io/failed-open" OR
    "imagepolicywebhook.image-policy.k8s.io/failed-open")
    
  3. Select the time range in the time-range selector.

Legacy Logs Viewer

To view fail open events in the Legacy Logs Viewer, do the following:

  1. Go to the Logs Viewer page.

  2. Choose the Google Cloud project for which you want to view Cloud Logging entries.

  3. Using the basic selector drop-down menu, select GKE Cluster Operations and then select or search for your cluster name.

  4. In the Log selector drop-down menu, select cloudaudit.googleapis.com/activity.

  5. Enter the following query into the search-query box:

    "image-policy.k8s.io/failed-open" OR
    "imagepolicywebhook.image-policy.k8s.io/failed-open"
    
  6. Select the time range in the time-range selector.

gcloud

To view fail open events from the past week in Cloud Logging using the gcloud tool, run the following command:

gcloud logging read --order="desc" --freshness=7d \
  'resource.type="k8s_cluster" AND
  logName:"cloudaudit.googleapis.com%2Factivity" AND
  protoPayload.methodName="io.k8s.core.v1.pods.create" AND
  ("image-policy.k8s.io/failed-open" OR
  "imagepolicywebhook.image-policy.k8s.io/failed-open")'

Dry run events in Cloud Logging

Dry run mode is an enforcement mode in a policy that enables non-conformant images to be deployed, but writes details about the deployment to the audit log. Dry run mode allows you to test a policy in your production environment before it goes into effect.

When a container image fails to pass the required checks in a policy, but is permitted to be deployed by dry run mode, Cloud Audit Logs contains imagepolicywebhook.image-policy.k8s.io/dry-run: "true".

Query Cloud Logging for dry run events

Logs Explorer

To view dry run events in the Cloud Logging Logs Explorer, do the following:

  1. Go to the Logs Viewer page.

  2. Enter the following in the search-query box:

    resource.type="k8s_cluster"
    logName:"cloudaudit.googleapis.com%2Factivity"
    (protoPayload.methodName="io.k8s.core.v1.pods.create" OR
     protoPayload.methodName="io.k8s.core.v1.pods.update")
    labels."imagepolicywebhook.image-policy.k8s.io/dry-run"="true"
    
  3. Select the time range in the time-range selector.

Legacy Logs Viewer

To view dry run deployment events in the Legacy Logs Viewer, do the following:

  1. Go to the Logs Viewer page.

  2. Choose the Google Cloud project for which you want to view Cloud Logging entries.

  3. Using the basic selector drop-down menu, select GKE Cluster Operations and then select or search for your cluster name.

  4. In the Log selector drop-down menu, select cloudaudit.googleapis.com/activity.

  5. Enter the following query into the search-query box:

    "imagepolicywebhook.image-policy.k8s.io/dry-run"
    
  6. Select the time range in the time-range selector.

gcloud

To view dry run deployment events from the past week in Cloud Logging using the gcloud tool, run the following command:

gcloud logging read --order="desc" --freshness=7d \
  'labels."imagepolicywebhook.image-policy.k8s.io/dry-run"="true"'
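As an added example that is not part of this page or of Binary Authorization's own tooling, the following Python classifier applies the four enforcement conditions above (blocked, breakglass, fail open, dry run) to exported audit log entries such as the JSON that gcloud logging read --format=json returns, so a batch can be triaged offline. The sample entries are constructed; where the breakglass and fail-open markers sit inside an entry is an assumption, so they are matched as substrings of the whole entry, the way the free-text terms in the Logs Explorer queries are.

```python
import json

# Field values and marker strings are the ones used by the queries on this page.
CREATE, UPDATE = "io.k8s.core.v1.pods.create", "io.k8s.core.v1.pods.update"
BREAKGLASS_MARKER = "image-policy.k8s.io/break-glass"
FAILED_OPEN_MARKERS = ("image-policy.k8s.io/failed-open",
                       "imagepolicywebhook.image-policy.k8s.io/failed-open")
DRY_RUN_LABEL = "imagepolicywebhook.image-policy.k8s.io/dry-run"

def classify(entry):
    """Return "blocked", "dry_run", "breakglass", "fail_open", or None for one audit entry."""
    # Scope exactly as the page's queries do: k8s_cluster activity log, pod create/update.
    if entry.get("resource", {}).get("type") != "k8s_cluster":
        return None
    if "cloudaudit.googleapis.com%2Factivity" not in entry.get("logName", ""):
        return None
    payload = entry.get("protoPayload", {})
    if payload.get("methodName") not in (CREATE, UPDATE):
        return None
    response = payload.get("response", {})
    if response.get("status") == "Failure" and response.get("reason") == "Forbidden":
        return "blocked"
    if entry.get("labels", {}).get(DRY_RUN_LABEL) == "true":
        return "dry_run"
    # Match the marker annotations anywhere in the entry, as the free-text query terms do.
    blob = json.dumps(entry)
    if BREAKGLASS_MARKER in blob:
        return "breakglass"
    if any(marker in blob for marker in FAILED_OPEN_MARKERS):
        return "fail_open"
    return None

def sample_entry(method, **fields):
    """Constructed sample entry carrying the scoping fields every page query relies on."""
    entry = {"resource": {"type": "k8s_cluster"}, "protoPayload": {"methodName": method},
             "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity"}
    entry["protoPayload"].update(fields.pop("protoPayload", {}))
    entry.update(fields)
    return entry

# Constructed samples: one per enforcement condition, then an ordinary successful create.
SAMPLE_ENTRIES = [
    sample_entry(CREATE, protoPayload={"response": {"status": "Failure", "reason": "Forbidden"}}),
    sample_entry(CREATE, protoPayload={"request": {"metadata": {"annotations": {BREAKGLASS_MARKER: "true"}}}}),
    sample_entry(UPDATE, protoPayload={"response": {"metadata": {"annotations": {FAILED_OPEN_MARKERS[1]: "true"}}}}),
    sample_entry(CREATE, labels={DRY_RUN_LABEL: "true"}),
    sample_entry(CREATE, protoPayload={"response": {"status": "Success"}}),
]
```

Entries outside the scope the page's queries share (another resource type, another log, or a non-pod method) return None, so only pod admission decisions are counted.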