Workload location |
Root only workloads |
Audit log source | |
Audited operations |
Perform operations on the KRM API Management Plane |
Perform operations on the KRM API Management Plane
Fields in the log entry that contain audit information | ||
---|---|---|
Audit metadata | Audit field name | Value |
User or service identity | user |
For example, "user":{"uid": "253b9e2f-fde2-4e37-ae7b-36a55d57aafb", "username": "system:serviceaccount: gatekeeper-system: gatekeeper-admin", "extra": {"authentication.kubernet es.io/pod-name": [ "gatekeeper-audit-7fd7bc5d97-x9x8b"], "authentication.kubernetes.io/pod-uid":["e62eaabc-2530-4c36-b793-a98b42c061eb"]}, "groups":["system: serviceaccounts", "system: serviceacc ounts: gatekeeper-system", "system: authenticated"]} |
Target (Fields and values that call the API) |
requestURI |
For example,
|
Action (Fields containing the performed operation) |
verb |
"verb":"list"
|
Event timestamp | requestReceivedTimestamp |
For example,
|
Source of action | sourceIPs |
For example,
|
Outcome | responseStatus |
For example,
|
Other fields | annotations |
For example, "annotations":{"authorization.k8s.io/decision": "allow","authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"gatekeeper-manager-rolebinding\" of ClusterRole \"gatekeeper-manager-role\" to ServiceAccount \"gatekeeper-admin/gatekeeper-system\""} |
Example log
{
"userAgent":"gatekeeper/v3.7.0 (linux/amd64) 3ba8e93/2021-11-15T20:59:44Z",
"sourceIPs":[
"10.200.0.4"
],
"objectRef":{
"apiGroup":"resourcemanager.gdc.goog",
"resource":"organizations",
"apiVersion":"v1alpha1"
},
"stageTimestamp":"2022-12-06T23:05:22.590986Z",
"kind":"Event",
"apiVersion":"audit.k8s.io/v1",
"level":"Metadata",
"auditID":"38da3a00-47b8-424f-8d63-d89258e2043e",
"requestReceivedTimestamp":"2022-12-06T23:05:22.586546Z",
"verb":"list",
"_gdch_cluster":"root-admin",
"_gdch_fluentbit_pod":"anthos-audit-logs-forwarder-2j85z",
"stage":"ResponseComplete",
"responseStatus":{
"code":200,
"metadata":{}
},
"user":{
"uid":"253b9e2f-fde2-4e37-ae7b-36a55d57aafb",
"username":"system:serviceaccount:gatekeeper-system:gatekeeper-admin",
"extra":{
"authentication.kubernet es.io/pod-name":[
"gatekeeper-audit-7fd7bc5d97-x9x8b"
],
"authentication.kubernetes.io/pod-uid":[
"e62eaabc-2530-4c36-b793-a98b42c061eb"
]
},
"groups":[
"system:serviceaccounts",
"system:serviceaccounts:gatekeeper-system",
"system: authenticated"
]
},
"requestURI":"/apis/resourcemanager.gdc.goog/v1alpha1/organizations?limit=500",
"annotations":{
"authorization.k8s.io/decision":"allow",
"authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"gatekeeper-manager-rolebinding\" of ClusterRole \"gatekeeper-manager-role\" to ServiceAccount \"gatekeeper-admin/gatekeeper-system\""
},
"_gdch_service_name":"apiserver"
}