Create a VM
Fields in the log entry that contain audit information

Audit metadata | Audit field name | Value |
---|---|---|
User or service identity | user | For example, "user": { "groups": [ "system:authenticated" ], "username": "fop-myusername" } |
Target (Fields and values that call the API) | objectRef | For example, "objectRef": { "apiGroup": "virtualmachine.gdc.goog", "apiVersion": "v1", "name": "vm1", "namespace": "myusername-test", "resource": "virtualmachines" } |
Action (Fields containing the performed operation) | verb | "verb": "create" |
Event timestamp | requestReceivedTimestamp | For example, |
Source of action | _gdch_cluster | For example, |
Outcome | responseStatus | For example, "responseStatus": { "code": 201, "metadata": {} } |
Other fields | Not applicable | Not applicable |

Example log
{
"_gdch_cluster": "root-admin",
"_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-tzdxt",
"_gdch_org_id": "zone1.google.gdch.test",
"_gdch_org_name": "root",
"annotations": {
"authorization.k8s.io/decision": "allow",
"authorization.k8s.io/reason": "RBAC: allowed by RoleBinding \"fop-myusername-vm-admin/myusername-test\" of Role \"project-vm-admin\" to User \"fop-myusername\"",
"mutation.webhook.admission.k8s.io/round_0_index_12": "{\"configuration\":\"gatekeeper-mutating-webhook-configuration\",\"webhook\":\"mutation.gatekeeper.sh\",\"mutated\":false}"
},
"apiVersion": "audit.k8s.io/v1",
"auditID": "6b48ee52-baa4-47d1-9357-98d1bf7bee7e",
"kind": "Event",
"level": "Metadata",
"objectRef": {
"apiGroup": "virtualmachine.gdc.goog",
"apiVersion": "v1",
"name": "vm1",
"namespace": "myusername-test",
"resource": "virtualmachines"
},
"requestReceivedTimestamp": "2023-09-19T21:16:11.086606Z",
"requestURI": "/apis/virtualmachine.gdc.goog/v1/namespaces/myusername-test/virtualmachines?fieldManager=kubectl-client-side-apply",
"responseStatus": {
"code": 201,
"metadata": {}
},
"sourceIPs": [
"10.200.0.1",
"10.200.0.6"
],
"stage": "ResponseComplete",
"stageTimestamp": "2023-09-19T21:16:11.097294Z",
"user": {
"groups": [
"system:authenticated"
],
"username": "fop-myusername"
},
"userAgent": "kubectl/v1.23.5 (linux/amd64) kubernetes/c285e78",
"verb": "create"
}
List VMs
Fields in the log entry that contain audit information

Audit metadata | Audit field name | Value |
---|---|---|
User or service identity | user | For example, "user": { "groups": [ "system:authenticated" ], "username": "fop-myusername" } |
Target (Fields and values that call the API) | objectRef | For example, "objectRef": { "apiGroup": "virtualmachine.gdc.goog", "apiVersion": "v1", "namespace": "myusername-test", "resource": "virtualmachines" } |
Action (Fields containing the performed operation) | verb | "verb": "list" |
Event timestamp | requestReceivedTimestamp | For example, |
Source of action | _gdch_cluster | For example, |
Outcome | responseStatus | For example, "responseStatus": { "code": 200, "metadata": {} } |
Other fields | Not applicable | Not applicable |

Example log
{
"_gdch_cluster": "root-admin",
"_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-tzdxt",
"_gdch_org_id": "zone1.google.gdch.test",
"_gdch_org_name": "root",
"annotations": {
"authorization.k8s.io/decision": "allow",
"authorization.k8s.io/reason": "RBAC: allowed by RoleBinding \"fop-myusername-vm-admin/myusername-test\" of Role \"project-vm-admin\" to User \"fop-myusername\""
},
"apiVersion": "audit.k8s.io/v1",
"auditID": "e848a3a1-da7e-4b74-8c12-f2af066dda55",
"kind": "Event",
"level": "Metadata",
"objectRef": {
"apiGroup": "virtualmachine.gdc.goog",
"apiVersion": "v1",
"namespace": "myusername-test",
"resource": "virtualmachines"
},
"requestReceivedTimestamp": "2023-09-19T21:37:40.632532Z",
"requestURI": "/apis/virtualmachine.gdc.goog/v1/namespaces/myusername-test/virtualmachines?limit=500",
"responseStatus": {
"code": 200,
"metadata": {}
},
"sourceIPs": [
"10.200.0.1",
"10.200.0.6"
],
"stage": "ResponseComplete",
"stageTimestamp": "2023-09-19T21:37:40.639807Z",
"user": {
"groups": [
"system:authenticated"
],
"username": "fop-myusername"
},
"userAgent": "kubectl/v1.23.5 (linux/amd64) kubernetes/c285e78",
"verb": "list"
}
Update a VM
This includes start/stop operations. A restart operation also shows up as two update operations (stop and start) by a service account.
Fields in the log entry that contain audit information

Audit metadata | Audit field name | Value |
---|---|---|
User or service identity | user | For example, "user":{ "username": "fop-myname-test", "groups":[ "system: authenticated" ] } |
Target (Fields and values that call the API) | objectRef | For example, "objectRef": { "apiGroup": "virtualmachine.gdc.goog", "apiVersion": "v1", "name": "vm1", "namespace": "myusername-test", "resource": "virtualmachines" } |
Action (Fields containing the performed operation) | verb | "verb": "patch" |
Event timestamp | requestReceivedTimestamp | For example, |
Source of action | _gdch_cluster | For example, |
Outcome | responseStatus | For example, "responseStatus": { "code": 415, "message": "the body of the request was in an unknown format - accepted media types include: application/json-patch+json, application/merge-patch+json, application/apply-patch+yaml", "metadata": {}, "reason": "UnsupportedMediaType", "status": "Failure" } |
Other fields | Not applicable | Not applicable |

Example log
{
"_gdch_cluster": "root-admin",
"_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-rxgp7",
"_gdch_org_id": "zone1.google.gdch.test",
"_gdch_org_name": "root",
"annotations": {
"authorization.k8s.io/decision": "allow",
"authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"vmm-controller\" of ClusterRole \"vmm-controller\" to ServiceAccount \"vmm-controller/vm-system\""
},
"apiVersion": "audit.k8s.io/v1",
"auditID": "f094a667-adc8-46cf-9ce7-e0f534b792a9",
"kind": "Event",
"level": "Metadata",
"objectRef": {
"apiGroup": "virtualmachine.gdc.goog",
"apiVersion": "v1",
"name": "vm1",
"namespace": "myusername-test",
"resource": "virtualmachines"
},
"requestReceivedTimestamp": "2023-09-19T21:42:20.229318Z",
"requestURI": "/apis/virtualmachine.gdc.goog/v1/namespaces/myusername-test/virtualmachines/vm1",
"responseStatus": {
"code": 415,
"message": "the body of the request was in an unknown format - accepted media types include: application/json-patch+json, application/merge-patch+json, application/apply-patch+yaml",
"metadata": {},
"reason": "UnsupportedMediaType",
"status": "Failure"
},
"sourceIPs": [
"10.201.64.17"
],
"stage": "ResponseComplete",
"stageTimestamp": "2023-09-19T21:42:20.230057Z",
"user": {
"extra": {
"authentication.kubernetes.io/pod-name": [
"vmm-controller-588b67d499-p7qzv"
],
"authentication.kubernetes.io/pod-uid": [
"b5bec7d9-d813-4c9d-a2c6-7c8b2ab7ae9c"
]
},
"groups": [
"system:serviceaccounts",
"system:serviceaccounts:vm-system",
"system:authenticated"
],
"uid": "24a689d1-aabb-4738-9576-eb3a56e5c3d4",
"username": "system:serviceaccount:vm-system:vmm-controller"
},
"userAgent": "vmm-controller/v0.0.0 (linux/amd64) kubernetes/$Format",
"verb": "patch"
}
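
The field mapping in these tables, applied to triage: the sketch below reduces each entry to identity, target, action, timestamp, source and outcome, keeps only completed mutating requests against the VM API group, and marks failures and `system:masters` actors. It is an added example, not part of the original documentation; the function names, the review rules and the one `RequestReceived` record are assumptions, and the other sample entries are trimmed copies of this page's examples.

```python
import json

VM_API_GROUP = "virtualmachine.gdc.goog"
MUTATING_VERBS = {"create", "update", "patch", "delete"}

# Constructed sample: trimmed copies of this page's example entries, plus one
# invented RequestReceived-stage record to exercise the stage filter.
SAMPLE = json.loads("""
[
 {"_gdch_cluster": "root-admin", "stage": "ResponseComplete", "verb": "create",
  "requestReceivedTimestamp": "2023-09-19T21:16:11.086606Z",
  "objectRef": {"apiGroup": "virtualmachine.gdc.goog", "apiVersion": "v1",
    "name": "vm1", "namespace": "myusername-test", "resource": "virtualmachines"},
  "responseStatus": {"code": 201, "metadata": {}},
  "user": {"groups": ["system:authenticated"], "username": "fop-myusername"}},
 {"_gdch_cluster": "root-admin", "stage": "ResponseComplete", "verb": "list",
  "requestReceivedTimestamp": "2023-09-19T21:37:40.632532Z",
  "objectRef": {"apiGroup": "virtualmachine.gdc.goog", "apiVersion": "v1",
    "namespace": "myusername-test", "resource": "virtualmachines"},
  "responseStatus": {"code": 200, "metadata": {}},
  "user": {"groups": ["system:authenticated"], "username": "fop-myusername"}},
 {"_gdch_cluster": "root-admin", "stage": "ResponseComplete", "verb": "patch",
  "requestReceivedTimestamp": "2023-09-19T21:42:20.229318Z",
  "objectRef": {"apiGroup": "virtualmachine.gdc.goog", "apiVersion": "v1",
    "name": "vm1", "namespace": "myusername-test", "resource": "virtualmachines"},
  "responseStatus": {"code": 415, "metadata": {},
    "reason": "UnsupportedMediaType", "status": "Failure"},
  "user": {"groups": ["system:serviceaccounts",
    "system:serviceaccounts:vm-system", "system:authenticated"],
    "username": "system:serviceaccount:vm-system:vmm-controller"}},
 {"_gdch_cluster": "root-admin", "stage": "RequestReceived", "verb": "delete",
  "requestReceivedTimestamp": "2023-09-19T20:58:25.165020Z",
  "objectRef": {"apiGroup": "virtualmachine.gdc.goog", "apiVersion": "v1",
    "name": "vm1", "namespace": "myusername-test", "resource": "virtualmachines"},
  "user": {"groups": ["system:masters", "system:authenticated"],
    "username": "kubernetes-admin"}},
 {"_gdch_cluster": "root-admin", "stage": "ResponseComplete", "verb": "delete",
  "requestReceivedTimestamp": "2023-09-19T20:58:25.165020Z",
  "objectRef": {"apiGroup": "virtualmachine.gdc.goog", "apiVersion": "v1",
    "name": "vm1", "namespace": "myusername-test", "resource": "virtualmachines"},
  "responseStatus": {"code": 200, "metadata": {}},
  "user": {"groups": ["system:masters", "system:authenticated"],
    "username": "kubernetes-admin"}}
]
""")


def target_path(ref):
    """Render objectRef as one string; namespace and name are optional
    (cluster-scoped resources have no namespace, list calls have no name)."""
    parts = [ref.get("apiGroup", ""), ref.get("apiVersion", "")]
    if "namespace" in ref:
        parts += ["namespaces", ref["namespace"]]
    parts.append(ref.get("resource", ""))
    if "name" in ref:
        parts.append(ref["name"])
    return "/".join(p for p in parts if p)


def summarize(entry):
    """Map one audit entry onto the audit metadata rows of the tables."""
    user = entry.get("user", {})
    status = entry.get("responseStatus", {})
    username = user.get("username", "")
    code = status.get("code")
    return {
        "who": username,
        "service_account": username.startswith("system:serviceaccount:"),
        "groups": user.get("groups", []),
        "target": target_path(entry.get("objectRef", {})),
        "action": entry.get("verb"),
        "when": entry.get("requestReceivedTimestamp"),
        "source": entry.get("_gdch_cluster"),
        "code": code,
        "failed": code is None or code >= 400,
        "reason": status.get("reason", ""),
    }


def vm_changes(entries):
    """Completed, mutating requests against the VM API group, oldest first."""
    out = []
    for e in entries:
        if e.get("stage") != "ResponseComplete":
            continue  # earlier stages of the same request carry no outcome
        if e.get("objectRef", {}).get("apiGroup") != VM_API_GROUP:
            continue
        if e.get("verb") in MUTATING_VERBS:
            out.append(summarize(e))
    return sorted(out, key=lambda s: s["when"] or "")


def review_flags(summary):
    """Assumed review policy: surface failures and system:masters actors."""
    flags = []
    if summary["failed"]:
        flags.append(f"failed: {summary['code']} {summary['reason']}".strip())
    if "system:masters" in summary["groups"]:
        flags.append("actor in system:masters")
    return flags


if __name__ == "__main__":
    for s in vm_changes(SAMPLE):
        actor = "service account" if s["service_account"] else "user"
        print(s["when"], s["action"], s["target"],
              f"{actor}={s['who']}", review_flags(s))
```
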
Delete a VM
Fields in the log entry that contain audit information

Audit metadata | Audit field name | Value |
---|---|---|
User or service identity | user | For example, "user": { "groups": [ "system:masters", "system:authenticated" ], "username": "kubernetes-admin" } |
Target (Fields and values that call the API) | objectRef | For example, "objectRef": { "apiGroup": "virtualmachine.gdc.goog", "apiVersion": "v1", "name": "vm1", "namespace": "myusername-test", "resource": "virtualmachines" } |
Action (Fields containing the performed operation) | verb | "verb": "delete" |
Event timestamp | requestReceivedTimestamp | For example, |
Source of action | _gdch_cluster | For example, |
Outcome | responseStatus | For example, "responseStatus": { "code": 200, "metadata": {} } |
Other fields | Not applicable | Not applicable |

Example log
{
"_gdch_cluster": "root-admin",
"_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-tzdxt",
"_gdch_org_id": "zone1.google.gdch.test",
"_gdch_org_name": "root",
"annotations": {
"authorization.k8s.io/decision": "allow",
"authorization.k8s.io/reason": ""
},
"apiVersion": "audit.k8s.io/v1",
"auditID": "b487c3cf-3eda-4cc9-bb5f-1d9665038ee0",
"kind": "Event",
"level": "Metadata",
"objectRef": {
"apiGroup": "virtualmachine.gdc.goog",
"apiVersion": "v1",
"name": "vm1",
"namespace": "myusername-test",
"resource": "virtualmachines"
},
"requestReceivedTimestamp": "2023-09-19T20:58:25.165020Z",
"requestURI": "/apis/virtualmachine.gdc.goog/v1/namespaces/myusername-test/virtualmachines/vm1",
"responseStatus": {
"code": 200,
"metadata": {}
},
"sourceIPs": [
"10.200.0.6"
],
"stage": "ResponseComplete",
"stageTimestamp": "2023-09-19T20:58:25.181044Z",
"user": {
"groups": [
"system:masters",
"system:authenticated"
],
"username": "kubernetes-admin"
},
"userAgent": "kubectl/v1.23.5 (linux/amd64) kubernetes/c285e78",
"verb": "delete"
}
Create a VM disk
Fields in the log entry that contain audit information

Audit metadata | Audit field name | Value |
---|---|---|
User or service identity | user | For example, "user": { "groups": [ "system:authenticated" ], "username": "fop-myusername" } |
Target (Fields and values that call the API) | objectRef | For example, "objectRef": { "apiGroup": "virtualmachine.gdc.goog", "apiVersion": "v1", "name": "vm1-boot-disk", "namespace": "myusername-test", "resource": "virtualmachinedisks" } |
Action (Fields containing the performed operation) | verb | "verb": "create" |
Event timestamp | requestReceivedTimestamp | For example, |
Source of action | _gdch_cluster | For example, |
Outcome | responseStatus | For example, "responseStatus": { "code": 201, "metadata": {} } |
Other fields | Not applicable | Not applicable |

Example log
{
"_gdch_cluster": "root-admin",
"_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-tzdxt",
"_gdch_org_id": "zone1.google.gdch.test",
"_gdch_org_name": "root",
"annotations": {
"authorization.k8s.io/decision": "allow",
"authorization.k8s.io/reason": "RBAC: allowed by RoleBinding \"fop-myusername-vm-admin/myusername-test\" of Role \"project-vm-admin\" to User \"fop-myusername\"",
"mutation.webhook.admission.k8s.io/round_0_index_12": "{\"configuration\":\"gatekeeper-mutating-webhook-configuration\",\"webhook\":\"mutation.gatekeeper.sh\",\"mutated\":false}"
},
"apiVersion": "audit.k8s.io/v1",
"auditID": "b304923c-1df4-4184-bafd-40161210e85e",
"kind": "Event",
"level": "Metadata",
"objectRef": {
"apiGroup": "virtualmachine.gdc.goog",
"apiVersion": "v1",
"name": "vm1-boot-disk",
"namespace": "myusername-test",
"resource": "virtualmachinedisks"
},
"requestReceivedTimestamp": "2023-09-19T21:16:11.056904Z",
"requestURI": "/apis/virtualmachine.gdc.goog/v1/namespaces/myusername-test/virtualmachinedisks?fieldManager=kubectl-client-side-apply",
"responseStatus": {
"code": 201,
"metadata": {}
},
"sourceIPs": [
"10.200.0.1",
"10.200.0.6"
],
"stage": "ResponseComplete",
"stageTimestamp": "2023-09-19T21:16:11.071123Z",
"user": {
"groups": [
"system:authenticated"
],
"username": "fop-myusername"
},
"userAgent": "kubectl/v1.23.5 (linux/amd64) kubernetes/c285e78",
"verb": "create"
}
List VM disks
Fields in the log entry that contain audit information

Audit metadata | Audit field name | Value |
---|---|---|
User or service identity | user | For example, "user": { "groups": [ "system:authenticated" ], "username": "fop-myusername" } |
Target (Fields and values that call the API) | objectRef | For example, "objectRef": { "apiGroup": "virtualmachine.gdc.goog", "apiVersion": "v1", "namespace": "myusername-test", "resource": "virtualmachinedisks" } |
Action (Fields containing the performed operation) | verb | "verb": "list" |
Event timestamp | requestReceivedTimestamp | For example, |
Source of action | _gdch_cluster | For example, |
Outcome | responseStatus | For example, "responseStatus": { "code": 200, "metadata": {} } |
Other fields | Not applicable | Not applicable |

Example log
{
"_gdch_cluster": "root-admin",
"_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-l7p8r",
"_gdch_org_id": "zone1.google.gdch.test",
"_gdch_org_name": "root",
"annotations": {
"authorization.k8s.io/decision": "allow",
"authorization.k8s.io/reason": "RBAC: allowed by RoleBinding \"fop-myusername-vm-admin/myusername-test\" of Role \"project-vm-admin\" to User \"fop-myusername\""
},
"apiVersion": "audit.k8s.io/v1",
"auditID": "3d71f7fd-11d0-4ed7-9d8c-a9bf9f61b46d",
"kind": "Event",
"level": "Metadata",
"objectRef": {
"apiGroup": "virtualmachine.gdc.goog",
"apiVersion": "v1",
"namespace": "myusername-test",
"resource": "virtualmachinedisks"
},
"requestReceivedTimestamp": "2023-09-19T21:18:43.108931Z",
"requestURI": "/apis/virtualmachine.gdc.goog/v1/namespaces/myusername-test/virtualmachinedisks?limit=500",
"responseStatus": {
"code": 200,
"metadata": {}
},
"sourceIPs": [
"10.200.0.1",
"10.200.0.7"
],
"stage": "ResponseComplete",
"stageTimestamp": "2023-09-19T21:18:43.137015Z",
"user": {
"groups": [
"system:authenticated"
],
"username": "fop-myusername"
},
"userAgent": "kubectl/v1.23.5 (linux/amd64) kubernetes/c285e78",
"verb": "list"
}
Delete a VM disk
Fields in the log entry that contain audit information

Audit metadata | Audit field name | Value |
---|---|---|
User or service identity | user | For example, "user":{ "username": "fop-myname-test", "groups":[ "system: authenticated" ] } |
Target (Fields and values that call the API) | objectRef | For example, "objectRef":{ "namespace":"foo", "resource":"virtualmachinedisks", "apiGroup":"virtualmachine.gdc.goog", "name":"vm1-boot-disk", "apiVersion":"v1" } |
Action (Fields containing the performed operation) | verb | "verb":"delete" |
Event timestamp | requestReceivedTimestamp | For example, |
Source of action | _gdch_cluster | For example, |
Outcome | responseStatus | For example, "responseStatus":{ "metadata":{}, "code":200 } |
Other fields | Not applicable | Not applicable |

Example log
{
"_gdch_cluster":"root-admin",
"_gdch_fluentbit_pod":"anthos-audit-logs-forwarder-8z2rm",
"_gdch_service_name":"apiserver",
"apiVersion":"audit.k8s.io/v1",
"auditID":"ba0344d7-283f-4d79-aabc-e083al9b053a",
"kind":"Event",
"level":"Metadata",
"objectRef":{
"namespace":"foo",
"resource":"virtualmachinedisks",
"apiGroup":"virtualmachine.gdc.goog",
"apiVersion":"v1",
"name":"vm1-boot-disk"
},
"requestReceivedTimestamp":"2022-11-11T22:02:02.034688Z",
"requestURI":"/apis/virtualmachine.gdc.goog/v1/namespaces/foo/virtualmachinedisks/vm1-boot-disk",
"responseStatus":{
"metadata":{},
"code":200
},
"sourceIPs":["10.142.5.147"],
"stage":"ResponseComplete",
"stageTimestamp":"2022-11-11T22:02:02.045045Z",
"tsNs":1668204122074601081,
"user":{
"username": "fop-myname-test",
"groups":[
"system: authenticated"
]
},
"userAgent":"kubectl/v1.23.5 (linux/amd64) kubernetes/c285e78",
"verb":"delete"
}
List VM types
Fields in the log entry that contain audit information

Audit metadata | Audit field name | Value |
---|---|---|
User or service identity | user | For example, "user":{ "username": "fop-myname-test", "groups":[ "system: authenticated" ] } |
Target (Fields and values that call the API) | objectRef | For example, "objectRef":{ "resource":"virtualmachinetypes", "apiGroup":"virtualmachine.gdc.goog", "apiVersion":"v1" } |
Action (Fields containing the performed operation) | verb | "verb":"list" |
Event timestamp | requestReceivedTimestamp | For example, |
Source of action | _gdch_cluster | For example, |
Outcome | responseStatus | For example, "responseStatus":{ "metadata":{}, "code":200 } |
Other fields | Not applicable | Not applicable |

Example log
{
"_gdch_cluster":"root-admin",
"_gdch_fluentbit_pod":"anthos-audit-logs-forwarder-8z2rm",
"_gdch_service_name":"apiserver",
"annotations":{
"authorization.k8s.io/decision":"allow",
"authorization.k8s.io/reason":"RBAC: allowed by RoleBinding 'g-vm-admin-binding/foo' of Role 'g-vm-admin' to User 'fop-myname-test'"
},
"apiVersion":"audit.k8s.io/v1",
"auditID":"ba0344d7-283f-4d79-aabc-e083al9b053a",
"kind":"Event",
"level":"Metadata",
"objectRef":{
"resource":"virtualmachinetypes",
"apiGroup":"virtualmachine.gdc.goog",
"apiVersion":"v1"
},
"requestReceivedTimestamp":"2022-11-11T22:02:02.034688Z",
"requestURI":"/apis/virtualmachine.gdc.goog/v1/virtualmachinetypes?limit=500",
"responseStatus":{
"metadata":{},
"code":200
},
"sourceIPs":["10.142.5.147"],
"stage":"ResponseComplete",
"stageTimestamp":"2022-11-11T22:02:02.045045Z",
"tsNs":1668204122074601081,
"user":{
"username": "fop-myname-test",
"groups":[
"system: authenticated"
]
},
"userAgent":"kubectl/v1.23.5 (linux/amd64) kubernetes/c285e78",
"verb":"list"
}
Create a VM type
Fields in the log entry that contain audit information

Audit metadata | Audit field name | Value |
---|---|---|
User or service identity | user | For example, "user":{ "username": "fop-myname-test", "groups":[ "system: authenticated" ] } |
Target (Fields and values that call the API) | objectRef | For example, "objectRef":{ "resource":"virtualmachinetypes", "apiGroup":"virtualmachine.gdc.goog", "name":"test-type", "apiVersion":"v1" } |
Action (Fields containing the performed operation) | verb | "verb":"create" |
Event timestamp | requestReceivedTimestamp | For example, |
Source of action | _gdch_cluster | For example, |
Outcome | responseStatus | For example, "responseStatus":{ "metadata":{}, "code":201 } |
Other fields | Not applicable | Not applicable |

Example log
{
"_gdch_cluster":"root-admin",
"_gdch_fluentbit_pod":"anthos-audit-logs-forwarder-8z2rm",
"_gdch_service_name":"apiserver",
"annotations":{
"authorization.k8s.io/decision":"allow",
"authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding 'g-pa-system-binding' of ClusterRole 'g-system-cluster-admin' to User 'fop-myname-test'"
},
"apiVersion":"audit.k8s.io/v1",
"auditID":"ba0344d7-283f-4d79-aabc-e083al9b053a",
"kind":"Event",
"level":"Metadata",
"objectRef":{
"resource":"virtualmachinetypes",
"apiGroup":"virtualmachine.gdc.goog",
"name":"test-type",
"apiVersion":"v1"
},
"requestReceivedTimestamp":"2022-11-11T22:02:02.034688Z",
"requestURI":"/apis/virtualmachine.gdc.goog/v1/virtualmachinetypes?fieldManager=kubectl-client-side-apply",
"responseStatus":{
"metadata":{},
"code":201
},
"sourceIPs":["10.142.5.147"],
"stage":"ResponseComplete",
"stageTimestamp":"2022-11-11T22:02:02.045045Z",
"tsNs":1668204122074601081,
"user":{
"username": "fop-myname-test",
"groups":[
"system: authenticated"
]
},
"userAgent":"kubectl/v1.23.5 (linux/amd64) kubernetes/c285e78",
"verb":"create"
}
Delete a VM type
Fields in the log entry that contain audit information

Audit metadata | Audit field name | Value |
---|---|---|
User or service identity | user | For example, "user":{ "username": "fop-myname-test", "groups":[ "system: authenticated" ] } |
Target (Fields and values that call the API) | objectRef | For example, "objectRef":{ "resource":"virtualmachinetypes", "apiGroup":"virtualmachine.gdc.goog", "name":"test-type", "apiVersion":"v1" } |
Action (Fields containing the performed operation) | verb | "verb":"delete" |
Event timestamp | requestReceivedTimestamp | For example, |
Source of action | _gdch_cluster | For example, |
Outcome | responseStatus | For example, "responseStatus":{ "metadata":{}, "code":200, "status":"Success" } |
Other fields | Not applicable | Not applicable |

Example log
{
"_gdch_cluster":"root-admin",
"_gdch_fluentbit_pod":"anthos-audit-logs-forwarder-8z2rm",
"_gdch_service_name":"apiserver",
"annotations":{
"authorization.k8s.io/decision":"allow",
"authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding 'g-pa-system-binding' of ClusterRole 'g-system-cluster-admin' to User 'fop-myname-test'"
},
"apiVersion":"audit.k8s.io/v1",
"auditID":"ba0344d7-283f-4d79-aabc-e083al9b053a",
"kind":"Event",
"level":"Metadata",
"objectRef":{
"resource":"virtualmachinetypes",
"apiGroup":"virtualmachine.gdc.goog",
"name":"test-type",
"apiVersion":"v1"
},
"requestReceivedTimestamp":"2022-11-11T22:02:02.034688Z",
"requestURI":"/apis/virtualmachine.gdc.goog/v1/virtualmachinetypes/test-type",
"responseStatus":{
"metadata":{},
"code":200,
"status":"Success"
},
"sourceIPs":["10.142.5.147"],
"stage":"ResponseComplete",
"stageTimestamp":"2022-11-11T22:02:02.045045Z",
"tsNs":1668204122074601081,
"user":{
"username": "fop-myname-test",
"groups":[
"system: authenticated"
]
},
"userAgent":"kubectl/v1.23.5 (linux/amd64) kubernetes/c285e78",
"verb":"delete"
}
Update a VM type
Fields in the log entry that contain audit information

Audit metadata | Audit field name | Value |
---|---|---|
User or service identity | user | For example, "user":{ "username": "fop-myname-test", "groups":[ "system: authenticated" ] } |
Target (Fields and values that call the API) | objectRef | For example, "objectRef":{ "resource":"virtualmachinetypes", "apiGroup":"virtualmachine.gdc.goog", "name":"test-type", "apiVersion":"v1" } |
Action (Fields containing the performed operation) | verb | "verb":"patch" |
Event timestamp | requestReceivedTimestamp | For example, |
Source of action | _gdch_cluster | For example, |
Outcome | responseStatus | For example, "responseStatus":{ "metadata":{}, "code":200 } |
Other fields | Not applicable | Not applicable |

Example log
{
"_gdch_cluster":"root-admin",
"_gdch_fluentbit_pod":"anthos-audit-logs-forwarder-8z2rm",
"_gdch_service_name":"apiserver",
"annotations":{
"authorization.k8s.io/decision":"allow",
"authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding 'g-pa-system-binding' of ClusterRole 'g-system-cluster-admin' to User 'fop-myname-test'"
},
"apiVersion":"audit.k8s.io/v1",
"auditID":"ba0344d7-283f-4d79-aabc-e083al9b053a",
"kind":"Event",
"level":"Metadata",
"objectRef":{
"resource":"virtualmachinetypes",
"apiGroup":"virtualmachine.gdc.goog",
"name":"test-type",
"apiVersion":"v1"
},
"requestReceivedTimestamp":"2022-11-11T22:02:02.034688Z",
"requestURI":"/apis/virtualmachine.gdc.goog/v1/virtualmachinetypes/test-type?fieldManager=kubectl-client-side-apply",
"responseStatus":{
"metadata":{},
"code":200
},
"sourceIPs":["10.142.5.147"],
"stage":"ResponseComplete",
"stageTimestamp":"2022-11-11T22:02:02.045045Z",
"tsNs":1668204122074601081,
"user":{
"username": "fop-myname-test",
"groups":[
"system: authenticated"
]
},
"userAgent":"kubectl/v1.23.5 (linux/amd64) kubernetes/c285e78",
"verb":"patch"
}
Create a VM access request
Fields in the log entry that contain audit information

Audit metadata | Audit field name | Value |
---|---|---|
User or service identity | user | For example, "user":{ "username": "fop-myname-test", "groups":[ "system: authenticated" ] } |
Target (Fields and values that call the API) | objectRef | For example, "objectRef":{ "namespace":"foo", "resource":"virtualmachineaccessrequests", "apiGroup":"virtualmachine.gdc.goog", "apiVersion":"v1" } |
Action (Fields containing the performed operation) | verb | "verb":"create" |
Event timestamp | requestReceivedTimestamp | For example, |
Source of action | _gdch_cluster | For example, |
Outcome | responseStatus | For example, "responseStatus":{ "metadata":{}, "code":201 } |
Other fields | Not applicable | Not applicable |

Example log
{
"_gdch_cluster":"root-admin",
"_gdch_fluentbit_pod":"anthos-audit-logs-forwarder-8z2rm",
"_gdch_service_name":"apiserver",
"annotations":{
"authorization.k8s.io/decision":"allow",
"authorization.k8s.io/reason":"RBAC: allowed by RoleBinding 'g-vm-admin-binding/foo' of Role 'g-vm-admin' to User 'fop-myname-test'"
},
"apiVersion":"audit.k8s.io/v1",
"auditID":"ba0344d7-283f-4d79-aabc-e083al9b053a",
"kind":"Event",
"level":"Metadata",
"objectRef":{
"namespace":"foo",
"resource":"virtualmachineaccessrequests",
"apiGroup":"virtualmachine.gdc.goog",
"apiVersion":"v1"
},
"requestReceivedTimestamp":"2022-11-11T22:02:02.034688Z",
"requestURI":"/apis/virtualmachine.gdc.goog/v1/namespaces/foo/virtualmachineaccessrequests?fieldManager=kubectl-create",
"responseStatus":{
"metadata":{},
"code":201
},
"sourceIPs":["10.142.5.147"],
"stage":"ResponseComplete",
"stageTimestamp":"2022-11-11T22:02:02.045045Z",
"tsNs":1668204122074601081,
"user":{
"username": "fop-myname-test",
"groups":[
"system: authenticated"
]
},
"userAgent":"kubectl/v1.23.5 (linux/amd64) kubernetes/c285e78",
"verb":"create"
}
List VM access requests
Fields in the log entry that contain audit information

Audit metadata | Audit field name | Value |
---|---|---|
User or service identity | user | For example, "user":{ "username": "fop-myname-test", "groups":[ "system: authenticated" ] } |
Target (Fields and values that call the API) | objectRef | For example, "objectRef":{ "namespace":"foo", "resource":"virtualmachineaccessrequests", "apiGroup":"virtualmachine.gdc.goog", "apiVersion":"v1" } |
Action (Fields containing the performed operation) | verb | "verb":"list" |
Event timestamp | requestReceivedTimestamp | For example, |
Source of action | _gdch_cluster | For example, |
Outcome | responseStatus | For example, "responseStatus":{ "metadata":{}, "code":200 } |
Other fields | Not applicable | Not applicable |

Example log
{
"_gdch_cluster":"root-admin",
"_gdch_fluentbit_pod":"anthos-audit-logs-forwarder-8z2rm",
"_gdch_service_name":"apiserver",
"annotations":{
"authorization.k8s.io/decision":"allow",
"authorization.k8s.io/reason":"RBAC: allowed by RoleBinding 'g-vm-admin-binding/foo' of Role 'g-vm-admin' to User 'fop-myname-test'"
},
"apiVersion":"audit.k8s.io/v1",
"auditID":"ba0344d7-283f-4d79-aabc-e083al9b053a",
"kind":"Event",
"level":"Metadata",
"objectRef":{
"namespace":"foo",
"resource":"virtualmachineaccessrequests",
"apiGroup":"virtualmachine.gdc.goog",
"apiVersion":"v1"
},
"requestReceivedTimestamp":"2022-11-11T22:02:02.034688Z",
"requestURI":"/apis/virtualmachine.gdc.goog/v1/namespaces/foo/virtualmachineaccessrequests?limit=500",
"responseStatus":{
"metadata":{},
"code":200
},
"sourceIPs":["10.142.5.147"],
"stage":"ResponseComplete",
"stageTimestamp":"2022-11-11T22:02:02.045045Z",
"tsNs":1668204122074601081,
"user":{
"username": "fop-myname-test",
"groups":[
"system: authenticated"
]
},
"userAgent":"kubectl/v1.23.5 (linux/amd64) kubernetes/c285e78",
"verb":"list"
}
Delete a VM access request
Fields in the log entry that contain audit information

Audit metadata | Audit field name | Value |
---|---|---|
User or service identity | user | For example, "user":{ "username": "fop-myname-test", "groups":[ "system: authenticated" ] } |
Target (Fields and values that call the API) | objectRef | For example, "objectRef":{ "namespace":"foo", "resource":"virtualmachineaccessrequests", "apiGroup":"virtualmachine.gdc.goog", "name":"vm1-jdc9c", "apiVersion":"v1" } |
Action (Fields containing the performed operation) | verb | "verb":"delete" |
Event timestamp | requestReceivedTimestamp | For example, |
Source of action | _gdch_cluster | For example, |
Outcome | responseStatus | For example, "responseStatus":{ "metadata":{}, "code":200 } |
Other fields | Not applicable | Not applicable |

Example log
{
"_gdch_cluster":"root-admin",
"_gdch_fluentbit_pod":"anthos-audit-logs-forwarder-8z2rm",
"_gdch_service_name":"apiserver",
"annotations":{
"authorization.k8s.io/decision":"allow",
"authorization.k8s.io/reason":"RBAC: allowed by RoleBinding 'g-vm-admin-binding/foo' of Role 'g-vm-admin' to User 'fop-myname-test'"
},
"apiVersion":"audit.k8s.io/v1",
"auditID":"ba0344d7-283f-4d79-aabc-e083al9b053a",
"kind":"Event",
"level":"Metadata",
"objectRef":{
"namespace":"foo",
"resource":"virtualmachineaccessrequests",
"apiGroup":"virtualmachine.gdc.goog",
"name":"vm1-jdc9c",
"apiVersion":"v1"
},
"requestReceivedTimestamp":"2022-11-11T22:02:02.034688Z",
"requestURI":"/apis/virtualmachine.gdc.goog/v1/namespaces/foo/virtualmachineaccessrequests/vm1-jdc9c",
"responseStatus":{
"metadata":{},
"code":200
},
"sourceIPs":["10.142.5.147"],
"stage":"ResponseComplete",
"stageTimestamp":"2022-11-11T22:02:02.045045Z",
"tsNs":1668204122074601081,
"user":{
"username": "fop-myname-test",
"groups":[
"system: authenticated"
]
},
"userAgent":"kubectl/v1.23.5 (linux/amd64) kubernetes/c285e78",
"verb":"delete"
}
List VM images
Fields in the log entry that contain audit information

Audit metadata | Audit field name | Value |
---|---|---|
User or service identity | user | For example, "user":{ "username": "system:serviceaccount:gatekeeper-system:gatekeeper-admin", "uid":"225d02e7-ee06-42c9-a561-df1945d83224", "groups":[ "system:serviceaccounts", "system:serviceaccounts:gatekeeper-system", "system: authenticated" ] } |
Target (Fields and values that call the API) | objectRef | For example, "objectRef":{ "resource":"virtualmachineimage", "apiGroup":"virtualmachineview.gdc.goog", "apiVersion":"v1alpha1" } |
Action (Fields containing the performed operation) | verb | "verb":"list" |
Event timestamp | requestReceivedTimestamp | For example, |
Source of action | _gdch_cluster | For example, |
Outcome | responseStatus | For example, "responseStatus":{ "metadata":{}, "code":200 } |
Other fields | Not applicable | Not applicable |

Example log
{
"_gdch_cluster":"root-admin",
"_gdch_fluentbit_pod":"anthos-audit-logs-forwarder-8z2rm",
"_gdch_service_name":"apiserver",
"annotations":{
"authorization.k8s.io/decision":"allow",
"authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding 'gatekeeper-manager-rolebinding' of ClusterRole 'gatekeeper-manager-role' to ServiceAccount 'gatekeeper-admin/gatekeeper-system'"
},
"apiVersion":"audit.k8s.io/v1",
"auditID":"ba0344d7-283f-4d79-aabc-e083al9b053a",
"kind":"Event",
"level":"Metadata",
"objectRef":{
"resource":"virtualmachineimage",
"apiGroup":"virtualmachineview.gdc.goog",
"apiVersion":"v1alpha1"
},
"requestReceivedTimestamp":"2022-11-11T22:02:02.034688Z",
"requestURI":"/apis/virtualmachineview.gdc.goog/v1alpha1/virtualmachineimage?limit=500",
"responseStatus":{
"metadata":{},
"code":200
},
"sourceIPs":["10.142.5.147"],
"stage":"ResponseComplete",
"stageTimestamp":"2022-11-11T22:02:02.045045Z",
"tsNs":1668204122074601081,
"user":{
"username": "system:serviceaccount:gatekeeper-system:gatekeeper-admin",
"uid":"225d02e7-ee06-42c9-a561-df1945d83224",
"groups":[
"system:serviceaccounts",
"system:serviceaccounts:gatekeeper-system",
"system: authenticated"
]
},
"userAgent":"gatekeeper/v3.7.0 (linux/amd64) 3ba8e93/2021-11-15T20:59:44Z",
"verb":"list"
}
Create a VM image import
Fields in the log entry that contain audit information

Audit metadata | Audit field name | Value |
---|---|---|
User or service identity | user | For example, "user":{ "username": "kubernetes-admin", "groups":[ "system:masters", "system: authenticated" ] } |
Target (Fields and values that call the API) | objectRef | For example, "objectRef":{ "namespace":"foo", "resource":"virtualmachineimageimports", "apiGroup":"virtualmachine.gdc.goog", "apiVersion":"v1alpha1", "name":"import-1" } |
Action (Fields containing the performed operation) | verb | "verb":"create" |
Event timestamp | requestReceivedTimestamp | For example, |
Source of action | _gdch_cluster | For example, |
Outcome | responseStatus | For example, "responseStatus":{ "metadata":{}, "code":201 } |
Other fields | Not applicable | Not applicable |

Example log
{
"_gdch_cluster":"root-admin",
"_gdch_fluentbit_pod":"anthos-audit-logs-forwarder-8z2rm",
"_gdch_service_name":"apiserver",
"annotations":{
"apiserver.latency.k8s.io/response-write":"1.476μs",
"authorization.k8s.io/reason":"",
"apiserver.latency.k8s.io/serialize-response-object":"71.971μs",
"authorization.k8s.io/decision":"allow",
"apiserver.latency.k8s.io/total":"7.405669466s",
"apiserver.latency.k8s.io/validating-webhook":"7.395358418s",
"apiserver.latency.k8s.io/transform-response-object":"2.358μs"
},
"apiVersion":"audit.k8s.io/v1",
"auditID":"ba0344d7-283f-4d79-aabc-e083al9b053a",
"kind":"Event",
"level":"Metadata",
"objectRef":{
"namespace":"foo",
"resource":"virtualmachineimageimports",
"apiGroup":"virtualmachine.gdc.goog",
"apiVersion":"v1alpha1",
"name":"import-1"
},
"requestReceivedTimestamp":"2022-11-11T22:02:02.034688Z",
"requestURI":"/apis/virtualmachine.gdc.goog/v1alpha1/namespaces/foo/virtualmachineimageimports?fieldManager=kubectl-client-side-apply",
"responseStatus":{
"metadata":{},
"code":201
},
"sourceIPs":["10.142.5.147"],
"stage":"ResponseComplete",
"stageTimestamp":"2022-11-11T22:02:02.045045Z",
"tsNs":1668204122074601081,
"user":{
"username": "kubernetes-admin",
"groups":[
"system:masters",
"system:authenticated"
]
},
"userAgent":"kubectl/v1.23.5 (linux/amd64) kubernetes/c285e78",
"verb":"create"
}
List VM image imports
Fields in the log entry that contain audit information

| Audit metadata | Audit field name | Value |
|---|---|---|
| User or service identity | `user` | For example, `"user":{ "username": "system:serviceaccount:gatekeeper-system:gatekeeper-admin", "groups":[ "system:serviceaccounts", "system:serviceaccounts:gatekeeper-system", "system:authenticated" ] }` |
| Target (Fields and values that call the API) | `objectRef` | For example, `"objectRef":{ "resource":"virtualmachineimageimports", "apiGroup":"virtualmachine.gdc.goog", "apiVersion":"v1alpha1" }` |
| Action (Fields containing the performed operation) | `verb` | `"verb":"list"` |
| Event timestamp | `requestReceivedTimestamp` | For example, |
| Source of action | `_gdch_cluster` | For example, |
| Outcome | `responseStatus` | For example, `"responseStatus":{ "metadata":{}, "code":201 }` |
| Other fields | Not applicable | Not applicable |

Example log
{
"_gdch_cluster":"root-admin",
"_gdch_fluentbit_pod":"anthos-audit-logs-forwarder-8z2rm",
"_gdch_service_name":"apiserver",
"apiVersion":"audit.k8s.io/v1",
"auditID":"ba0344d7-283f-4d79-aabc-e083al9b053a",
"kind":"Event",
"level":"Metadata",
"objectRef":{
"resource":"virtualmachineimageimports",
"apiGroup":"virtualmachine.gdc.goog",
"apiVersion":"v1alpha1"
},
"requestReceivedTimestamp":"2022-11-11T22:02:02.034688Z",
"requestURI":"/apis/virtualmachine.gdc.goog/v1alpha1/virtualmachineimageimports?limit=500",
"responseStatus":{
"metadata":{},
"code":201
},
"sourceIPs":["10.142.5.147"],
"stage":"ResponseComplete",
"stageTimestamp":"2022-11-11T22:02:02.045045Z",
"tsNs":1668204122074601081,
"user":{
"username": "system:serviceaccount:gatekeeper-system:gatekeeper-admin",
"groups":[
"system:serviceaccounts",
"system:serviceaccounts:gatekeeper-system",
"system:authenticated"
]
},
"userAgent":"gatekeeper/v3.7.0 (linux/amd64) 3ba8e93/2021-11-15T20:59:44Z",
"verb":"list"
}
Delete a VM image import
Fields in the log entry that contain audit information

| Audit metadata | Audit field name | Value |
|---|---|---|
| User or service identity | `user` | For example, `"user":{ "username": "kubernetes-admin", "groups":[ "system:masters", "system:authenticated" ] }` |
| Target (Fields and values that call the API) | `objectRef` | For example, `"objectRef":{ "namespace":"foo", "resource":"virtualmachineimageimports", "apiGroup":"virtualmachine.gdc.goog", "name":"import-1", "apiVersion":"v1alpha1" }` |
| Action (Fields containing the performed operation) | `verb` | `"verb":"delete"` |
| Event timestamp | `requestReceivedTimestamp` | For example, |
| Source of action | `_gdch_cluster` | For example, |
| Outcome | `responseStatus` | For example, `"responseStatus":{ "metadata":{}, "code":200 }` |
| Other fields | Not applicable | Not applicable |

Example log
{
"_gdch_cluster":"root-admin",
"_gdch_fluentbit_pod":"anthos-audit-logs-forwarder-8z2rm",
"_gdch_service_name":"apiserver",
"apiVersion":"audit.k8s.io/v1",
"auditID":"ba0344d7-283f-4d79-aabc-e083al9b053a",
"kind":"Event",
"level":"Metadata",
"objectRef":{
"namespace":"foo",
"resource":"virtualmachineimageimports",
"apiGroup":"virtualmachine.gdc.goog",
"name":"import-1",
"apiVersion":"v1alpha1"
},
"requestReceivedTimestamp":"2022-11-11T22:02:02.034688Z",
"requestURI":"/apis/virtualmachine.gdc.goog/v1alpha1/namespaces/foo/virtualmachineimageimports/import-1",
"responseStatus":{
"metadata":{},
"code":200
},
"sourceIPs":["10.142.5.147"],
"stage":"ResponseComplete",
"stageTimestamp":"2022-11-11T22:02:02.045045Z",
"tsNs":1668204122074601081,
"user":{
"username": "kubernetes-admin",
"groups":[
"system:masters",
"system:authenticated"
]
},
"userAgent":"kubectl/v1.23.5 (linux/amd64) kubernetes/c285e78",
"verb":"delete"
}
Create an external access policy
Fields in the log entry that contain audit information

| Audit metadata | Audit field name | Value |
|---|---|---|
| User or service identity | `user` | For example, `"user": { "groups": [ "system:masters", "system:authenticated" ], "username": "kubernetes-admin" }` |
| Target (Fields and values that call the API) | `objectRef` | For example, `"objectRef": { "apiGroup": "virtualmachine.gdc.goog", "apiVersion": "v1", "name": "vm1", "namespace": "myusername-test", "resource": "virtualmachineexternalaccesses" }` |
| Action (Fields containing the performed operation) | `verb` | `"verb": "create"` |
| Event timestamp | `requestReceivedTimestamp` | For example, |
| Source of action | `_gdch_cluster` | For example, |
| Outcome | `responseStatus` | For example, `"responseStatus": { "code": 201, "metadata": {} }` |
| Other fields | Not applicable | Not applicable |

Example log
{
"_gdch_cluster": "root-admin",
"_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-tzdxt",
"_gdch_org_id": "zone1.google.gdch.test",
"_gdch_org_name": "root",
"annotations": {
"authorization.k8s.io/decision": "allow",
"authorization.k8s.io/reason": "",
"mutation.webhook.admission.k8s.io/round_0_index_12": "{\"configuration\":\"gatekeeper-mutating-webhook-configuration\",\"webhook\":\"mutation.gatekeeper.sh\",\"mutated\":false}"
},
"apiVersion": "audit.k8s.io/v1",
"auditID": "07306f01-f06e-44bf-ae6d-45447b14ea23",
"kind": "Event",
"level": "Metadata",
"objectRef": {
"apiGroup": "virtualmachine.gdc.goog",
"apiVersion": "v1",
"name": "vm1",
"namespace": "myusername-test",
"resource": "virtualmachineexternalaccesses"
},
"requestReceivedTimestamp": "2023-09-20T16:58:09.485136Z",
"requestURI": "/apis/virtualmachine.gdc.goog/v1/namespaces/myusername-test/virtualmachineexternalaccesses?fieldManager=kubectl-create",
"responseStatus": {
"code": 201,
"metadata": {}
},
"sourceIPs": [
"10.200.0.6"
],
"stage": "ResponseComplete",
"stageTimestamp": "2023-09-20T16:58:09.501959Z",
"user": {
"groups": [
"system:masters",
"system:authenticated"
],
"username": "kubernetes-admin"
},
"userAgent": "kubectl/v1.23.5 (linux/amd64) kubernetes/c285e78",
"verb": "create"
}
List external access policies
Fields in the log entry that contain audit information

| Audit metadata | Audit field name | Value |
|---|---|---|
| User or service identity | `user` | For example, `"user": { "groups": [ "system:masters", "system:authenticated" ], "username": "kubernetes-admin" }` |
| Target (Fields and values that call the API) | `objectRef` | For example, `"objectRef": { "apiGroup": "virtualmachine.gdc.goog", "apiVersion": "v1", "namespace": "myusername-test", "resource": "virtualmachineexternalaccesses" }` |
| Action (Fields containing the performed operation) | `verb` | `"verb": "list"` |
| Event timestamp | `requestReceivedTimestamp` | For example, |
| Source of action | `_gdch_cluster` | For example, |
| Outcome | `responseStatus` | For example, `"responseStatus": { "code": 200, "metadata": {} }` |
| Other fields | Not applicable | Not applicable |

Example log
{
"_gdch_cluster": "root-admin",
"_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-tzdxt",
"_gdch_org_id": "zone1.google.gdch.test",
"_gdch_org_name": "root",
"annotations": {
"authorization.k8s.io/decision": "allow",
"authorization.k8s.io/reason": ""
},
"apiVersion": "audit.k8s.io/v1",
"auditID": "a7396e5b-eeee-4821-9b59-c50c98de8137",
"kind": "Event",
"level": "Metadata",
"objectRef": {
"apiGroup": "virtualmachine.gdc.goog",
"apiVersion": "v1",
"namespace": "myusername-test",
"resource": "virtualmachineexternalaccesses"
},
"requestReceivedTimestamp": "2023-09-20T17:06:35.634144Z",
"requestURI": "/apis/virtualmachine.gdc.goog/v1/namespaces/myusername-test/virtualmachineexternalaccesses?limit=500",
"responseStatus": {
"code": 200,
"metadata": {}
},
"sourceIPs": [
"10.200.0.6"
],
"stage": "ResponseComplete",
"stageTimestamp": "2023-09-20T17:06:35.637132Z",
"user": {
"groups": [
"system:masters",
"system:authenticated"
],
"username": "kubernetes-admin"
},
"userAgent": "kubectl/v1.23.5 (linux/amd64) kubernetes/c285e78",
"verb": "list"
}
Update an external access policy
This includes start/stop operations. A restart operation also shows up as two update operations (stop and start) by a service account.
Fields in the log entry that contain audit information

| Audit metadata | Audit field name | Value |
|---|---|---|
| User or service identity | `user` | For example, `"user":{ "groups": [ "system:masters", "system:authenticated" ], "username": "kubernetes-admin" }` |
| Target (Fields and values that call the API) | `objectRef` | For example, `"objectRef": { "apiGroup": "virtualmachine.gdc.goog", "apiVersion": "v1", "name": "vm1", "namespace": "myusername-test", "resource": "virtualmachineexternalaccesses" }` |
| Action (Fields containing the performed operation) | `verb` | `"verb": "patch"` |
| Event timestamp | `requestReceivedTimestamp` | For example, |
| Source of action | `_gdch_cluster` | For example, |
| Outcome | `responseStatus` | For example, `"responseStatus": { "code": 200, "metadata": {} }` |
| Other fields | Not applicable | Not applicable |

Example log
{
"_gdch_cluster": "root-admin",
"_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-tzdxt",
"_gdch_org_id": "zone1.google.gdch.test",
"_gdch_org_name": "root",
"annotations": {
"authorization.k8s.io/decision": "allow",
"authorization.k8s.io/reason": "",
"mutation.webhook.admission.k8s.io/round_0_index_12": "{\"configuration\":\"gatekeeper-mutating-webhook-configuration\",\"webhook\":\"mutation.gatekeeper.sh\",\"mutated\":false}"
},
"apiVersion": "audit.k8s.io/v1",
"auditID": "e42f6bbb-f192-4119-a674-66e0d1826dfa",
"kind": "Event",
"level": "Metadata",
"objectRef": {
"apiGroup": "virtualmachine.gdc.goog",
"apiVersion": "v1",
"name": "vm1",
"namespace": "myusername-test",
"resource": "virtualmachineexternalaccesses"
},
"requestReceivedTimestamp": "2023-09-20T17:11:00.525104Z",
"requestURI": "/apis/virtualmachine.gdc.goog/v1/namespaces/myusername-test/virtualmachineexternalaccesses/vm1?fieldManager=kubectl-edit",
"responseStatus": {
"code": 200,
"metadata": {}
},
"sourceIPs": [
"10.200.0.6"
],
"stage": "ResponseComplete",
"stageTimestamp": "2023-09-20T17:11:00.538170Z",
"user": {
"groups": [
"system:masters",
"system:authenticated"
],
"username": "kubernetes-admin"
},
"userAgent": "kubectl/v1.23.5 (linux/amd64) kubernetes/c285e78",
"verb": "patch"
}
Delete an external access policy
Fields in the log entry that contain audit information

| Audit metadata | Audit field name | Value |
|---|---|---|
| User or service identity | `user` | For example, `"user": { "groups": [ "system:masters", "system:authenticated" ], "username": "kubernetes-admin" }` |
| Target (Fields and values that call the API) | `objectRef` | For example, `"objectRef": { "apiGroup": "virtualmachine.gdc.goog", "apiVersion": "v1", "name": "vm1", "namespace": "myusername-test", "resource": "virtualmachineexternalaccesses" }` |
| Action (Fields containing the performed operation) | `verb` | `"verb": "delete"` |
| Event timestamp | `requestReceivedTimestamp` | For example, |
| Source of action | `_gdch_cluster` | For example, |
| Outcome | `responseStatus` | For example, `"responseStatus": { "code": 200, "details": { "group": "virtualmachine.gdc.goog", "kind": "virtualmachineexternalaccesses", "name": "vm1", "uid": "d34ef0ad-f889-458f-804f-0086468a0674" }, "metadata": {}, "status": "Success" }` |
| Other fields | Not applicable | Not applicable |

Example log
{
"_gdch_cluster": "root-admin",
"_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-tzdxt",
"_gdch_org_id": "zone1.google.gdch.test",
"_gdch_org_name": "root",
"annotations": {
"authorization.k8s.io/decision": "allow",
"authorization.k8s.io/reason": ""
},
"apiVersion": "audit.k8s.io/v1",
"auditID": "8290dc63-7aa9-4ab8-92eb-92b2ae6cabca",
"kind": "Event",
"level": "Metadata",
"objectRef": {
"apiGroup": "virtualmachine.gdc.goog",
"apiVersion": "v1",
"name": "vm1",
"namespace": "myusername-test",
"resource": "virtualmachineexternalaccesses"
},
"requestReceivedTimestamp": "2023-09-20T17:13:21.317256Z",
"requestURI": "/apis/virtualmachine.gdc.goog/v1/namespaces/myusername-test/virtualmachineexternalaccesses/vm1",
"responseStatus": {
"code": 200,
"details": {
"group": "virtualmachine.gdc.goog",
"kind": "virtualmachineexternalaccesses",
"name": "vm1",
"uid": "d34ef0ad-f889-458f-804f-0086468a0674"
},
"metadata": {},
"status": "Success"
},
"sourceIPs": [
"10.200.0.6"
],
"stage": "ResponseComplete",
"stageTimestamp": "2023-09-20T17:13:21.330032Z",
"user": {
"groups": [
"system:masters",
"system:authenticated"
],
"username": "kubernetes-admin"
},
"userAgent": "kubectl/v1.23.5 (linux/amd64) kubernetes/c285e78",
"verb": "delete"
}
Restart a VM
Fields in the log entry that contain audit information

| Audit metadata | Audit field name | Value |
|---|---|---|
| User or service identity | `user` | For example, `"user": { "groups": [ "system:authenticated" ], "username": "fop-myusername" }` |
| Target (Fields and values that call the API) | `requestURI` | It has the following format: Where namespace and name identify the target object. For example, |
| Event timestamp | `requestReceivedTimestamp` | For example, |
| Source of action | `_gdch_cluster` | For example, |
| Outcome | `responseStatus` | For example, `"responseStatus": { "code": 202, "metadata": {} }` |
| Other fields | Not applicable | Not applicable |

Example log
{
"_gdch_cluster": "root-admin",
"_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-rxgp7",
"_gdch_org_id": "zone1.google.gdch.test",
"_gdch_org_name": "root",
"annotations": {
"authorization.k8s.io/decision": "allow",
"authorization.k8s.io/reason": "RBAC: allowed by RoleBinding \"fop-myusername-vm-admin/myusername-test\" of Role \"project-vm-admin\" to User \"fop-myusername\""
},
"apiVersion": "audit.k8s.io/v1",
"auditID": "1446c6b9-f728-4f0d-9a70-aa8361749eef",
"kind": "Event",
"level": "Metadata",
"objectRef": {
"apiGroup": "virtualmachineoperations.gdc.goog",
"apiVersion": "v1",
"name": "vm1",
"namespace": "myusername-test",
"resource": "virtualmachines",
"subresource": "restart"
},
"requestReceivedTimestamp": "2023-09-19T22:27:26.787243Z",
"requestURI": "/apis/virtualmachineoperations.gdc.goog/v1/namespaces/myusername-test/virtualmachines/vm1/restart",
"responseStatus": {
"code": 202,
"metadata": {}
},
"sourceIPs": [
"10.200.0.1",
"10.200.0.5"
],
"stage": "ResponseComplete",
"stageTimestamp": "2023-09-19T22:27:26.929619Z",
"user": {
"groups": [
"system:authenticated"
],
"username": "fop-myusername"
},
"userAgent": "Go-http-client/2.0",
"verb": "update"
}
Review emergency access actions from an IO
The Infrastructure Operator (IO) has permissions to perform all the VMM audited operations described in this document on the system cluster. All their actions are audit logged automatically as part of the Kubernetes audit log.
Fields in the log entry that contain audit information

| Audit metadata | Audit field name | Value |
|---|---|---|
| User or service identity | `user` | For example, `"user": { "groups": [ "system:masters", "system:authenticated" ], "username": "kubernetes-admin" }` |
| Target (Fields and values that call the API) | The VM specific resources have the following pattern for the | For example, `"objectRef": { "resource": "vmruntimes", "apiGroup": "virtualmachine.private.gdc.goog", "apiVersion": "v1" }` |
| Action (Fields containing the performed operation) | `verb` | `"verb":"list"` |
| Event timestamp | `requestReceivedTimestamp` | For example, |
| Source of action | `_gdch_cluster` | For example, |
| Outcome | `responseStatus` | For example, `"responseStatus": { "code": 200, "metadata": {} }` |
| Other fields | Not applicable | Not applicable |

Example log
{
"_gdch_cluster": "root-admin",
"_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-ztsnr",
"responseStatus": {
"code": 200,
"metadata": {}
},
"kind": "Event",
"stageTimestamp": "2022-11-30T00:47:09.475563Z",
"annotations": {
"authorization.k8s.io/decision": "allow",
"authorization.k8s.io/reason": ""
},
"sourceIPs": [
"10.200.1.109"
],
"objectRef": {
"resource": "vmruntimes",
"apiGroup": "virtualmachine.private.gdc.goog",
"apiVersion": "v1"
},
"apiVersion": "audit.k8s.io/v1",
"verb": "list",
"auditID": "fe338dca-f502-4fde-ba25-98bd29341a83",
"level": "Metadata",
"requestURI": "/apis/virtualmachine.private.gdc.goog/v1/vmruntimes",
"user": {
"groups": [
"system:masters",
"system:authenticated"
],
"username": "kubernetes-admin"
},
"stage": "ResponseComplete",
"requestReceivedTimestamp": "2022-11-30T00:47:09.472822Z",
"userAgent": "operator/v0.0.0 (linux/amd64) kubernetes/$Format",
"_gdch_service_name": "apiserver"
}
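
The field mapping in the tables above can be applied mechanically when reviewing exported audit events. The following is an added example, not part of the original documentation: it reduces each event to the audit metadata rows (identity, target, action, timestamp, source, outcome) and marks events for manual review. Assumptions: events arrive one JSON object per line; the flag names, the `fop-otheruser` identity and the denied third event are constructed; treating `system:masters` membership and the `.private.gdc.goog` API group suffix as review markers is an assumption drawn from the example logs on this page.

```python
import json

# Constructed sample: trimmed to the audited fields shown on this page; event 3 is invented.
SAMPLE_LOG = """
{"_gdch_cluster":"root-admin","verb":"update","requestReceivedTimestamp":"2023-09-19T22:27:26.787243Z","user":{"username":"fop-myusername","groups":["system:authenticated"]},"objectRef":{"apiGroup":"virtualmachineoperations.gdc.goog","namespace":"myusername-test","resource":"virtualmachines","name":"vm1","subresource":"restart"},"responseStatus":{"code":202},"annotations":{"authorization.k8s.io/decision":"allow"}}
{"_gdch_cluster":"root-admin","verb":"list","requestReceivedTimestamp":"2022-11-30T00:47:09.472822Z","user":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},"objectRef":{"apiGroup":"virtualmachine.private.gdc.goog","resource":"vmruntimes"},"responseStatus":{"code":200},"annotations":{"authorization.k8s.io/decision":"allow"}}
{"_gdch_cluster":"root-admin","verb":"delete","requestReceivedTimestamp":"2023-09-20T17:20:00.000000Z","user":{"username":"fop-otheruser","groups":["system:authenticated"]},"objectRef":{"apiGroup":"virtualmachine.gdc.goog","namespace":"myusername-test","resource":"virtualmachineexternalaccesses","name":"vm1"},"responseStatus":{"code":403},"annotations":{"authorization.k8s.io/decision":"forbid"}}
"""

def summarize(event):
    """Map one audit event onto the audit metadata rows used in the tables."""
    ref = event.get("objectRef", {})
    user = event.get("user", {})
    # Operations such as restart are subresources: report them as verb/subresource.
    action = event.get("verb", "")
    if ref.get("subresource"):
        action += "/" + ref["subresource"]
    target = "/".join(filter(None, (ref.get("apiGroup"), ref.get("namespace"),
                                    ref.get("resource"), ref.get("name"))))
    return {
        "identity": user.get("username", ""),
        "groups": user.get("groups", []),
        "target": target,
        "action": action,
        "timestamp": event.get("requestReceivedTimestamp"),
        "source": event.get("_gdch_cluster"),
        "outcome": event.get("responseStatus", {}).get("code"),
        "decision": event.get("annotations", {}).get("authorization.k8s.io/decision"),
    }

def review_flags(event):
    """Return the reasons (if any) an event should be queued for manual review."""
    s = summarize(event)
    flags = []
    if "system:masters" in s["groups"]:  # assumption: marks admin or IO access
        flags.append("system-masters")
    if event.get("objectRef", {}).get("apiGroup", "").endswith(".private.gdc.goog"):
        flags.append("private-vm-api")
    # Some events carry no annotations at all, so only an explicit "forbid" counts.
    if s["decision"] == "forbid" or (s["outcome"] or 0) >= 400:
        flags.append("denied-or-failed")
    return flags

def scan(log_text):
    """Parse JSON-lines audit output and return (summary, flags) per event."""
    results = []
    for line in log_text.splitlines():
        if line.strip():
            event = json.loads(line)
            results.append((summarize(event), review_flags(event)))
    return results

if __name__ == "__main__":
    for summary, flags in scan(SAMPLE_LOG):
        print(summary, flags)
```
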