Kubernetes audit logs

Kubernetes collects and records audit logs. Kubernetes auditing provides a security-relevant, chronological set of records documenting the sequence of actions in a cluster.

JSON representation

{
  "kind": string,
  "apiVersion": string,
  "level": string,
  "auditID": string,
  "stage": string,
  "requestURI": string,
  "verb": string,
  "user": {
    object
  },
  "sourceIPs": [
    string array
  ],
  "userAgent": string,
  "objectRef": {
    object
  },
  "requestReceivedTimestamp": string,
  "stageTimestamp": string,
  "hostname": string
}

Fields

kind

string

The Kubernetes object type that is automatically generated in response to changes with other resources. For example, "Event"

apiVersion

string

The version of the API group that contains the referred object. For example, "audit.k8s.io/v1"

level

string

The audit level at which the event occurred. For example, "Metadata"

auditID

string

The unique audit identification value, generated for each request. For example, "c5f48f91-d4da-4659-97eb-56bdbcd0817c"

stage

string

The stage of the request handling when the event instance was generated. For example, "RequestReceived"

requestURI

string

The request URI that the client sends to a server. For example, "/apis/fleet.gpc.gke.io/v1/namespaces/gpc-system/fleets/root?fieldManager=kubectl-edit"

verb

string

The Kubernetes verb associated with the request. For non-resource requests, this value is the lower-cased HTTP method.

  • "verb": "create"
  • "verb": "delete"
  • "verb": "get"
  • "verb": "list"
  • "verb": "patch"
  • "verb": "update"
  • "verb": "watch"

user

object

Information about the username and groups of the authenticated user. For example:

{
  "username": "kubernetes-admin",
  "groups": [
    "system:masters",
    "system:authenticated"
  ]
}

sourceIPs

string array

Array of IPs from which the request originated, including all the intermediate proxies. The source IPs are listed in the following order:

  1. X-Forwarded-For request header IPs
  2. X-Real-IP header, if not present in the X-Forwarded-For list
  3. The remote address for the connection, if it doesn't match the last IP in the list so far

All but the last IP can be arbitrarily set by the client. For example, ["10.200.0.3"]
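
Because only the last entry reflects the connection itself, an origin check on audit events should key on that entry and treat the earlier ones as client-supplied claims. The following Python code is an added example, not part of the original reference; the sample events, the ADMIN_NETWORK range, and the helper names split_source_ips and review are constructed assumptions.

```python
import ipaddress
import json

# Constructed sample events (JSON Lines); only the fields used here are included.
SAMPLE_LOG = """\
{"auditID": "sample-1", "verb": "get", "user": {"username": "kubernetes-admin"}, "sourceIPs": ["10.200.0.3"]}
{"auditID": "sample-2", "verb": "delete", "user": {"username": "kubernetes-admin"}, "sourceIPs": ["10.200.0.3", "203.0.113.7"]}
{"auditID": "sample-3", "verb": "list", "user": {"username": "system:anonymous"}}
"""

# Assumption: the network the operator expects administrative requests to come from.
ADMIN_NETWORK = ipaddress.ip_network("10.200.0.0/24")


def split_source_ips(event):
    """Hypothetical helper: return (peer, claimed) for one audit event.

    peer is the last sourceIPs entry (the connection's remote address);
    claimed holds the earlier, header-derived entries a client can set.
    """
    ips = event.get("sourceIPs") or []
    if not ips:
        return None, []
    return ips[-1], ips[:-1]


def review(log_text, network=ADMIN_NETWORK):
    """Return one finding per event, judging origin only by the last entry."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        peer, claimed = split_source_ips(event)
        in_network = peer is not None and ipaddress.ip_address(peer) in network
        findings.append({
            "auditID": event.get("auditID"),
            "peer": peer,
            "claimed": claimed,
            "peer_in_network": in_network,
            # The first entry is inside the network but the real peer is not:
            # a check keyed on sourceIPs[0] would have accepted this request.
            "header_only_match": bool(claimed) and not in_network
                and ipaddress.ip_address(claimed[0]) in network,
        })
    return findings
```

When the API server sits behind a proxy or load balancer, the last entry is that proxy's address.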

userAgent

string

The user agent string that the client reports. For example, "kubectl/v1.19.4 (linux/amd64) kubernetes/d360454"

objectRef

object

Information about the object that the request targets. For example:

{
  "resource": "fleets",
  "namespace": "gpc-system",
  "name": "root",
  "apiGroup": "fleet.gpc.gke.io",
  "apiVersion": "v1"
}

requestReceivedTimestamp

string

The time when the request reached the Kubernetes apiserver. For example, "2022-05-05T05:38:57.155218Z"

stageTimestamp

string

The time when the request reached the current audit stage. For example, "2022-05-05T05:38:57.155218Z"

hostname

string

The name of the audit log host. For example, "audit-logs-forwarder-2k4d9"