Domain Name System (DNS)

Workload location

Root and organization workloads
Audit log source

Kubernetes audit logs
Audited operations

Update a zone

Fields in the log entry that contain audit information
Audit metadata Audit field name Value
User or service identity user.username

For example,

"user":{  "username": "dns@example.com"  }

Target

(Fields and values that call the API)

 requestURI

"requestURI":"/api/v1/namespaces/dns-system/configmaps/gpc-coredns-external-zonefile"

Action

(Fields containing the performed operation)

 verb

"verb":"update"

Event timestamp ts

For example,

"ts":2022-11-11T22:02:02.074Z

Source of action sourceIPs

For example,

"sourceIPs":["10.142.5.147"]
Outcome responseStatus.code

For example,

"responseStatus":{  "code":200  }

Other fields
  • annotations
  • objectRef

For example,

"annotations":{  "authorization.k8s.io/decision":"allow"  }, "objectRef":{  "resourceVersion":"697063",  "uid":"aed2e6f7-ca03-4bcd-9c07-167ccd4da88e",  "apiVersion":"v1",  "resource":"configmaps",  "apiGroup":"UNKNOWN",  "namespace":"dns-system",  "name":"gpc-coredns-external-zonefile"  }

Example log

{  "_gdch_cluster":"root-admin",  "_gdch_fluentbit_pod":"anthos-audit-logs-forwarder-7s769",  "_gdch_service_name":"apiserver",  "annotations":{  "authorization.k8s.io/decision":"allow",  "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"dns-core-controllers-rolebinding\" of ClusterRole \"dns-core-controllers-role\" to ServiceAccount \"dns-core-controller-sa/dns-system\"",  },  "apiVersion":"audit.k8s.io/v1",  "auditID":"ba0344d7-283f-4d79-aabc-e083al9b053a",  "kind":"Event",  "level":"Metadata",  "objectRef":{  "resourceVersion":"697063",  "uid":"aed2e6f7-ca03-4bcd-9c07-167ccd4da88e",  "apiVersion":"v1",  "resource":"configmaps",  "apiGroup":"UNKNOWN",  "namespace":"dns-system",  "name":"gpc-coredns-external-zonefile"  },  "requestReceivedTimestamp":"2022-11-11T22:02:02.034688Z",  "requestURI":"/api/v1/namespaces/dns-system/configmaps/gpc-coredns-external-zonefile",  "responseStatus":{  "metadata":{},  "code":200  },  "sourceIPs":["10.142.5.147"],  "stage":"ResponseComplete",  "stageTimestamp":"2022-11-11T22:02:02.045045Z",  "ts":2022-11-11T22:02:02.074Z,  "tsNs":1668204122074601081,  "user":{  "uid":"08f727c9-5e3d-403f-bf35-06ef53f9832c",  "groups":[  "system:serviceaccounts",  "system:serviceaccounts:dns-system",  "system:authenticated"  ],  "username": "system:serviceaccount:dns-system:dns-core-controller-sa",  "extra": {  "authentication.kubernetes.io/pod-name":["dns-core-controller-58c4646858-z8kmr"],  "authentication.kubernetes.io/pod-uid":["7cfc9b72-aacc-4e86-b43f-016498055230"]  }  },  "userAgent":"controller-manager/v0.0.0 (linux/amd64) kubernetes/$Format",  "verb":"update" }

Create or delete a DNSSEC key

Fields in the log entry that contain audit information
Audit metadata Audit field name Value
User or service identity user.username

For example,

"user":{  "username": "dns@example.com"  }

Target

(Fields and values that call the API)

 requestURI

"requestURI":"/api/v1/namespaces/dns-system/secrets/gpc-coredns-external-ksks"

Action

(Fields containing the performed operation)

 verb

"verb":"update"

Event timestamp ts

For example,

"ts":2022-11-11T22:02:02.074Z

Source of action sourceIPs

For example,

"sourceIPs":["10.142.5.147"]
Outcome responseStatus.code

For example,

"responseStatus":{  "code":200  }

Other fields
  • annotations
  • objectRef

For example,

"annotations":{  "authorization.k8s.io/decision":"allow"  }, "objectRef":{  "resource": "secrets",  "namespace":"dns-system",  "uid":"9a9c16ca-3601-4bc9-8683-629a61ea5234",  "apiVersion":"v1",  "resourceVersion":"825911",  "apiGroup":"UNKNOWN",  "name":"gpc-coredns-external-ksks"  }

Example log

{  "_gdch_cluster":"root-admin",  "_gdch_fluentbit_pod":"audit-logs-forwarder-t15kb",  "_gdch_service_name":"apiserver",  "annotations":{  "authorization.k8s.io/decision":"allow",  "authorization.k8s.io/reason":"RBAC: allowed by RoleBinding 'dns@example.com-dns-key-manager/dns-system' of Role 'dns-key-manager' to User 'dns@example.com'"  },  "apiVersion":"audit.k8s.io/v1",  "auditID":"87d3d836-b5a2-487a-8480-bc8078c5b248",  "kind":"Event",  "level":"Metadata",  "objectRef":{  "resource": "secrets",  "namespace":"dns-system",  "uid":"9a9c16ca-3601-4bc9-8683-629a61ea5234",  "apiVersion":"v1",  "resourceVersion":"825911",  "apiGroup":"UNKNOWN",  "name":"gpc-coredns-external-ksks"  },  "requestReceivedTimestamp":"2022-11-11T22:02:02.034688Z",  "requestURI":"/api/v1/namespaces/dns-system/secrets/gpc-coredns-external-ksks",  "responseStatus":{  "metadata":{},  "code":200  },  "sourceIPs":["10.142.5.147"],  "stage":"ResponseComplete",  "stageTimestamp":"2022-11-11T22:02:02.045045Z",  "ts":2022-11-11T22:02:02.074Z,  "tsNs":1668204122074601081,  "user":{  "groups":[  "system: authenticated"  ],  "username": "dns@example.com"  },  "userAgent":"gdcloud/v0.0.0 (linux/amd64) kubernetes/$Format",  "verb":"update" }

Change a DNSSEC key

Fields in the log entry that contain audit information
Audit metadata Audit field name Value
User or service identity user.username

For example,

"user":{  "username": "dns@example.com"  }

Target

(Fields and values that call the API)

 requestURI

"requestURI":"/api/v1/namespaces/dns-system/configmaps/gpc-coredns-external-corefile"

Action

(Fields containing the performed operation)

 verb

"verb":"update"

Event timestamp ts

For example,

"ts":2022-11-11T22:02:02.074Z

Source of action sourceIPs

For example,

"sourceIPs":["10.142.5.147"]
Outcome responseStatus.code

For example,

"responseStatus":{  "code":200  }

Other fields
  • annotations
  • objectRef

For example,

"annotations":{  "authorization.k8s.io/decision":"allow"  }, "objectRef":{  "resourceVersion":"758987",  "resource":"configmaps",  "apiGroup":"UNKNOWN",  "name":"gpc-coredns-external-corefile",  "apiVersion":"v1",  "namespace":"dns-system",  "uid":"d831c851-4fa3-4£30-92f6-c68cb36b0a80"  }

Example log

{  "_gdch_cluster":"root-admin",  "_gdch_fluentbit_pod":"audit-logs-forwarder-8z2rm",  "_gdch_service_name":"apiserver",  "annotations":{  "authorization.k8s.io/decision":"allow",  "authorization.k8s.io/reason":"RBAC: allowed by RoleBinding 'dns@example.com-dns-key-manager/dns-system' of Role 'dns-key-manager' to User 'dns@example.com'"  },  "apiVersion":"audit.k8s.io/v1",  "auditID":"ba0344d7-283f-4d79-aabc-e083al9b053a",  "kind":"Event",  "level":"Metadata",  "objectRef":{  "resourceVersion":"758987",  "resource":"configmaps",  "apiGroup":"UNKNOWN",  "name":"gpc-coredns-external- corefile",  "apiVersion":"v1",  "namespace":"dns-system",  "uid":"d831c851-4fa3-4£30-92f6-c68cb36b0a80"  },  "requestReceivedTimestamp":"2022-11-11T22:02:02.034688Z",  "requestURI":"/api/v1/namespaces/dns-system/configmaps/gpc-coredns-external-corefile",  "responseStatus":{  "metadata":{},  "code":200  },  "sourceIPs":["10.142.5.147"],  "stage":"ResponseComplete",  "stageTimestamp":"2022-11-11T22:02:02.045045Z",  "ts":2022-11-11T22:02:02.074Z,  "tsNs":1668204122074601081,  "user":{  "groups":[  "system: authenticated"  ],  "username": "dns@example.com"  },  "userAgent":"gdcloud/v0.0.0 (linux/amd64) kubernetes/$Format",  "verb":"update" }