OPA Gatekeeper (OPA)

All operations through the Kubernetes API

Log schema: KRM API

Fields in the log entry that contain audit information
Audit metadata Audit field name Value
User or service identity user 

"user": {
  "groups": [
    "system:authenticated"
  ],
  "username": "fop-platform-admin@example.com"
},
"annotations": {
  "authorization.k8s.io/decision": "allow",
  "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"project-creator-binding\" of ClusterRole \"project-creator\" to Group \"system:authenticated\""
}

Target

(Fields and values that call the API)

 objectRef 

"objectRef": {
  "apiVersion": "v1",
  "name": "app1-project",
  "resource": "projects",
  "namespace": "gpc-system",
  "apiGroup": "resourcemanager.gdc.goog"
}

Action

(Fields containing the performed operation)

 verb 

"verb": "create"
Event timestamp requestReceivedTimestamp 

"requestReceivedTimestamp": "2022-12-09T23:51:56.997825Z"
Source of action sourceIPs 

"sourceIPs": [
  "10.200.0.2"
]
Outcome responseStatus 

"responseStatus": {
  "code": 403,
  "status": "Failure",
  "metadata": {},
  "message": "admission webhook \"validation.gatekeeper.sh\" denied the request: [restrictprojectaccess] username  with groups <[\"system:authenticated\"]> is not allowed for this resource ",
  "reason": "[restrictprojectaccess] username  with groups <[\"system:authenticated\"]> is not allowed for this resource "
}
Other fields responseStatus_message 

"responseStatus": {
  "code": 403,
  "status": "Failure",
  "metadata": {},
  "message": "admission webhook \"validation.gatekeeper.sh\" denied the request: [restrictprojectaccess] username  with groups <[\"system:authenticated\"]> is not allowed for this resource ",
  "reason": "[restrictprojectaccess] username  with groups <[\"system:authenticated\"]> is not allowed for this resource "
}

Example log KRM API

{
  "sourceIPs": [
    "10.200.0.2"
  ],
  "_gdch_cluster": "root-admin",
  "objectRef": {
    "apiVersion": "v1",
    "name": "app1-project",
    "resource": "projects",
    "namespace": "gpc-system",
    "apiGroup": "resourcemanager.gdc.goog"
  },
  "kind": "Event",
  "level": "Metadata",
  "apiVersion": "audit.k8s.io/v1",
  "auditID": "3611358c-f8b0-4780-9268-950eccc5881a",
  "stage": "ResponseComplete",
  "requestURI": "/apis/resourcemanager.gdc.goog/v1/namespaces/gpc-system/projects?fieldManager=kubectl-client-side-apply&fieldValidation=Strict",
  "verb": "create",
  "requestReceivedTimestamp": "2022-12-09T23:51:56.997825Z",
  "responseStatus": {
    "code": 403,
    "status": "Failure",
    "metadata": {},
    "message": "admission webhook \"validation.gatekeeper.sh\" denied the request: [restrictprojectaccess] username <fop-platform-admin@example.com> with groups <[\"system:authenticated\"]> is not allowed for this resource <Project/app1-project>",
    "reason": "[restrictprojectaccess] username <fop-platform-admin@example.com> with groups <[\"system:authenticated\"]> is not allowed for this resource <Project/app1-project>"
  },
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-b9kk4",
  "stageTimestamp": "2022-12-09T23:51:57.015134Z",
  "userAgent": "kubectl/v1.25.4 (linux/amd64) kubernetes/872a965",
  "user": {
    "groups": [
      "system:authenticated"
    ],
    "username": "fop-platform-admin@example.com"
  },
  "annotations": {
    "authorization.k8s.io/decision": "allow",
    "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"project-creator-binding\" of ClusterRole \"project-creator\" to Group \"system:authenticated\""
  },
  "_gdch_service_name": "apiserver"
}

Start an audit process

Log schema: Gatekeeper

Fields in the log entry that contain audit information
Audit metadata Audit field name Value
User or service identity Not applicable

Target

(Fields and values that call the API)

 process 

\"process\":\"audit\"

Action

(Fields containing the performed operation)

 event_type 

\"event_type\":\"audit_started\"
Event timestamp audit_id 

\"audit_id\":\"2022-12-13T23:07:11Z\"
Source of action pod_name 

"pod_name": "gatekeeper-audit-b7 65495d8-tb4kc"
Outcome msg 

\"msg\":\"auditing constraints and violations\"
Other fields Not applicable

Finish an audit process

Log schema: Gatekeeper

Fields in the log entry that contain audit information
Audit metadata Audit field name Value
User or service identity Not applicable

Target

(Fields and values that call the API)

 process 

\"process\":\"audit\"

Action

(Fields containing the performed operation)

 event_type 

\"event_type\":\"audit_finished\"
Event timestamp audit_id 

\"audit_id\":\"2022-12-13T23:05:32Z\"
Source of action pod_name 

"pod_name": "gatekeeper-audit-b765495d8-tb4k c"
Outcome msg 

\"msg\":\"auditing is complete\"
Other fields Not applicable

Audit violation

Log schema:Gatekeeper

Fields in the log entry that contain audit information
Audit metadata Audit field name Value
User or service identity details 

\"details\":{\"missing_labels\":[\"gatekeeper\"]}

Target

(Fields and values that call the API)

 process 

\"process\":\"audit\"

Action

(Fields containing the performed operation)

 event_type 

\"event_type\":\"violation_audited\"
Event timestamp audit_id 

\"audit_id\":\"2022-12-13T23:07:11Z\"
Source of action pod_name 

"pod_name": "gatekeeper-audit-b765495d8-tb4kc"
Outcome msg 

\"msg\":\"you must provide labels: {\\\"gatekeeper\\\"}\"
Other fields Not applicable

Audit constraint

Log schema: Gatekeeper

Fields in the log entry that contain audit information
Audit metadata Audit field name Value
User or service identity constraint_name 

\"constraint_name\":\"ns-must-have-gk\"

Target

(Fields and values that call the API)

 process 

\"process\":\"audit\"

Action

(Fields containing the performed operation)

 event_type 

\"event_type\":\"constraint_audited\"
Event timestamp audit_id 

\"audit_id\":\"2022-12-13T23:07:11Z\"
Source of action pod_name 

"pod_name": "gatekeeper-audit-b 765495d8-tb4kc"
Outcome msg 

\"msg\":\"audit results for constraint\"
Other fields Not applicable

Example log Gatekeeper

{
  "stream":"stderr",
  "logtag":"F",
  "log":"{
    \"level\":\"info\",
    \"ts\":1670972934.0394588,
    \"logger\":\"controller\",
    \"msg\":\"audit results for constraint\",
    \"process\":\"audit\",
    \"audit_id\":\"2022-12-13T23:07:11Z\",
    \"event_type\":\"constraint_audited\",
    \"constraint_group\":\"constraints.gatekeeper.sh \",
    \"constraint_api_version\":\"v1\",
    \"constraint_kind\":\"K8sRequiredLabels\",
    \"constraint_name\":\"ns-must-have-gk\",
    \"constraint_namespace\":\"\",
    \"constraint_action\":\"deny\",
    \"constraint_status\":\"enforced\",
    \"constraint_violations\":\"64\"
    }",
  "kubernetes":{
    "pod_name": "gatekeeper-audit-b 765495d8-tb4kc",
    "namespace_name":"gatekeeper-system",
    "pod_id":"3c75b257-0917-4575-bb69-ab5eb6f5839d",
    "labels":{
      "app": "gatekeeper",
      "chart": "gatekeeper",
      "control-plane":"audit-controller",
      "gatekeeper.sh/operation":"audit",
      "gatekeeper.sh/system": "yes",
      "heritage" : "Helm",
      "pod-template-hash": "b765495d 8",
      "release":"gatekeeper"
      },
    "host": "gpc-adhoc-2801b240vm-worker-node2",
    "container_name": "manager",
    "docker_id":"33f7eb658cb7a17c50ce917dcc727628bc40ea7d160fb1a20d0d61ae4e51b473",
    "container_hash": "gcr.io/private-cloud-staging/gatekeeper@sha256:5d91735b2378723a74930cdff2298efeea6f6bebc8ea9dd0106bfdb067f5a07d", "container_image": "gcr.io/private-cloud-staging/gatekeeper: v3.7.0"
    },
  "_gdch_tenant_id":"infra-obs"
}