Workload location | Root only workloads |
---|---|
Audit log source | Kubernetes audit logs |
Audited operations | CRUD operations to the DHCP config |
CRUD operations to the DHCP config
The CRUD operations include data changes to the DHCP config, which are logged in the audit log server.
Fields in the log entry that contain audit information | ||
---|---|---|
Audit metadata | Audit field name | Value |
User or service identity | userAgent, user_name | For example, "userAgent": "kubectl/v1.23.5 (linux/amd64) kubernetes/c285e78", "user": { "username": "kubernetes-admin" } |
Target (Fields and values that call the API) | requestURI | For example, "requestURI": "/api/v1/namespaces/gpc-system/configmaps/gpc-dhcp-conf?fieldManager=kubectl-edit" |
Action (Fields containing the performed operation) | verb | For example, |
Event timestamp | requestReceivedTimestamp | For example, |
Source of action | _gdch_service_name | For example, "_gdch_service_name": "apiserver" |
Outcome | code | For example, "responseStatus": { "code": 200, } |
Example log
```json
{
  "_gdch_cluster": "root-admin",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-2z87b",
  "_gdch_service_name": "apiserver",
  "annotations": {
    "authorization_k8s_io_decision": "allow",
    "authorization_k8s_io_reason": ""
  },
  "apiGroup": "UNKNOWN",
  "apiVersion": "audit.k8s.io/v1",
  "auditID": "8841cec6-1557-4278-8ba2-1f89b7953a81",
  "cluster": "root-admin",
  "auditID": "069120c2-c182-4e8f-b863-9c640885bf2b",
  "fluentbit_pod": "anthos-audit-logs-forwarder-2z87b",
  "kind": "Event",
  "level": "Metadata",
  "objectRef": {
    "apiGroup": "UNKNOWN",
    "apiVersion": "v1",
    "name": "gpc-dhcp-conf",
    "namespace": "gpc-system",
    "resource": "configmaps"
  },
  "requestReceivedTimestamp": "2022-12-13T06:59:55.681994Z",
  "requestURI": "/api/v1/namespaces/gpc-system/configmaps/gpc-dhcp-conf?fieldManager=kubectl-edit",
  "responseStatus": {
    "code": 200
  },
  "service_name": "apiserver",
  "stage": "ResponseComplete",
  "stageTimestamp": "2022-12-13T06:59:55.699551Z",
  "userAgent": "kubectl/v1.23.5 (linux/amd64) kubernetes/c285e78",
  "user": {
    "username": "kubernetes-admin"
  },
  "verb": "patch",
  "Detected": "fields",
  "Time": "1670915285440",
  "tsNs": "1670915285440328017"
}
```
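
The following Python is an added example, not part of the original page or of the product. It reads the audit fields listed in the table out of JSON-lines audit entries and flags writes to the DHCP ConfigMap, both successful and denied. The function names, the JSON-lines input format, the handling of 401/403 as "denied" and the sample entries are assumptions constructed for illustration, shaped after the example log.

```python
import json

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}  # get/list/watch are reads
DHCP_TARGET = ("gpc-system", "configmaps", "gpc-dhcp-conf")  # from the page's example log

def audit_summary(entry):
    """Extract the audit metadata fields listed in the table from one entry."""
    return {
        "identity": entry.get("user", {}).get("username"),
        "user_agent": entry.get("userAgent"),
        "target": entry.get("requestURI"),
        "action": entry.get("verb"),
        "timestamp": entry.get("requestReceivedTimestamp"),
        "source": entry.get("_gdch_service_name"),
        "outcome": entry.get("responseStatus", {}).get("code"),
    }

def classify(entry):
    """Return 'changed' or 'denied' for a write to the DHCP config, else None."""
    ref = entry.get("objectRef", {})
    if (ref.get("namespace"), ref.get("resource"), ref.get("name")) != DHCP_TARGET:
        return None
    # Only the final stage carries the response code; earlier stages would double count.
    if entry.get("verb") not in WRITE_VERBS or entry.get("stage") != "ResponseComplete":
        return None
    code = entry.get("responseStatus", {}).get("code", 0)
    if 200 <= code < 300:
        return "changed"
    return "denied" if code in (401, 403) else None

def review(lines):
    """Return (classification, summary) for each DHCP config write in JSON lines."""
    entries = (json.loads(line) for line in lines)
    return [(classify(e), audit_summary(e)) for e in entries if classify(e)]

def sample_line(user, verb, code, name="gpc-dhcp-conf"):
    """Build one constructed log line shaped like the page's example log."""
    return json.dumps({
        "_gdch_service_name": "apiserver", "stage": "ResponseComplete", "verb": verb,
        "objectRef": {"namespace": "gpc-system", "resource": "configmaps", "name": name},
        "requestURI": f"/api/v1/namespaces/gpc-system/configmaps/{name}",
        "requestReceivedTimestamp": "2022-12-13T06:59:55.681994Z",
        "responseStatus": {"code": code}, "user": {"username": user},
        "userAgent": "kubectl/v1.23.5 (linux/amd64) kubernetes/c285e78"})

# Constructed sample input: one change, one denied attempt, one read, one unrelated object.
SAMPLE = [sample_line("kubernetes-admin", "patch", 200),
          sample_line("example-user", "delete", 403),
          sample_line("kubernetes-admin", "get", 200),
          sample_line("kubernetes-admin", "patch", 200, name="other-config")]
```

Calling `review(SAMPLE)` returns the successful patch and the denied delete; the read and the write to the unrelated ConfigMap are ignored.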