User cluster (KUB)

Workload location	Root only workloads
Audit log source	Kubernetes audit logs
Audited operations	NodePoolClaim data changes AddressPoolClaim data changes SubnetClaim data changes CIDRClaim data changes Cluster data changes NodePool data changes

NodePoolClaim data changes (CRUD operations)

Fields in the log entry that contain audit information
Audit metadata	Audit field name	Value
User or service identity	`user.username`	For example, "user":{ "username":"system:serviceaccount:kube-system: anthos-cluster-operator-1.13.2" }
Target (Fields and values that call the API)	`requestURI`	`"requestURI":"/apis/baremetal.cluster.gke.io/v1/ namespaces/org-1/nodepoolclaims/admin-control-plane-node-pool/ status"`
Action (Fields containing the performed operation)	`verb`	`"verb":"update"`
Event timestamp	`requestReceivedTimestamp`	For example, `"requestReceivedTimestamp":"2022-11-18T23:15:22.882546Z"`
Source of action	`sourceIPs`	For example, `"sourceIPs":["10.253.128.74"]`
Outcome	`stage`	For example, `"stage":"ResponseComplete"`
Other fields	`kind` `objectRef`	For example, "kind": "Event", "objectRef": { "resource": "nodepoolclaims", "namespace": "org-1", "subresource": "status", "name": "admin-control-plane-node-pool", "apiVersion": "v1", "apiGroup": "baremetal.cluster.gke.io", "resourceVersion": "878163", "uid": "b2e1bec0-0f7c-4a57-869b-3fcb969ba7e2" }

Example log

{
  "responseStatus": {
    "metadata": {},
    "code": 200
  },
  "_gdch_cluster": "root-admin",
  "sourceIPs": [
    "10.253.128.74"
  ],
  "annotations": {
    "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \
    "operator-rolebinding-1.13.2\
    "of ClusterRole \"anthos-baremetal-operator-1.13.2\" 
    to ServiceAccount \"anthos-cluster-operator-1.13.2/kube-system\"",
    "authorization.k8s.io/decision": "allow"
  },
  "requestReceivedTimestamp": "2022-11-23T23:19:42.690064Z",
  "stageTimestamp": "2022-11-23T23:19:42.695372Z",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-4hlmv",
  "apiVersion": "audit.k8s.io/v1",
  "level": "Metadata",
  "user": {
    "extra": {
      "authentication.kubernetes.io/pod-name": [
        "anthos-cluster-operator-1.13.2-bc6b7467d-22z88"
      ],
      "authentication.kubernetes.io/pod-uid": [
        "004e1b37-6d4d-4959-b77d-0e69dce5ef4a"
      ]
    },
    "groups": [
      "system:serviceaccounts",
      "system:serviceaccounts:kube-system",
      "system:authenticated"
    ],
    "username": "system:serviceaccount:kube-system:anthos-cluster-operator-1.13.2",
    "uid": "4ebfd4f7-f371-4c40-9f88-ea0709a7039e"
  },
  "stage": "ResponseComplete",
  "requestURI": "/apis/baremetal.cluster.gke.io/v1/namespaces/org-1/
                 nodepoolclaims/admin-control-plane-node-pool/status",
  "kind": "Event",
  "objectRef": {
    "resource": "nodepoolclaims",
    "namespace": "org-1",
    "subresource": "status",
    "name": "admin-control-plane-node-pool",
    "apiVersion": "v1",
    "apiGroup": "baremetal.cluster.gke.io",
    "resourceVersion": "878163",
    "uid": "b2e1bec0-0f7c-4a57-869b-3fcb969ba7e2"
  },
  "verb": "update",
  "userAgent": "operator/v0.0.0 (linux/amd64) kubernetes/$Format",
  "auditID": "0539ea3a-b858-4a43-b516-812fc7e80dbd",
  "_gdch_service_name": "apiserver"
}

AddressPoolClaim data changes (CRUD operations)

Fields in the log entry that contain audit information
Audit metadata	Audit field name	Value
User or service identity	`user.username`	For example, "user":{ "username":"system:serviceaccount: gpc-system:root-admin-controller-sa" }
Target (Fields and values that call the API)	`requestURI`	`"requestURI":"/apis/system.private.gdc.goog/VERSION/ namespaces/org-1/addresspoolclaims/admin-control-plane-node-pool? fieldManager=Organization&force=true"`
Action (Fields containing the performed operation)	`verb`	`"verb":"patch"`
Event timestamp	`requestReceivedTimestamp`	For example, `"requestReceivedTimestamp":"2022-11-23T23:24:13.087516Z"`
Source of action	`sourceIPs`	For example, `"sourceIPs":["10.128.3.197"]`
Outcome	`stage`	For example, `"stage":"ResponseComplete"`
Other fields	`kind` `objectRef`	For example, "objectRef": { "namespace": "org-1", "name": "admin-control-plane-node-pool", "apiGroup": "system.private.gdc.goog", "apiVersion": "VERSION", "resource": "addresspoolclaims" }

Example log

{
  "_gdch_cluster": "root-admin",
  "requestReceivedTimestamp": "2022-11-23T23:24:13.087516Z",
  "userAgent": "root-admin-cm/v0.0.0 (linux/amd64) kubernetes/$Format",
  "kind": "Event",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-4hlmv",
  "apiVersion": "audit.k8s.io/v1",
  "level": "Metadata",
  "auditID": "3e46bf8d-fc26-4b43-85fe-34f1f55a0398",
  "requestURI": "/apis/system.private.gdc.goog/VERSION/namespaces/org-1/
    addresspoolclaims/admin-control-plane-node-pool?
    fieldManager=Organization&force=true",
  "stage": "ResponseComplete",
  "user": {
    "groups": [
      "system:serviceaccounts",
      "system:serviceaccounts:gpc-system",
      "system:authenticated"
    ],
    "extra": {
      "authentication.kubernetes.io/pod-name": [
        "root-admin-controller-55b54bc95c-wjnwm"
      ],
      "authentication.kubernetes.io/pod-uid": [
        "915f7dcd-e8cb-4a1a-9c53-4b8e2751cf03"
      ]
    },
    "username": "system:serviceaccount:gpc-system:root-admin-controller-sa",
    "uid": "1ddfb03e-0dd5-42df-b8cb-c53a504d9026"
  },
  "verb": "patch",
  "responseStatus": {
    "metadata": {},
    "code": 200
  },
  "objectRef": {
    "namespace": "org-1",
    "name": "admin-control-plane-node-pool",
    "apiGroup": "system.private.gdc.goog",
    "apiVersion": "VERSION",
    "resource": "addresspoolclaims"
  },
  "sourceIPs": [
    "10.128.3.197"
  ],
  "annotations": {
    "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \
    "root-admin-rootadmin-controllers-rolebinding\" of ClusterRole \
    "root-admin-rootadmin-controllers-role\" to ServiceAccount \"root-admin-controller-sa/
    gpc-system\"",
    "authorization.k8s.io/decision": "allow"
  },
  "stageTimestamp": "2022-11-23T23:24:13.100163Z",
  "_gdch_service_name": "apiserver"
}

SubnetClaim data changes (CRUD operations)

Fields in the log entry that contain audit information
Audit metadata	Audit field name	Value
User or service identity	`user.username`	For example, "user":{ "username":"system:serviceaccount: gatekeeper-system:gatekeeper-admin" }
Target (Fields and values that call the API)	`requestURI`	`"requestURI":"/apis/system.private.gdc.goog/ VERSION/subnetclaims?limit=500"`
Action (Fields containing the performed operation)	`verb`	`"verb":"list"`
Event timestamp	`requestReceivedTimestamp`	For example, `"requestReceivedTimestamp":"2022-11-23T23:25:32.726387Z"`
Source of action	`sourceIPs`	For example, `"sourceIPs":["10.253.129.191"]`
Outcome	`stage`	For example, `"stage":"ResponseComplete"`
Other fields	`kind` `objectRef`	For example, "objectRef": { "resource": "subnetclaims", apiVersion": "VERSION", "apiGroup": "system.private.gdc.goog" }

Example log

{
  "_gdch_cluster": "root-admin",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-gc5d7",
  "stageTimestamp": "2022-11-23T23:25:32.733616Z",
  "responseStatus": {
    "code": 200,
    "metadata": {}
  },
  "objectRef": {
    "resource": "subnetclaims",
    "apiVersion": "VERSION",
    "apiGroup": "system.private.gdc.goog"
  },
  "auditID": "b611ebea-4c30-4962-9283-c5dcc95c6e13",
  "verb": "list",
  "kind": "Event",
  "annotations": {
    "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"gatekeeper-manager-rolebinding\
                                   " of ClusterRole \"gatekeeper-manager-role\" to ServiceAccount \
                                   "gatekeeper-admin/gatekeeper-system\"",
    "authorization.k8s.io/decision": "allow"
  },
  "user": {
    "extra": {
      "authentication.kubernetes.io/pod-name": [
        "gatekeeper-audit-b765495d8-4znjd"
      ],
      "authentication.kubernetes.io/pod-uid": [
        "9e515f53-15bf-4570-9c57-2f53e0b69a5d"
      ]
    },
    "uid": "d5dc180d-1bca-4d84-885d-a871e0b6d5a2",
    "groups": [
      "system:serviceaccounts",
      "system:serviceaccounts:gatekeeper-system",
      "system:authenticated"
    ],
    "username": "system:serviceaccount:gatekeeper-system:gatekeeper-admin"
  },
  "stage": "ResponseComplete",
  "userAgent": "gatekeeper/v3.7.0 (linux/amd64) 3ba8e93/2021-11-15T20:59:44Z",
  "requestURI": "/apis/system.private.gdc.goog/VERSION/subnetclaims?limit=500",
  "requestReceivedTimestamp": "2022-11-23T23:25:32.726387Z",
  "sourceIPs": [
    "10.253.129.191"
  ],
  "level": "Metadata",
  "apiVersion": "audit.k8s.io/v1",
  "_gdch_service_name": "apiserver"
}

CIDRClaim data changes (CRUD operations)

Fields in the log entry that contain audit information
Audit metadata	Audit field name	Value
User or service identity	`user.username`	For example, "user":{ "username":"system:serviceaccount: gatekeeper-system:gatekeeper-admin" }
Target (Fields and values that call the API)	`requestURI`	`"requestURI":"/apis/baremetal.cluster.gke.io/ VERSION/addonconfigurations?limit=500"`
Action (Fields containing the performed operation)	`verb`	`"verb":"list"`
Event timestamp	`requestReceivedTimestamp`	For example, `"requestReceivedTimestamp":"2022-11-23T23:29:31.952355Z"`
Source of action	`sourceIPs`	For example, `"sourceIPs":["10.253.129.191"]`
Outcome	`stage`	For example, `"stage":"ResponseComplete"`
Other fields	`kind` `objectRef`	For example, "objectRef": { "apiGroup": "dr.private.gdc.goog", "resource": "cidrclaimallocations", "apiVersion": "VERSION" }

Example log

{
  "_gdch_cluster": "root-admin",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-gc5d7",
  "objectRef": {
    "apiGroup": "dr.private.gdc.goog",
    "resource": "cidrclaimallocations",
    "apiVersion": "VERSION"
  },
  "responseStatus": {
    "metadata": {},
    "code": 200
  },
  "annotations": {
    "authorization.k8s.io/decision": "allow",
    "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"gatekeeper-manager-rolebinding\" of ClusterRole \"gatekeeper-manager-role\" to ServiceAccount \"gatekeeper-admin/gatekeeper-system\""
  },
  "stageTimestamp": "2022-11-23T23:26:28.165121Z",
  "kind": "Event",
  "level": "Metadata",
  "auditID": "a21c62ab-6f86-4898-a719-0970e89a031c",
  "user": {
    "groups": [
      "system:serviceaccounts",
      "system:serviceaccounts:gatekeeper-system",
      "system:authenticated"
    ],
    "extra": {
      "authentication.kubernetes.io/pod-name": [
        "gatekeeper-audit-b765495d8-4znjd"
      ],
      "authentication.kubernetes.io/pod-uid": [
        "9e515f53-15bf-4570-9c57-2f53e0b69a5d"
      ]
    },
    "username": "system:serviceaccount:gatekeeper-system:gatekeeper-admin",
    "uid": "d5dc180d-1bca-4d84-885d-a871e0b6d5a2"
  },
  "stage": "ResponseComplete",
  "apiVersion": "audit.k8s.io/v1",
  "requestURI": "/apis/dr.private.gdc.goog/VERSION/cidrclaimallocations?limit=500",
  "requestReceivedTimestamp": "2022-11-23T23:26:28.159646Z",
  "verb": "list",
  "sourceIPs": [
    "10.253.129.191"
  ],
  "userAgent": "gatekeeper/v3.7.0 (linux/amd64) 3ba8e93/2021-11-15T20:59:44Z",
  "_gdch_service_name": "apiserver"
}

Cluster data changes (CRUD operations)

Fields in the log entry that contain audit information
Audit metadata	Audit field name	Value
User or service identity	`user.username`	For example, "user":{ "username":"system:serviceaccount: gatekeeper-system:gatekeeper-admin" }
Target (Fields and values that call the API)	`requestURI`	`"requestURI":"/apis/baremetal.cluster.gke.io/ VERSION/addonconfigurations?limit=500"`
Action (Fields containing the performed operation)	`verb`	`"verb":"list"`
Event timestamp	`requestReceivedTimestamp`	For example, `"requestReceivedTimestamp":"2022-11-23T23:29:31.952355Z"`
Source of action	`sourceIPs`	For example, `"sourceIPs":["10.253.129.191"]`
Outcome	`stage`	For example, `"stage":"ResponseComplete"`
Other fields	`kind` `objectRef`	For example, "objectRef": { "apiGroup": "baremetal.cluster.gke.io", "resource": "addonconfigurations", "apiVersion": "VERSION" }

Example log

{
  "sourceIPs": [
    "10.253.129.191"
  ],
  "stageTimestamp": "2022-11-23T23:29:31.952355Z",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-gc5d7",
  "_gdch_cluster": "root-admin",
  "userAgent": "gatekeeper/v3.7.0 (linux/amd64) 3ba8e93/2021-11-15T20:59:44Z",
  "stage": "RequestReceived",
  "auditID": "3f05e001-38f0-431e-8cc2-61d00d992b6d",
  "kind": "Event",
  "level": "Metadata",
  "apiVersion": "audit.k8s.io/v1",
  "requestURI": "/apis/baremetal.cluster.gke.io/VERSION/addonconfigurations?limit=500",
  "requestReceivedTimestamp": "2022-11-23T23:29:31.952355Z",
  "verb": "list",
  "user": {
    "extra": {
      "authentication.kubernetes.io/pod-name": [
        "gatekeeper-audit-b765495d8-4znjd"
      ],
      "authentication.kubernetes.io/pod-uid": [
        "9e515f53-15bf-4570-9c57-2f53e0b69a5d"
      ]
    },
    "uid": "d5dc180d-1bca-4d84-885d-a871e0b6d5a2",
    "groups": [
      "system:serviceaccounts",
      "system:serviceaccounts:gatekeeper-system",
      "system:authenticated"
    ],
    "username": "system:serviceaccount:gatekeeper-system:gatekeeper-admin"
  },
  "objectRef": {
    "apiGroup": "baremetal.cluster.gke.io",
    "resource": "addonconfigurations",
    "apiVersion": "VERSION"
  },
  "_gdch_service_name": "apiserver"
}

NodePool data changes (CRUD operations)

Fields in the log entry that contain audit information
Audit metadata	Audit field name	Value
User or service identity	`user.username`	For example, "user":{ "username":"system:serviceaccount: kube-system:lifecycle-controllers-manager" }
Target (Fields and values that call the API)	`requestURI`	`"requestURI":"/apis/baremetal.cluster.gke.io/v1/nodepools"`
Action (Fields containing the performed operation)	`verb`	`"verb":"list"`
Event timestamp	`requestReceivedTimestamp`	For example, `"requestReceivedTimestamp":"2022-11-23T23:29:31.952355Z"`
Source of action	`sourceIPs`	For example, `"sourceIPs":["2022-11-23T23:28:41.742117Z"]`
Outcome	`stage`	For example, `"stage":"ResponseComplete"`
Other fields	`kind` `objectRef`	For example, "objectRef": { "apiGroup": "baremetal.cluster.gke.io", "resource": "nodepools", "apiVersion": "v1" }

Example log

{
  "requestURI": "/apis/baremetal.cluster.gke.io/v1/nodepools",
  "_gdch_cluster": "root-admin",
  "sourceIPs": [
    "10.253.130.147"
  ],
  "stageTimestamp": "2022-11-23T23:28:41.746854Z",
  "responseStatus": {
    "metadata": {},
    "code": 200
  },
  "annotations": {
    "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \
                                  "lifecycl-controllers-manager-rolebinding\" 
                                  of ClusterRole \"lifecycle-controllers-manager\
                                  " to ServiceAccount \"lifecycle-controllers-manager/kube-system\"",
    "authorization.k8s.io/decision": "allow"
  },
  "requestReceivedTimestamp": "2022-11-23T23:28:41.742117Z",
  "userAgent": "manager/v0.0.0 (linux/amd64) kubernetes/$Format",
  "kind": "Event",
  "auditID": "c916fab1-a10b-4df8-b680-71ccb5d339ac",
  "user": {
    "extra": {
      "authentication.kubernetes.io/pod-uid": [
        "0b1e3b51-8bdb-4527-8a34-1ae7577cf0aa"
      ],
      "authentication.kubernetes.io/pod-name": [
        "lifecycle-controllers-manager-7495f9dd99-bfvdg"
      ]
    },
    "groups": [
      "system:serviceaccounts",
      "system:serviceaccounts:kube-system",
      "system:authenticated"
    ],
    "username": "system:serviceaccount:kube-system:lifecycle-controllers-manager",
    "uid": "c84957dc-f483-41c4-b0e1-1a2c9cb93dda"
  },
  "stage": "ResponseComplete",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-4hlmv",
  "verb": "list",
  "apiVersion": "audit.k8s.io/v1",
  "level": "Metadata",
  "objectRef": {
    "apiGroup": "baremetal.cluster.gke.io",
    "resource": "nodepools",
    "apiVersion": "v1"
  },
  "_gdch_service_name": "apiserver"
}