View audit logs for Google Distributed Cloud

This document describes how to view log entries produced by Binary Authorization for Google Distributed Cloud software. You can use these entries to troubleshoot the setup and use of the system.

To enable Cloud Audit Logs, you must configure the cloudAuditLogging section of your user cluster configuration file to properly forward log events. If your GKE clusters on GDC are not configured to forward log entries, you can view local audit logs by using keyword searches. Entries in local logs are formatted as described in this document.

This document describes how to use Cloud Audit Logs to query for log entries. You can also query log entries through the Cloud Audit Logs API.

View Cloud Audit Logs entries

  1. In the Google Cloud console, go to the Cloud Audit Logs page.

  2. Select the Google Cloud project you configured in the cloudAuditLogging section of your user cluster configuration file.

  3. Enter a filter. You can find example filters for Binary Authorization for Distributed Cloud log entries in the following sections.

  4. Select the activity log:

    1. Select the Log name combo box.

    2. Enter externalaudit.googleapis.com in the text field.

    3. Select the log named externalaudit.googleapis.com.

    4. Click Add.

    5. Make sure you select the time period when the events would have occurred.

  5. Click Run Query.

View rejected Deployment log entries

To find Cloud Audit Logs entries for rejected Deployments, use the following query:

resource.type="k8s_cluster"
(protoPayload.methodName="io.k8s.core.v1.pods.create" OR
 protoPayload.methodName="io.k8s.core.v1.pods.update")
protoPayload.response.status="Failure"

View dry run log entries

To find Cloud Audit Logs entries related to Pod create or update with dry run enabled, use the following query:

resource.type="k8s_cluster"
(protoPayload.methodName="io.k8s.core.v1.pods.create" OR
 protoPayload.methodName="io.k8s.core.v1.pods.update")
labels."binaryauthorization.googleapis.com/dry-run"="true"

View breakglass log entries

To find Cloud Audit Logs entries related to Pod create or update with breakglass enabled, use the following query:

resource.type="k8s_cluster"
(protoPayload.methodName="io.k8s.core.v1.pods.create" OR
 protoPayload.methodName="io.k8s.core.v1.pods.update")
(labels."binaryauthorization.googleapis.com/break-glass"="true" OR
 protoPayload.request.metadata.labels."image-policy.k8s.io/break-glass"="true")
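The three queries above test the same handful of fields. As an added example (not Google's code), the following Python applies those same tests to audit entries exported as newline-delimited JSON, which is useful when checking local audit logs on a cluster that is not forwarding to Cloud Audit Logs. The sample entries are constructed for illustration and only contain the fields the queries read.

```python
import json
POD_WRITE_METHODS = {"io.k8s.core.v1.pods.create", "io.k8s.core.v1.pods.update"}

# Constructed sample entries (newline-delimited JSON), not real exported logs.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"resource": {"type": "k8s_cluster"}, "labels": {},
     "protoPayload": {"methodName": "io.k8s.core.v1.pods.create",
                      "response": {"status": "Failure"}}},
    {"resource": {"type": "k8s_cluster"},
     "labels": {"binaryauthorization.googleapis.com/dry-run": "true"},
     "protoPayload": {"methodName": "io.k8s.core.v1.pods.update",
                      "response": {"status": "Success"}}},
    {"resource": {"type": "k8s_cluster"}, "labels": {},
     "protoPayload": {"methodName": "io.k8s.core.v1.pods.create",
                      "request": {"metadata": {"labels": {"image-policy.k8s.io/break-glass": "true"}}},
                      "response": {"status": "Success"}}},
    # Failed ConfigMap write: not a Pod method, so none of the queries match.
    {"resource": {"type": "k8s_cluster"}, "labels": {},
     "protoPayload": {"methodName": "io.k8s.core.v1.configmaps.create",
                      "response": {"status": "Failure"}}},
])

def _is_pod_write(entry):
    # Shared prefix of all three queries: a k8s_cluster Pod create or update.
    return (entry.get("resource", {}).get("type") == "k8s_cluster"
            and entry.get("protoPayload", {}).get("methodName") in POD_WRITE_METHODS)

def is_rejected(entry):
    # protoPayload.response.status="Failure"
    return (_is_pod_write(entry)
            and entry["protoPayload"].get("response", {}).get("status") == "Failure")

def is_dry_run(entry):
    # labels."binaryauthorization.googleapis.com/dry-run"="true"
    return (_is_pod_write(entry) and
            entry.get("labels", {}).get("binaryauthorization.googleapis.com/dry-run") == "true")

def is_breakglass(entry):
    # Either break-glass label: on the entry itself, or on the requested Pod's metadata.
    req_labels = (entry.get("protoPayload", {}).get("request", {})
                  .get("metadata", {}).get("labels", {}))
    return _is_pod_write(entry) and (
        entry.get("labels", {}).get("binaryauthorization.googleapis.com/break-glass") == "true"
        or req_labels.get("image-policy.k8s.io/break-glass") == "true")

def classify(raw_lines):
    # Map each newline-delimited JSON entry to the set of query names it matches.
    checks = {"rejected": is_rejected, "dry_run": is_dry_run, "breakglass": is_breakglass}
    return [{name for name, check in checks.items() if check(json.loads(line))}
            for line in raw_lines]
```

Running `classify(SAMPLE_LOG.splitlines())` yields one match per sample entry in order (rejected, dry run, breakglass) and an empty set for the ConfigMap entry.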