Create a VM
| Fields in the log entry that contain audit information | ||
|---|---|---|
| Audit metadata | Audit field name | Value |
| User or service identity | user |
For example,
"user": {
"groups": [
"system:authenticated"
],
"username": "fop-myusername"
}
|
|
Target (Fields and values that call the API) |
objectRef |
For example,
"objectRef": {
"apiGroup": "virtualmachine.gdc.goog",
"apiVersion": "v1",
"name": "vm1",
"namespace": "myusername-test",
"resource": "virtualmachines"
}
|
|
Action (Fields containing the performed operation) |
verb |
"verb": "create" |
| Event timestamp | requestReceivedTimestamp |
For example,
|
| Source of action | _gdch_cluster |
For example,
|
| Outcome | responseStatus |
For example,
"responseStatus": {
"code": 201,
"metadata": {}
}
|
| Other fields | Not applicable | Not applicable |
Example log
{
"_gdch_cluster": "org-1-admin",
"_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-tzdxt",
"_gdch_org_id": "org-1.zone1.google.gdch.test",
"_gdch_org_name": "org-1",
"annotations": {
"authorization.k8s.io/decision": "allow",
"authorization.k8s.io/reason": "RBAC: allowed by RoleBinding \"fop-myusername-vm-admin/myusername-test\" of Role \"project-vm-admin\" to User \"fop-myusername\"",
"mutation.webhook.admission.k8s.io/round_0_index_12": "{\"configuration\":\"gatekeeper-mutating-webhook-configuration\",\"webhook\":\"mutation.gatekeeper.sh\",\"mutated\":false}"
},
"apiVersion": "audit.k8s.io/v1",
"auditID": "6b48ee52-baa4-47d1-9357-98d1bf7bee7e",
"kind": "Event",
"level": "Metadata",
"objectRef": {
"apiGroup": "virtualmachine.gdc.goog",
"apiVersion": "v1",
"name": "vm1",
"namespace": "myusername-test",
"resource": "virtualmachines"
},
"requestReceivedTimestamp": "2023-09-19T21:16:11.086606Z",
"requestURI": "/apis/virtualmachine.gdc.goog/v1/namespaces/myusername-test/virtualmachines?fieldManager=kubectl-client-side-apply",
"responseStatus": {
"code": 201,
"metadata": {}
},
"sourceIPs": [
"10.200.0.1",
"10.200.0.6"
],
"stage": "ResponseComplete",
"stageTimestamp": "2023-09-19T21:16:11.097294Z",
"user": {
"groups": [
"system:authenticated"
],
"username": "fop-myusername"
},
"userAgent": "kubectl/v1.23.5 (linux/amd64) kubernetes/c285e78",
"verb": "create"
}
List VMs
| Fields in the log entry that contain audit information | ||
|---|---|---|
| Audit metadata | Audit field name | Value |
| User or service identity | user |
For example,
"user": {
"groups": [
"system:authenticated"
],
"username": "fop-myusername"
}
|
|
Target (Fields and values that call the API) |
objectRef |
For example,
"objectRef": {
"apiGroup": "virtualmachine.gdc.goog",
"apiVersion": "v1",
"namespace": "myusername-test",
"resource": "virtualmachines"
}
|
|
Action (Fields containing the performed operation) |
verb |
"verb": "list" |
| Event timestamp | requestReceivedTimestamp |
For example,
|
| Source of action | _gdch_cluster |
For example,
|
| Outcome | responseStatus |
For example,
"responseStatus": {
"code": 200,
"metadata": {}
}
|
| Other fields | Not applicable | Not applicable |
Example log
{
"_gdch_cluster": "org-1-admin",
"_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-tzdxt",
"_gdch_org_id": "org-1.zone1.google.gdch.test",
"_gdch_org_name": "org-1",
"annotations": {
"authorization.k8s.io/decision": "allow",
"authorization.k8s.io/reason": "RBAC: allowed by RoleBinding \"fop-myusername-vm-admin/myusername-test\" of Role \"project-vm-admin\" to User \"fop-myusername\""
},
"apiVersion": "audit.k8s.io/v1",
"auditID": "e848a3a1-da7e-4b74-8c12-f2af066dda55",
"kind": "Event",
"level": "Metadata",
"objectRef": {
"apiGroup": "virtualmachine.gdc.goog",
"apiVersion": "v1",
"namespace": "myusername-test",
"resource": "virtualmachines"
},
"requestReceivedTimestamp": "2023-09-19T21:37:40.632532Z",
"requestURI": "/apis/virtualmachine.gdc.goog/v1/namespaces/myusername-test/virtualmachines?limit=500",
"responseStatus": {
"code": 200,
"metadata": {}
},
"sourceIPs": [
"10.200.0.1",
"10.200.0.6"
],
"stage": "ResponseComplete",
"stageTimestamp": "2023-09-19T21:37:40.639807Z",
"user": {
"groups": [
"system:authenticated"
],
"username": "fop-myusername"
},
"userAgent": "kubectl/v1.23.5 (linux/amd64) kubernetes/c285e78",
"verb": "list"
}
Update a VM
This includes start/stop operations. A restart operation also shows up as two update operations (stop and start) by a service account.
| Fields in the log entry that contain audit information | ||
|---|---|---|
| Audit metadata | Audit field name | Value |
| User or service identity | user |
For example,
"user":{
"username": "fop-myname-test",
"groups":[
"system: authenticated"
]
}
|
|
Target (Fields and values that call the API) |
objectRef |
For example,
"objectRef": {
"apiGroup": "virtualmachine.gdc.goog",
"apiVersion": "v1",
"name": "vm1",
"namespace": "myusername-test",
"resource": "virtualmachines"
}
|
|
Action (Fields containing the performed operation) |
verb |
"verb": "patch" |
| Event timestamp | requestReceivedTimestamp |
For example,
|
| Source of action | _gdch_cluster |
For example,
|
| Outcome | responseStatus |
For example,
"responseStatus": {
"code": 415,
"message": "the body of the request was in an unknown format - accepted media types include: application/json-patch+json, application/merge-patch+json, application/apply-patch+yaml",
"metadata": {},
"reason": "UnsupportedMediaType",
"status": "Failure"
}
|
| Other fields | Not applicable | Not applicable |
Example log
{
"_gdch_cluster": "org-1-admin",
"_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-rxgp7",
"_gdch_org_id": "org-1.zone1.google.gdch.test",
"_gdch_org_name": "org-1",
"annotations": {
"authorization.k8s.io/decision": "allow",
"authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"vmm-controller\" of ClusterRole \"vmm-controller\" to ServiceAccount \"vmm-controller/vm-system\""
},
"apiVersion": "audit.k8s.io/v1",
"auditID": "f094a667-adc8-46cf-9ce7-e0f534b792a9",
"kind": "Event",
"level": "Metadata",
"objectRef": {
"apiGroup": "virtualmachine.gdc.goog",
"apiVersion": "v1",
"name": "vm1",
"namespace": "myusername-test",
"resource": "virtualmachines"
},
"requestReceivedTimestamp": "2023-09-19T21:42:20.229318Z",
"requestURI": "/apis/virtualmachine.gdc.goog/v1/namespaces/myusername-test/virtualmachines/vm1",
"responseStatus": {
"code": 415,
"message": "the body of the request was in an unknown format - accepted media types include: application/json-patch+json, application/merge-patch+json, application/apply-patch+yaml",
"metadata": {},
"reason": "UnsupportedMediaType",
"status": "Failure"
},
"sourceIPs": [
"10.201.64.17"
],
"stage": "ResponseComplete",
"stageTimestamp": "2023-09-19T21:42:20.230057Z",
"user": {
"extra": {
"authentication.kubernetes.io/pod-name": [
"vmm-controller-588b67d499-p7qzv"
],
"authentication.kubernetes.io/pod-uid": [
"b5bec7d9-d813-4c9d-a2c6-7c8b2ab7ae9c"
]
},
"groups": [
"system:serviceaccounts",
"system:serviceaccounts:vm-system",
"system:authenticated"
],
"uid": "24a689d1-aabb-4738-9576-eb3a56e5c3d4",
"username": "system:serviceaccount:vm-system:vmm-controller"
},
"userAgent": "vmm-controller/v0.0.0 (linux/amd64) kubernetes/$Format",
"verb": "patch"
}
Delete a VM
| Fields in the log entry that contain audit information | ||
|---|---|---|
| Audit metadata | Audit field name | Value |
| User or service identity | user |
For example,
"user": {
"groups": [
"system:masters",
"system:authenticated"
],
"username": "kubernetes-admin"
}
|
|
Target (Fields and values that call the API) |
objectRef |
For example,
"objectRef": {
"apiGroup": "virtualmachine.gdc.goog",
"apiVersion": "v1",
"name": "vm1",
"namespace": "myusername-test",
"resource": "virtualmachines"
}
|
|
Action (Fields containing the performed operation) |
verb |
"verb": "delete" |
| Event timestamp | requestReceivedTimestamp |
For example,
|
| Source of action | _gdch_cluster |
For example,
|
| Outcome | responseStatus |
For example,
"responseStatus": {
"code": 200,
"metadata": {}
}
|
| Other fields | Not applicable | Not applicable |
Example log
{
"_gdch_cluster": "org-1-admin",
"_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-tzdxt",
"_gdch_org_id": "org-1.zone1.google.gdch.test",
"_gdch_org_name": "org-1",
"annotations": {
"authorization.k8s.io/decision": "allow",
"authorization.k8s.io/reason": ""
},
"apiVersion": "audit.k8s.io/v1",
"auditID": "b487c3cf-3eda-4cc9-bb5f-1d9665038ee0",
"kind": "Event",
"level": "Metadata",
"objectRef": {
"apiGroup": "virtualmachine.gdc.goog",
"apiVersion": "v1",
"name": "vm1",
"namespace": "myusername-test",
"resource": "virtualmachines"
},
"requestReceivedTimestamp": "2023-09-19T20:58:25.165020Z",
"requestURI": "/apis/virtualmachine.gdc.goog/v1/namespaces/myusername-test/virtualmachines/vm1",
"responseStatus": {
"code": 200,
"metadata": {}
},
"sourceIPs": [
"10.200.0.6"
],
"stage": "ResponseComplete",
"stageTimestamp": "2023-09-19T20:58:25.181044Z",
"user": {
"groups": [
"system:masters",
"system:authenticated"
],
"username": "kubernetes-admin"
},
"userAgent": "kubectl/v1.23.5 (linux/amd64) kubernetes/c285e78",
"verb": "delete"
}
Create a VM disk
| Fields in the log entry that contain audit information | ||
|---|---|---|
| Audit metadata | Audit field name | Value |
| User or service identity | user |
For example,
"user": {
"groups": [
"system:authenticated"
],
"username": "fop-myusername"
}
|
|
Target (Fields and values that call the API) |
objectRef |
For example,
"objectRef": {
"apiGroup": "virtualmachine.gdc.goog",
"apiVersion": "v1",
"name": "vm1-boot-disk",
"namespace": "myusername-test",
"resource": "virtualmachinedisks"
}
|
|
Action (Fields containing the performed operation) |
verb |
"verb": "create" |
| Event timestamp | requestReceivedTimestamp |
For example,
|
| Source of action | _gdch_cluster |
For example,
|
| Outcome | responseStatus |
For example,
"responseStatus": {
"code": 201,
"metadata": {}
}
|
| Other fields | Not applicable | Not applicable |
Example log
{
"_gdch_cluster": "org-1-admin",
"_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-tzdxt",
"_gdch_org_id": "org-1.zone1.google.gdch.test",
"_gdch_org_name": "org-1",
"annotations": {
"authorization.k8s.io/decision": "allow",
"authorization.k8s.io/reason": "RBAC: allowed by RoleBinding \"fop-myusername-vm-admin/myusername-test\" of Role \"project-vm-admin\" to User \"fop-myusername\"",
"mutation.webhook.admission.k8s.io/round_0_index_12": "{\"configuration\":\"gatekeeper-mutating-webhook-configuration\",\"webhook\":\"mutation.gatekeeper.sh\",\"mutated\":false}"
},
"apiVersion": "audit.k8s.io/v1",
"auditID": "b304923c-1df4-4184-bafd-40161210e85e",
"kind": "Event",
"level": "Metadata",
"objectRef": {
"apiGroup": "virtualmachine.gdc.goog",
"apiVersion": "v1",
"name": "vm1-boot-disk",
"namespace": "myusername-test",
"resource": "virtualmachinedisks"
},
"requestReceivedTimestamp": "2023-09-19T21:16:11.056904Z",
"requestURI": "/apis/virtualmachine.gdc.goog/v1/namespaces/myusername-test/virtualmachinedisks?fieldManager=kubectl-client-side-apply",
"responseStatus": {
"code": 201,
"metadata": {}
},
"sourceIPs": [
"10.200.0.1",
"10.200.0.6"
],
"stage": "ResponseComplete",
"stageTimestamp": "2023-09-19T21:16:11.071123Z",
"user": {
"groups": [
"system:authenticated"
],
"username": "fop-myusername"
},
"userAgent": "kubectl/v1.23.5 (linux/amd64) kubernetes/c285e78",
"verb": "create"
}
List VM disks
| Fields in the log entry that contain audit information | ||
|---|---|---|
| Audit metadata | Audit field name | Value |
| User or service identity | user |
For example,
"user": {
"groups": [
"system:authenticated"
],
"username": "fop-myusername"
}
|
|
Target (Fields and values that call the API) |
objectRef |
For example,
"objectRef": {
"apiGroup": "virtualmachine.gdc.goog",
"apiVersion": "v1",
"namespace": "myusername-test",
"resource": "virtualmachinedisks"
}
|
|
Action (Fields containing the performed operation) |
verb |
"verb": "list" |
| Event timestamp | requestReceivedTimestamp |
For example,
|
| Source of action | _gdch_cluster |
For example,
|
| Outcome | responseStatus |
For example,
"responseStatus": {
"code": 200,
"metadata": {}
}
|
| Other fields | Not applicable | Not applicable |
Example log
{
"_gdch_cluster": "org-1-admin",
"_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-l7p8r",
"_gdch_org_id": "org-1.zone1.google.gdch.test",
"_gdch_org_name": "org-1",
"annotations": {
"authorization.k8s.io/decision": "allow",
"authorization.k8s.io/reason": "RBAC: allowed by RoleBinding \"fop-myusername-vm-admin/myusername-test\" of Role \"project-vm-admin\" to User \"fop-myusername\""
},
"apiVersion": "audit.k8s.io/v1",
"auditID": "3d71f7fd-11d0-4ed7-9d8c-a9bf9f61b46d",
"kind": "Event",
"level": "Metadata",
"objectRef": {
"apiGroup": "virtualmachine.gdc.goog",
"apiVersion": "v1",
"namespace": "myusername-test",
"resource": "virtualmachinedisks"
},
"requestReceivedTimestamp": "2023-09-19T21:18:43.108931Z",
"requestURI": "/apis/virtualmachine.gdc.goog/v1/namespaces/myusername-test/virtualmachinedisks?limit=500",
"responseStatus": {
"code": 200,
"metadata": {}
},
"sourceIPs": [
"10.200.0.1",
"10.200.0.7"
],
"stage": "ResponseComplete",
"stageTimestamp": "2023-09-19T21:18:43.137015Z",
"user": {
"groups": [
"system:authenticated"
],
"username": "fop-myusername"
},
"userAgent": "kubectl/v1.23.5 (linux/amd64) kubernetes/c285e78",
"verb": "list"
}
Delete a VM disk
| Fields in the log entry that contain audit information | ||
|---|---|---|
| Audit metadata | Audit field name | Value |
| User or service identity | user |
For example,
"user":{
"username": "fop-myname-test",
"groups":[
"system: authenticated"
]
}
|
|
Target (Fields and values that call the API) |
objectRef |
For example,
"objectRef":{
"namespace":"foo",
"resource":"virtualmachinedisks",
"apiGroup":"virtualmachine.gdc.goog",
"name":"vm1-boot-disk",
"apiVersion":"v1"
}
|
|
Action (Fields containing the performed operation) |
verb |
"verb":"delete" |
| Event timestamp | requestReceivedTimestamp |
For example,
|
| Source of action | _gdch_cluster |
For example,
|
| Outcome | responseStatus |
For example,
"responseStatus":{
"metadata":{},
"code":200
}
|
| Other fields | Not applicable | Not applicable |
Example log
{
"_gdch_cluster":"org-1-admin",
"_gdch_fluentbit_pod":"anthos-audit-logs-forwarder-8z2rm",
"_gdch_service_name":"apiserver",
"apiVersion":"audit.k8s.io/v1",
"auditID":"ba0344d7-283f-4d79-aabc-e083al9b053a",
"kind":"Event",
"level":"Metadata",
"objectRef":{
"namespace":"foo",
"resource":"virtualmachinedisks",
"apiGroup":"virtualmachine.gdc.goog",
"apiVersion":"v1",
"name":"vm1-boot-disk"
},
"requestReceivedTimestamp":"2022-11-11T22:02:02.034688Z",
"requestURI":"/apis/virtualmachine.gdc.goog/v1/namespaces/foo/virtualmachinedisks/vm1-boot-disk",
"responseStatus":{
"metadata":{},
"code":200
},
"sourceIPs":["10.142.5.147"],
"stage":"ResponseComplete",
"stageTimestamp":"2022-11-11T22:02:02.045045Z",
"tsNs":1668204122074601081,
"user":{
"username": "fop-myname-test",
"groups":[
"system: authenticated"
]
},
"userAgent":"kubectl/v1.23.5 (linux/amd64) kubernetes/c285e78",
"verb":"delete"
}
List VM types
| Fields in the log entry that contain audit information | ||
|---|---|---|
| Audit metadata | Audit field name | Value |
| User or service identity | user |
For example,
"user":{
"username": "fop-myname-test",
"groups":[
"system: authenticated"
]
}
|
|
Target (Fields and values that call the API) |
objectRef |
For example,
"objectRef":{
"resource":"virtualmachinetypes",
"apiGroup":"virtualmachine.gdc.goog",
"apiVersion":"v1"
}
|
|
Action (Fields containing the performed operation) |
verb |
"verb":"list" |
| Event timestamp | requestReceivedTimestamp |
For example,
|
| Source of action | _gdch_cluster |
For example,
|
| Outcome | responseStatus |
For example,
"responseStatus":{
"metadata":{},
"code":200
}
|
| Other fields | Not applicable | Not applicable |
Example log
{
"_gdch_cluster":"org-1-admin",
"_gdch_fluentbit_pod":"anthos-audit-logs-forwarder-8z2rm",
"_gdch_service_name":"apiserver",
"annotations":{
"authorization.k8s.io/decision":"allow",
"authorization.k8s.io/reason":"RBAC: allowed by RoleBinding 'g-vm-admin-binding/foo' of Role 'g-vm-admin' to User 'fop-myname-test'"
},
"apiVersion":"audit.k8s.io/v1",
"auditID":"ba0344d7-283f-4d79-aabc-e083al9b053a",
"kind":"Event",
"level":"Metadata",
"objectRef":{
"resource":"virtualmachinetypes",
"apiGroup":"virtualmachine.gdc.goog",
"apiVersion":"v1"
},
"requestReceivedTimestamp":"2022-11-11T22:02:02.034688Z",
"requestURI":"/apis/virtualmachine.gdc.goog/v1/virtualmachinetypes?limit=500",
"responseStatus":{
"metadata":{},
"code":200
},
"sourceIPs":["10.142.5.147"],
"stage":"ResponseComplete",
"stageTimestamp":"2022-11-11T22:02:02.045045Z",
"tsNs":1668204122074601081,
"user":{
"username": "fop-myname-test",
"groups":[
"system: authenticated"
]
},
"userAgent":"kubectl/v1.23.5 (linux/amd64) kubernetes/c285e78",
"verb":"list"
}
Create a VM type
| Fields in the log entry that contain audit information | ||
|---|---|---|
| Audit metadata | Audit field name | Value |
| User or service identity | user |
For example,
"user":{
"username": "fop-myname-test",
"groups":[
"system: authenticated"
]
}
|
|
Target (Fields and values that call the API) |
objectRef |
For example,
"objectRef":{
"resource":"virtualmachinetypes",
"apiGroup":"virtualmachine.gdc.goog",
"name":"test-type",
"apiVersion":"v1"
}
|
|
Action (Fields containing the performed operation) |
verb |
"verb":"create" |
| Event timestamp | requestReceivedTimestamp |
For example,
|
| Source of action | _gdch_cluster |
For example,
|
| Outcome | responseStatus |
For example,
"responseStatus":{
"metadata":{},
"code":201
}
|
| Other fields | Not applicable | Not applicable |
Example log
{
"_gdch_cluster":"org-1-admin",
"_gdch_fluentbit_pod":"anthos-audit-logs-forwarder-8z2rm",
"_gdch_service_name":"apiserver",
"annotations":{
"authorization.k8s.io/decision":"allow",
"authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding 'g-pa-system-binding' of ClusterRole 'g-system-cluster-admin' to User 'fop-myname-test'"
},
"apiVersion":"audit.k8s.io/v1",
"auditID":"ba0344d7-283f-4d79-aabc-e083al9b053a",
"kind":"Event",
"level":"Metadata",
"objectRef":{
"resource":"virtualmachinetypes",
"apiGroup":"virtualmachine.gdc.goog",
"name":"test-type",
"apiVersion":"v1"
},
"requestReceivedTimestamp":"2022-11-11T22:02:02.034688Z",
"requestURI":"/apis/virtualmachine.gdc.goog/v1/virtualmachinetypes?fieldManager=kubectl-client-side-apply",
"responseStatus":{
"metadata":{},
"code":201
},
"sourceIPs":["10.142.5.147"],
"stage":"ResponseComplete",
"stageTimestamp":"2022-11-11T22:02:02.045045Z",
"tsNs":1668204122074601081,
"user":{
"username": "fop-myname-test",
"groups":[
"system: authenticated"
]
},
"userAgent":"kubectl/v1.23.5 (linux/amd64) kubernetes/c285e78",
"verb":"create"
}
Delete a VM type
| Fields in the log entry that contain audit information | ||
|---|---|---|
| Audit metadata | Audit field name | Value |
| User or service identity | user |
For example,
"user":{
"username": "fop-myname-test",
"groups":[
"system: authenticated"
]
}
|
|
Target (Fields and values that call the API) |
objectRef |
For example,
"objectRef":{
"resource":"virtualmachinetypes",
"apiGroup":"virtualmachine.gdc.goog",
"name":"test-type",
"apiVersion":"v1"
}
|
|
Action (Fields containing the performed operation) |
verb |
"verb":"delete" |
| Event timestamp | requestReceivedTimestamp |
For example,
|
| Source of action | _gdch_cluster |
For example,
|
| Outcome | responseStatus |
For example,
"responseStatus":{
"metadata":{},
"code":200,
"status":"Success"
}
|
| Other fields | Not applicable | Not applicable |
Example log
{
"_gdch_cluster":"org-1-admin",
"_gdch_fluentbit_pod":"anthos-audit-logs-forwarder-8z2rm",
"_gdch_service_name":"apiserver",
"annotations":{
"authorization.k8s.io/decision":"allow",
"authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding 'g-pa-system-binding' of ClusterRole 'g-system-cluster-admin' to User 'fop-myname-test'"
},
"apiVersion":"audit.k8s.io/v1",
"auditID":"ba0344d7-283f-4d79-aabc-e083al9b053a",
"kind":"Event",
"level":"Metadata",
"objectRef":{
"resource":"virtualmachinetypes",
"apiGroup":"virtualmachine.gdc.goog",
"name":"test-type",
"apiVersion":"v1"
},
"requestReceivedTimestamp":"2022-11-11T22:02:02.034688Z",
"requestURI":"/apis/virtualmachine.gdc.goog/v1/virtualmachinetypes/test-type",
"responseStatus":{
"metadata":{},
"code":200,
"status":"Success"
},
"sourceIPs":["10.142.5.147"],
"stage":"ResponseComplete",
"stageTimestamp":"2022-11-11T22:02:02.045045Z",
"tsNs":1668204122074601081,
"user":{
"username": "fop-myname-test",
"groups":[
"system: authenticated"
]
},
"userAgent":"kubectl/v1.23.5 (linux/amd64) kubernetes/c285e78",
"verb":"delete"
}
Update a VM type
| Fields in the log entry that contain audit information | ||
|---|---|---|
| Audit metadata | Audit field name | Value |
| User or service identity | user |
For example,
"user":{
"username": "fop-myname-test",
"groups":[
"system: authenticated"
]
}
|
|
Target (Fields and values that call the API) |
objectRef |
For example,
"objectRef":{
"resource":"virtualmachinetypes",
"apiGroup":"virtualmachine.gdc.goog",
"name":"test-type",
"apiVersion":"v1"
}
|
|
Action (Fields containing the performed operation) |
verb |
"verb":"patch" |
| Event timestamp | requestReceivedTimestamp |
For example,
|
| Source of action | _gdch_cluster |
For example,
|
| Outcome | responseStatus |
For example,
"responseStatus":{
"metadata":{},
"code":200
}
|
| Other fields | Not applicable | Not applicable |
Example log
{
"_gdch_cluster":"org-1-admin",
"_gdch_fluentbit_pod":"anthos-audit-logs-forwarder-8z2rm",
"_gdch_service_name":"apiserver",
"annotations":{
"authorization.k8s.io/decision":"allow",
"authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding 'g-pa-system-binding' of ClusterRole 'g-system-cluster-admin' to User 'fop-myname-test'"
},
"apiVersion":"audit.k8s.io/v1",
"auditID":"ba0344d7-283f-4d79-aabc-e083al9b053a",
"kind":"Event",
"level":"Metadata",
"objectRef":{
"resource":"virtualmachinetypes",
"apiGroup":"virtualmachine.gdc.goog",
"name":"test-type",
"apiVersion":"v1"
},
"requestReceivedTimestamp":"2022-11-11T22:02:02.034688Z",
"requestURI":"/apis/virtualmachine.gdc.goog/v1/virtualmachinetypes/test-type?fieldManager=kubectl-client-side-apply",
"responseStatus":{
"metadata":{},
"code":200
},
"sourceIPs":["10.142.5.147"],
"stage":"ResponseComplete",
"stageTimestamp":"2022-11-11T22:02:02.045045Z",
"tsNs":1668204122074601081,
"user":{
"username": "fop-myname-test",
"groups":[
"system: authenticated"
]
},
"userAgent":"kubectl/v1.23.5 (linux/amd64) kubernetes/c285e78",
"verb":"patch"
}
Create a VM access request
| Fields in the log entry that contain audit information | ||
|---|---|---|
| Audit metadata | Audit field name | Value |
| User or service identity | user |
For example,
"user":{
"username": "fop-myname-test",
"groups":[
"system: authenticated"
]
}
|
|
Target (Fields and values that call the API) |
objectRef |
For example,
"objectRef":{
"namespace":"foo",
"resource":"virtualmachineaccessrequests",
"apiGroup":"virtualmachine.gdc.goog",
"apiVersion":"v1"
}
|
|
Action (Fields containing the performed operation) |
verb |
"verb":"create" |
| Event timestamp | requestReceivedTimestamp |
For example,
|
| Source of action | _gdch_cluster |
For example,
|
| Outcome | responseStatus |
For example,
"responseStatus":{
"metadata":{},
"code":201
}
|
| Other fields | Not applicable | Not applicable |
Example log
{
"_gdch_cluster":"org-1-admin",
"_gdch_fluentbit_pod":"anthos-audit-logs-forwarder-8z2rm",
"_gdch_service_name":"apiserver",
"annotations":{
"authorization.k8s.io/decision":"allow",
"authorization.k8s.io/reason":"RBAC: allowed by RoleBinding 'g-vm-admin-binding/foo' of Role 'g-vm-admin' to User 'fop-myname-test'"
},
"apiVersion":"audit.k8s.io/v1",
"auditID":"ba0344d7-283f-4d79-aabc-e083al9b053a",
"kind":"Event",
"level":"Metadata",
"objectRef":{
"namespace":"foo",
"resource":"virtualmachineaccessrequests",
"apiGroup":"virtualmachine.gdc.goog",
"apiVersion":"v1"
},
"requestReceivedTimestamp":"2022-11-11T22:02:02.034688Z",
"requestURI":"/apis/virtualmachine.gdc.goog/v1/namespaces/foo/virtualmachineaccessrequests?fieldManager=kubectl-create",
"responseStatus":{
"metadata":{},
"code":201
},
"sourceIPs":["10.142.5.147"],
"stage":"ResponseComplete",
"stageTimestamp":"2022-11-11T22:02:02.045045Z",
"tsNs":1668204122074601081,
"user":{
"username": "fop-myname-test",
"groups":[
"system: authenticated"
]
},
"userAgent":"kubectl/v1.23.5 (linux/amd64) kubernetes/c285e78",
"verb":"create"
}
List VM access requests
| Fields in the log entry that contain audit information | ||
|---|---|---|
| Audit metadata | Audit field name | Value |
| User or service identity | user |
For example,
"user":{
"username": "fop-myname-test",
"groups":[
"system: authenticated"
]
}
|
|
Target (Fields and values that call the API) |
objectRef |
For example,
"objectRef":{
"namespace":"foo",
"resource":"virtualmachineaccessrequests",
"apiGroup":"virtualmachine.gdc.goog",
"apiVersion":"v1"
}
|
|
Action (Fields containing the performed operation) |
verb |
"verb":"list" |
| Event timestamp | requestReceivedTimestamp |
For example,
|
| Source of action | _gdch_cluster |
For example,
|
| Outcome | responseStatus |
For example,
"responseStatus":{
"metadata":{},
"code":200
}
|
| Other fields | Not applicable | Not applicable |
Example log
{
"_gdch_cluster":"org-1-admin",
"_gdch_fluentbit_pod":"anthos-audit-logs-forwarder-8z2rm",
"_gdch_service_name":"apiserver",
"annotations":{
"authorization.k8s.io/decision":"allow",
"authorization.k8s.io/reason":"RBAC: allowed by RoleBinding 'g-vm-admin-binding/foo' of Role 'g-vm-admin' to User 'fop-myname-test'"
},
"apiVersion":"audit.k8s.io/v1",
"auditID":"ba0344d7-283f-4d79-aabc-e083al9b053a",
"kind":"Event",
"level":"Metadata",
"objectRef":{
"namespace":"foo",
"resource":"virtualmachineaccessrequests",
"apiGroup":"virtualmachine.gdc.goog",
"apiVersion":"v1"
},
"requestReceivedTimestamp":"2022-11-11T22:02:02.034688Z",
"requestURI":"/apis/virtualmachine.gdc.goog/v1/namespaces/foo/virtualmachineaccessrequests?limit=500",
"responseStatus":{
"metadata":{},
"code":200
},
"sourceIPs":["10.142.5.147"],
"stage":"ResponseComplete",
"stageTimestamp":"2022-11-11T22:02:02.045045Z",
"tsNs":1668204122074601081,
"user":{
"username": "fop-myname-test",
"groups":[
"system: authenticated"
]
},
"userAgent":"kubectl/v1.23.5 (linux/amd64) kubernetes/c285e78",
"verb":"list"
}
Delete a VM access request
| Fields in the log entry that contain audit information | ||
|---|---|---|
| Audit metadata | Audit field name | Value |
| User or service identity | user |
For example,
"user":{
"username": "fop-myname-test",
"groups":[
"system: authenticated"
]
}
|
|
Target (Fields and values that call the API) |
objectRef |
For example,
"objectRef":{
"namespace":"foo",
"resource":"virtualmachineaccessrequests",
"apiGroup":"virtualmachine.gdc.goog",
"name":"vm1-jdc9c",
"apiVersion":"v1"
}
|
|
Action (Fields containing the performed operation) |
verb |
"verb":"delete" |
| Event timestamp | requestReceivedTimestamp |
For example,
|
| Source of action | _gdch_cluster |
For example,
|
| Outcome | responseStatus |
For example,
"responseStatus":{
"metadata":{},
"code":200
}
|
| Other fields | Not applicable | Not applicable |
Example log
{
"_gdch_cluster":"org-1-admin",
"_gdch_fluentbit_pod":"anthos-audit-logs-forwarder-8z2rm",
"_gdch_service_name":"apiserver",
"annotations":{
"authorization.k8s.io/decision":"allow",
"authorization.k8s.io/reason":"RBAC: allowed by RoleBinding 'g-vm-admin-binding/foo' of Role 'g-vm-admin' to User 'fop-myname-test'"
},
"apiVersion":"audit.k8s.io/v1",
"auditID":"ba0344d7-283f-4d79-aabc-e083al9b053a",
"kind":"Event",
"level":"Metadata",
"objectRef":{
"namespace":"foo",
"resource":"virtualmachineaccessrequests",
"apiGroup":"virtualmachine.gdc.goog",
"name":"vm1-jdc9c",
"apiVersion":"v1"
},
"requestReceivedTimestamp":"2022-11-11T22:02:02.034688Z",
"requestURI":"/apis/virtualmachine.gdc.goog/v1/namespaces/foo/virtualmachineaccessrequests/vm1-jdc9c",
"responseStatus":{
"metadata":{},
"code":200
},
"sourceIPs":["10.142.5.147"],
"stage":"ResponseComplete",
"stageTimestamp":"2022-11-11T22:02:02.045045Z",
"tsNs":1668204122074601081,
"user":{
"username": "fop-myname-test",
"groups":[
"system: authenticated"
]
},
"userAgent":"kubectl/v1.23.5 (linux/amd64) kubernetes/c285e78",
"verb":"delete"
}
List VM images
| Fields in the log entry that contain audit information | ||
|---|---|---|
| Audit metadata | Audit field name | Value |
| User or service identity | user |
For example,
"user":{
"username": "system:serviceaccount:gatekeeper-system:gatekeeper-admin",
"uid":"225d02e7-ee06-42c9-a561-df1945d83224",
"groups":[
"system:serviceaccounts",
"system:serviceaccounts:gatekeeper-system",
"system: authenticated"
]
}
|
|
Target (Fields and values that call the API) |
objectRef |
For example,
"objectRef":{
"resource":"virtualmachineimage",
"apiGroup":"virtualmachineview.gdc.goog",
"apiVersion":"v1alpha1"
}
|
|
Action (Fields containing the performed operation) |
verb |
"verb":"list" |
| Event timestamp | requestReceivedTimestamp |
For example,
|
| Source of action | _gdch_cluster |
For example,
|
| Outcome | responseStatus |
For example,
"responseStatus":{
"metadata":{},
"code":200
}
|
| Other fields | Not applicable | Not applicable |
Example log
{
"_gdch_cluster":"org-1-admin",
"_gdch_fluentbit_pod":"anthos-audit-logs-forwarder-8z2rm",
"_gdch_service_name":"apiserver",
"annotations":{
"authorization.k8s.io/decision":"allow",
"authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding 'gatekeeper-manager-rolebinding' of ClusterRole 'gatekeeper-manager-role' to ServiceAccount 'gatekeeper-admin/gatekeeper-system'"
},
"apiVersion":"audit.k8s.io/v1",
"auditID":"ba0344d7-283f-4d79-aabc-e083al9b053a",
"kind":"Event",
"level":"Metadata",
"objectRef":{
"resource":"virtualmachineimage",
"apiGroup":"virtualmachineview.gdc.goog",
"apiVersion":"v1alpha1"
},
"requestReceivedTimestamp":"2022-11-11T22:02:02.034688Z",
"requestURI":"/apis/virtualmachineview.gdc.goog/v1alpha1/virtualmachineimage?limit=500",
"responseStatus":{
"metadata":{},
"code":200
},
"sourceIPs":["10.142.5.147"],
"stage":"ResponseComplete",
"stageTimestamp":"2022-11-11T22:02:02.045045Z",
"tsNs":1668204122074601081,
"user":{
"username": "system:serviceaccount:gatekeeper-system:gatekeeper-admin",
"uid":"225d02e7-ee06-42c9-a561-df1945d83224",
"groups":[
"system:serviceaccounts",
"system:serviceaccounts:gatekeeper-system",
"system: authenticated"
]
},
"userAgent":"gatekeeper/v3.7.0 (linux/amd64) 3ba8e93/2021-11-15T20:59:44Z",
"verb":"list"
}
Create a VM image import
| Fields in the log entry that contain audit information | ||
|---|---|---|
| Audit metadata | Audit field name | Value |
| User or service identity | user |
For example,
"user":{
"username": "kubernetes-admin",
"groups":[
"system:masters",
"system: authenticated"
]
}
|
|
Target (Fields and values that call the API) |
objectRef |
For example,
"objectRef":{
"namespace":"foo",
"resource":"virtualmachineimageimports",
"apiGroup":"virtualmachine.gdc.goog",
"apiVersion":"v1alpha1",
"name":"import-1"
}
|
|
Action (Fields containing the performed operation) |
verb |
"verb":"create" |
| Event timestamp | requestReceivedTimestamp |
For example,
|
| Source of action | _gdch_cluster |
For example,
|
| Outcome | responseStatus |
For example,
"responseStatus":{
"metadata":{},
"code":201
}
|
| Other fields | Not applicable | Not applicable |
Example log
{
"_gdch_cluster":"org-1-admin",
"_gdch_fluentbit_pod":"anthos-audit-logs-forwarder-8z2rm",
"_gdch_service_name":"apiserver",
"annotations":{
"apiserver.latency.k8s.io/response-write":"1.476μs",
"authorization.k8s.io/reason":"",
"apiserver.latency.k8s.io/serialize-response-object":"71.971μs",
"authorization.k8s.io/decision":"allow",
"apiserver.latency.k8s.io/total":"7.405669466s",
"apiserver.latency.k8s.io/validating-webhook":"7.395358418s",
"apiserver.latency.k8s.io/transform-response-object":"2.358μs"
},
"apiVersion":"audit.k8s.io/v1",
"auditID":"ba0344d7-283f-4d79-aabc-e083al9b053a",
"kind":"Event",
"level":"Metadata",
"objectRef":{
"namespace":"foo",
"resource":"virtualmachineimageimports",
"apiGroup":"virtualmachine.gdc.goog",
"apiVersion":"v1alpha1",
"name":"import-1"
},
"requestReceivedTimestamp":"2022-11-11T22:02:02.034688Z",
"requestURI":"/apis/virtualmachine.gdc.goog/v1alpha1/namespaces/foo/virtualmachineimageimports?fieldManager=kubectl-client-side-apply",
"responseStatus":{
"metadata":{},
"code":201
},
"sourceIPs":["10.142.5.147"],
"stage":"ResponseComplete",
"stageTimestamp":"2022-11-11T22:02:02.045045Z",
"tsNs":1668204122074601081,
"user":{
"username": "kubernetes-admin",
"groups":[
"system:masters",
"system: authenticated"
]
},
"userAgent":"kubectl/v1.23.5 (linux/amd64) kubernetes/c285e78",
"verb":"create"
}
List VM image imports
| Fields in the log entry that contain audit information | ||
|---|---|---|
| Audit metadata | Audit field name | Value |
| User or service identity | user |
For example,
"user":{
"username": "system:serviceaccount:gatekeeper-system:gatekeeper-admin",
"groups":[
"system:serviceaccounts",
"system:serviceaccounts:gatekeeper-system",
"system: authenticated"
]
}
|
|
Target (Fields and values that call the API) |
objectRef |
For example,
"objectRef":{
"resource":"virtualmachineimageimports",
"apiGroup":"virtualmachine.gdc.goog",
"apiVersion":"v1alpha1"
}
|
|
Action (Fields containing the performed operation) |
verb |
"verb":"list" |
| Event timestamp | requestReceivedTimestamp |
For example,
|
| Source of action | _gdch_cluster |
For example,
|
| Outcome | responseStatus |
For example,
"responseStatus":{
"metadata":{},
"code":201
}
|
| Other fields | Not applicable | Not applicable |
Example log
{
"_gdch_cluster":"org-1-admin",
"_gdch_fluentbit_pod":"anthos-audit-logs-forwarder-8z2rm",
"_gdch_service_name":"apiserver",
"apiVersion":"audit.k8s.io/v1",
"auditID":"ba0344d7-283f-4d79-aabc-e083al9b053a",
"kind":"Event",
"level":"Metadata",
"objectRef":{
"resource":"virtualmachineimageimports",
"apiGroup":"virtualmachine.gdc.goog",
"apiVersion":"v1alpha1"
},
"requestReceivedTimestamp":"2022-11-11T22:02:02.034688Z",
"requestURI":"/apis/virtualmachine.gdc.goog/v1alpha1/virtualmachineimageimports?limit=500",
"responseStatus":{
"metadata":{},
"code":201
},
"sourceIPs":["10.142.5.147"],
"stage":"ResponseComplete",
"stageTimestamp":"2022-11-11T22:02:02.045045Z",
"tsNs":1668204122074601081,
"user":{
"username": "system:serviceaccount:gatekeeper-system:gatekeeper-admin",
"groups":[
"system:serviceaccounts",
"system:serviceaccounts:gatekeeper-system",
"system: authenticated"
]
},
"userAgent":"gatekeeper/v3.7.0 (linux/amd64) 3ba8e93/2021-11-15T20:59:44Z",
"verb":"list"
}
Delete a VM image import
| Fields in the log entry that contain audit information | ||
|---|---|---|
| Audit metadata | Audit field name | Value |
| User or service identity | user |
For example,
"user":{
"username": "kubernetes-admin",
"groups":[
"system:masters",
"system: authenticated"
]
}
|
|
Target (Fields and values that call the API) |
objectRef |
For example,
"objectRef":{
"namespace":"foo",
"resource":"virtualmachineimageimports",
"apiGroup":"virtualmachine.gdc.goog",
"name":"import-1",
"apiVersion":"v1alpha1"
}
|
|
Action (Fields containing the performed operation) |
verb |
"verb":"delete" |
| Event timestamp | requestReceivedTimestamp |
For example,
|
| Source of action | _gdch_cluster |
For example,
|
| Outcome | responseStatus |
For example,
"responseStatus":{
"metadata":{},
"code":200
}
|
| Other fields | Not applicable | Not applicable |
Example log
{
"_gdch_cluster":"org-1-admin",
"_gdch_fluentbit_pod":"anthos-audit-logs-forwarder-8z2rm",
"_gdch_service_name":"apiserver",
"apiVersion":"audit.k8s.io/v1",
"auditID":"ba0344d7-283f-4d79-aabc-e083al9b053a",
"kind":"Event",
"level":"Metadata",
"objectRef":{
"namespace":"foo",
"resource":"virtualmachineimageimports",
"apiGroup":"virtualmachine.gdc.goog",
"name":"import-1",
"apiVersion":"v1alpha1"
},
"requestReceivedTimestamp":"2022-11-11T22:02:02.034688Z",
"requestURI":"/apis/virtualmachine.gdc.goog/v1alpha1/namespaces/foo/virtualmachineimageimports/import-1",
"responseStatus":{
"metadata":{},
"code":200
},
"sourceIPs":["10.142.5.147"],
"stage":"ResponseComplete",
"stageTimestamp":"2022-11-11T22:02:02.045045Z",
"tsNs":1668204122074601081,
"user":{
"username": "kubernetes-admin",
"groups":[
"system:masters",
"system: authenticated"
]
},
"userAgent":"kubectl/v1.23.5 (linux/amd64) kubernetes/c285e78",
"verb":"delete"
}
Create an external access policy
| Fields in the log entry that contain audit information | ||
|---|---|---|
| Audit metadata | Audit field name | Value |
| User or service identity | user |
For example,
"user": {
"groups": [
"system:masters",
"system:authenticated"
],
"username": "kubernetes-admin"
}
|
|
Target (Fields and values that call the API) |
objectRef |
For example,
"objectRef": {
"apiGroup": "virtualmachine.gdc.goog",
"apiVersion": "v1",
"name": "vm1",
"namespace": "myusername-test",
"resource": "virtualmachineexternalaccesses"
}
|
|
Action (Fields containing the performed operation) |
verb |
"verb": "create" |
| Event timestamp | requestReceivedTimestamp |
For example,
|
| Source of action | _gdch_cluster |
For example,
|
| Outcome | responseStatus |
For example,
"responseStatus": {
"code": 201,
"metadata": {}
}
|
| Other fields | Not applicable | Not applicable |
Example log
{
"_gdch_cluster": "org-1-admin",
"_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-tzdxt",
"_gdch_org_id": "org-1.zone1.google.gdch.test",
"_gdch_org_name": "org-1",
"annotations": {
"authorization.k8s.io/decision": "allow",
"authorization.k8s.io/reason": "",
"mutation.webhook.admission.k8s.io/round_0_index_12": "{\"configuration\":\"gatekeeper-mutating-webhook-configuration\",\"webhook\":\"mutation.gatekeeper.sh\",\"mutated\":false}"
},
"apiVersion": "audit.k8s.io/v1",
"auditID": "07306f01-f06e-44bf-ae6d-45447b14ea23",
"kind": "Event",
"level": "Metadata",
"objectRef": {
"apiGroup": "virtualmachine.gdc.goog",
"apiVersion": "v1",
"name": "vm1",
"namespace": "myusername-test",
"resource": "virtualmachineexternalaccesses"
},
"requestReceivedTimestamp": "2023-09-20T16:58:09.485136Z",
"requestURI": "/apis/virtualmachine.gdc.goog/v1/namespaces/myusername-test/virtualmachineexternalaccesses?fieldManager=kubectl-create",
"responseStatus": {
"code": 201,
"metadata": {}
},
"sourceIPs": [
"10.200.0.6"
],
"stage": "ResponseComplete",
"stageTimestamp": "2023-09-20T16:58:09.501959Z",
"user": {
"groups": [
"system:masters",
"system:authenticated"
],
"username": "kubernetes-admin"
},
"userAgent": "kubectl/v1.23.5 (linux/amd64) kubernetes/c285e78",
"verb": "create"
}
List external access policies
| Fields in the log entry that contain audit information | ||
|---|---|---|
| Audit metadata | Audit field name | Value |
| User or service identity | user |
For example,
"user": {
"groups": [
"system:masters",
"system:authenticated"
],
"username": "kubernetes-admin"
}
|
|
Target (Fields and values that call the API) |
objectRef |
For example,
"objectRef": {
"apiGroup": "virtualmachine.gdc.goog",
"apiVersion": "v1",
"namespace": "myusername-test",
"resource": "virtualmachineexternalaccesses"
}
|
|
Action (Fields containing the performed operation) |
verb |
"verb": "list" |
| Event timestamp | requestReceivedTimestamp |
For example,
|
| Source of action | _gdch_cluster |
For example,
|
| Outcome | responseStatus |
For example,
"responseStatus": {
"code": 200,
"metadata": {}
}
|
| Other fields | Not applicable | Not applicable |
Example log
{
"_gdch_cluster": "org-1-admin",
"_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-tzdxt",
"_gdch_org_id": "org-1.zone1.google.gdch.test",
"_gdch_org_name": "org-1",
"annotations": {
"authorization.k8s.io/decision": "allow",
"authorization.k8s.io/reason": ""
},
"apiVersion": "audit.k8s.io/v1",
"auditID": "a7396e5b-eeee-4821-9b59-c50c98de8137",
"kind": "Event",
"level": "Metadata",
"objectRef": {
"apiGroup": "virtualmachine.gdc.goog",
"apiVersion": "v1",
"namespace": "myusername-test",
"resource": "virtualmachineexternalaccesses"
},
"requestReceivedTimestamp": "2023-09-20T17:06:35.634144Z",
"requestURI": "/apis/virtualmachine.gdc.goog/v1/namespaces/myusername-test/virtualmachineexternalaccesses?limit=500",
"responseStatus": {
"code": 200,
"metadata": {}
},
"sourceIPs": [
"10.200.0.6"
],
"stage": "ResponseComplete",
"stageTimestamp": "2023-09-20T17:06:35.637132Z",
"user": {
"groups": [
"system:masters",
"system:authenticated"
],
"username": "kubernetes-admin"
},
"userAgent": "kubectl/v1.23.5 (linux/amd64) kubernetes/c285e78",
"verb": "list"
}
Update an external access policy
This includes start/stop operations. A restart operation also shows up as two update operations (stop and start) by a service account.
| Fields in the log entry that contain audit information | ||
|---|---|---|
| Audit metadata | Audit field name | Value |
| User or service identity | user |
For example,
"user":{
"groups": [
"system:masters",
"system:authenticated"
],
"username": "kubernetes-admin"
}
|
|
Target (Fields and values that call the API) |
objectRef |
For example,
"objectRef": {
"apiGroup": "virtualmachine.gdc.goog",
"apiVersion": "v1",
"name": "vm1",
"namespace": "myusername-test",
"resource": "virtualmachineexternalaccesses"
}
|
|
Action (Fields containing the performed operation) |
verb |
"verb": "patch" |
| Event timestamp | requestReceivedTimestamp |
For example,
|
| Source of action | _gdch_cluster |
For example,
|
| Outcome | responseStatus |
For example,
"responseStatus": {
"code": 200,
"metadata": {}
}
|
| Other fields | Not applicable | Not applicable |
Example log
{
"_gdch_cluster": "org-1-admin",
"_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-tzdxt",
"_gdch_org_id": "org-1.zone1.google.gdch.test",
"_gdch_org_name": "org-1",
"annotations": {
"authorization.k8s.io/decision": "allow",
"authorization.k8s.io/reason": "",
"mutation.webhook.admission.k8s.io/round_0_index_12": "{\"configuration\":\"gatekeeper-mutating-webhook-configuration\",\"webhook\":\"mutation.gatekeeper.sh\",\"mutated\":false}"
},
"apiVersion": "audit.k8s.io/v1",
"auditID": "e42f6bbb-f192-4119-a674-66e0d1826dfa",
"kind": "Event",
"level": "Metadata",
"objectRef": {
"apiGroup": "virtualmachine.gdc.goog",
"apiVersion": "v1",
"name": "vm1",
"namespace": "myusername-test",
"resource": "virtualmachineexternalaccesses"
},
"requestReceivedTimestamp": "2023-09-20T17:11:00.525104Z",
"requestURI": "/apis/virtualmachine.gdc.goog/v1/namespaces/myusername-test/virtualmachineexternalaccesses/vm1?fieldManager=kubectl-edit",
"responseStatus": {
"code": 200,
"metadata": {}
},
"sourceIPs": [
"10.200.0.6"
],
"stage": "ResponseComplete",
"stageTimestamp": "2023-09-20T17:11:00.538170Z",
"user": {
"groups": [
"system:masters",
"system:authenticated"
],
"username": "kubernetes-admin"
},
"userAgent": "kubectl/v1.23.5 (linux/amd64) kubernetes/c285e78",
"verb": "patch"
}
Delete an external access policy
| Fields in the log entry that contain audit information | ||
|---|---|---|
| Audit metadata | Audit field name | Value |
| User or service identity | user |
For example,
"user": {
"groups": [
"system:masters",
"system:authenticated"
],
"username": "kubernetes-admin"
}
|
|
Target (Fields and values that call the API) |
objectRef |
For example,
"objectRef": {
"apiGroup": "virtualmachine.gdc.goog",
"apiVersion": "v1",
"name": "vm1",
"namespace": "myusername-test",
"resource": "virtualmachineexternalaccesses"
}
|
|
Action (Fields containing the performed operation) |
verb |
"verb": "delete" |
| Event timestamp | requestReceivedTimestamp |
For example,
|
| Source of action | _gdch_cluster |
For example,
|
| Outcome | responseStatus |
For example,
"responseStatus": {
"code": 200,
"details": {
"group": "virtualmachine.gdc.goog",
"kind": "virtualmachineexternalaccesses",
"name": "vm1",
"uid": "d34ef0ad-f889-458f-804f-0086468a0674"
},
"metadata": {},
"status": "Success"
}
|
| Other fields | Not applicable | Not applicable |
Example log
{
"_gdch_cluster": "org-1-admin",
"_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-tzdxt",
"_gdch_org_id": "org-1.zone1.google.gdch.test",
"_gdch_org_name": "org-1",
"annotations": {
"authorization.k8s.io/decision": "allow",
"authorization.k8s.io/reason": ""
},
"apiVersion": "audit.k8s.io/v1",
"auditID": "8290dc63-7aa9-4ab8-92eb-92b2ae6cabca",
"kind": "Event",
"level": "Metadata",
"objectRef": {
"apiGroup": "virtualmachine.gdc.goog",
"apiVersion": "v1",
"name": "vm1",
"namespace": "myusername-test",
"resource": "virtualmachineexternalaccesses"
},
"requestReceivedTimestamp": "2023-09-20T17:13:21.317256Z",
"requestURI": "/apis/virtualmachine.gdc.goog/v1/namespaces/myusername-test/virtualmachineexternalaccesses/vm1",
"responseStatus": {
"code": 200,
"details": {
"group": "virtualmachine.gdc.goog",
"kind": "virtualmachineexternalaccesses",
"name": "vm1",
"uid": "d34ef0ad-f889-458f-804f-0086468a0674"
},
"metadata": {},
"status": "Success"
},
"sourceIPs": [
"10.200.0.6"
],
"stage": "ResponseComplete",
"stageTimestamp": "2023-09-20T17:13:21.330032Z",
"user": {
"groups": [
"system:masters",
"system:authenticated"
],
"username": "kubernetes-admin"
},
"userAgent": "kubectl/v1.23.5 (linux/amd64) kubernetes/c285e78",
"verb": "delete"
}
Restart a VM
| Fields in the log entry that contain audit information | ||
|---|---|---|
| Audit metadata | Audit field name | Value |
| User or service identity | user |
For example,
"user": {
"groups": [
"system:authenticated"
],
"username": "fop-myusername"
}
|
|
Target (Fields and values that call the API) |
requestURI |
It has the following format:
Where namespace and name identify the target object. For example,
|
| Event timestamp | requestReceivedTimestamp |
For example,
|
| Source of action | _gdch_cluster |
For example,
|
| Outcome | responseStatus |
For example,
"responseStatus": {
"code": 202,
"metadata": {}
}
|
| Other fields | Not applicable | Not applicable |
Example log
{
"_gdch_cluster": "org-1-admin",
"_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-rxgp7",
"_gdch_org_id": "org-1.zone1.google.gdch.test",
"_gdch_org_name": "org-1",
"annotations": {
"authorization.k8s.io/decision": "allow",
"authorization.k8s.io/reason": "RBAC: allowed by RoleBinding \"fop-myusername-vm-admin/myusername-test\" of Role \"project-vm-admin\" to User \"fop-myusername\""
},
"apiVersion": "audit.k8s.io/v1",
"auditID": "1446c6b9-f728-4f0d-9a70-aa8361749eef",
"kind": "Event",
"level": "Metadata",
"objectRef": {
"apiGroup": "virtualmachineoperations.gdc.goog",
"apiVersion": "v1",
"name": "vm1",
"namespace": "myusername-test",
"resource": "virtualmachines",
"subresource": "restart"
},
"requestReceivedTimestamp": "2023-09-19T22:27:26.787243Z",
"requestURI": "/apis/virtualmachineoperations.gdc.goog/v1/namespaces/myusername-test/virtualmachines/vm1/restart",
"responseStatus": {
"code": 202,
"metadata": {}
},
"sourceIPs": [
"10.200.0.1",
"10.200.0.5"
],
"stage": "ResponseComplete",
"stageTimestamp": "2023-09-19T22:27:26.929619Z",
"user": {
"groups": [
"system:authenticated"
],
"username": "fop-myusername"
},
"userAgent": "Go-http-client/2.0",
"verb": "update"
}
Review emergency access actions from an IO
The Infrastructure Operator (IO) has permissions to perform all the VMM audited operations described in this document on the system cluster. All their actions are audit logged automatically as part of the Kubernetes audit log.
| Fields in the log entry that contain audit information | ||
|---|---|---|
| Audit metadata | Audit field name | Value |
| User or service identity | user |
For example,
"user": {
"groups": [
"system:masters",
"system:authenticated"
],
"username": "kubernetes-admin"
}
|
|
Target (Fields and values that call the API) |
The VM specific resources have the following pattern for the
|
For example,
"objectRef": {
"resource": "vmruntimes",
"apiGroup": "virtualmachine.private.gdc.goog",
"apiVersion": "v1"
}
|
|
Action (Fields containing the performed operation) |
verb |
"verb":"list" |
| Event timestamp | requestReceivedTimestamp |
For example,
|
| Source of action | _gdch_cluster |
For example,
|
| Outcome | responseStatus |
For example,
"responseStatus": {
"code": 200,
"metadata": {}
}
|
| Other fields | Not applicable | Not applicable |
Example log
{
"_gdch_cluster": "org-1-admin",
"_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-ztsnr",
"responseStatus": {
"code": 200,
"metadata": {}
},
"kind": "Event",
"stageTimestamp": "2022-11-30T00:47:09.475563Z",
"annotations": {
"authorization.k8s.io/decision": "allow",
"authorization.k8s.io/reason": ""
},
"sourceIPs": [
"10.200.1.109"
],
"objectRef": {
"resource": "vmruntimes",
"apiGroup": "virtualmachine.private.gdc.goog",
"apiVersion": "v1"
},
"apiVersion": "audit.k8s.io/v1",
"verb": "list",
"auditID": "fe338dca-f502-4fde-ba25-98bd29341a83",
"level": "Metadata",
"requestURI": "/apis/virtualmachine.private.gdc.goog/v1/vmruntimes",
"user": {
"groups": [
"system:masters",
"system:authenticated"
],
"username": "kubernetes-admin"
},
"stage": "ResponseComplete",
"requestReceivedTimestamp": "2022-11-30T00:47:09.472822Z",
"userAgent": "operator/v0.0.0 (linux/amd64) kubernetes/$Format",
"_gdch_service_name": "apiserver"
}