Viewing Binary Authorization for GKE on-prem audit log entries

This document describes how to view Binary Authorization for GKE on-prem audit log entries. Use these entries to troubleshoot the setup and operation of the system: a Pod that was unexpectedly rejected, a policy that was expected to block but ran in dry-run mode, or a break-glass override that bypassed enforcement.

The procedure below queries the entries with Cloud Audit Logs in the Cloud Console. You can also query the same entries through the Cloud Audit Logs API.

View Cloud Audit Logs entries

  1. In the Cloud Console, go to the Cloud Audit Logs page.

  2. Select the Google Cloud project you configured in the cloudAuditLogging section of your user cluster configuration file.

  3. Enter a filter in the query box. Example filters for Binary Authorization for GKE on-prem log entries are given in the following sections.

  4. Select the activity log:

    1. Select the Log name combo box.

    2. Enter externalaudit.googleapis.com in the text box.

    3. Select the log named externalaudit.googleapis.com.

    4. Click Add.

  5. Make sure the selected time range covers the period when the events would have occurred; entries outside the range are not returned, so an empty result may only mean the range is wrong.

  6. Click Run Query.

View rejected Deployment log entries

Binary Authorization enforces at Pod admission, so a rejected Deployment does not show up as a failed Deployment write: the Deployment object is created, and the failures appear on the Pod create or update requests made on its behalf. To find those entries, use the following query:

resource.type="k8s_cluster"
protoPayload.serviceName="anthosgke.googleapis.com"
(protoPayload.methodName="io.k8s.core.v1.pods.create" OR
 protoPayload.methodName="io.k8s.core.v1.pods.update")
protoPayload.response.status="Failure"

View dry run log entries

In dry-run mode a Pod that violates the policy is admitted and the violation is only logged, so such entries do not appear in the rejected query above. To find Cloud Audit Logs entries for Pod create or update requests evaluated with dry run enabled, use the following query:

resource.type="k8s_cluster"
protoPayload.serviceName="anthosgke.googleapis.com"
(protoPayload.methodName="io.k8s.core.v1.pods.create" OR
 protoPayload.methodName="io.k8s.core.v1.pods.update")
labels."binaryauthorization.googleapis.com/dry-run"="true"

View breakglass log entries

A break-glass Pod is admitted without the policy being enforced, so these entries are the record of every bypass and are worth reviewing on a schedule rather than only when troubleshooting. To find Cloud Audit Logs entries for Pod create or update requests with break glass enabled, use the following query:

resource.type="k8s_cluster"
protoPayload.serviceName="anthosgke.googleapis.com"
(protoPayload.methodName="io.k8s.core.v1.pods.create" OR
 protoPayload.methodName="io.k8s.core.v1.pods.update")
labels."binaryauthorization.googleapis.com/break-glass"="true"
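The three queries above, together with the API route mentioned at the top of this document, as an added worked example that is not code from the original page or from Google's tooling. It restates the three filters as Python predicates, runs them over constructed LogEntry dicts shaped like the JSON that `gcloud logging read --format=json` returns, and builds the equivalent `gcloud logging read` command for each query (using the real `--project`, `--freshness`, `--limit` and `--format` flags). The sample entries, their insertIds and their messages are constructed for this example; the exact fields of a real entry are richer, but the filters only touch the ones shown.

```python
"""Offline check of the three Binary Authorization for GKE on-prem audit queries.

Added example; not code from the original page or from Google. Filters are the
ones printed on the page; SAMPLE_ENTRIES is constructed (ids and messages made up).
"""
import json
import shlex

SERVICE = "anthosgke.googleapis.com"
POD_METHODS = ("io.k8s.core.v1.pods.create", "io.k8s.core.v1.pods.update")
DRY_RUN_LABEL = "binaryauthorization.googleapis.com/dry-run"
BREAK_GLASS_LABEL = "binaryauthorization.googleapis.com/break-glass"

# Terms shared by all three queries on the page.
_COMMON = (
    'resource.type="k8s_cluster"\n'
    f'protoPayload.serviceName="{SERVICE}"\n'
    f'(protoPayload.methodName="{POD_METHODS[0]}" OR\n'
    f' protoPayload.methodName="{POD_METHODS[1]}")\n'
)
FILTERS = {
    "rejected": _COMMON + 'protoPayload.response.status="Failure"',
    "dry_run": _COMMON + f'labels."{DRY_RUN_LABEL}"="true"',
    "break_glass": _COMMON + f'labels."{BREAK_GLASS_LABEL}"="true"',
}


def gcloud_read_command(kind, project, freshness="1d", limit=100):
    """argv for the same query through the Logging API with gcloud.
    --freshness bounds the time range, the job the console's time picker does."""
    return ["gcloud", "logging", "read", FILTERS[kind], f"--project={project}",
            f"--freshness={freshness}", f"--limit={limit}", "--format=json"]


def _get(entry, *path):
    """Dotted-path lookup (resource.type, protoPayload.response.status, ...)."""
    node = entry
    for key in path:
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node


def _is_pod_write(entry):
    """Common terms: k8s_cluster resource, anthosgke service, Pod create/update."""
    return (_get(entry, "resource", "type") == "k8s_cluster"
            and _get(entry, "protoPayload", "serviceName") == SERVICE
            and _get(entry, "protoPayload", "methodName") in POD_METHODS)


def is_rejected(entry):
    """Admission denied the Pod write: the API server's Status response is Failure."""
    return _is_pod_write(entry) and _get(entry, "protoPayload", "response", "status") == "Failure"


def is_dry_run(entry):
    """Policy evaluated in dry-run mode: Pod admitted, entry labelled."""
    return _is_pod_write(entry) and _get(entry, "labels", DRY_RUN_LABEL) == "true"


def is_break_glass(entry):
    """Policy bypassed with break glass: Pod admitted, entry labelled."""
    return _is_pod_write(entry) and _get(entry, "labels", BREAK_GLASS_LABEL) == "true"


PREDICATES = {"rejected": is_rejected, "dry_run": is_dry_run, "break_glass": is_break_glass}


def triage(entries):
    """Map each query name to the insertIds it would return for these entries."""
    return {name: [e.get("insertId") for e in entries if pred(e)]
            for name, pred in PREDICATES.items()}


# Constructed sample, trimmed to the fields the filters touch.
SAMPLE_ENTRIES = json.loads(r'''[
 {"insertId": "e1", "resource": {"type": "k8s_cluster"},
  "protoPayload": {"serviceName": "anthosgke.googleapis.com",
                   "methodName": "io.k8s.core.v1.pods.create",
                   "response": {"status": "Failure", "reason": "Forbidden",
                                "message": "constructed: image not attested"}}},
 {"insertId": "e2", "resource": {"type": "k8s_cluster"},
  "labels": {"binaryauthorization.googleapis.com/dry-run": "true"},
  "protoPayload": {"serviceName": "anthosgke.googleapis.com",
                   "methodName": "io.k8s.core.v1.pods.create",
                   "response": {"status": "Success"}}},
 {"insertId": "e3", "resource": {"type": "k8s_cluster"},
  "labels": {"binaryauthorization.googleapis.com/break-glass": "true"},
  "protoPayload": {"serviceName": "anthosgke.googleapis.com",
                   "methodName": "io.k8s.core.v1.pods.update",
                   "response": {"status": "Success"}}},
 {"insertId": "e4", "resource": {"type": "k8s_cluster"},
  "protoPayload": {"serviceName": "anthosgke.googleapis.com",
                   "methodName": "io.k8s.apps.v1.deployments.create",
                   "response": {"status": "Success"}}},
 {"insertId": "e5", "resource": {"type": "gce_instance"},
  "protoPayload": {"serviceName": "anthosgke.googleapis.com",
                   "methodName": "io.k8s.core.v1.pods.create",
                   "response": {"status": "Failure"}}}
]''')

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_ENTRIES), indent=2))
    print(shlex.join(gcloud_read_command("rejected", "my-project")))
```

Running it shows the two behaviours worth remembering when a query comes back empty: the dry-run entry e2 is admitted (status Success) and so is returned only by the dry-run query, never by the rejected one; and the Deployment create e4 succeeds and matches nothing, because the enforcement decision is recorded on the Pod writes, not on the Deployment. Entry e5 has a failing Pod write but the wrong resource type, a reminder that every term in the filter is a hard AND.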