Kubernetes collects and records audit logs. Kubernetes auditing provides a security-relevant, chronological set of records documenting the sequence of actions in a cluster.
JSON representation
{
  "kind": string,
  "apiVersion": string,
  "level": string,
  "auditID": string,
  "stage": string,
  "requestURI": string,
  "verb": string,
  "user": {
    object
  },
  "sourceIPs": [
    string array
  ],
  "userAgent": string,
  "objectRef": {
    object
  },
  "requestReceivedTimestamp": string,
  "stageTimestamp": string,
  "hostname": string
}
| Field | Description |
|---|---|
| `kind` | The Kubernetes object type that is automatically generated in response to changes with other resources. For example, |
| `apiVersion` | The version of the API group that contains the referred object. For example, |
| `level` | The audit level at which the event occurred. For example, |
| `auditID` | The unique audit identification value, generated for each request. For example, |
| `stage` | The stage of the request handling when the event instance was generated. For example, |
| `requestURI` | The request URI that the client sends to a server. For example, |
| `verb` | The Kubernetes verb associated with the request. For non-resource requests, this value is the lower-cased HTTP method. |
| `user` | Information about username and groups of the authenticated user. For example, `{ "username": "kubernetes-admin", "groups": [ "system:masters", "system:authenticated" ] }` |
| `sourceIPs` | Array of IPs from where the request originated and all the intermediate proxies. The source IPs are presented in the following ordered list: All but the last IP can be arbitrarily set by the client. For example, |
| `userAgent` | The user agent string that the client reports. For example, |
| `objectRef` | Information about the object reference that the request targets. For example, `{ "resource": "fleets", "namespace": "gpc-system", "name": "root", "apiGroup": "fleet.gpc.gke.io", "apiVersion": "v1" }` |
| `requestReceivedTimestamp` | The time when the request reached the Kubernetes apiserver. For example, |
| `stageTimestamp` | The time when the request reached the current audit stage. For example, |
| `hostname` | The name of the audit log host. For example, |
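
The following Python is an added example, not part of the original documentation: it reduces an audit event to the fields a triage query typically needs, treating only the last `sourceIPs` entry as trustworthy and falling back to `requestURI` when `objectRef` is absent. The function names, the sample events and every value in them other than the `user` and `objectRef` examples above are constructed for illustration.

```python
import json
from datetime import datetime

def _event(audit_id, verb, uri, ips, object_ref=None):
    """Build one constructed (illustrative) audit event as a JSON line."""
    ev = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
          "auditID": audit_id, "stage": "ResponseComplete", "requestURI": uri,
          "verb": verb, "sourceIPs": ips, "userAgent": "kubectl/v1.28.0",
          "user": {"username": "kubernetes-admin",
                   "groups": ["system:masters", "system:authenticated"]},
          "requestReceivedTimestamp": "2024-01-01T12:00:00.000000Z",
          "stageTimestamp": "2024-01-01T12:00:00.250000Z", "hostname": "cp-1"}
    if object_ref:
        ev["objectRef"] = object_ref
    return json.dumps(ev)

# Constructed sample input: one resource request and one non-resource request.
SAMPLE_LINES = [
    _event("id-1", "delete",
           "/apis/fleet.gpc.gke.io/v1/namespaces/gpc-system/fleets/root",
           ["203.0.113.7", "10.0.0.5"],
           {"resource": "fleets", "namespace": "gpc-system", "name": "root",
            "apiGroup": "fleet.gpc.gke.io", "apiVersion": "v1"}),
    _event("id-2", "get", "/healthz", ["10.0.0.5"]),
]

def _ts(value):
    """Parse an RFC 3339 timestamp with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def normalize(line):
    """Reduce one audit event to the fields a triage query usually needs."""
    ev = json.loads(line)
    ips = ev.get("sourceIPs") or []
    ref = ev.get("objectRef")  # may be absent, e.g. for non-resource requests
    parts = ("apiGroup", "namespace", "resource", "name")
    target = "/".join(ref[p] for p in parts if ref.get(p)) if ref else ev["requestURI"]
    elapsed = _ts(ev["stageTimestamp"]) - _ts(ev["requestReceivedTimestamp"])
    return {
        "auditID": ev["auditID"],
        "user": ev["user"]["username"],
        "verb": ev["verb"],
        "target": target,
        # All but the last IP can be set by the client, so only the last is trusted.
        "trusted_ip": ips[-1] if ips else None,
        "client_claimed_ips": ips[:-1],
        "seconds_to_stage": elapsed.total_seconds(),
    }
```

Alerting or allow-list logic should key on `trusted_ip`; `client_claimed_ips` is useful as context but should not be used for access decisions or attribution on its own.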