| 工作负载位置 |
文件存储和块存储 |
| 审核日志源 |
|
| 接受审核的操作 |
|
项目网络政策的 CRUD 操作
日志类型:KRM API 管理平面审核日志。
| 包含审核信息的日志条目中的字段 | ||
|---|---|---|
| 审核元数据 | 审核字段名称 | 值 |
| 用户或服务身份 | user |
例如, "user": { "uid": "6e805ff0-3f8c-4073-b4e1-6a0582ff1263", "username": "system:serviceaccount:gpc-system:fleet-admin-controller", "extra": { "authentication.kubernetes.io/pod-uid": [ "45ce2b16-3584-448e-8caf-49cb299dfb55" ], "authentication.kubernetes.io/pod-name": [ "fleet-admin-controller-5b5d848876-764mt" ] }, "groups": [ "system:serviceaccounts", "system:serviceaccounts:gpc-system", "system:authenticated" ] } |
|
目标 (调用 API 的字段和值) |
requestURI |
|
|
操作 (包含所执行操作的字段) |
verb |
例如,
|
| 活动时间戳 | requestReceivedTimestamp |
例如,
|
| 操作来源 | sourceIPs |
例如, "sourceIPs": [ "10.253.164.215" ] |
| 结果 | stage |
例如,
|
| 其他字段 | 不适用 | 不适用 |
日志示例
{
"auditID": "ff8266f6-685f-4239-9ab8-c55083d575e0",
"responseStatus": {
"code": 200,
"metadata": {}
},
"level": "Metadata",
"requestURI": "/apis/networking.gdc.goog/v1alpha1/namespaces/platform-obs/projectnetworkpolicies/base-policy-allow-intra-project-traffic/status",
"user": {
"uid": "6e805ff0-3f8c-4073-b4e1-6a0582ff1263",
"username": "system:serviceaccount:gpc-system:fleet-admin-controller",
"extra": {
"authentication.kubernetes.io/pod-uid": [
"45ce2b16-3584-448e-8caf-49cb299dfb55"
],
"authentication.kubernetes.io/pod-name": [
"fleet-admin-controller-5b5d848876-764mt"
]
},
"groups": [
"system:serviceaccounts",
"system:serviceaccounts:gpc-system",
"system:authenticated"
]
},
"_gdch_cluster": "org-1-admin",
"objectRef": {
"resource": "projectnetworkpolicies",
"apiGroup": "networking.gdc.goog",
"name": "base-policy-allow-intra-project-traffic",
"apiVersion": "v1alpha1",
"namespace": "platform-obs",
"subresource": "status"
},
"verb": "patch",
"kind": "Event",
"_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-4267r",
"stage": "ResponseComplete",
"apiVersion": "audit.k8s.io/v1",
"requestReceivedTimestamp": "2022-12-09T04:21:55.497089Z",
"sourceIPs": [
"10.253.164.215"
],
"userAgent": "fleet-admin-cm/v0.0.0 (linux/amd64) kubernetes/$Format",
"stageTimestamp": "2022-12-09T04:21:55.505045Z",
"annotations": {
"authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"fleet-admin-controller\" of ClusterRole \"fleet-admin-controller\" to ServiceAccount \"fleet-admin-controller/gpc-system\"",
"authorization.k8s.io/decision": "allow"
},
"_gdch_service_name": "apiserver"
}
对负载均衡器执行 CRUD 操作
日志类型:KRM API 管理平面审核日志。
| 包含审核信息的日志条目中的字段 | ||
|---|---|---|
| 审核元数据 | 审核字段名称 | 值 |
| 用户或服务身份 | user |
例如, "user": { "groups": [ "system:masters", "system:authenticated" ], "username": "kubernetes-admin" } |
|
目标 (调用 API 的字段和值) |
objectRef.resource |
"objectRef": { "resource": "services" } |
|
操作 (包含所执行操作的字段) |
verb |
例如,
|
| 活动时间戳 | requestReceivedTimestamp |
例如,
|
| 操作来源 | sourceIPs |
例如, "sourceIPs": [ "10.200.0.5" ] |
| 结果 | stage |
例如,
|
| 其他字段 | 不适用 | 不适用 |
日志示例
{
"apiVersion": "audit.k8s.io/v1",
"level": "Metadata",
"_gdch_cluster": "org-1-admin",
"auditID": "113e562b-0576-4b97-bc5f-168a60428f6d",
"user": {
"groups": [
"system:masters",
"system:authenticated"
],
"username": "kubernetes-admin"
},
"stageTimestamp": "2022-12-09T04:29:53.579903Z",
"sourceIPs": [
"10.200.0.5"
],
"responseStatus": {
"code": 200,
"metadata": {}
},
"annotations": {
"authorization.k8s.io/decision": "allow",
"authorization.k8s.io/reason": ""
},
"stage": "ResponseComplete",
"requestURI": "/api/v1/namespaces/harbor-system/services/harbor-harbor-harbor-core",
"_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-8kc9n",
"verb": "get",
"objectRef": {
"apiVersion": "v1",
"apiGroup": "UNKNOWN",
"resource": "services",
"namespace": "harbor-system",
"name": "harbor-harbor-harbor-core"
},
"userAgent": "root-admin-cm/v0.0.0 (linux/amd64) kubernetes/$Format",
"kind": "Event",
"requestReceivedTimestamp": "2022-12-09T04:29:53.577417Z",
"_gdch_service_name": "apiserver"
}
组织基础架构集群和 Management API 服务器的节点流日志
日志类型:数据平面。
| 包含审核信息的日志条目中的字段 | ||
|---|---|---|
| 审核元数据 | 审核字段名称 | 值 |
| 用户或服务身份 | src |
例如, "src": { "pod_name": "konnectivity-agent-58fdb55d57-5h2gj", "workload_kind": "Deployment", "workload_name": "konnectivity-agent", "pod_namespace": "kube-system", "namespace": "kube-system" } |
|
目标 (调用 API 的字段和值) |
dest |
例如, "dest": { "node_name": "xwxwxwx-default-pool-16baec8f-zkjw", "workload_kind": "Node" } |
|
操作 (包含所执行操作的字段) |
不适用 | 不适用 |
| 活动时间戳 | timestamp |
例如,
|
| 操作来源 | src |
例如, "src": { "pod_name": "konnectivity-agent-58fdb55d57-5h2gj", "workload_kind": "Deployment", "workload_name": "konnectivity-agent", "pod_namespace": "kube-system", "namespace": "kube-system" } |
| 结果 | disposition |
例如,
|
| 其他字段 | 不适用 | 不适用 |
日志示例
{
"connection": {
"src_ip": "10.4.0.7",
"dest_ip": "10.128.0.16",
"src_port": 52932,
"dest_port": 10250,
"protocol": "tcp",
"direction": "ingress"
},
"disposition": "allow",
"src": {
"pod_name": "konnectivity-agent-58fdb55d57-5h2gj",
"workload_kind": "Deployment",
"workload_name": "konnectivity-agent",
"pod_namespace": "kube-system",
"namespace": "kube-system"
},
"dest": {
"node_name": "xwxwxwx-default-pool-16baec8f-zkjw",
"workload_kind": "Node"
},
"count": 1,
"node_name": "xwxwxwx-default-pool-16baec8f-zkjw",
"timestamp": "2022-11-21T20:34:32.027881823Z"
}
组织基础架构集群和 Management API 服务器的工作负载流日志
日志类型:数据平面。
| 包含审核信息的日志条目中的字段 | ||
|---|---|---|
| 审核元数据 | 审核字段名称 | 值 |
| 用户或服务身份 | src |
例如, "src": { "instance": "10.4.0.1" } |
|
目标 (调用 API 的字段和值) |
dest |
例如, "dest": { "pod_name": "kube-dns-6d5d89dccb-5fjzs", "workload_kind": "Deployment", "workload_name": "kube-dns", "pod_namespace": "kube_system", "namespace": "kube-system" } |
|
操作 (包含所执行操作的字段) |
不适用 | 不适用 |
| 活动时间戳 | timestamp |
例如,
|
| 操作来源 | src |
例如, "src": { "instance": "10.4.0.1" } |
| 结果 | disposition |
例如,
|
| 其他字段 | 不适用 | 不适用 |
日志示例
{
"connection": {
"src_ip": "10.4.0.1",
"dest_ip": "10.4.0.9",
"src_port": 46768,
"dest_port": 10054,
"protocol": "tcp",
"direction": "ingress"
},
"disposition": "allow",
"policies": [
{
"kind": "CiliumClusterwideNetworkPolicy",
"name": "allow-all"
}
],
"src": {
"instance": "10.4.0.1"
},
"dest": {
"pod_name": "kube-dns-6d5d89dccb-5fjzs",
"workload_kind": "Deployment",
"workload_name": "kube-dns",
"pod_namespace": "kube_system",
"namespace": "kube-system"
},
"count": 1,
"node_name": "xwxwxwx-default-pool-16baec8f-zkjw",
"timestamp": "2022-11-21T20:34:32.027881823Z"
}