Workload location | Root and organization workloads |
---|---|
Audit log source | |
Audited operations | |
Create a Certificate
Fields in the log entry that contain audit information | ||
---|---|---|
Audit metadata | Audit field name | Value |
User or service identity | user.username | For example, "user":{ "username": "system:serviceaccount:kube-system:metrics-server-operator" } |
Target (Fields and values that call the API) | requestURI | |
Action (Fields containing the performed operation) | verb | |
Event timestamp | ts | For example, |
Source of action | sourceIPs | For example, |
Outcome | stage | For example, "stage": "ResponseComplete" |
Other fields | | For example, "kind": "Event", "objectRef": { "namespace": "gke-managed-metrics-server", "apiGroup": "cert-manager.io", "resource": "certificates", "name": "metrics-server-cert", "apiVersion": "v1" } |
Example log
```json
{
  "objectRef": {
    "namespace": "gke-managed-metrics-server",
    "apiGroup": "cert-manager.io",
    "resource": "certificates",
    "name": "metrics-server-cert",
    "apiVersion": "v1"
  },
  "_gdch_service_name": "apiserver",
  "_gdch_tenant_id": "infra-obs",
  "kind": "Event",
  "requestURI": "/apis/cert-manager.io/v1/namespaces/gke-managed-metrics-server/certificates/metrics-server-cert",
  "requestReceivedTimestamp": "2023-01-19T18:25:29.964302Z",
  "auditID": "7190b768-89fa-4fbf-9413-77f273f537d8",
  "stageTimestamp": "2023-01-19T18:25:29.966946Z",
  "user": {
    "uid": "41e7bf0b-fc7b-4fdb-b8df-b6b58b896831",
    "extra": {
      "authentication.kubernetes.io/pod-uid": [
        "b5ea1eeb-95d9-4845-85c5-1fcd2c3d1f9e"
      ],
      "authentication.kubernetes.io/pod-name": [
        "metrics-server-operator-76fcd579d7-gp5df"
      ]
    },
    "username": "system:serviceaccount:kube-system:metrics-server-operator",
    "groups": [
      "system:serviceaccounts",
      "system:serviceaccounts:kube-system",
      "system:authenticated"
    ]
  },
  "level": "Metadata",
  "annotations": {
    "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"metrics-server-operator\" of ClusterRole \"metrics-server-operator\" to ServiceAccount \"metrics-server-operator/kube-system\"",
    "authorization.k8s.io/decision": "allow"
  },
  "stage": "ResponseComplete",
  "userAgent": "manager/v0.0.0 (linux/amd64) kubernetes/$Format",
  "responseStatus": {
    "metadata": {},
    "code": 200
  },
  "sourceIPs": [
    "10.253.128.143"
  ],
  "verb": "get",
  "apiVersion": "audit.k8s.io/v1",
  "_gdch_org_name": "root",
  "_gdch_org_id": "root.zone1.google.gdch.test",
  "_gdch_cluster": "root-admin",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-zthjs"
}
```
Request a certificate
Fields in the log entry that contain audit information | ||
---|---|---|
Audit metadata | Audit field name | Value |
User or service identity | user.username | For example, "user":{ "username": "system:serviceaccount:gatekeeper-system:gatekeeper-admin" } |
Target (Fields and values that call the API) | requestURI | |
Action (Fields containing the performed operation) | verb | |
Event timestamp | requestReceivedTimestamp | For example, |
Source of action | sourceIPs | For example, |
Outcome | responseStatus.code | For example, "responseStatus":{ "code":200 } |
Other fields | | For example, "kind": "Event", "objectRef": { "apiGroup": "cert-manager.io", "resource": "certificaterequests", "apiVersion": "v1" } |
Example log
```json
{
  "objectRef": {
    "apiGroup": "cert-manager.io",
    "resource": "certificaterequests",
    "apiVersion": "v1"
  },
  "_gdch_service_name": "apiserver",
  "_gdch_tenant_id": "infra-obs",
  "kind": "Event",
  "requestURI": "/apis/cert-manager.io/v1/certificaterequests?limit=500",
  "responseStatus": {
    "metadata": {},
    "code": 200
  },
  "apiVersion": "audit.k8s.io/v1",
  "stage": "ResponseComplete",
  "verb": "list",
  "level": "Metadata",
  "requestReceivedTimestamp": "2023-01-19T18:30:11.574690Z",
  "auditID": "dda83584-94dc-4388-bb68-ffa932d94e85",
  "stageTimestamp": "2023-01-19T18:30:11.641010Z",
  "annotations": {
    "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"gatekeeper-manager-rolebinding\" of ClusterRole \"gatekeeper-manager-role\" to ServiceAccount \"gatekeeper-admin/gatekeeper-system\"",
    "authorization.k8s.io/decision": "allow"
  },
  "sourceIPs": [
    "10.253.128.74"
  ],
  "userAgent": "gatekeeper/v3.7.0 (linux/amd64) 3ba8e93/2021-11-15T20:59:44Z",
  "user": {
    "extra": {
      "authentication.kubernetes.io/pod-name": [
        "gatekeeper-audit-5f8c9cc9bf-sjbfr"
      ],
      "authentication.kubernetes.io/pod-uid": [
        "dc956543-76d9-4654-a757-4f4a11c38fa7"
      ]
    },
    "uid": "af529d1d-7139-4afc-b8fd-380218e344b7",
    "username": "system:serviceaccount:gatekeeper-system:gatekeeper-admin",
    "groups": [
      "system:serviceaccounts",
      "system:serviceaccounts:gatekeeper-system",
      "system:authenticated"
    ]
  },
  "_gdch_org_name": "root",
  "_gdch_org_id": "root.zone1.google.gdch.test",
  "_gdch_cluster": "root-admin",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-zthjs"
}
```
TLS secret
Fields in the log entry that contain audit information | ||
---|---|---|
Audit metadata | Audit field name | Value |
User or service identity | user.username | For example, "user":{ "username": "kubernetes-admin" } |
Target (Fields and values that call the API) | requestURI | |
Action (Fields containing the performed operation) | verb | |
Event timestamp | stageTimestamp | For example, |
Source of action | sourceIPs | For example, |
Outcome | responseStatus.code | For example, "requestReceivedTimestamp": "2023-01-19T18:37:17.568664Z" |
Other fields | | For example, "kind": "Event", "objectRef": { "namespace": "istio-system", "apiVersion": "v1", "name": "web-tls", "apiGroup": "UNKNOWN", "resource": "secrets" } |
Example log
```json
{
  "objectRef": {
    "namespace": "istio-system",
    "apiVersion": "v1",
    "name": "web-tls",
    "apiGroup": "UNKNOWN",
    "resource": "secrets"
  },
  "auditID": "83d2c117-fb8b-4dfe-9a16-413c084162c0",
  "_gdch_service_name": "apiserver",
  "_gdch_tenant_id": "infra-obs",
  "kind": "Event",
  "requestURI": "/api/v1/namespaces/istio-system/secrets/web-tls",
  "stageTimestamp": "2023-01-19T18:37:17.571558Z",
  "verb": "get",
  "user": {
    "username": "kubernetes-admin",
    "groups": [
      "system:masters",
      "system:authenticated"
    ]
  },
  "level": "Metadata",
  "sourceIPs": [
    "10.200.0.2"
  ],
  "apiVersion": "audit.k8s.io/v1",
  "responseStatus": {
    "metadata": {},
    "code": 200
  },
  "stage": "ResponseComplete",
  "requestReceivedTimestamp": "2023-01-19T18:37:17.568664Z",
  "userAgent": "k9s/v0.0.0 (linux/amd64) kubernetes/$Format",
  "annotations": {
    "authorization.k8s.io/decision": "allow",
    "authorization.k8s.io/reason": ""
  },
  "_gdch_org_name": "root",
  "_gdch_org_id": "root.zone1.google.gdch.test",
  "_gdch_cluster": "root-admin",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-zthjs"
}
```
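Added example, not part of the original documentation: a small Python normalizer that maps entries like the three above onto the audit-metadata rows of the tables (identity, target, action, timestamp, source, outcome) and then lists completed Secret reads made by identities that are not service accounts. The function names, the trimmed sample lines and the choice to treat such reads as review-worthy are assumptions of this example.

```python
import json

# Constructed sample: trimmed copies of the three example entries on this page,
# plus one truncated line to exercise the error path.
SAMPLE_LINES = [
    '{"verb":"get","stage":"ResponseComplete","responseStatus":{"code":200},"sourceIPs":["10.253.128.143"],'
    '"requestURI":"/apis/cert-manager.io/v1/namespaces/gke-managed-metrics-server/certificates/metrics-server-cert",'
    '"requestReceivedTimestamp":"2023-01-19T18:25:29.964302Z","user":{"username":"system:serviceaccount:kube-system:metrics-server-operator"},'
    '"objectRef":{"namespace":"gke-managed-metrics-server","resource":"certificates","name":"metrics-server-cert"}}',
    '{"verb":"list","stage":"ResponseComplete","responseStatus":{"code":200},"sourceIPs":["10.253.128.74"],'
    '"requestURI":"/apis/cert-manager.io/v1/certificaterequests?limit=500","requestReceivedTimestamp":"2023-01-19T18:30:11.574690Z",'
    '"user":{"username":"system:serviceaccount:gatekeeper-system:gatekeeper-admin"},"objectRef":{"resource":"certificaterequests"}}',
    '{"verb":"get","stage":"ResponseComplete","responseStatus":{"code":200},"sourceIPs":["10.200.0.2"],'
    '"requestURI":"/api/v1/namespaces/istio-system/secrets/web-tls","stageTimestamp":"2023-01-19T18:37:17.571558Z",'
    '"user":{"username":"kubernetes-admin"},"objectRef":{"namespace":"istio-system","resource":"secrets","name":"web-tls"}}',
    '{"verb":"get","stage":',
]

def normalize(e):
    """Map one audit entry onto the audit-metadata rows used in the tables."""
    ref, status = e.get("objectRef") or {}, e.get("responseStatus") or {}
    return {
        "who": (e.get("user") or {}).get("username") or "",
        "target": e.get("requestURI"), "action": e.get("verb"),
        # The tables name a different timestamp field per operation; take the first present.
        "when": next((e[k] for k in ("requestReceivedTimestamp", "stageTimestamp", "ts") if k in e), None),
        "source": e.get("sourceIPs", []),
        "stage": e.get("stage"), "code": status.get("code"),
        "resource": ref.get("resource"), "name": ref.get("name"),
    }

def load(lines):
    """Parse JSON lines, skipping anything that is not a complete JSON object."""
    out = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(entry, dict):
            out.append(normalize(entry))
    return out

def human_secret_reads(records):
    """Completed, successful Secret reads by identities that are not service accounts."""
    return [r for r in records
            if r["resource"] == "secrets" and r["action"] in ("get", "list", "watch")
            and r["stage"] == "ResponseComplete" and r["code"] == 200
            and not r["who"].startswith("system:serviceaccount:")]
```

Calling `human_secret_reads(load(SAMPLE_LINES))` returns only the `kubernetes-admin` read of `web-tls`; list requests such as the `certificaterequests` entry carry no `objectRef.name`, so `name` is `None` for them.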