Halaman ini diterjemahkan oleh Cloud Translation API.

Certificate Manager (CERT)

Lokasi workload	Workload root dan organisasi
Sumber log audit	Log audit Kubernetes
Operasi yang diaudit	Membuat Sertifikat Minta Sertifikat TLS secret

Membuat Sertifikat

Kolom dalam entri log yang berisi informasi audit
Metadata audit	Nama kolom audit	Nilai
Identitas pengguna atau layanan	`user.username`	Misalnya, "user":{ "username": "system:serviceaccount:kube-system:metrics-server-operator" }
Target (Kolom dan nilai yang memanggil API)	`requestURI`	`"requestURI": "/apis/cert-manager.io/v1/namespaces/gke-managed-metrics-server/ certificates/metrics-server-cert"`
Tindakan (Kolom yang berisi operasi yang dilakukan)	`verb`	`"verb": "get"`
Stempel waktu peristiwa	`ts`	Misalnya, `"requestReceivedTimestamp": "2023-01-19T18:25:29.964302Z"`
Sumber tindakan	`sourceIPs`	Misalnya, `"sourceIPs": "10.253.128.143"`
Hasil	`stage`	Misalnya, "stage": "ResponseComplete" }
Kolom lainnya	`kind` `objectRef`	Misalnya, "kind": "Event" "objectRef": { "namespace": "gke-managed-metrics-server", "apiGroup": "cert-manager.io", "resource": "certificates", "name": "metrics-server-cert", "apiVersion": "v1" }

Contoh log

{
  "objectRef": {
    "namespace": "gke-managed-metrics-server",
    "apiGroup": "cert-manager.io",
    "resource": "certificates",
    "name": "metrics-server-cert",
    "apiVersion": "v1"
  },
  "_gdch_service_name": "apiserver",
  "_gdch_tenant_id": "infra-obs",
  "kind": "Event",
  "requestURI": "/apis/cert-manager.io/v1/namespaces/gke-managed-metrics-server/certificates/metrics-server-cert",
  "requestReceivedTimestamp": "2023-01-19T18:25:29.964302Z",
  "auditID": "7190b768-89fa-4fbf-9413-77f273f537d8",
  "stageTimestamp": "2023-01-19T18:25:29.966946Z",
  "user": {
    "uid": "41e7bf0b-fc7b-4fdb-b8df-b6b58b896831",
    "extra": {
      "authentication.kubernetes.io/pod-uid": [
        "b5ea1eeb-95d9-4845-85c5-1fcd2c3d1f9e"
      ],
      "authentication.kubernetes.io/pod-name": [
        "metrics-server-operator-76fcd579d7-gp5df"
      ]
    },
    "username": "system:serviceaccount:kube-system:metrics-server-operator",
    "groups": [
      "system:serviceaccounts",
      "system:serviceaccounts:kube-system",
      "system:authenticated"
    ]
  },
  "level": "Metadata",
  "annotations": {
    "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"metrics-server-operator\" of ClusterRole \"metrics-server-operator\" to ServiceAccount \"metrics-server-operator/kube-system\"",
    "authorization.k8s.io/decision": "allow"
  },
  "stage": "ResponseComplete",
  "userAgent": "manager/v0.0.0 (linux/amd64) kubernetes/$Format",
  "responseStatus": {
    "metadata": {},
    "code": 200
  },
  "sourceIPs": [
    "10.253.128.143"
  ],
  "verb": "get",
  "apiVersion": "audit.k8s.io/v1",
  "_gdch_org_name": "root",
  "_gdch_org_id": "root.zone1.google.gdch.test",
  "_gdch_cluster": "root-admin",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-zthjs"
}

Minta sertifikat

Kolom dalam entri log yang berisi informasi audit
Metadata audit	Nama kolom audit	Nilai
Identitas pengguna atau layanan	`user.username`	Misalnya, "user":{ "username": "system:serviceaccount:gatekeeper-system:gatekeeper-admin" }
Target (Kolom dan nilai yang memanggil API)	`requestURI`	`"requestURI": "/apis/cert-manager.io/v1/certificaterequests?limit=500"`
Tindakan (Kolom yang berisi operasi yang dilakukan)	`verb`	`"verb": "list"`
Stempel waktu peristiwa	`requestReceivedTimestamp`	Misalnya, `"requestReceivedTimestamp": "2023-01-19T18:30:11.574690Z"`
Sumber tindakan	`sourceIPs`	Misalnya, `"sourceIPs":["10.253.128.74"]`
Hasil	`responseStatus.code`	Misalnya, "responseStatus":{ "code":200 }
Kolom lainnya	`kind` `objectRef`	Misalnya, "kind": "Event", "objectRef": { "apiGroup": "cert-manager.io", "resource": "certificaterequests", "apiVersion": "v1" }

Contoh log

{
  "objectRef": {
    "apiGroup": "cert-manager.io",
    "resource": "certificaterequests",
    "apiVersion": "v1"
  },
  "_gdch_service_name": "apiserver",
  "_gdch_tenant_id": "infra-obs",
  "kind": "Event",
  "requestURI": "/apis/cert-manager.io/v1/certificaterequests?limit=500",
  "responseStatus": {
    "metadata": {},
    "code": 200
  },
  "apiVersion": "audit.k8s.io/v1",
  "stage": "ResponseComplete",
  "verb": "list",
  "level": "Metadata",
  "requestReceivedTimestamp": "2023-01-19T18:30:11.574690Z",
  "auditID": "dda83584-94dc-4388-bb68-ffa932d94e85",
  "stageTimestamp": "2023-01-19T18:30:11.641010Z",
  "annotations": {
    "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"gatekeeper-manager-rolebinding\" of ClusterRole \"gatekeeper-manager-role\" to ServiceAccount \"gatekeeper-admin/gatekeeper-system\"",
    "authorization.k8s.io/decision": "allow"
  },
  "sourceIPs": [
    "10.253.128.74"
  ],
  "userAgent": "gatekeeper/v3.7.0 (linux/amd64) 3ba8e93/2021-11-15T20:59:44Z",
  "user": {
    "extra": {
      "authentication.kubernetes.io/pod-name": [
        "gatekeeper-audit-5f8c9cc9bf-sjbfr"
      ],
      "authentication.kubernetes.io/pod-uid": [
        "dc956543-76d9-4654-a757-4f4a11c38fa7"
      ]
    },
    "uid": "af529d1d-7139-4afc-b8fd-380218e344b7",
    "username": "system:serviceaccount:gatekeeper-system:gatekeeper-admin",
    "groups": [
      "system:serviceaccounts",
      "system:serviceaccounts:gatekeeper-system",
      "system:authenticated"
    ]
  },
  "_gdch_org_name": "root",
  "_gdch_org_id": "root.zone1.google.gdch.test",
  "_gdch_cluster": "root-admin",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-zthjs"
}

Rahasia TLS

Kolom dalam entri log yang berisi informasi audit
Metadata audit	Nama kolom audit	Nilai
Identitas pengguna atau layanan	`user.username`	Misalnya, "user":{ "username": "kubernetes-admin" }
Target (Kolom dan nilai yang memanggil API)	`requestURI`	`"requestURI": "/api/v1/namespaces/istio-system/secrets/web-tls"`
Tindakan (Kolom yang berisi operasi yang dilakukan)	`verb`	`"verb": "get"`
Stempel waktu peristiwa	`stageTimestamp`	Misalnya, `"stageTimestamp": "2023-01-19T18:37:17.571558Z"`
Sumber tindakan	`sourceIPs`	Misalnya, `"sourceIPs":[""10.200.0.2""]`
Hasil	`responseStatus.code`	Misalnya, "requestReceivedTimestamp": "2023-01-19T18:37:17.568664Z" }
Kolom lainnya	`kind` `objectRef`	Misalnya, "kind": "Event", "objectRef": { "namespace": "istio-system", "apiVersion": "v1", "name": "web-tls", "apiGroup": "UNKNOWN", "resource": "secrets" }

Contoh log

{
  "objectRef": {
    "namespace": "istio-system",
    "apiVersion": "v1",
    "name": "web-tls",
    "apiGroup": "UNKNOWN",
    "resource": "secrets"
  },
  "auditID": "83d2c117-fb8b-4dfe-9a16-413c084162c0",
  "_gdch_service_name": "apiserver",
  "_gdch_tenant_id": "infra-obs",
  "kind": "Event",
  "requestURI": "/api/v1/namespaces/istio-system/secrets/web-tls",
  "stageTimestamp": "2023-01-19T18:37:17.571558Z",
  "verb": "get",
  "user": {
    "username": "kubernetes-admin",
    "groups": [
      "system:masters",
      "system:authenticated"
    ]
  },
  "level": "Metadata",
  "sourceIPs": [
    "10.200.0.2"
  ],
  "apiVersion": "audit.k8s.io/v1",
  "responseStatus": {
    "metadata": {},
    "code": 200
  },
  "stage": "ResponseComplete",
  "requestReceivedTimestamp": "2023-01-19T18:37:17.568664Z",
  "userAgent": "k9s/v0.0.0 (linux/amd64) kubernetes/$Format",
  "annotations": {
    "authorization.k8s.io/decision": "allow",
    "authorization.k8s.io/reason": ""
  },
  "_gdch_org_name": "root",
  "_gdch_org_id": "root.zone1.google.gdch.test",
  "_gdch_cluster": "root-admin",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-zthjs"
}

Certificate Manager (CERT) Tetap teratur dengan koleksi Simpan dan kategorikan konten berdasarkan preferensi Anda.

Membuat Sertifikat

Minta sertifikat

Rahasia TLS

Certificate Manager (CERT)