Workload location | Organization only workloads |
Audit log source | |
Audited operations | |
DBClusters
Fields in the log entry that contain audit information | ||
---|---|---|
Audit metadata | Audit field name | Value |
User identity | user.username | For example, "user":{"username":"kubernetes-admin"} |
Target (Fields and values that call the API) | objectRef | For example, "objectRef":{ "name":"emuv2", "namespace":"obs-system", "resource":"dbclusters", "apiGroup":"postgresql.dbadmin.gdc.goog", "apiVersion":"v1" } |
Action (Fields containing the performed operation) | verb | |
Event timestamp | requestReceivedTimestamp | For example, |
Source of action | sourceIPs | For example, |
Outcome | responseStatus | For example, "responseStatus":{ "metadata":{}, "code":201 } |
Other fields | annotations | For example, "annotations":{ "mutation.webhook.admission.k8s.io/round_0_index_24": "{\"configuration\":\"mutating-webhook-configuration\",\"webhook\":\"mdbcluster.postgresql.dbadmin.gdc.goog\",\"mutated\":true}", "authorization.k8s.io/decision": "allow", "authorization.k8s.io/reason":""} |
Example log
```json
{
  "userAgent": "kubectl/v1.24.2 (linux/amd64) kubernetes/f66044f",
  "apiVersion": "audit.k8s.io/v1",
  "stageTimestamp": "2022-12-02T23:55:23.818903Z",
  "_gdch_cluster": "org-1-admin",
  "level": "Metadata",
  "auditID": "9365cb9f-9403-446a-a88a-f91b88284acf",
  "verb": "create",
  "stage": "ResponseComplete",
  "requestURI": "/apis/postgresql.dbadmin.gdc.goog/v1/namespaces/obs-system/dbclusters?fieldManager=kubectl-client-side-apply&fieldValidation=Strict",
  "responseStatus": {
    "metadata": {},
    "code": 201
  },
  "annotations": {
    "mutation.webhook.admission.k8s.io/round_0_index_24": "{\"configuration\":\"mutating-webhook-configuration\",\"webhook\":\"mdbcluster.postgresql.dbadmin.gdc.goog\",\"mutated\":true}",
    "authorization.k8s.io/decision": "allow",
    "authorization.k8s.io/reason": ""
  },
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-t21dm",
  "objectRef": {
    "name": "emuv2",
    "namespace": "obs-system",
    "resource": "dbclusters",
    "apiGroup": "postgresql.dbadmin.gdc.goog",
    "apiVersion": "v1"
  },
  "sourceIPs": [
    "10.200.0.7"
  ],
  "kind": "Event",
  "user": {
    "username": "kubernetes-admin",
    "groups": [
      "system:masters",
      "system:authenticated"
    ]
  },
  "requestReceivedTimestamp": "2022-12-02T23:55:23.739779Z",
  "_gdch_service_name": "apiserver"
}
```
Backup
Fields in the log entry that contain audit information | ||
---|---|---|
Audit metadata | Audit field name | Value |
User identity | user.username | For example, "user":{"username":"system:serviceaccount:ods-fleet-system:fleet-controller-manager"} |
Target (Fields and values that call the API) | objectRef | For example, "objectRef": { "apiGroup": "postgresql.dbadmin.gdc.goog", "apiVersion": "v1", "resource": "backups", "namespace": "obs-system", "resourceVersion": "3189223", "name": "backup1", "uid": "3b5f6255-9a6d-4556-94b3-9956a5e6c8c2" } |
Action (Fields containing the performed operation) | verb | |
Event timestamp | requestReceivedTimestamp | For example, |
Source of action | sourceIPs | For example, |
Outcome | responseStatus | For example, "responseStatus":{ "metadata":{}, "code":200 } |
Other fields | annotations | For example, "annotations":{ "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"fleet-manager-rolebinding\" of ClusterRole \"fleet-manager-role\" to ServiceAccount \"fleet-controller-manager/ods-fleet-system\"", "authorization.k8s.io/decision": "allow" } |
Example log
```json
{
  "responseStatus": {
    "metadata": {},
    "code": 200
  },
  "_gdch_cluster": "org-1-admin",
  "userAgent": "manager/v0.0.0 (linux/amd64) kubernetes/$Format",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-q2pvd",
  "annotations": {
    "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"fleet-manager-rolebinding\" of ClusterRole \"fleet-manager-role\" to ServiceAccount \"fleet-controller-manager/ods-fleet-system\"",
    "authorization.k8s.io/decision": "allow"
  },
  "requestURI": "/apis/postgresql.dbadmin.gdc.goog/v1/namespaces/obs-system/backups/backup1",
  "kind": "Event",
  "level": "Metadata",
  "verb": "update",
  "apiVersion": "audit.k8s.io/v1",
  "requestReceivedTimestamp": "2022-12-03T02:10:57.714186Z",
  "stageTimestamp": "2022-12-03T02:10:57.801287Z",
  "auditID": "9b2721c8-db96-491b-90ce-4771979dceb3",
  "user": {
    "groups": [
      "system:serviceaccounts",
      "system:serviceaccounts:ods-fleet-system",
      "system:authenticated"
    ],
    "extra": {
      "authentication.kubernetes.io/pod-name": [
        "fleet-controller-manager-659bc596c4-v6zll"
      ],
      "authentication.kubernetes.io/pod-uid": [
        "6000181a-2050-497e-be3f-313456b88902"
      ]
    },
    "username": "system:serviceaccount:ods-fleet-system:fleet-controller-manager",
    "uid": "66743ae3-eb0e-4608-9dea-2e6e33da24f1"
  },
  "stage": "ResponseComplete",
  "sourceIPs": [
    "10.253.165.17"
  ],
  "objectRef": {
    "apiGroup": "postgresql.dbadmin.gdc.goog",
    "apiVersion": "v1",
    "resource": "backups",
    "namespace": "obs-system",
    "resourceVersion": "3189223",
    "name": "backup1",
    "uid": "3b5f6255-9a6d-4556-94b3-9956a5e6c8c2"
  },
  "_gdch_service_name": "apiserver"
}
```
BackupPlan
Fields in the log entry that contain audit information | ||
---|---|---|
Audit metadata | Audit field name | Value |
User identity | user.username | For example, "user":{"username":"kubernetes-admin", "groups":["system:masters","system:authenticated"]} |
Target (Fields and values that call the API) | objectRef | For example, "objectRef": { "name": "backupplan1", "apiGroup": "postgresql.dbadmin.gdc.goog", "apiVersion": "v1", "namespace": "obs-system", "resource": "backupplans" } |
Action (Fields containing the performed operation) | verb | |
Event timestamp | requestReceivedTimestamp | For example, |
Source of action | sourceIPs | For example, |
Outcome | responseStatus | For example, "responseStatus":{ "metadata":{}, "code":200 } |
Other fields | annotations | For example, "annotations": { "authorization.k8s.io/reason": "", "authorization.k8s.io/decision": "allow" } |
Example log
```json
{
  "apiVersion": "audit.k8s.io/v1",
  "stageTimestamp": "2022-12-03T00:13:15.939390Z",
  "requestURI": "/apis/postgresql.dbadmin.gdc.goog/v1/namespaces/obs-system/backupplans?fieldManager=kubectl-client-side-apply&fieldValidation=Strict",
  "kind": "Event",
  "level": "Metadata",
  "auditID": "5841cc4f-74d0-44e3-b82b-a84fadaf492b",
  "responseStatus": {
    "metadata": {},
    "code": 201
  },
  "stage": "ResponseComplete",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-9x9pd",
  "userAgent": "kubectl/v1.24.2 (linux/amd64) kubernetes/f66044f",
  "verb": "create",
  "annotations": {
    "authorization.k8s.io/reason": "",
    "authorization.k8s.io/decision": "allow"
  },
  "user": {
    "groups": [
      "system:masters",
      "system:authenticated"
    ],
    "username": "kubernetes-admin"
  },
  "_gdch_cluster": "org-1-admin",
  "objectRef": {
    "name": "backupplan1",
    "apiGroup": "postgresql.dbadmin.gdc.goog",
    "apiVersion": "v1",
    "namespace": "obs-system",
    "resource": "backupplans"
  },
  "sourceIPs": [
    "10.200.0.7"
  ],
  "requestReceivedTimestamp": "2022-12-03T00:13:15.921957Z",
  "_gdch_service_name": "apiserver"
}
```
Import
Fields in the log entry that contain audit information | ||
---|---|---|
Audit metadata | Audit field name | Value |
User identity | user.username | For example, "user":{"groups":["system:masters", "system:authenticated"], "username": "kubernetes-admin"} |
Target (Fields and values that call the API) | objectRef | For example, "objectRef": { "resource": "imports", "apiVersion": "v1", "apiGroup": "postgresql.dbadmin.gdc.goog", "name": "import-1", "namespace": "obs-system" }, |
Action (Fields containing the performed operation) | verb | |
Event timestamp | requestReceivedTimestamp | For example, |
Source of action | sourceIPs | For example, |
Outcome | responseStatus | For example, "responseStatus":{ "metadata":{}, "code":201 } |
Other fields | annotations | For example, "annotations": { "mutation.webhook.admission.k8s.io/round_0_index_26": "{\"configuration\":\"mutating-webhook-configuration\", \"webhook\":\"import.postgresql.dbadmin.gdc.goog\",\"mutated\":true}", "authorization.k8s.io/decision": "allow", "authorization.k8s.io/reason": "" } |
Example log
```json
{
  "verb": "create",
  "apiVersion": "audit.k8s.io/v1",
  "requestReceivedTimestamp": "2022-12-03T02:22:14.605452Z",
  "requestURI": "/apis/postgresql.dbadmin.gdc.goog/v1/namespaces/obs-system/imports?fieldManager=kubectl-client-side-apply&fieldValidation=Strict",
  "stageTimestamp": "2022-12-03T02:22:14.637697Z",
  "_gdch_cluster": "org-1-admin",
  "annotations": {
    "mutation.webhook.admission.k8s.io/round_0_index_26": "{\"configuration\":\"mutating-webhook-configuration\", \"webhook\":\"mimport.postgresql.dbadmin.gdc.goog\",\"mutated\":true}",
    "authorization.k8s.io/decision": "allow",
    "authorization.k8s.io/reason": ""
  },
  "kind": "Event",
  "level": "Metadata",
  "auditID": "d04e1c23-13fa-4d18-bec7-31d652531151",
  "stage": "ResponseComplete",
  "responseStatus": {
    "metadata": {},
    "code": 201
  },
  "objectRef": {
    "resource": "imports",
    "apiVersion": "v1",
    "apiGroup": "postgresql.dbadmin.gdc.goog",
    "name": "import-1",
    "namespace": "obs-system"
  },
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-9x9pd",
  "sourceIPs": [
    "10.200.0.7"
  ],
  "user": {
    "groups": [
      "system:masters",
      "system:authenticated"
    ],
    "username": "kubernetes-admin"
  },
  "userAgent": "kubectl/v1.24.2 (linux/amd64) kubernetes/f66044f",
  "_gdch_service_name": "apiserver"
}
```
Export
Fields in the log entry that contain audit information | ||
---|---|---|
Audit metadata | Audit field name | Value |
User identity | user.username | For example, "user":{"groups":["system:masters", "system:authenticated"], "username": "kubernetes-admin"} |
Target (Fields and values that call the API) | objectRef | For example, "objectRef": { "apiVersion": "v1", "apiGroup": "postgresql.dbadmin.gdc.goog", "namespace": "obs-system", "resource": "exports", "name": "export1" } |
Action (Fields containing the performed operation) | verb | |
Event timestamp | requestReceivedTimestamp | For example, |
Source of action | sourceIPs | For example, |
Outcome | responseStatus | For example, "responseStatus":{ "metadata":{}, "code":201 } |
Other fields | annotations | For example, "annotations": { "authorization.k8s.io/reason": "", "mutation.webhook.admission.k8s.io/round_0_index_25": "{\"configuration\":\"mutating-webhook-configuration\",\"webhook\":\"mexport.postgresql.dbadmin.gdc.goog\",\"mutated\":true}", "authorization.k8s.io/decision": "allow" } |
Example log
```json
{
  "apiVersion": "audit.k8s.io/v1",
  "userAgent": "kubectl/v1.24.2 (linux/amd64) kubernetes/f66044f",
  "requestURI": "/apis/postgresql.dbadmin.gdc.goog/v1/namespaces/obs-system/exports?fieldManager=kubectl-client-side-apply&fieldValidation=Strict",
  "stageTimestamp": "2022-12-03T07:41:29.532729Z",
  "kind": "Event",
  "level": "Metadata",
  "_gdch_cluster": "org-1-admin",
  "stage": "ResponseComplete",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-9x9pd",
  "verb": "create",
  "requestReceivedTimestamp": "2022-12-03T07:41:29.462690Z",
  "responseStatus": {
    "code": 201,
    "metadata": {}
  },
  "objectRef": {
    "apiVersion": "v1",
    "apiGroup": "postgresql.dbadmin.gdc.goog",
    "namespace": "obs-system",
    "resource": "exports",
    "name": "export1"
  },
  "user": {
    "groups": [
      "system:masters",
      "system:authenticated"
    ],
    "username": "kubernetes-admin"
  },
  "sourceIPs": [
    "10.200.0.7"
  ],
  "annotations": {
    "authorization.k8s.io/reason": "",
    "mutation.webhook.admission.k8s.io/round_0_index_25": "{\"configuration\":\"mutating-webhook-configuration\",\"webhook\":\"mexport.postgresql.dbadmin.gdc.goog\",\"mutated\":true}",
    "authorization.k8s.io/decision": "allow"
  },
  "auditID": "2537d860-affd-420d-adec-13a270c1dcb2",
  "_gdch_service_name": "apiserver"
}
```
Restore
Fields in the log entry that contain audit information | ||
---|---|---|
Audit metadata | Audit field name | Value |
User identity | user.username | For example, "user": { "groups": [ "system:serviceaccounts", "system:serviceaccounts:ods-fleet-system", "system:authenticated" ], "extra": { "authentication.kubernetes.io/pod-name": [ "fleet-controller-manager-659bc596c4-v6z11" ], "authentication.kubernetes.io/pod-uid": [ "6000181a-2050-497e-be3f-313456b88902" ] }, "username": "system:serviceaccount:ods-fleet-system:fleet-controller-manager", "uid": "66743ae3-eb0e-4608-9dea-2e6e33da24f1" } |
Target (Fields and values that call the API) | objectRef | For example, "objectRef": { "apiGroup": "postgresql.dbadmin.gdc.goog", "name": "restore1", "subresource": "status", "uid": "9408379e-7c72-4052-b279-369f6457408a", "namespace": "obs-system", "apiVersion": "v1", "resource": "restores", "resourceVersion": "326530" } |
Action (Fields containing the performed operation) | verb | |
Event timestamp | requestReceivedTimestamp | For example, |
Source of action | sourceIPs | For example, |
Outcome | responseStatus | For example, "responseStatus":{ "metadata":{}, "code":200 } |
Other fields | annotations | For example, "annotations": { "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"fleet-manager-rolebinding\" of ClusterRole \"fleet-manager-role\" to ServiceAccount \"fleet-controller-manager/ods-fleet-system\"", "authorization.k8s.io/decision": "allow" } |
Example log
```json
{
  "_gdch_cluster": "org-1-admin",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-q2pvd",
  "level": "Metadata",
  "requestURI": "/apis/postgresql.dbadmin.gdc.goog/v1/namespaces/obs-system/restores/restore1/status",
  "kind": "Event",
  "user": {
    "groups": [
      "system:serviceaccounts",
      "system:serviceaccounts:ods-fleet-system",
      "system:authenticated"
    ],
    "extra": {
      "authentication.kubernetes.io/pod-name": [
        "fleet-controller-manager-659bc596c4-v6z11"
      ],
      "authentication.kubernetes.io/pod-uid": [
        "6000181a-2050-497e-be3f-313456b88902"
      ]
    },
    "username": "system:serviceaccount:ods-fleet-system:fleet-controller-manager",
    "uid": "66743ae3-eb0e-4608-9dea-2e6e33da24f1"
  },
  "annotations": {
    "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"fleet-manager-rolebinding\" of ClusterRole \"fleet-manager-role\" to ServiceAccount \"fleet-controller-manager/ods-fleet-system\"",
    "authorization.k8s.io/decision": "allow"
  },
  "apiVersion": "audit.k8s.io/v1",
  "responseStatus": {
    "code": 200,
    "metadata": {}
  },
  "stageTimestamp": "2022-12-03T02:33:06.504990Z",
  "verb": "update",
  "userAgent": "manager/v0.0.0 (linux/amd64) kubernetes/$Format",
  "auditID": "8cd077e4-776f-4179-933c-7e44951a59cf",
  "sourceIPs": [
    "18.253.165.17"
  ],
  "stage": "ResponseComplete",
  "requestReceivedTimestamp": "2022-12-03T02:33:06.498531Z",
  "objectRef": {
    "apiGroup": "postgresql.dbadmin.gdc.goog",
    "name": "restore1",
    "subresource": "status",
    "uid": "9408379e-7c72-4052-b279-369f6457408a",
    "namespace": "obs-system",
    "apiVersion": "v1",
    "resource": "restores",
    "resourceVersion": "326530"
  }
}
```
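The field tables above map directly onto a triage routine. The following is an added example, not part of the original page or the product's own code: it pulls the listed audit fields out of JSON-lines events for the `postgresql.dbadmin.gdc.goog` API group and tags records worth review. The tag names, the `DATA_MOVEMENT` set, the user `alice` and the sample events are assumptions made for illustration.

```python
import json

DB_API_GROUP = "postgresql.dbadmin.gdc.goog"
MUTATING = {"create", "update", "patch", "delete", "deletecollection"}
DATA_MOVEMENT = {"imports", "exports", "restores"}  # assumption: resources worth a closer look

def summarize(event):
    """Pull the audit fields tabulated on this page; None for other API groups."""
    ref, user = event.get("objectRef") or {}, event.get("user") or {}
    if ref.get("apiGroup") != DB_API_GROUP:
        return None
    return {
        "who": user.get("username", ""), "groups": user.get("groups", []),
        "verb": event.get("verb", ""), "resource": ref.get("resource", ""),
        "target": "/".join(filter(None, (ref.get(k) for k in ("namespace", "resource", "name", "subresource")))),
        "when": event.get("requestReceivedTimestamp"), "source_ips": event.get("sourceIPs", []),
        "code": (event.get("responseStatus") or {}).get("code"),
        "decision": (event.get("annotations") or {}).get("authorization.k8s.io/decision"),
    }

def findings(rec):
    """Tag a summarized record for review (tag names are hypothetical)."""
    tags, mutating = [], rec["verb"] in MUTATING
    if mutating and "system:masters" in rec["groups"]:
        tags.append("cluster-admin-credential")
    if mutating and rec["resource"] in DATA_MOVEMENT and not rec["who"].startswith("system:serviceaccount:"):
        tags.append("data-movement-by-user")
    if rec["decision"] == "forbid" or (rec["code"] or 0) >= 400:
        tags.append("denied-or-failed")
    return tags

def triage(lines):
    out = []
    for line in lines:
        try:
            rec = summarize(json.loads(line))
        except (ValueError, AttributeError):  # truncated line, or JSON that is not an object
            continue
        if rec:
            out.append((rec["who"], rec["verb"], rec["target"], findings(rec)))
    return out

# Constructed sample input: trimmed from this page's Export and Backup examples, plus two invented events.
SAMPLE = [
    '{"verb":"create","user":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},"objectRef":{"apiGroup":"postgresql.dbadmin.gdc.goog","namespace":"obs-system","resource":"exports","name":"export1"},"responseStatus":{"code":201},"annotations":{"authorization.k8s.io/decision":"allow"}}',
    '{"verb":"update","user":{"username":"system:serviceaccount:ods-fleet-system:fleet-controller-manager","groups":["system:serviceaccounts","system:authenticated"]},"objectRef":{"apiGroup":"postgresql.dbadmin.gdc.goog","namespace":"obs-system","resource":"backups","name":"backup1"},"responseStatus":{"code":200},"annotations":{"authorization.k8s.io/decision":"allow"}}',
    '{"verb":"delete","user":{"username":"alice","groups":["system:authenticated"]},"objectRef":{"apiGroup":"postgresql.dbadmin.gdc.goog","namespace":"obs-system","resource":"dbclusters","name":"emuv2"},"responseStatus":{"code":403},"annotations":{"authorization.k8s.io/decision":"forbid"}}',
    '{"verb":"get","user":{"username":"alice","groups":["system:authenticated"]},"objectRef":{"namespace":"obs-system","resource":"pods","name":"p"},"responseStatus":{"code":200}}',
]
```

Calling `triage(SAMPLE)` returns three records: the `pods` event is dropped because its `objectRef` carries no Database Service API group, and the controller's `backups` update comes back with no tags.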