Virtual networking (VNET)

Workload location: File and block storage

Audit log source: Kubernetes audit logs

Audited operations

CRUD operations on the project network policy

Log type: KRM API management plane audit logs.

Fields in the log entry that contain audit information
Audit metadata: User or service identity
Audit field name: user
Value, for example:

"user": {
  "uid": "6e805ff0-3f8c-4073-b4e1-6a0582ff1263",
  "username": "system:serviceaccount:gpc-system:fleet-admin-controller",
  "extra": {
    "authentication.kubernetes.io/pod-uid": [
      "45ce2b16-3584-448e-8caf-49cb299dfb55"
    ],
    "authentication.kubernetes.io/pod-name": [
      "fleet-admin-controller-5b5d848876-764mt"
    ]
  },
  "groups": [
    "system:serviceaccounts",
    "system:serviceaccounts:gpc-system",
    "system:authenticated"
  ]
}

Audit metadata: Target (fields and values that call the API)
Audit field name: requestURI
Value:

"requestURI": "/apis/networking.gdc.goog/v1alpha1/namespaces/platform-obs/projectnetworkpolicies"

Audit metadata: Action (fields containing the performed operation)
Audit field name: verb
Value, for example:

"verb": "patch"

Audit metadata: Event timestamp
Audit field name: requestReceivedTimestamp
Value, for example:

"requestReceivedTimestamp": "2022-12-09T04:21:55.497089Z"

Audit metadata: Source of action
Audit field name: sourceIPs
Value, for example:

"sourceIPs": [
  "10.253.164.215"
]

Audit metadata: Outcome
Audit field name: stage
Value, for example:

"stage": "ResponseComplete"

Audit metadata: Other fields
Audit field name: Not applicable
Value: Not applicable

Example log

{
  "auditID": "ff8266f6-685f-4239-9ab8-c55083d575e0",
  "responseStatus": {
    "code": 200,
    "metadata": {}
  },
  "level": "Metadata",
  "requestURI": "/apis/networking.gdc.goog/v1alpha1/namespaces/platform-obs/projectnetworkpolicies/base-policy-allow-intra-project-traffic/status",
  "user": {
    "uid": "6e805ff0-3f8c-4073-b4e1-6a0582ff1263",
    "username": "system:serviceaccount:gpc-system:fleet-admin-controller",
    "extra": {
      "authentication.kubernetes.io/pod-uid": [
        "45ce2b16-3584-448e-8caf-49cb299dfb55"
      ],
      "authentication.kubernetes.io/pod-name": [
        "fleet-admin-controller-5b5d848876-764mt"
      ]
    },
    "groups": [
      "system:serviceaccounts",
      "system:serviceaccounts:gpc-system",
      "system:authenticated"
    ]
  },
  "_gdch_cluster": "org-1-admin",
  "objectRef": {
    "resource": "projectnetworkpolicies",
    "apiGroup": "networking.gdc.goog",
    "name": "base-policy-allow-intra-project-traffic",
    "apiVersion": "v1alpha1",
    "namespace": "platform-obs",
    "subresource": "status"
  },
  "verb": "patch",
  "kind": "Event",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-4267r",
  "stage": "ResponseComplete",
  "apiVersion": "audit.k8s.io/v1",
  "requestReceivedTimestamp": "2022-12-09T04:21:55.497089Z",
  "sourceIPs": [
    "10.253.164.215"
  ],
  "userAgent": "fleet-admin-cm/v0.0.0 (linux/amd64) kubernetes/$Format",
  "stageTimestamp": "2022-12-09T04:21:55.505045Z",
  "annotations": {
    "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"fleet-admin-controller\" of ClusterRole \"fleet-admin-controller\" to ServiceAccount \"fleet-admin-controller/gpc-system\"",
    "authorization.k8s.io/decision": "allow"
  },
  "_gdch_service_name": "apiserver"
}

CRUD operations on the load balancer

Log type: KRM API management plane audit logs.

Fields in the log entry that contain audit information
Audit metadata: User or service identity
Audit field name: user
Value, for example:

"user": {
  "groups": [
    "system:masters",
    "system:authenticated"
  ],
  "username": "kubernetes-admin"
}

Audit metadata: Target (fields and values that call the API)
Audit field name: objectRef.resource
Value:

"objectRef": {
  "resource": "services"
}

Audit metadata: Action (fields containing the performed operation)
Audit field name: verb
Value, for example:

"verb": "get"

Audit metadata: Event timestamp
Audit field name: requestReceivedTimestamp
Value, for example:

"requestReceivedTimestamp": "2022-12-09T04:29:53.577417Z"

Audit metadata: Source of action
Audit field name: sourceIPs
Value, for example:

"sourceIPs": [
  "10.200.0.5"
]

Audit metadata: Outcome
Audit field name: stage
Value, for example:

"stage": "ResponseComplete"

Audit metadata: Other fields
Audit field name: Not applicable
Value: Not applicable

Example log

{
  "apiVersion": "audit.k8s.io/v1",
  "level": "Metadata",
  "_gdch_cluster": "org-1-admin",
  "auditID": "113e562b-0576-4b97-bc5f-168a60428f6d",
  "user": {
    "groups": [
      "system:masters",
      "system:authenticated"
    ],
    "username": "kubernetes-admin"
  },
  "stageTimestamp": "2022-12-09T04:29:53.579903Z",
  "sourceIPs": [
    "10.200.0.5"
  ],
  "responseStatus": {
    "code": 200,
    "metadata": {}
  },
  "annotations": {
    "authorization.k8s.io/decision": "allow",
    "authorization.k8s.io/reason": ""
  },
  "stage": "ResponseComplete",
  "requestURI": "/api/v1/namespaces/harbor-system/services/harbor-harbor-harbor-core",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-8kc9n",
  "verb": "get",
  "objectRef": {
    "apiVersion": "v1",
    "apiGroup": "UNKNOWN",
    "resource": "services",
    "namespace": "harbor-system",
    "name": "harbor-harbor-harbor-core"
  },
  "userAgent": "root-admin-cm/v0.0.0 (linux/amd64) kubernetes/$Format",
  "kind": "Event",
  "requestReceivedTimestamp": "2022-12-09T04:29:53.577417Z",
  "_gdch_service_name": "apiserver"
}
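
Added example (not part of the original page or of the product's own tooling): a reviewer-side script that reads audit events one JSON object per line, extracts the fields documented in both sections above, and reports completed write operations on project network policies or services made by an identity outside an allowlist. The allowlist, the alerting rule, the function names and the third and fourth sample lines are assumptions made for illustration.

```python
import json

MUTATING_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
WATCHED = {"projectnetworkpolicies", "services"}  # resources from the two sections
# Assumption: identities expected to write these resources in this environment.
EXPECTED_WRITERS = {"system:serviceaccount:gpc-system:fleet-admin-controller"}

def summarize(event):
    """Extract the audit fields listed on this page from one audit.k8s.io/v1 event."""
    ref = event.get("objectRef", {})
    return {
        "who": event.get("user", {}).get("username"),
        "target": "/".join(filter(None, (ref.get("namespace"), ref.get("resource"),
                                         ref.get("name"), ref.get("subresource")))),
        "resource": ref.get("resource"),
        "verb": event.get("verb"),
        "when": event.get("requestReceivedTimestamp"),
        "source_ips": event.get("sourceIPs", []),
        "stage": event.get("stage"),
        "code": event.get("responseStatus", {}).get("code"),
    }

def review(lines):
    """Return completed writes to watched resources made by unexpected identities."""
    findings = []
    for line in lines:
        try:
            s = summarize(json.loads(line))
        except (json.JSONDecodeError, AttributeError):
            continue  # tolerate truncated, non-JSON or non-object lines in the stream
        if (s["stage"] == "ResponseComplete" and s["resource"] in WATCHED
                and s["verb"] in MUTATING_VERBS and s["who"] not in EXPECTED_WRITERS):
            findings.append(s)
    return findings

# Constructed sample: lines 1-2 are trimmed from the page's example logs,
# line 3 is an invented write by an unexpected user, line 4 is truncated.
SAMPLE = [
    '{"user": {"username": "system:serviceaccount:gpc-system:fleet-admin-controller"}, "verb": "patch", "stage": "ResponseComplete", "objectRef": {"resource": "projectnetworkpolicies", "namespace": "platform-obs", "name": "base-policy-allow-intra-project-traffic", "subresource": "status"}, "requestReceivedTimestamp": "2022-12-09T04:21:55.497089Z", "sourceIPs": ["10.253.164.215"], "responseStatus": {"code": 200}}',
    '{"user": {"username": "kubernetes-admin"}, "verb": "get", "stage": "ResponseComplete", "objectRef": {"resource": "services", "namespace": "harbor-system", "name": "harbor-harbor-harbor-core"}, "requestReceivedTimestamp": "2022-12-09T04:29:53.577417Z", "sourceIPs": ["10.200.0.5"], "responseStatus": {"code": 200}}',
    '{"user": {"username": "example-user@example.com"}, "verb": "delete", "stage": "ResponseComplete", "objectRef": {"resource": "projectnetworkpolicies", "namespace": "platform-obs", "name": "base-policy-allow-intra-project-traffic"}, "requestReceivedTimestamp": "2022-12-09T05:00:00.000000Z", "sourceIPs": ["192.0.2.10"], "responseStatus": {"code": 200}}',
    '{"verb": "patch", "stage": "Resp',
]

if __name__ == "__main__":
    for f in review(SAMPLE):
        print(f["when"], f["who"], f["verb"], f["target"], f["source_ips"], f["code"])
```

The response code is kept in each finding so that a denied attempt can be told apart from a successful change.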