This document describes how to view log entries produced by Binary Authorization for Anthos clusters. These entries can be used to troubleshoot the system setup and use.
This document describes how to use Cloud Audit Logs to query for log entries. You can also query log entries through the Cloud Audit Logs API.
View Cloud Audit Logs entries
In the Google Cloud console, go to the Cloud Audit Logs page.
Select the Google Cloud project you configured in the cloudAuditLogging section of your user cluster configuration file.
Enter a filter. You can find example filters for Binary Authorization for Anthos clusters log entries in the following sections.
Select the activity log:
Select the Log name combo box.
Enter externalaudit.googleapis.com in the text box.
Select the log named externalaudit.googleapis.com.
Click Add.
Make sure you select the time period when the events would have occurred.
Click Run Query.
View rejected Deployment log entries
To find Cloud Audit Logs entries for rejected Deployments, use the following query:
resource.type="k8s_cluster"
(protoPayload.methodName="io.k8s.core.v1.pods.create" OR
protoPayload.methodName="io.k8s.core.v1.pods.update")
protoPayload.response.status="Failure"
View dry run log entries
To find Cloud Audit Logs entries related to Pod create or update with dry run enabled, use the following query:
resource.type="k8s_cluster"
(protoPayload.methodName="io.k8s.core.v1.pods.create" OR
protoPayload.methodName="io.k8s.core.v1.pods.update")
labels."binaryauthorization.googleapis.com/dry-run"="true"
View breakglass log entries
To find Cloud Audit Logs entries related to Pod create or update with breakglass enabled, use the following query:
resource.type="k8s_cluster"
(protoPayload.methodName="io.k8s.core.v1.pods.create" OR
protoPayload.methodName="io.k8s.core.v1.pods.update")
(labels."binaryauthorization.googleapis.com/break-glass"="true" OR
protoPayload.request.metadata.labels."image-policy.k8s.io/break-glass"="true")
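The three filters above share the resource.type and methodName clauses and differ only in the last condition, so one pass over exported entries can tag each entry with every filter it satisfies. The following is an added example, not part of the original documentation: it assumes entries have been exported as JSON objects shaped like LogEntry, and the sample entries and the helper names (dig, classify, make_entry, triage) are constructed for illustration.

```python
POD_WRITES = {"io.k8s.core.v1.pods.create", "io.k8s.core.v1.pods.update"}
DRY_RUN = "binaryauthorization.googleapis.com/dry-run"
BREAK_GLASS = "binaryauthorization.googleapis.com/break-glass"
POD_BREAK_GLASS = "image-policy.k8s.io/break-glass"

def dig(obj, *path):
    """Follow nested keys; None if any level is missing (absent fields never match)."""
    for key in path:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj

def classify(entry):
    """Return which of the page's three filters a LogEntry dict satisfies."""
    tags = set()
    # Clauses shared by all three filters: cluster resource, Pod create/update.
    if dig(entry, "resource", "type") != "k8s_cluster":
        return tags
    if dig(entry, "protoPayload", "methodName") not in POD_WRITES:
        return tags
    if dig(entry, "protoPayload", "response", "status") == "Failure":
        tags.add("rejected")
    if dig(entry, "labels", DRY_RUN) == "true":
        tags.add("dry-run")
    # Break-glass is recorded either on the log entry or on the Pod's own labels.
    if "true" in (dig(entry, "labels", BREAK_GLASS),
                  dig(entry, "protoPayload", "request", "metadata", "labels", POD_BREAK_GLASS)):
        tags.add("break-glass")
    return tags

def make_entry(entry_id, method, status=None, labels=None, pod_labels=None):
    """Build a constructed sample entry holding only the fields the filters read."""
    return {"insertId": entry_id, "resource": {"type": "k8s_cluster"}, "labels": labels or {},
            "protoPayload": {"methodName": method, "response": {"status": status},
                             "request": {"metadata": {"labels": pod_labels or {}}}}}

# Constructed sample data, not real cluster output.
SAMPLE = [
    make_entry("a1", "io.k8s.core.v1.pods.create", status="Failure"),
    make_entry("a2", "io.k8s.core.v1.pods.update", labels={DRY_RUN: "true"}),
    make_entry("a3", "io.k8s.core.v1.pods.create", pod_labels={POD_BREAK_GLASS: "true"}),
    make_entry("a4", "io.k8s.core.v1.pods.create", labels={BREAK_GLASS: "true", DRY_RUN: "true"}),
    make_entry("a5", "io.k8s.apps.v1.deployments.create", status="Failure"),
]

def triage(entries):
    """Map insertId -> sorted list of matched filter names."""
    return {e["insertId"]: sorted(classify(e)) for e in entries}

if __name__ == "__main__":
    for entry_id, tags in triage(SAMPLE).items():
        print(entry_id, ", ".join(tags) or "no match")
```

Entry a5 is a failed call that is not a Pod create or update, so it matches none of the filters; break-glass entries are usually the ones worth reviewing first, since they record a deployment that bypassed policy enforcement.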