Certificate Manager (CERT)

Workload location

Root and organization workloads

Audit log source

Kubernetes audit logs

Audited operations

Create a Certificate

Fields in the log entry that contain audit information
Audit metadata Audit field name Value
User or service identity user.username

For example,

"user":{
  "username": "system:serviceaccount:kube-system:metrics-server-operator"
  }

Target

(Fields identifying the resource targeted by the API call)

requestURI

"requestURI": "/apis/cert-manager.io/v1/namespaces/gke-managed-metrics-server/ certificates/metrics-server-cert"

Action

(Fields containing the performed operation)

verb

"verb": "get"

Note that this example records a read (`get`) of an existing Certificate; creating one is logged with `"verb": "create"` and the same `objectRef.resource` (`certificates`). Filter on `verb` together with `objectRef.resource` to tell the two apart.

Event timestamp requestReceivedTimestamp

For example,

"requestReceivedTimestamp": "2023-01-19T18:25:29.964302Z"

Source of action sourceIPs

For example,

"sourceIPs": "10.253.128.143"

Outcome responseStatus.code

For example,

"responseStatus": {
  "code": 200
  }

`stage` (`ResponseComplete` in the example) only records the point in the request lifecycle at which the audit event was emitted; it does not indicate success. Use `responseStatus.code` together with `annotations."authorization.k8s.io/decision"` to determine the outcome.

Other fields
  • kind
  • objectRef

For example,

"kind": "Event"
"objectRef": {
    "namespace": "gke-managed-metrics-server",
    "apiGroup": "cert-manager.io",
    "resource": "certificates",
    "name": "metrics-server-cert",
    "apiVersion": "v1"
  }

Example log

{
  "objectRef": {
    "namespace": "gke-managed-metrics-server",
    "apiGroup": "cert-manager.io",
    "resource": "certificates",
    "name": "metrics-server-cert",
    "apiVersion": "v1"
  },
  "_gdch_service_name": "apiserver",
  "_gdch_tenant_id": "infra-obs",
  "kind": "Event",
  "requestURI": "/apis/cert-manager.io/v1/namespaces/gke-managed-metrics-server/certificates/metrics-server-cert",
  "requestReceivedTimestamp": "2023-01-19T18:25:29.964302Z",
  "auditID": "7190b768-89fa-4fbf-9413-77f273f537d8",
  "stageTimestamp": "2023-01-19T18:25:29.966946Z",
  "user": {
    "uid": "41e7bf0b-fc7b-4fdb-b8df-b6b58b896831",
    "extra": {
      "authentication.kubernetes.io/pod-uid": [
        "b5ea1eeb-95d9-4845-85c5-1fcd2c3d1f9e"
      ],
      "authentication.kubernetes.io/pod-name": [
        "metrics-server-operator-76fcd579d7-gp5df"
      ]
    },
    "username": "system:serviceaccount:kube-system:metrics-server-operator",
    "groups": [
      "system:serviceaccounts",
      "system:serviceaccounts:kube-system",
      "system:authenticated"
    ]
  },
  "level": "Metadata",
  "annotations": {
    "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"metrics-server-operator\" of ClusterRole \"metrics-server-operator\" to ServiceAccount \"metrics-server-operator/kube-system\"",
    "authorization.k8s.io/decision": "allow"
  },
  "stage": "ResponseComplete",
  "userAgent": "manager/v0.0.0 (linux/amd64) kubernetes/$Format",
  "responseStatus": {
    "metadata": {},
    "code": 200
  },
  "sourceIPs": [
    "10.253.128.143"
  ],
  "verb": "get",
  "apiVersion": "audit.k8s.io/v1",
  "_gdch_org_name": "root",
  "_gdch_org_id": "root.zone1.google.gdch.test",
  "_gdch_cluster": "root-admin",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-zthjs"
}

Request a certificate

Fields in the log entry that contain audit information
Audit metadata Audit field name Value
User or service identity user.username

For example,

"user":{
  "username": "system:serviceaccount:gatekeeper-system:gatekeeper-admin"
  }

Target

(Fields identifying the resource targeted by the API call)

requestURI

"requestURI": "/apis/cert-manager.io/v1/certificaterequests?limit=500"

Action

(Fields containing the performed operation)

verb

"verb": "list"

Note that this example is a cluster-wide `list` of CertificateRequests (there is no `namespaces/<name>` segment in `requestURI`, and `objectRef` carries no `namespace` or `name`). Creating a CertificateRequest is logged with `"verb": "create"` and a populated `objectRef.namespace`.

Event timestamp requestReceivedTimestamp

For example,

"requestReceivedTimestamp": "2023-01-19T18:30:11.574690Z"

Source of action sourceIPs

For example,

"sourceIPs":["10.253.128.74"]

Outcome responseStatus.code

For example,

"responseStatus":{
  "code":200
  }

Other fields
  • kind
  • objectRef

For example,

"kind": "Event",
"objectRef": {
    "apiGroup": "cert-manager.io",
    "resource": "certificaterequests",
    "apiVersion": "v1"
  }

Example log

{
  "objectRef": {
    "apiGroup": "cert-manager.io",
    "resource": "certificaterequests",
    "apiVersion": "v1"
  },
  "_gdch_service_name": "apiserver",
  "_gdch_tenant_id": "infra-obs",
  "kind": "Event",
  "requestURI": "/apis/cert-manager.io/v1/certificaterequests?limit=500",
  "responseStatus": {
    "metadata": {},
    "code": 200
  },
  "apiVersion": "audit.k8s.io/v1",
  "stage": "ResponseComplete",
  "verb": "list",
  "level": "Metadata",
  "requestReceivedTimestamp": "2023-01-19T18:30:11.574690Z",
  "auditID": "dda83584-94dc-4388-bb68-ffa932d94e85",
  "stageTimestamp": "2023-01-19T18:30:11.641010Z",
  "annotations": {
    "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"gatekeeper-manager-rolebinding\" of ClusterRole \"gatekeeper-manager-role\" to ServiceAccount \"gatekeeper-admin/gatekeeper-system\"",
    "authorization.k8s.io/decision": "allow"
  },
  "sourceIPs": [
    "10.253.128.74"
  ],
  "userAgent": "gatekeeper/v3.7.0 (linux/amd64) 3ba8e93/2021-11-15T20:59:44Z",
  "user": {
    "extra": {
      "authentication.kubernetes.io/pod-name": [
        "gatekeeper-audit-5f8c9cc9bf-sjbfr"
      ],
      "authentication.kubernetes.io/pod-uid": [
        "dc956543-76d9-4654-a757-4f4a11c38fa7"
      ]
    },
    "uid": "af529d1d-7139-4afc-b8fd-380218e344b7",
    "username": "system:serviceaccount:gatekeeper-system:gatekeeper-admin",
    "groups": [
      "system:serviceaccounts",
      "system:serviceaccounts:gatekeeper-system",
      "system:authenticated"
    ]
  },
  "_gdch_org_name": "root",
  "_gdch_org_id": "root.zone1.google.gdch.test",
  "_gdch_cluster": "root-admin",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-zthjs"
}

TLS secret

Fields in the log entry that contain audit information
Audit metadata Audit field name Value
User or service identity user.username

For example,

"user":{
  "username": "kubernetes-admin"
  }

In this example the caller is `kubernetes-admin`, whose `user.groups` includes `system:masters`. The empty `authorization.k8s.io/reason` is consistent with that superuser group being allowed by the API server before RBAC bindings are consulted, so no binding name is recorded. A read of a TLS secret by such an identity is a privileged action; review `user.groups` in addition to `user.username` when triaging these events.

Target

(Fields identifying the resource targeted by the API call)

requestURI

"requestURI": "/api/v1/namespaces/istio-system/secrets/web-tls"

Action

(Fields containing the performed operation)

verb

"verb": "get"

Event timestamp requestReceivedTimestamp

For example,

"requestReceivedTimestamp": "2023-01-19T18:37:17.568664Z"

Source of action sourceIPs

For example,

"sourceIPs":[""10.200.0.2""]

Outcome responseStatus.code

For example,

"responseStatus":{
  "code":200
  }

The event is recorded at `"level": "Metadata"`, so the request and response bodies — and therefore the secret's contents — are not included in the log entry. A successful read of the secret is visible only through the `200` status code together with `verb` and `objectRef`.

Other fields
  • kind
  • objectRef

For example,

"kind": "Event",
"objectRef": {
    "namespace": "istio-system",
    "apiVersion": "v1",
    "name": "web-tls",
    "apiGroup": "UNKNOWN",
    "resource": "secrets"
  }

Example log

{
  "objectRef": {
    "namespace": "istio-system",
    "apiVersion": "v1",
    "name": "web-tls",
    "apiGroup": "UNKNOWN",
    "resource": "secrets"
  },
  "auditID": "83d2c117-fb8b-4dfe-9a16-413c084162c0",
  "_gdch_service_name": "apiserver",
  "_gdch_tenant_id": "infra-obs",
  "kind": "Event",
  "requestURI": "/api/v1/namespaces/istio-system/secrets/web-tls",
  "stageTimestamp": "2023-01-19T18:37:17.571558Z",
  "verb": "get",
  "user": {
    "username": "kubernetes-admin",
    "groups": [
      "system:masters",
      "system:authenticated"
    ]
  },
  "level": "Metadata",
  "sourceIPs": [
    "10.200.0.2"
  ],
  "apiVersion": "audit.k8s.io/v1",
  "responseStatus": {
    "metadata": {},
    "code": 200
  },
  "stage": "ResponseComplete",
  "requestReceivedTimestamp": "2023-01-19T18:37:17.568664Z",
  "userAgent": "k9s/v0.0.0 (linux/amd64) kubernetes/$Format",
  "annotations": {
    "authorization.k8s.io/decision": "allow",
    "authorization.k8s.io/reason": ""
  },
  "_gdch_org_name": "root",
  "_gdch_org_id": "root.zone1.google.gdch.test",
  "_gdch_cluster": "root-admin",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-zthjs"
}