Workload location | Root only workloads |
---|---|
Audit log source | |
Audited operations | |
NodePoolClaim data changes (CRUD operations)
Fields in the log entry that contain audit information | ||
---|---|---|
Audit metadata | Audit field name | Value |
User or service identity | user.username | For example, "user":{ "username":"system:serviceaccount:kube-system:anthos-cluster-operator-1.13.2" } |
Target (Fields and values that call the API) | requestURI | |
Action (Fields containing the performed operation) | verb | |
Event timestamp | requestReceivedTimestamp | For example, |
Source of action | sourceIPs | For example, |
Outcome | stage | For example, |
Other fields | | For example, "kind": "Event", "objectRef": { "resource": "nodepoolclaims", "namespace": "org-1", "subresource": "status", "name": "admin-control-plane-node-pool", "apiVersion": "v1", "apiGroup": "baremetal.cluster.gke.io", "resourceVersion": "878163", "uid": "b2e1bec0-0f7c-4a57-869b-3fcb969ba7e2" } |
Example log
```json
{
  "responseStatus": {
    "metadata": {},
    "code": 200
  },
  "_gdch_cluster": "root-admin",
  "sourceIPs": [
    "10.253.128.74"
  ],
  "annotations": {
    "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"operator-rolebinding-1.13.2\" of ClusterRole \"anthos-baremetal-operator-1.13.2\" to ServiceAccount \"anthos-cluster-operator-1.13.2/kube-system\"",
    "authorization.k8s.io/decision": "allow"
  },
  "requestReceivedTimestamp": "2022-11-23T23:19:42.690064Z",
  "stageTimestamp": "2022-11-23T23:19:42.695372Z",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-4hlmv",
  "apiVersion": "audit.k8s.io/v1",
  "level": "Metadata",
  "user": {
    "extra": {
      "authentication.kubernetes.io/pod-name": [
        "anthos-cluster-operator-1.13.2-bc6b7467d-22z88"
      ],
      "authentication.kubernetes.io/pod-uid": [
        "004e1b37-6d4d-4959-b77d-0e69dce5ef4a"
      ]
    },
    "groups": [
      "system:serviceaccounts",
      "system:serviceaccounts:kube-system",
      "system:authenticated"
    ],
    "username": "system:serviceaccount:kube-system:anthos-cluster-operator-1.13.2",
    "uid": "4ebfd4f7-f371-4c40-9f88-ea0709a7039e"
  },
  "stage": "ResponseComplete",
  "requestURI": "/apis/baremetal.cluster.gke.io/v1/namespaces/org-1/nodepoolclaims/admin-control-plane-node-pool/status",
  "kind": "Event",
  "objectRef": {
    "resource": "nodepoolclaims",
    "namespace": "org-1",
    "subresource": "status",
    "name": "admin-control-plane-node-pool",
    "apiVersion": "v1",
    "apiGroup": "baremetal.cluster.gke.io",
    "resourceVersion": "878163",
    "uid": "b2e1bec0-0f7c-4a57-869b-3fcb969ba7e2"
  },
  "verb": "update",
  "userAgent": "operator/v0.0.0 (linux/amd64) kubernetes/$Format",
  "auditID": "0539ea3a-b858-4a43-b516-812fc7e80dbd",
  "_gdch_service_name": "apiserver"
}
```
AddressPoolClaim data changes (CRUD operations)
Fields in the log entry that contain audit information | ||
---|---|---|
Audit metadata | Audit field name | Value |
User or service identity | user.username | For example, "user":{ "username":"system:serviceaccount:gpc-system:root-admin-controller-sa" } |
Target (Fields and values that call the API) | requestURI | |
Action (Fields containing the performed operation) | verb | |
Event timestamp | requestReceivedTimestamp | For example, |
Source of action | sourceIPs | For example, |
Outcome | stage | For example, |
Other fields | | For example, "objectRef": { "namespace": "org-1", "name": "admin-control-plane-node-pool", "apiGroup": "system.private.gdc.goog", "apiVersion": "VERSION", "resource": "addresspoolclaims" } |
Example log
```json
{
  "_gdch_cluster": "root-admin",
  "requestReceivedTimestamp": "2022-11-23T23:24:13.087516Z",
  "userAgent": "root-admin-cm/v0.0.0 (linux/amd64) kubernetes/$Format",
  "kind": "Event",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-4hlmv",
  "apiVersion": "audit.k8s.io/v1",
  "level": "Metadata",
  "auditID": "3e46bf8d-fc26-4b43-85fe-34f1f55a0398",
  "requestURI": "/apis/system.private.gdc.goog/VERSION/namespaces/org-1/addresspoolclaims/admin-control-plane-node-pool?fieldManager=Organization&force=true",
  "stage": "ResponseComplete",
  "user": {
    "groups": [
      "system:serviceaccounts",
      "system:serviceaccounts:gpc-system",
      "system:authenticated"
    ],
    "extra": {
      "authentication.kubernetes.io/pod-name": [
        "root-admin-controller-55b54bc95c-wjnwm"
      ],
      "authentication.kubernetes.io/pod-uid": [
        "915f7dcd-e8cb-4a1a-9c53-4b8e2751cf03"
      ]
    },
    "username": "system:serviceaccount:gpc-system:root-admin-controller-sa",
    "uid": "1ddfb03e-0dd5-42df-b8cb-c53a504d9026"
  },
  "verb": "patch",
  "responseStatus": {
    "metadata": {},
    "code": 200
  },
  "objectRef": {
    "namespace": "org-1",
    "name": "admin-control-plane-node-pool",
    "apiGroup": "system.private.gdc.goog",
    "apiVersion": "VERSION",
    "resource": "addresspoolclaims"
  },
  "sourceIPs": [
    "10.128.3.197"
  ],
  "annotations": {
    "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"root-admin-rootadmin-controllers-rolebinding\" of ClusterRole \"root-admin-rootadmin-controllers-role\" to ServiceAccount \"root-admin-controller-sa/gpc-system\"",
    "authorization.k8s.io/decision": "allow"
  },
  "stageTimestamp": "2022-11-23T23:24:13.100163Z",
  "_gdch_service_name": "apiserver"
}
```
SubnetClaim data changes (CRUD operations)
Fields in the log entry that contain audit information | ||
---|---|---|
Audit metadata | Audit field name | Value |
User or service identity | user.username | For example, "user":{ "username":"system:serviceaccount:gatekeeper-system:gatekeeper-admin" } |
Target (Fields and values that call the API) | requestURI | |
Action (Fields containing the performed operation) | verb | |
Event timestamp | requestReceivedTimestamp | For example, |
Source of action | sourceIPs | For example, |
Outcome | stage | For example, |
Other fields | | For example, "objectRef": { "resource": "subnetclaims", "apiVersion": "VERSION", "apiGroup": "system.private.gdc.goog" } |
Example log
```json
{
  "_gdch_cluster": "root-admin",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-gc5d7",
  "stageTimestamp": "2022-11-23T23:25:32.733616Z",
  "responseStatus": {
    "code": 200,
    "metadata": {}
  },
  "objectRef": {
    "resource": "subnetclaims",
    "apiVersion": "VERSION",
    "apiGroup": "system.private.gdc.goog"
  },
  "auditID": "b611ebea-4c30-4962-9283-c5dcc95c6e13",
  "verb": "list",
  "kind": "Event",
  "annotations": {
    "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"gatekeeper-manager-rolebinding\" of ClusterRole \"gatekeeper-manager-role\" to ServiceAccount \"gatekeeper-admin/gatekeeper-system\"",
    "authorization.k8s.io/decision": "allow"
  },
  "user": {
    "extra": {
      "authentication.kubernetes.io/pod-name": [
        "gatekeeper-audit-b765495d8-4znjd"
      ],
      "authentication.kubernetes.io/pod-uid": [
        "9e515f53-15bf-4570-9c57-2f53e0b69a5d"
      ]
    },
    "uid": "d5dc180d-1bca-4d84-885d-a871e0b6d5a2",
    "groups": [
      "system:serviceaccounts",
      "system:serviceaccounts:gatekeeper-system",
      "system:authenticated"
    ],
    "username": "system:serviceaccount:gatekeeper-system:gatekeeper-admin"
  },
  "stage": "ResponseComplete",
  "userAgent": "gatekeeper/v3.7.0 (linux/amd64) 3ba8e93/2021-11-15T20:59:44Z",
  "requestURI": "/apis/system.private.gdc.goog/VERSION/subnetclaims?limit=500",
  "requestReceivedTimestamp": "2022-11-23T23:25:32.726387Z",
  "sourceIPs": [
    "10.253.129.191"
  ],
  "level": "Metadata",
  "apiVersion": "audit.k8s.io/v1",
  "_gdch_service_name": "apiserver"
}
```
CIDRClaim data changes (CRUD operations)
Fields in the log entry that contain audit information | ||
---|---|---|
Audit metadata | Audit field name | Value |
User or service identity | user.username | For example, "user":{ "username":"system:serviceaccount:gatekeeper-system:gatekeeper-admin" } |
Target (Fields and values that call the API) | requestURI | |
Action (Fields containing the performed operation) | verb | |
Event timestamp | requestReceivedTimestamp | For example, |
Source of action | sourceIPs | For example, |
Outcome | stage | For example, |
Other fields | | For example, "objectRef": { "apiGroup": "dr.private.gdc.goog", "resource": "cidrclaimallocations", "apiVersion": "VERSION" } |
Example log
```json
{
  "_gdch_cluster": "root-admin",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-gc5d7",
  "objectRef": {
    "apiGroup": "dr.private.gdc.goog",
    "resource": "cidrclaimallocations",
    "apiVersion": "VERSION"
  },
  "responseStatus": {
    "metadata": {},
    "code": 200
  },
  "annotations": {
    "authorization.k8s.io/decision": "allow",
    "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"gatekeeper-manager-rolebinding\" of ClusterRole \"gatekeeper-manager-role\" to ServiceAccount \"gatekeeper-admin/gatekeeper-system\""
  },
  "stageTimestamp": "2022-11-23T23:26:28.165121Z",
  "kind": "Event",
  "level": "Metadata",
  "auditID": "a21c62ab-6f86-4898-a719-0970e89a031c",
  "user": {
    "groups": [
      "system:serviceaccounts",
      "system:serviceaccounts:gatekeeper-system",
      "system:authenticated"
    ],
    "extra": {
      "authentication.kubernetes.io/pod-name": [
        "gatekeeper-audit-b765495d8-4znjd"
      ],
      "authentication.kubernetes.io/pod-uid": [
        "9e515f53-15bf-4570-9c57-2f53e0b69a5d"
      ]
    },
    "username": "system:serviceaccount:gatekeeper-system:gatekeeper-admin",
    "uid": "d5dc180d-1bca-4d84-885d-a871e0b6d5a2"
  },
  "stage": "ResponseComplete",
  "apiVersion": "audit.k8s.io/v1",
  "requestURI": "/apis/dr.private.gdc.goog/VERSION/cidrclaimallocations?limit=500",
  "requestReceivedTimestamp": "2022-11-23T23:26:28.159646Z",
  "verb": "list",
  "sourceIPs": [
    "10.253.129.191"
  ],
  "userAgent": "gatekeeper/v3.7.0 (linux/amd64) 3ba8e93/2021-11-15T20:59:44Z",
  "_gdch_service_name": "apiserver"
}
```
Cluster data changes (CRUD operations)
Fields in the log entry that contain audit information | ||
---|---|---|
Audit metadata | Audit field name | Value |
User or service identity | user.username | For example, "user":{ "username":"system:serviceaccount:gatekeeper-system:gatekeeper-admin" } |
Target (Fields and values that call the API) | requestURI | |
Action (Fields containing the performed operation) | verb | |
Event timestamp | requestReceivedTimestamp | For example, |
Source of action | sourceIPs | For example, |
Outcome | stage | For example, |
Other fields | | For example, "objectRef": { "apiGroup": "baremetal.cluster.gke.io", "resource": "addonconfigurations", "apiVersion": "VERSION" } |
Example log
```json
{
  "sourceIPs": [
    "10.253.129.191"
  ],
  "stageTimestamp": "2022-11-23T23:29:31.952355Z",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-gc5d7",
  "_gdch_cluster": "root-admin",
  "userAgent": "gatekeeper/v3.7.0 (linux/amd64) 3ba8e93/2021-11-15T20:59:44Z",
  "stage": "RequestReceived",
  "auditID": "3f05e001-38f0-431e-8cc2-61d00d992b6d",
  "kind": "Event",
  "level": "Metadata",
  "apiVersion": "audit.k8s.io/v1",
  "requestURI": "/apis/baremetal.cluster.gke.io/VERSION/addonconfigurations?limit=500",
  "requestReceivedTimestamp": "2022-11-23T23:29:31.952355Z",
  "verb": "list",
  "user": {
    "extra": {
      "authentication.kubernetes.io/pod-name": [
        "gatekeeper-audit-b765495d8-4znjd"
      ],
      "authentication.kubernetes.io/pod-uid": [
        "9e515f53-15bf-4570-9c57-2f53e0b69a5d"
      ]
    },
    "uid": "d5dc180d-1bca-4d84-885d-a871e0b6d5a2",
    "groups": [
      "system:serviceaccounts",
      "system:serviceaccounts:gatekeeper-system",
      "system:authenticated"
    ],
    "username": "system:serviceaccount:gatekeeper-system:gatekeeper-admin"
  },
  "objectRef": {
    "apiGroup": "baremetal.cluster.gke.io",
    "resource": "addonconfigurations",
    "apiVersion": "VERSION"
  },
  "_gdch_service_name": "apiserver"
}
```
NodePool data changes (CRUD operations)
Fields in the log entry that contain audit information | ||
---|---|---|
Audit metadata | Audit field name | Value |
User or service identity | user.username | For example, "user":{ "username":"system:serviceaccount:kube-system:lifecycle-controllers-manager" } |
Target (Fields and values that call the API) | requestURI | |
Action (Fields containing the performed operation) | verb | |
Event timestamp | requestReceivedTimestamp | For example, |
Source of action | sourceIPs | For example, |
Outcome | stage | For example, |
Other fields | | For example, "objectRef": { "apiGroup": "baremetal.cluster.gke.io", "resource": "nodepools", "apiVersion": "v1" } |
Example log
```json
{
  "requestURI": "/apis/baremetal.cluster.gke.io/v1/nodepools",
  "_gdch_cluster": "root-admin",
  "sourceIPs": [
    "10.253.130.147"
  ],
  "stageTimestamp": "2022-11-23T23:28:41.746854Z",
  "responseStatus": {
    "metadata": {},
    "code": 200
  },
  "annotations": {
    "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"lifecycl-controllers-manager-rolebinding\" of ClusterRole \"lifecycle-controllers-manager\" to ServiceAccount \"lifecycle-controllers-manager/kube-system\"",
    "authorization.k8s.io/decision": "allow"
  },
  "requestReceivedTimestamp": "2022-11-23T23:28:41.742117Z",
  "userAgent": "manager/v0.0.0 (linux/amd64) kubernetes/$Format",
  "kind": "Event",
  "auditID": "c916fab1-a10b-4df8-b680-71ccb5d339ac",
  "user": {
    "extra": {
      "authentication.kubernetes.io/pod-uid": [
        "0b1e3b51-8bdb-4527-8a34-1ae7577cf0aa"
      ],
      "authentication.kubernetes.io/pod-name": [
        "lifecycle-controllers-manager-7495f9dd99-bfvdg"
      ]
    },
    "groups": [
      "system:serviceaccounts",
      "system:serviceaccounts:kube-system",
      "system:authenticated"
    ],
    "username": "system:serviceaccount:kube-system:lifecycle-controllers-manager",
    "uid": "c84957dc-f483-41c4-b0e1-1a2c9cb93dda"
  },
  "stage": "ResponseComplete",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-4hlmv",
  "verb": "list",
  "apiVersion": "audit.k8s.io/v1",
  "level": "Metadata",
  "objectRef": {
    "apiGroup": "baremetal.cluster.gke.io",
    "resource": "nodepools",
    "apiVersion": "v1"
  },
  "_gdch_service_name": "apiserver"
}
```
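
The field mapping in the tables above can be applied directly when triaging these logs: the sketch below reduces each entry to the audit metadata rows and keeps only completed write requests against the resources shown on this page. It is an added example, not part of the original page or of GDC tooling; the function names, the watched-resource set and the sample lines are assumptions built from values in the example logs.

```python
import json

MUTATING = {"create", "update", "patch", "delete", "deletecollection"}
# objectRef.resource values that appear in this page's example logs.
WATCHED = {"nodepoolclaims", "addresspoolclaims", "subnetclaims",
           "cidrclaimallocations", "addonconfigurations", "nodepools"}

def summarize(ev):
    """Pull the audit metadata rows from the tables out of one event."""
    return {
        "who": ev.get("user", {}).get("username"),
        "target": ev.get("requestURI"),
        "action": ev.get("verb"),
        "when": ev.get("requestReceivedTimestamp"),
        "source": ev.get("sourceIPs", []),
        "stage": ev.get("stage"),
        # responseStatus is absent on RequestReceived entries.
        "code": ev.get("responseStatus", {}).get("code"),
        "resource": ev.get("objectRef", {}).get("resource"),
        "decision": ev.get("annotations", {}).get(
            "authorization.k8s.io/decision"),
    }

def completed_writes(lines):
    """Return summaries of finished mutating requests on watched resources."""
    hits = []
    for line in lines:
        try:
            s = summarize(json.loads(line))
        except (json.JSONDecodeError, AttributeError):
            continue  # truncated or non-object forwarder output
        # Each request is logged once per stage; keep only the final entry.
        if (s["stage"] == "ResponseComplete" and s["action"] in MUTATING
                and s["resource"] in WATCHED):
            hits.append(s)
    return hits

# Constructed sample: values borrowed from this page's example logs; the
# RequestReceived write and the truncated line are made up to test the filters.
SAMPLE = [
    '{"stage":"ResponseComplete","verb":"update","responseStatus":{"code":200},'
    '"user":{"username":"system:serviceaccount:kube-system:anthos-cluster-operator-1.13.2"},'
    '"sourceIPs":["10.253.128.74"],"objectRef":{"resource":"nodepoolclaims"}}',
    '{"stage":"ResponseComplete","verb":"list","responseStatus":{"code":200},'
    '"objectRef":{"resource":"subnetclaims"}}',
    '{"stage":"RequestReceived","verb":"update","objectRef":{"resource":"nodepoolclaims"}}',
    '{"stage":"ResponseComplete","verb":"pat',
]
```

Calling `completed_writes(SAMPLE)` returns only the `update` on `nodepoolclaims`; the `list` call, the `RequestReceived` duplicate and the truncated line are dropped.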