Virtual networking (VNET)

Workload location

File and block storage
Audit log source

Kubernetes audit logs
Audited operations

CRUD operations on the project network policy

Log type: KRM API management plane audit logs.

Fields in the log entry that contain audit information
Audit metadata Audit field name Value
User or service identity user

For example,

"user": {
  "uid": "6e805ff0-3f8c-4073-b4e1-6a0582ff1263",
  "username": "system:serviceaccount:gpc-system:fleet-admin-controller",
  "extra": {
    "authentication.kubernetes.io/pod-uid": [
      "45ce2b16-3584-448e-8caf-49cb299dfb55"
    ],
    "authentication.kubernetes.io/pod-name": [
      "fleet-admin-controller-5b5d848876-764mt"
    ]
  },
  "groups": [
    "system:serviceaccounts",
    "system:serviceaccounts:gpc-system",
    "system:authenticated"
  ]
}

Target

(Fields and values that call the API)

 requestURI

"requestURI": "/apis/networking.gdc.goog/v1alpha1/namespaces/platform-obs/projectnetworkpolicies"

Action

(Fields containing the performed operation)

 verb

For example,

"verb": "patch"
Event timestamp requestReceivedTimestamp

For example,

"requestReceivedTimestamp": "2022-12-09T04:21:55.497089Z"
Source of action sourceIPs

For example,

"sourceIPs": [
  "10.253.164.215"
]
Outcome stage

For example,

"stage": "ResponseComplete"
Other fields Not applicable Not applicable

Example log

{
  "auditID": "ff8266f6-685f-4239-9ab8-c55083d575e0",
  "responseStatus": {
    "code": 200,
    "metadata": {}
  },
  "level": "Metadata",
  "requestURI": "/apis/networking.gdc.goog/v1alpha1/namespaces/platform-obs/projectnetworkpolicies/base-policy-allow-intra-project-traffic/status",
  "user": {
    "uid": "6e805ff0-3f8c-4073-b4e1-6a0582ff1263",
    "username": "system:serviceaccount:gpc-system:fleet-admin-controller",
    "extra": {
      "authentication.kubernetes.io/pod-uid": [
        "45ce2b16-3584-448e-8caf-49cb299dfb55"
      ],
      "authentication.kubernetes.io/pod-name": [
        "fleet-admin-controller-5b5d848876-764mt"
      ]
    },
    "groups": [
      "system:serviceaccounts",
      "system:serviceaccounts:gpc-system",
      "system:authenticated"
    ]
  },
  "_gdch_cluster": "org-1-admin",
  "objectRef": {
    "resource": "projectnetworkpolicies",
    "apiGroup": "networking.gdc.goog",
    "name": "base-policy-allow-intra-project-traffic",
    "apiVersion": "v1alpha1",
    "namespace": "platform-obs",
    "subresource": "status"
  },
  "verb": "patch",
  "kind": "Event",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-4267r",
  "stage": "ResponseComplete",
  "apiVersion": "audit.k8s.io/v1",
  "requestReceivedTimestamp": "2022-12-09T04:21:55.497089Z",
  "sourceIPs": [
    "10.253.164.215"
  ],
  "userAgent": "fleet-admin-cm/v0.0.0 (linux/amd64) kubernetes/$Format",
  "stageTimestamp": "2022-12-09T04:21:55.505045Z",
  "annotations": {
    "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"fleet-admin-controller\" of ClusterRole \"fleet-admin-controller\" to ServiceAccount \"fleet-admin-controller/gpc-system\"",
    "authorization.k8s.io/decision": "allow"
  },
  "_gdch_service_name": "apiserver"
}

CRUD operations on the load balancer

Log type: KRM API management plane audit logs.

Fields in the log entry that contain audit information
Audit metadata Audit field name Value
User or service identity user

For example,

"user": {
  "groups": [
    "system:masters",
    "system:authenticated"
  ],
  "username": "kubernetes-admin"
}

Target

(Fields and values that call the API)

 objectRef.resource 

"objectRef": {
  "resource": "services"
}

Action

(Fields containing the performed operation)

 verb

For example,

"verb": "get"
Event timestamp requestReceivedTimestamp

For example,

"requestReceivedTimestamp": "2022-12-09T04:29:53.577417Z"
Source of action sourceIPs

For example,

"sourceIPs": [
  "10.200.0.5"
]
Outcome stage

For example,

"stage": "ResponseComplete"
Other fields Not applicable Not applicable

Example log

{
  "apiVersion": "audit.k8s.io/v1",
  "level": "Metadata",
  "_gdch_cluster": "org-1-admin",
  "auditID": "113e562b-0576-4b97-bc5f-168a60428f6d",
  "user": {
    "groups": [
      "system:masters",
      "system:authenticated"
    ],
    "username": "kubernetes-admin"
  },
  "stageTimestamp": "2022-12-09T04:29:53.579903Z",
  "sourceIPs": [
    "10.200.0.5"
  ],
  "responseStatus": {
    "code": 200,
    "metadata": {}
  },
  "annotations": {
    "authorization.k8s.io/decision": "allow",
    "authorization.k8s.io/reason": ""
  },
  "stage": "ResponseComplete",
  "requestURI": "/api/v1/namespaces/harbor-system/services/harbor-harbor-harbor-core",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-8kc9n",
  "verb": "get",
  "objectRef": {
    "apiVersion": "v1",
    "apiGroup": "UNKNOWN",
    "resource": "services",
    "namespace": "harbor-system",
    "name": "harbor-harbor-harbor-core"
  },
  "userAgent": "root-admin-cm/v0.0.0 (linux/amd64) kubernetes/$Format",
  "kind": "Event",
  "requestReceivedTimestamp": "2022-12-09T04:29:53.577417Z",
  "_gdch_service_name": "apiserver"
}