View audit logs for Anthos clusters on VMware

Stay organized with collections Save and categorize content based on your preferences.

This document describes how to view log entries produced by Binary Authorization for Anthos clusters on VMware. These entries can be used to troubleshoot the system setup and use.

This document describes how to use Cloud Audit Logs to query for log entries. You can also query log entries through the Cloud Audit Logs API.

View Cloud Audit Logs entries

  1. In the Google Cloud console, go to the Cloud Audit Logs page.

    Go to Cloud Audit Logs

  2. Select the Google Cloud project you configured in the cloudAuditLogging section of your user cluster configuration file.

  3. Enter a filter. You can find example filters for Binary Authorization for Anthos clusters on VMware log entries in the following sections.

  4. Select the activity log:

    1. Select the Log name combo box.

    2. Enter externalaudit.googleapis.com in the text box.

    3. Select the log named externalaudit.googleapis.com.

    4. Click Add.

    5. Make sure you select the time period when the events would have occurred.

  5. Click Run Query.

View rejected Deployment log entries

To find Cloud Audit Logs entries for rejected Deployments, use the following query:

resource.type="k8s_cluster"
protoPayload.serviceName="anthosgke.googleapis.com"
(protoPayload.methodName="io.k8s.core.v1.pods.create" OR
 protoPayload.methodName="io.k8s.core.v1.pods.update")
protoPayload.response.status="Failure"

View dry run log entries

To find Cloud Audit Logs entries related to Pod create or update with dry run enabled, use the following query:

resource.type="k8s_cluster"
protoPayload.serviceName="anthosgke.googleapis.com"
(protoPayload.methodName="io.k8s.core.v1.pods.create" OR
 protoPayload.methodName="io.k8s.core.v1.pods.update")
labels."binaryauthorization.googleapis.com/dry-run"="true"

View breakglass log entries

To find Cloud Audit Logs entries related to Pod create or update with breakglass enabled, use the following query:

resource.type="k8s_cluster"
protoPayload.serviceName="anthosgke.googleapis.com"
(protoPayload.methodName="io.k8s.core.v1.pods.create" OR
  protoPayload.methodName="io.k8s.core.v1.pods.update")
labels."binaryauthorization.googleapis.com/break-glass"="true"