Database Service

Workload location

Organization only workloads

Audit log source

Kubernetes audit logs

Audited operations

DBClusters

Fields in the log entry that contain audit information
Audit metadata Audit field name Value
User identity user.username

For example,

"user":{"username":"kubernetes-admin"}
  

Target

(Fields and values that call the API)

objectRef

For example,

"objectRef":{
    "name":"emuv2",
    "namespace":"obs-system",
    "resource":"dbclusters",
    "apiGroup":"postgresql.dbadmin.gdc.goog",
    "apiVersion":"v1"
}

Action

(Fields containing the performed operation)

verb
  • "verb":"create"
  • "verb":"update"
  • "verb":"patch"
  • "verb":"list"
Event timestamp requestReceivedTimestamp

For example,

"requestReceivedTimestamp":"2022-11-11T22:02:02.034688Z"

Source of action sourceIPs

For example,

["10.200.0.7"]

Outcome responseStatus

For example,

"responseStatus":{
    "metadata":{},
    "code":201
}

Other fields annotations

For example,

"annotations":{
"mutation.webhook.admission.k8s.io/round_0_index_24":
  "{\"configuration\":\"mutating-webhook-configurati on\",\"webhook\":\"mdbcluster.postgresql.dbadmin.gdc.goog\",\"mutated\":true}",
  "authorization.k8s.io/decision": "allow", "authorization.k8s.io/reason":""}
    

Example log

{
  "userAgent": "kubectl/v1.24.2 (linux/amd64) kubernetes/f66044f",
  "apiVersion": "audit.k8s.io/v1",
  "stageTimestamp": "2022-12-02T23:55:23.818903Z",
  "_gdch_cluster": "org-1-admin",
  "level": "Metadata",
  "auditID": "9365cb9f-9403-446a-a88a-f91b88284acf",
  "verb": "create",
  "stage": "ResponseComplete",
  "requestURI": "/a pis/postgresql.dbadmin.gdc.goog/v1/namespaces/obs-system/dbclusters?fieldManager-kubectl -client-side-apply&fieldValidation=Strict",
  "responseStatus": {
    "metadata": {},
    "code": 201
  },
  "annotations": {
    "mutation.webhook.admission.k8s.io/round_0_index_24": "{\"configuration\":\"mutating-webhook-configurati on\",\"webhook\":\"mdbcluster.postgresql.dbadmin.gdc.goog\",\"mutated\":true}",
    "authorization.k8s.io/decision": "allow",
    "authorization.k8s.io/reason": ""
  },
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-t21dm",
  "objectRef": {
    "name": "emuv2",
    "namespace": "obs-system",
    "resource": "dbclusters",
    "apiGrou p": "postgresql.dbadmin.gdc.goog",
    "apiVersion": "v1"
  },
  "sourceIPs": [
    "10.200.0.7"
  ],
  "kind": "Event",
  "user": {
    "username": "kubernetes-admin",
    "groups": [
      "system:masters",
      "system:authenticated"
    ]
  },
  "requestReceivedTimestamp": "2022-12-02T23:55:23.739779Z",
  "_gdch_service_name": "apiserver"
}

Backup

Fields in the log entry that contain audit information
Audit metadata Audit field name Value
User identity user.username

For example,

"user":{"username":"system:serviceaccount:ods-fleet-system: fleet-controller-manager"}
  

Target

(Fields and values that call the API)

objectRef

For example,

"objectRef": {
    "apiGroup": "postgresql.dbadmin.gdc.goog",
    "apiVersion": "v1",
    "resource": "backups",
    "namespace": "obs-system",
    "resourceVersion": "3189223",
    "name": "backup1",
    "uid": "3b5f6255-9a6d-4556-94b3-9956a5e6c8c2"
  }

Action

(Fields containing the performed operation)

verb
  • "verb":"create"
  • "verb":"update"
  • "verb":"delete"
  • "verb":"list"
Event timestamp requestReceivedTimestamp

For example,

"requestReceivedTimestamp":"2022-11-11T22:02:02.034688Z"

Source of action sourceIPs

For example,

["10.200.0.7"]

Outcome responseStatus

For example,

"responseStatus":{
    "metadata":{},
    "code":200
}

Other fields annotations

For example,

"annotations":{
        "authorization.k8s.io/reason": "RBAC: allowed by Cluster RoleBinding \"fleet -manager-rolebinding\" of Cluster Role \"fleet-manager-role\" to ServiceAccount \"fleet-controller-manager/ods-fleet-system\"",
        "authorization.k8s.io/decision": "allow"
    }
    

Example log

{
  "responseStatus": {
    "metadata": {},
    "code": 200
  },
  "_gdch_cluster": "org-1-admin",
  "userAgent": "manager/v0.0.0 (linux/amd64) kubernetes/$Format",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-q2pvd",
  "annotations": {
    "authorization.k8s.io/reason": "RBAC: allowed by Cluster RoleBinding \"fleet -manager-rolebinding\" of Cluster Role \"fleet-manager-role\" to ServiceAccount \"fleet-controller-manager/ods-fleet-system\"",
    "authorization.k8s.io/decision": "allow"
  },
  "requestURI": "/apis/postgresql.dbadmin.gdc.goog/v1/namespaces/obs-system/backups/backup1",
  "kind": "Event",
  "leve 1": "Metadata",
  "verb": "update",
  "apiVersion": "audit.k8s.io/v1",
  "requestReceived Timestamp": "2022-12-03T02:10:57.714186Z",
  "stageTimestamp": "2022-12-03T02:10:57.801287Z",
  "auditID": "9b2721c8-db96-491b-90ce-4771979dceb3",
  "user": {
    "groups": [
      "system:serviceaccounts",
      "system:serviceaccounts:ods -fleet-system",
      "system: authenticated"
    ],
    "extra": {
      "authentication.kubernetes.io/pod-name": [
        "fleet-controller-manager-659bc596c4-v6zll"
      ],
      "authentication.kubernetes.io/pod-uid": [
        "6000181a-2050-497e-be3f-313456b88902"
      ]
    },
    "username": "system:serviceaccount:ods-fleet-system: fleet-controller-m anager",
    "uid": "66743ae3-eb0e-4608-9dea-2e6e33da24f1"
  },
  "stage": "ResponseComplete",
  "sourceIPs": [
    "10.253.165.17"
  ],
  "objectRef": {
    "apiGroup": "postgresql.dbadmin.gdc.goog",
    "apiVersion": "v1",
    "resource": "backups",
    "namespace": "obs-system",
    "resourceVersion": "3189223",
    "name": "backup1",
    "ui d": "3b5f6255-9a6d-4556-94b3-9956a5e6c8c2"
  },
  "_gdch_service_name": "apiserver"
}

BackupPlan

Fields in the log entry that contain audit information
Audit metadata Audit field name Value
User identity user.username

For example,

"user":{"username":"kubernetes-admin", "groups":["system:masters","system:authenticated"]}
  

Target

(Fields and values that call the API)

objectRef

For example,

"objectRef": {
    "name": "backupplan1",
    "apiGroup": "postgresql.dbadmin.gdc.goog",
    "apiVersion": "v1",
    "namespace": "obs-system",
    "resource": "backupplans"
  }

Action

(Fields containing the performed operation)

verb
  • "verb":"create"
  • "verb":"update"
  • "verb":"delete"
  • "verb":"list"
Event timestamp requestReceivedTimestamp

For example,

"requestReceivedTimestamp":"2022-11-11T22:02:02.034688Z"

Source of action sourceIPs

For example,

["10.200.0.7"]

Outcome responseStatus

For example,

"responseStatus":{
    "metadata":{},
    "code":200
}

Other fields annotations

For example,

  "annotations": {
    "authorization.k8s.io/reason": "",
    "authorization.k8s.io/deci sion": "allow"
  }
    

Example log

{
  "apiVersion": "audit.k8s.io/v1",
  "stageTimestamp": "2022-12-03T00:13:15.939390Z",
  "requestURI": "/apis/postgresql.dbadmin.gdc.goog/v1/namespaces/obs-system/backupplans?fieldManager-kubectl -client-side-apply&fieldValidation=Strict",
  "kind": "Event",
  "level": "Metadata",
  "auditID": "5841cc4f-74d0-44e3-b8 2b-a84fadaf492b",
  "responseStatus": {
    "metadata": {},
    "code": 201
  },
  "stage": "ResponseComplete",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-9x9pd",
  "userAgent": "kubectl/v1.24.2 (linux/amd64) kubernetes/f66044f",
  "verb": "create",
  "annotations": {
    "authorization.k8s.io/reason": "",
    "authorization.k8s.io/deci sion": "allow"
  },
  "user": {
    "groups": [
      "system:masters",
      "system: authenticated"
    ],
    "username": "kubernetes-admin"
  },
  "_gdch_cluster": "org-1-admin",
  "objectRef": {
    "name": "backupplan1",
    "apiGroup": "postgresql.dbadmin.gdc.goog",
    "apiVersion": "v1",
    "namespace": "obs-system",
    "resource": "backupplans"
  },
  "sourceIPs": [
    "10.200.0.7"
  ],
  "requestReceivedTimestamp": "2022-12-03T00:13:15.921957Z",
  "_gdch_service_name": "apiserver"
}

Import

Fields in the log entry that contain audit information
Audit metadata Audit field name Value
User identity user.username

For example,

"user":{"groups":["system: masters", "system: authenticated"], "username": "kubernetes-admin"}
  

Target

(Fields and values that call the API)

objectRef

For example,

  "objectRef": {
    "resource": "imports",
    "apiVersion": "v1",
    "apiGroup": "postgresql.dbadmin.gdc.goog",
    "name": "import-1",
    "namespace": "obs-system"
  },

Action

(Fields containing the performed operation)

verb
  • "verb":"create"
  • "verb":"delete"
  • "verb":"list"
Event timestamp requestReceivedTimestamp

For example,

"requestReceivedTimestamp":"2022-11-11T22:02:02.034688Z"

Source of action sourceIPs

For example,

["10.200.0.7"]

Outcome responseStatus

For example,

"responseStatus":{
    "metadata":{},
    "code":201
}

Other fields annotations

For example,

"annotations": {
  "mutation.webhook.admission.k8s.io/round_@_index_26": "{\"configuration\":\"mutating-webhook-configuration\", \"webhook\":\"import.postgresql.dbadmin.gdc.goog\",\"mutated\":true}",
  "authorization.k8s.io/decision": "allow",
  "authorization.k8s.io/reason": ""
}
    

Example log

{
  "verb": "create",
  "apiVersion": "audit.k8s.io/v1",
  "requestReceived Timestamp": "2022-12-03T02:22:14.605452Z",
  "requestURI": "/apis/postgresql.dbadmin.gdc.goog/v1/namespaces/obs-system/imports?fieldManager-kubectl -client-side-apply&fieldValidation=Strict",
  "stageTimestamp": "2022-12-03T 02:22:14.637697Z",
  "_gdch_cluster": "org-1-admin",
  "annotations": {
    "mutation.webhook.admission.k8s.io/round_@_index_26": "{\"configuration\":\"mutating-webhook-configuration\", \"webhook\":\"mimport.postgresql.dbadmin.gdc.goog\",\"mutated\":true}",
    "authorization.k8s.io/decision": "allow",
    "a uthorization.k8s.io/reason": ""
  },
  "kind": "Event",
  "level": "Metadata",
  "auditID": "d04e1c23-13fa-4d18-bec7-31d652531151",
  "stage": "ResponseComplete",
  "responseStatus": {
    "metadata": {},
    "code": 201
  },
  "objectRef": {
    "resource": "imports",
    "apiVersion": "v1",
    "apiGroup": "postgresql.dbadmin.gdc.goo g",
    "name": "import-1",
    "namespace": "obs-system"
  },
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-9x9pd",
  "sourceIPs": [
    "10.200.0.7"
  ],
  "user": {
    "groups": [
      "system: masters",
      "system: authenticated"
    ],
    "username": "kubernetes-admin"
  },
  "userAgent": "kubectl/v1.24.2 (linux/amd64) kubernetes/f66044 f",
  "_gdch_service_name": "apiserver"
}

Export

Fields in the log entry that contain audit information
Audit metadata Audit field name Value
User identity user.username

For example,

"user":{"groups":["system: masters", "system: authenticated"], "username": "kubernetes-admin"}
  

Target

(Fields and values that call the API)

objectRef

For example,

"objectRef": {
    "apiVersio n": "v1",
    "apiGroup": "postgresql.dbadmin.gdc.goog",
    "namespace": "obs-system",
    "resource": "exports",
    "name": "export1"
}

Action

(Fields containing the performed operation)

verb
  • "verb":"create"
  • "verb":"update"
  • "verb":"delete"
  • "verb":"list"
Event timestamp requestReceivedTimestamp

For example,

"requestReceivedTimestamp":"2022-12-03T07:41:29.462690Z"

Source of action sourceIPs

For example,

["10.200.0.7"]

Outcome responseStatus

For example,

"responseStatus":{
    "metadata":{},
    "code":201
}

Other fields annotations

For example,

"annotations": {
    "authorization.k8s.io/reason": "",
    "mutation.webhook.admission.k8s.io/round_0_index_25": "{\"configuration\":\"mutating-webhook-configuratio n\",\"webhook\":\"mexport.postgresql.dbadmin.gdc.goog\",\"mutated\":true}",
    "authorization.k8s.io/decision": "allow"
}
    

Example log

{
  "apiVersion": "audit.k8s.io/v1",
  "userAgent": "kubectl/v1.24.2 (linux/amd64) kubernetes/f66044f",
  "requestURI": "/apis/postgresql.dbadmin.gdc.goog/v1/namespaces/obs-system/exports?fieldManager=kubectl-client-side-apply&fieldValidation=Strict",
  "stageTimestamp": "2022-12-03T07:41:29.532729Z",
  "kind": "Event",
  "level": "Metadata",
  "_gdch_cluster": "org-1-admin",
  "stage": "ResponseComplete",
  "_gdc h_fluentbit_pod": "anthos-audit-logs-forwarder-9x9pd",
  "verb": "create",
  "requestReceivedTimestamp": "2022-12-03T07:41:29.462690Z",
  "responseStatus": {
    "code": 201,
    "metadata": {}
  },
  "objectRef": {
    "apiVersio n": "v1",
    "apiGroup": "postgresql.dbadmin.gdc.goog",
    "namespace": "obs-system",
    "resource": "exports",
    "name": "export1"
  },
  "user": {
    "groups": [
      "system:masters",
      "system: authenticated"
    ],
    "username": "kube rnetes-admin"
  },
  "sourceIPs": [
    "10.200.0.7"
  ],
  "annotations": {
    "authorization.k8s.io/reason": "",
    "mutation.webhook.admission.k8s.io/round_0_index_25": "{\"configuration\":\"mutating-webhook-configuratio n\",\"webhook\":\"mexport.postgresql.dbadmin.gdc.goog\",\"mutated\":true}",
    "authorization.k8s.io/decision": "allow"
  },
  "auditID": "2537d860-affd-420d-adec-13a270c1dcb2",
  "_gdch_service_name": "apiserver"
}

Restore

Fields in the log entry that contain audit information
Audit metadata Audit field name Value
User identity user.username

For example,

"user": {
    "groups": [
      "system:serviceaccounts",
      "system:serviceaccounts:ods- fleet-system",
      "system: authenticated"
    ],
    "extra": {
      "authentication.kubernetes.io/pod-name": [
        "fleet-controller-manager-659bc596c4-v6z11"
      ],
      "authentication.kubernetes.io/pod-uid": [
        "6000181a-2050-497e-be3f-313456b88902"
      ]
    },
    "username": "system:serviceaccount:ods-fleet-system: fleet-controller-manager",
    "uid": "6 6743ae3-eb0e-4608-9dea-2e6e33da24f1"
  }
  

Target

(Fields and values that call the API)

objectRef

For example,

"objectRef": {
    "apiGroup": "postgresql.dbadmin.gdc.goog",
    "name": "restore1",
    "subresource": "status",
    "uid": "9408379e-7c72-4052-b279-369f6457408a",
    "namespace": "obs-system",
    "apiVersion": "v1",
    "resource": "restores",
    "resourceVersion": "326530"
}

Action

(Fields containing the performed operation)

verb
  • "verb":"create"
  • "verb":"update"
  • "verb":"delete"
  • "verb":"list"
Event timestamp requestReceivedTimestamp

For example,

"requestReceivedTimestamp":"2022-12-03T02:33:06.498531Z"

Source of action sourceIPs

For example,

["18.253.165.17"]

Outcome responseStatus

For example,

"responseStatus":{
    "metadata":{},
    "code":200
}

Other fields annotations

For example,

"annotations": {
    "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"fleet-manager-rolebinding\" of Cluster Role \"fleet-manager-role\" to Service Account \"fleet-controller-manager/ods-fleet-system\"",
    "authorization.k8s.io/decision": "allow"
  }
    

Example log

{
  "_gdch_cluster": "org-1-admin",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-q2pvd",
  "level": "Metadata",
  "requestURI": "/apis/postgresql.dbadmin.gdc.goog/v1/namespaces/obs-system/restores/restore1/status",
  "kind": "Event",
  "user": {
    "groups": [
      "system:serviceaccounts",
      "system:serviceaccounts:ods- fleet-system",
      "system: authenticated"
    ],
    "extra": {
      "authentication.kubernetes.io/pod-name": [
        "fleet-controller-manager-659bc596c4-v6z11"
      ],
      "authentication.kubernetes.io/pod-uid": [
        "6000181a-2050-497e-be3f-313456b88902"
      ]
    },
    "username": "system:serviceaccount:ods-fleet-system: fleet-controller-manager",
    "uid": "6 6743ae3-eb0e-4608-9dea-2e6e33da24f1"
  },
  "annotations": {
    "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"fleet-manager-rolebinding\" of Cluster Role \"fleet-manager-role\" to Service Account \"fleet-controller-manager/ods-fleet-system\"",
    "authorization.k8s.io/decision": "allow"
  },
  "apiv ersion": "audit.k8s.io/v1",
  "responseStatus": {
    "code": 200,
    "metadata": {}
  },
  "stageTimestamp": "2022-12-03T02:33:06.504990Z",
  "verb": "update",
  "userAgent": "manager/v0.0.0 (linux/amd64) kubernetes/$Format",
  "auditID": "8cd077e4-776f-4179-933c-7e44951a59cf",
  "sourceIPs": [
    "18.253.165.17"
  ],
  "stage": "ResponseComplete",
  "requestReceivedTimestamp": "2022-12-03T02:33:06.498531Z",
  "objectRef": {
    "apiGroup": "postgresql.dbadmin.gdc.goog",
    "name": "restore1",
    "subresource": "status",
    "uid": "9408379e-7c72-4052-b279-369f6457408a",
    "namespace": "obs-system",
    "apiVersion": "v1",
    "resource": "restores",
    "resourceVersion": "326530"
  }
}```