Managed Kubernetes Service (MKS)

CRUD operations

CRUD operations include:

  • NodePoolClaim data
  • AddressPoolClaim data
  • SubnetClaim data
  • CIDRClaim data
  • Cluster data
  • NodePool data
  • MKS Cluster data

The following table contains an example for NodePoolClaim data (CRUD operations):

Fields in the log entry that contain audit information
Audit metadata Audit field name Value
User or service identity user

User performing the action:

user.username: system:serviceaccount:kube-system:anthos-cluster-operator-1.13.2

Full object snippet:

"user":{  "username": "system:serviceaccount:kube-system:anthos-cluster-operator-1.13.2",  "uid": "4ebfd4f7-f371-4c40-9f88-ea0709a7039e",  "groups": [  "system:serviceaccounts",  "system:serviceaccounts:kube-system",  "system:authenticated"  ],  "extra": {  "authentication.kubernetes.io/pod-name": [  "anthos-cluster-operator-1.13.2-bc6b7467d-22z88"  ],  "authentication.kubernetes.io/pod-uid": [  "004e1b37-6d4d-4959-b77d-0e69dce5ef4a"  ]  } }

Target

(KRM object being acted upon)

 objectRef / requestURI

Specific object reference:

"objectRef": {  "resource": "nodepoolclaims",  "namespace": "org-1",  "name": "admin-control-plane-node-pool",  "apiGroup": "baremetal.cluster.gke.io",  "apiVersion": "v1",  "subresource": "status" }

Request URI:

/apis/baremetal.cluster.gke.io/v1/namespaces/org-1/nodepoolclaims/admin-control-plane-node-pool/status

Action

(The CRUD operation performed)

 verb

Operation performed: update

(Other possible values: get, create, apply, patch, delete, list, watch)
Event timestamp requestReceivedTimestamp

2022-11-23T23:19:42.690064Z
Source of action _gdch_cluster, sourceIPs

Cluster: root-admin

Source IP address: ["10.253.128.74"]
Outcome responseStatus, stage

Stage: ResponseComplete

Response Status:

"responseStatus": {  "metadata": {},  "code": 200 }

(Code 200 indicates success)
Other useful fields auditID, annotations, Search Filter

Audit ID: 0539ea3a-b858-4a43-b516-812fc7e80dbd

Annotations include authorization details.

Search Filter: {service_name="apiserver"} |= `"resource":"nodepoolclaims"`

Example log

{  "responseStatus": {  "metadata": {},  "code": 200  },  "_gdch_cluster": "root-admin",  "sourceIPs": [  "10.253.128.74"  ],  "annotations": {  "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"operator-rolebinding-1.13.2\" of ClusterRole \"anthos-baremetal-operator-1.13.2\" to ServiceAccount \"anthos-cluster-operator-1.13.2/kube-system\"",  "authorization.k8s.io/decision": "allow"  },  "requestReceivedTimestamp": "2022-11-23T23:19:42.690064Z",  "stageTimestamp": "2022-11-23T23:19:42.695372Z",  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-4hlmv",  "apiVersion": "audit.k8s.io/v1",  "level": "Metadata",  "user": {  "extra": {  "authentication.kubernetes.io/pod-name": [  "anthos-cluster-operator-1.13.2-bc6b7467d-22z88"  ],  "authentication.kubernetes.io/pod-uid": [  "004e1b37-6d4d-4959-b77d-0e69dce5ef4a"  ]  },  "groups": [  "system:serviceaccounts",  "system:serviceaccounts:kube-system",  "system:authenticated"  ],  "username": "system:serviceaccount:kube-system:anthos-cluster-operator-1.13.2",  "uid": "4ebfd4f7-f371-4c40-9f88-ea0709a7039e"  },  "stage": "ResponseComplete",  "requestURI": "/apis/baremetal.cluster.gke.io/v1/namespaces/org-1/nodepoolclaims/admin-control-plane-node-pool/status",  "kind": "Event",  "objectRef": {  "resource": "nodepoolclaims",  "namespace": "org-1",  "subresource": "status",  "name": "admin-control-plane-node-pool",  "apiVersion": "v1",  "apiGroup": "baremetal.cluster.gke.io",  "resourceVersion": "878163",  "uid": "b2e1bec0-0f7c-4a57-869b-3fcb969ba7e2"  },  "verb": "update",  "userAgent": "operator/v0.0.0 (linux/amd64) kubernetes/$Format",  "auditID": "0539ea3a-b858-4a43-b516-812fc7e80dbd",  "_gdch_service_name": "apiserver" }