| | |
|---|---|
| Workload location | Root only workloads |
| Audit log source | |
| Audited operations | The operations listed in the sections that follow |

NodePoolClaim data changes (CRUD operations)
Fields in the log entry that contain audit information

| Audit metadata | Audit field name | Value |
|---|---|---|
| User or service identity | user.username | For example, "user":{ "username":"system:serviceaccount:kube-system:anthos-cluster-operator-1.13.2" } |
| Target (fields and values that call the API) | requestURI | |
| Action (fields containing the performed operation) | verb | |
| Event timestamp | requestReceivedTimestamp | For example, |
| Source of action | sourceIPs | For example, |
| Outcome | stage | For example, |
| Other fields | | For example, "kind": "Event", "objectRef": { "resource": "nodepoolclaims", "namespace": "org-1", "subresource": "status", "name": "admin-control-plane-node-pool", "apiVersion": "v1", "apiGroup": "baremetal.cluster.gke.io", "resourceVersion": "878163", "uid": "b2e1bec0-0f7c-4a57-869b-3fcb969ba7e2" } |
Example log

```json
{
  "responseStatus": { "metadata": {}, "code": 200 },
  "_gdch_cluster": "root-admin",
  "sourceIPs": [ "10.253.128.74" ],
  "annotations": {
    "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"operator-rolebinding-1.13.2\" of ClusterRole \"anthos-baremetal-operator-1.13.2\" to ServiceAccount \"anthos-cluster-operator-1.13.2/kube-system\"",
    "authorization.k8s.io/decision": "allow"
  },
  "requestReceivedTimestamp": "2022-11-23T23:19:42.690064Z",
  "stageTimestamp": "2022-11-23T23:19:42.695372Z",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-4hlmv",
  "apiVersion": "audit.k8s.io/v1",
  "level": "Metadata",
  "user": {
    "extra": {
      "authentication.kubernetes.io/pod-name": [ "anthos-cluster-operator-1.13.2-bc6b7467d-22z88" ],
      "authentication.kubernetes.io/pod-uid": [ "004e1b37-6d4d-4959-b77d-0e69dce5ef4a" ]
    },
    "groups": [ "system:serviceaccounts", "system:serviceaccounts:kube-system", "system:authenticated" ],
    "username": "system:serviceaccount:kube-system:anthos-cluster-operator-1.13.2",
    "uid": "4ebfd4f7-f371-4c40-9f88-ea0709a7039e"
  },
  "stage": "ResponseComplete",
  "requestURI": "/apis/baremetal.cluster.gke.io/v1/namespaces/org-1/nodepoolclaims/admin-control-plane-node-pool/status",
  "kind": "Event",
  "objectRef": {
    "resource": "nodepoolclaims",
    "namespace": "org-1",
    "subresource": "status",
    "name": "admin-control-plane-node-pool",
    "apiVersion": "v1",
    "apiGroup": "baremetal.cluster.gke.io",
    "resourceVersion": "878163",
    "uid": "b2e1bec0-0f7c-4a57-869b-3fcb969ba7e2"
  },
  "verb": "update",
  "userAgent": "operator/v0.0.0 (linux/amd64) kubernetes/$Format",
  "auditID": "0539ea3a-b858-4a43-b516-812fc7e80dbd",
  "_gdch_service_name": "apiserver"
}
```

AddressPoolClaim data changes (CRUD operations)
Fields in the log entry that contain audit information

| Audit metadata | Audit field name | Value |
|---|---|---|
| User or service identity | user.username | For example, "user":{ "username":"system:serviceaccount:gpc-system:root-admin-controller-sa" } |
| Target (fields and values that call the API) | requestURI | |
| Action (fields containing the performed operation) | verb | |
| Event timestamp | requestReceivedTimestamp | For example, |
| Source of action | sourceIPs | For example, |
| Outcome | stage | For example, |
| Other fields | | For example, "objectRef": { "namespace": "org-1", "name": "admin-control-plane-node-pool", "apiGroup": "system.private.gdc.goog", "apiVersion": "VERSION", "resource": "addresspoolclaims" } |
Example log

```json
{
  "_gdch_cluster": "root-admin",
  "requestReceivedTimestamp": "2022-11-23T23:24:13.087516Z",
  "userAgent": "root-admin-cm/v0.0.0 (linux/amd64) kubernetes/$Format",
  "kind": "Event",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-4hlmv",
  "apiVersion": "audit.k8s.io/v1",
  "level": "Metadata",
  "auditID": "3e46bf8d-fc26-4b43-85fe-34f1f55a0398",
  "requestURI": "/apis/system.private.gdc.goog/VERSION/namespaces/org-1/addresspoolclaims/admin-control-plane-node-pool?fieldManager=Organization&force=true",
  "stage": "ResponseComplete",
  "user": {
    "groups": [ "system:serviceaccounts", "system:serviceaccounts:gpc-system", "system:authenticated" ],
    "extra": {
      "authentication.kubernetes.io/pod-name": [ "root-admin-controller-55b54bc95c-wjnwm" ],
      "authentication.kubernetes.io/pod-uid": [ "915f7dcd-e8cb-4a1a-9c53-4b8e2751cf03" ]
    },
    "username": "system:serviceaccount:gpc-system:root-admin-controller-sa",
    "uid": "1ddfb03e-0dd5-42df-b8cb-c53a504d9026"
  },
  "verb": "patch",
  "responseStatus": { "metadata": {}, "code": 200 },
  "objectRef": {
    "namespace": "org-1",
    "name": "admin-control-plane-node-pool",
    "apiGroup": "system.private.gdc.goog",
    "apiVersion": "VERSION",
    "resource": "addresspoolclaims"
  },
  "sourceIPs": [ "10.128.3.197" ],
  "annotations": {
    "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"root-admin-rootadmin-controllers-rolebinding\" of ClusterRole \"root-admin-rootadmin-controllers-role\" to ServiceAccount \"root-admin-controller-sa/gpc-system\"",
    "authorization.k8s.io/decision": "allow"
  },
  "stageTimestamp": "2022-11-23T23:24:13.100163Z",
  "_gdch_service_name": "apiserver"
}
```

SubnetClaim data changes (CRUD operations)
Fields in the log entry that contain audit information

| Audit metadata | Audit field name | Value |
|---|---|---|
| User or service identity | user.username | For example, "user":{ "username":"system:serviceaccount:gatekeeper-system:gatekeeper-admin" } |
| Target (fields and values that call the API) | requestURI | |
| Action (fields containing the performed operation) | verb | |
| Event timestamp | requestReceivedTimestamp | For example, |
| Source of action | sourceIPs | For example, |
| Outcome | stage | For example, |
| Other fields | | For example, "objectRef": { "resource": "subnetclaims", "apiVersion": "VERSION", "apiGroup": "system.private.gdc.goog" } |
Example log

```json
{
  "_gdch_cluster": "root-admin",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-gc5d7",
  "stageTimestamp": "2022-11-23T23:25:32.733616Z",
  "responseStatus": { "code": 200, "metadata": {} },
  "objectRef": {
    "resource": "subnetclaims",
    "apiVersion": "VERSION",
    "apiGroup": "system.private.gdc.goog"
  },
  "auditID": "b611ebea-4c30-4962-9283-c5dcc95c6e13",
  "verb": "list",
  "kind": "Event",
  "annotations": {
    "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"gatekeeper-manager-rolebinding\" of ClusterRole \"gatekeeper-manager-role\" to ServiceAccount \"gatekeeper-admin/gatekeeper-system\"",
    "authorization.k8s.io/decision": "allow"
  },
  "user": {
    "extra": {
      "authentication.kubernetes.io/pod-name": [ "gatekeeper-audit-b765495d8-4znjd" ],
      "authentication.kubernetes.io/pod-uid": [ "9e515f53-15bf-4570-9c57-2f53e0b69a5d" ]
    },
    "uid": "d5dc180d-1bca-4d84-885d-a871e0b6d5a2",
    "groups": [ "system:serviceaccounts", "system:serviceaccounts:gatekeeper-system", "system:authenticated" ],
    "username": "system:serviceaccount:gatekeeper-system:gatekeeper-admin"
  },
  "stage": "ResponseComplete",
  "userAgent": "gatekeeper/v3.7.0 (linux/amd64) 3ba8e93/2021-11-15T20:59:44Z",
  "requestURI": "/apis/system.private.gdc.goog/VERSION/subnetclaims?limit=500",
  "requestReceivedTimestamp": "2022-11-23T23:25:32.726387Z",
  "sourceIPs": [ "10.253.129.191" ],
  "level": "Metadata",
  "apiVersion": "audit.k8s.io/v1",
  "_gdch_service_name": "apiserver"
}
```

CIDRClaim data changes (CRUD operations)
Fields in the log entry that contain audit information

| Audit metadata | Audit field name | Value |
|---|---|---|
| User or service identity | user.username | For example, "user":{ "username":"system:serviceaccount:gatekeeper-system:gatekeeper-admin" } |
| Target (fields and values that call the API) | requestURI | |
| Action (fields containing the performed operation) | verb | |
| Event timestamp | requestReceivedTimestamp | For example, |
| Source of action | sourceIPs | For example, |
| Outcome | stage | For example, |
| Other fields | | For example, "objectRef": { "apiGroup": "dr.private.gdc.goog", "resource": "cidrclaimallocations", "apiVersion": "VERSION" } |
Example log

```json
{
  "_gdch_cluster": "root-admin",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-gc5d7",
  "objectRef": {
    "apiGroup": "dr.private.gdc.goog",
    "resource": "cidrclaimallocations",
    "apiVersion": "VERSION"
  },
  "responseStatus": { "metadata": {}, "code": 200 },
  "annotations": {
    "authorization.k8s.io/decision": "allow",
    "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"gatekeeper-manager-rolebinding\" of ClusterRole \"gatekeeper-manager-role\" to ServiceAccount \"gatekeeper-admin/gatekeeper-system\""
  },
  "stageTimestamp": "2022-11-23T23:26:28.165121Z",
  "kind": "Event",
  "level": "Metadata",
  "auditID": "a21c62ab-6f86-4898-a719-0970e89a031c",
  "user": {
    "groups": [ "system:serviceaccounts", "system:serviceaccounts:gatekeeper-system", "system:authenticated" ],
    "extra": {
      "authentication.kubernetes.io/pod-name": [ "gatekeeper-audit-b765495d8-4znjd" ],
      "authentication.kubernetes.io/pod-uid": [ "9e515f53-15bf-4570-9c57-2f53e0b69a5d" ]
    },
    "username": "system:serviceaccount:gatekeeper-system:gatekeeper-admin",
    "uid": "d5dc180d-1bca-4d84-885d-a871e0b6d5a2"
  },
  "stage": "ResponseComplete",
  "apiVersion": "audit.k8s.io/v1",
  "requestURI": "/apis/dr.private.gdc.goog/VERSION/cidrclaimallocations?limit=500",
  "requestReceivedTimestamp": "2022-11-23T23:26:28.159646Z",
  "verb": "list",
  "sourceIPs": [ "10.253.129.191" ],
  "userAgent": "gatekeeper/v3.7.0 (linux/amd64) 3ba8e93/2021-11-15T20:59:44Z",
  "_gdch_service_name": "apiserver"
}
```

Cluster data changes (CRUD operations)
Fields in the log entry that contain audit information

| Audit metadata | Audit field name | Value |
|---|---|---|
| User or service identity | user.username | For example, "user":{ "username":"system:serviceaccount:gatekeeper-system:gatekeeper-admin" } |
| Target (fields and values that call the API) | requestURI | |
| Action (fields containing the performed operation) | verb | |
| Event timestamp | requestReceivedTimestamp | For example, |
| Source of action | sourceIPs | For example, |
| Outcome | stage | For example, |
| Other fields | | For example, "objectRef": { "apiGroup": "baremetal.cluster.gke.io", "resource": "addonconfigurations", "apiVersion": "VERSION" } |
Example log

```json
{
  "sourceIPs": [ "10.253.129.191" ],
  "stageTimestamp": "2022-11-23T23:29:31.952355Z",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-gc5d7",
  "_gdch_cluster": "root-admin",
  "userAgent": "gatekeeper/v3.7.0 (linux/amd64) 3ba8e93/2021-11-15T20:59:44Z",
  "stage": "RequestReceived",
  "auditID": "3f05e001-38f0-431e-8cc2-61d00d992b6d",
  "kind": "Event",
  "level": "Metadata",
  "apiVersion": "audit.k8s.io/v1",
  "requestURI": "/apis/baremetal.cluster.gke.io/VERSION/addonconfigurations?limit=500",
  "requestReceivedTimestamp": "2022-11-23T23:29:31.952355Z",
  "verb": "list",
  "user": {
    "extra": {
      "authentication.kubernetes.io/pod-name": [ "gatekeeper-audit-b765495d8-4znjd" ],
      "authentication.kubernetes.io/pod-uid": [ "9e515f53-15bf-4570-9c57-2f53e0b69a5d" ]
    },
    "uid": "d5dc180d-1bca-4d84-885d-a871e0b6d5a2",
    "groups": [ "system:serviceaccounts", "system:serviceaccounts:gatekeeper-system", "system:authenticated" ],
    "username": "system:serviceaccount:gatekeeper-system:gatekeeper-admin"
  },
  "objectRef": {
    "apiGroup": "baremetal.cluster.gke.io",
    "resource": "addonconfigurations",
    "apiVersion": "VERSION"
  },
  "_gdch_service_name": "apiserver"
}
```

NodePool data changes (CRUD operations)
Fields in the log entry that contain audit information

| Audit metadata | Audit field name | Value |
|---|---|---|
| User or service identity | user.username | For example, "user":{ "username":"system:serviceaccount:kube-system:lifecycle-controllers-manager" } |
| Target (fields and values that call the API) | requestURI | |
| Action (fields containing the performed operation) | verb | |
| Event timestamp | requestReceivedTimestamp | For example, |
| Source of action | sourceIPs | For example, |
| Outcome | stage | For example, |
| Other fields | | For example, "objectRef": { "apiGroup": "baremetal.cluster.gke.io", "resource": "nodepools", "apiVersion": "v1" } |
Example log

```json
{
  "requestURI": "/apis/baremetal.cluster.gke.io/v1/nodepools",
  "_gdch_cluster": "root-admin",
  "sourceIPs": [ "10.253.130.147" ],
  "stageTimestamp": "2022-11-23T23:28:41.746854Z",
  "responseStatus": { "metadata": {}, "code": 200 },
  "annotations": {
    "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"lifecycl-controllers-manager-rolebinding\" of ClusterRole \"lifecycle-controllers-manager\" to ServiceAccount \"lifecycle-controllers-manager/kube-system\"",
    "authorization.k8s.io/decision": "allow"
  },
  "requestReceivedTimestamp": "2022-11-23T23:28:41.742117Z",
  "userAgent": "manager/v0.0.0 (linux/amd64) kubernetes/$Format",
  "kind": "Event",
  "auditID": "c916fab1-a10b-4df8-b680-71ccb5d339ac",
  "user": {
    "extra": {
      "authentication.kubernetes.io/pod-uid": [ "0b1e3b51-8bdb-4527-8a34-1ae7577cf0aa" ],
      "authentication.kubernetes.io/pod-name": [ "lifecycle-controllers-manager-7495f9dd99-bfvdg" ]
    },
    "groups": [ "system:serviceaccounts", "system:serviceaccounts:kube-system", "system:authenticated" ],
    "username": "system:serviceaccount:kube-system:lifecycle-controllers-manager",
    "uid": "c84957dc-f483-41c4-b0e1-1a2c9cb93dda"
  },
  "stage": "ResponseComplete",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-4hlmv",
  "verb": "list",
  "apiVersion": "audit.k8s.io/v1",
  "level": "Metadata",
  "objectRef": {
    "apiGroup": "baremetal.cluster.gke.io",
    "resource": "nodepools",
    "apiVersion": "v1"
  },
  "_gdch_service_name": "apiserver"
}
```
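Every table above maps the same six pieces of audit metadata onto the same apiserver event fields. As an added example (not code from the original page or the product), the Python below reads newline-delimited audit events shaped like the logs above, extracts that metadata, and keeps only completed CRUD mutations, treating a RequestReceived event (no responseStatus yet) as not final. The sample events are constructed from the logs on this page, and `WRITE_VERBS`, `summarize` and `completed_writes` are names assumed here.

```python
import json
# Kubernetes verbs that mutate data; get/list/watch are reads.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
# Constructed sample events, trimmed to the fields the tables above name.
SAMPLE_EVENTS = [
    {"verb": "update", "stage": "ResponseComplete", "sourceIPs": ["10.253.128.74"],
     "requestReceivedTimestamp": "2022-11-23T23:19:42.690064Z",
     "requestURI": "/apis/baremetal.cluster.gke.io/v1/namespaces/org-1/nodepoolclaims/admin-control-plane-node-pool/status",
     "user": {"username": "system:serviceaccount:kube-system:anthos-cluster-operator-1.13.2"},
     "objectRef": {"resource": "nodepoolclaims", "namespace": "org-1"},
     "responseStatus": {"code": 200}},
    {"verb": "list", "stage": "ResponseComplete", "sourceIPs": ["10.253.129.191"],
     "requestReceivedTimestamp": "2022-11-23T23:25:32.726387Z",
     "requestURI": "/apis/system.private.gdc.goog/VERSION/subnetclaims?limit=500",
     "user": {"username": "system:serviceaccount:gatekeeper-system:gatekeeper-admin"},
     "objectRef": {"resource": "subnetclaims"}, "responseStatus": {"code": 200}},
    # RequestReceived stage: no responseStatus yet, so the outcome is not final.
    {"verb": "list", "stage": "RequestReceived", "sourceIPs": ["10.253.129.191"],
     "requestReceivedTimestamp": "2022-11-23T23:29:31.952355Z",
     "requestURI": "/apis/baremetal.cluster.gke.io/VERSION/addonconfigurations?limit=500",
     "user": {"username": "system:serviceaccount:gatekeeper-system:gatekeeper-admin"},
     "objectRef": {"resource": "addonconfigurations"}},
]
SAMPLE_NDJSON = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

def _get(obj, *path):
    # Walk nested keys; None when any level is missing (e.g. no responseStatus).
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def summarize(event):
    """Map one apiserver audit event to the audit metadata the tables list."""
    return {
        "identity": _get(event, "user", "username"),
        "target": _get(event, "requestURI"),
        "action": _get(event, "verb"),
        "timestamp": _get(event, "requestReceivedTimestamp"),
        "source": _get(event, "sourceIPs"),
        "outcome": _get(event, "stage"),
        "resource": _get(event, "objectRef", "resource"),
        "namespace": _get(event, "objectRef", "namespace"),  # None if cluster-scoped
        "code": _get(event, "responseStatus", "code"),       # None until ResponseComplete
    }

def completed_writes(ndjson):
    """Parse newline-delimited events; keep completed CRUD mutations only."""
    rows = (summarize(json.loads(l)) for l in ndjson.splitlines() if l.strip())
    return [r for r in rows if r["action"] in WRITE_VERBS and r["outcome"] == "ResponseComplete"]
```

Of the three constructed events only the nodepoolclaims update survives the filter; the two list calls are reads, and the RequestReceived event carries no response code yet.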