From 7b61c5b64b6002422772dc0b29391d42a9170d61 Mon Sep 17 00:00:00 2001
From: Hanna Tamoudi
Date: Wed, 21 Aug 2024 18:01:25 +0200
Subject: [PATCH 1/7] add missing fields gcp audit logs
---
 packages/gcp/changelog.yml | 5 +
 .../audit/_dev/test/pipeline/test-audit.log | 12 +-
 .../pipeline/test-audit.log-expected.json | 461 +++++++++++++++++-
 .../pipeline/test-sdh-3695.log-expected.json | 5 +
 .../elasticsearch/ingest_pipeline/default.yml | 55 +++
 .../gcp/data_stream/audit/fields/fields.yml | 37 ++
 packages/gcp/docs/README.md | 9 +
 packages/gcp/docs/audit.md | 9 +
 ...-d88364c0-73a1-11ea-a345-f985c61fe654.json | 2 +-
 packages/gcp/manifest.yml | 2 +-
 10 files changed, 582 insertions(+), 15 deletions(-)
diff --git a/packages/gcp/changelog.yml b/packages/gcp/changelog.yml
index 2b64c23529b..f65b554ef38 100644
--- a/packages/gcp/changelog.yml
+++ b/packages/gcp/changelog.yml
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.38.0" + changes: + - description: Add `policy_violation_info`, `metadata` and `related` fields to audit logs. + type: enhancement + link: https://github.com/elastic/integrations/pull/9931 - version: "2.37.1" changes: - description: Improve GCP Billing documentation.
diff --git a/packages/gcp/data_stream/audit/_dev/test/pipeline/test-audit.log b/packages/gcp/data_stream/audit/_dev/test/pipeline/test-audit.log
index b77d1b2f1f3..3bdf7260aef 100644
--- a/packages/gcp/data_stream/audit/_dev/test/pipeline/test-audit.log
+++ b/packages/gcp/data_stream/audit/_dev/test/pipeline/test-audit.log
@@ -11,8 +11,12 @@
{"insertId":"03adfb9f-71a3-4f41-9701-29b5542f4d22","labels":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:discovery\" of ClusterRole \"system:discovery\" to Group \"system:authenticated\""},"logName":"projects/elastic-siem/logs/cloudaudit.googleapis.com%2Fdata_access","operation":{"first":true,"id":"03adfb9f-71a3-4f41-9701-29b5542f4d22","last":true,"producer":"k8s.io"},"protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"system:serviceaccount:kube-system:generic-garbage-collector"},"authorizationInfo":[{"granted":true,"permission":"io.k8s.get","resource":"api/v1"}],"methodName":"io.k8s.get","requestMetadata":{"callerIp":"::1","callerSuppliedUserAgent":"kube-controller-manager/v1.19.8 (linux/amd64) kubernetes/4f6f69f/system:serviceaccount:kube-system:generic-garbage-collector"},"resourceName":"api/v1","serviceName":"k8s.io","status":{}},"receiveTimestamp":"2021-04-29T08:23:19.71757101Z","resource":{"labels":{"cluster_name":"analysis-cluster","location":"us-central1-a","project_id":"elastic-siem"},"type":"k8s_cluster"},"timestamp":"2021-04-29T08:23:18.899153Z"}
{"insertId":"03adfb9f-71a3-4f41-9701-29b5542f4d23","logName":"projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"xxx@xxx.xxx","principalSubject":"sub","serviceAccountKeyName":"//xxx@xxx"},"authorizationInfo":[{"granted":true,"permission":"iam.serviceAccounts.list","resource":"projects/project","resourceAttributes":{}}],"methodName":"google.iam.admin.v1.ListServiceAccounts","request":{"@type":"type.googleapis.com/google.iam.admin.v1.ListServiceAccountsRequest","name":"projects/project","page_token":"cg:FFFFFF"},"requestMetadata":{"callerIp":"gce-internal-ip","callerSuppliedUserAgent":"google-api-go-client/0.5,gzip(gfe)","destinationAttributes":{},"requestAttributes":{"auth":{},"time":"2022-02-21T13:57:39.178418578Z"}},"resourceName":"projects/project","serviceName":"iam.googleapis.com","status":{}},"receiveTimestamp":"2022-02-21T13:57:39.341344991Z","resource":{"labels":{"location":"global","method":"google.iam.admin.v1.ListServiceAccounts","project_id":"project","service":"iam.googleapis.com","version":"v1"},"type":"api"},"severity":"INFO","timestamp":"2022-02-21T13:57:39.174555198Z"}
{"insertId":"03adfb9f-71a3-4f41-9701-29b5542f4d24","labels":{"authentication.k8s.io/legacy-token":"system:serviceaccount:kube-system:metrics-server","authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"metrics-server:system:auth-delegator\" of ClusterRole \"system:auth-delegator\" to ServiceAccount 
\"metrics-server/kube-system\"","k8s.io/deprecated":"true","k8s.io/removed-release":"1.22"},"logName":"projects/project","operation":{"first":true,"id":"924fbbf6-1982-4173-9355-3fca0ab7b0ee","last":true,"producer":"k8s.io"},"protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"xxx@xxx.xxx"},"authorizationInfo":[{"granted":true,"permission":"io.k8s.authorization.v1beta1.subjectaccessreviews.create","resource":"authorization.k8s.io/v1beta1/subjectaccessreviews"}],"methodName":"io.k8s.authorization.v1beta1.subjectaccessreviews.create","request":{"@type":"authorization.k8s.io/v1beta1.SubjectAccessReview","apiVersion":"authorization.k8s.io/v1beta1","kind":"SubjectAccessReview","metadata":{"creationTimestamp":null},"spec":{"group":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"],"nonResourceAttributes":{"path":"/apis/metrics.k8s.io/v1beta1","verb":"get"},"user":"system:serviceaccount:kube-system:resourcequota-controller"},"status":{"allowed":false}},"requestMetadata":{"callerIp":"67.43.156.13","callerSuppliedUserAgent":"metrics-server/v0.0.0 (linux/amd64) kubernetes/$Format"},"resourceName":"authorization.k8s.io/v1beta1/subjectaccessreviews","response":{"@type":"authorization.k8s.io/v1beta1.SubjectAccessReview","apiVersion":"authorization.k8s.io/v1beta1","kind":"SubjectAccessReview","metadata":{"creationTimestamp":null,"managedFields":[{"apiVersion":"authorization.k8s.io/v1beta1","fieldsType":"FieldsV1","fieldsV1":{"f:spec":{"f:group":{},"f:nonResourceAttributes":{".":{},"f:path":{},"f:verb":{}},"f:user":{}}},"manager":"metrics-server","operation":"Update","time":"2022-02-21T14:00:40Z"}]},"spec":{"group":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"],"nonResourceAttributes":{"path":"/apis/metrics.k8s.io/v1beta1","verb":"get"},"user":"system:serviceaccount:kube-system:resourcequota-controller"},"status":{"allowed":true,"reason":"RBAC: 
allowed by ClusterRoleBinding \"system:discovery\" of ClusterRole \"system:discovery\" to Group \"system:authenticated\""}},"serviceName":"k8s.io","status":{}},"receiveTimestamp":"2022-02-21T14:00:42.030209174Z","resource":{"labels":{"cluster_name":"elastic","location":"europe-west1","project_id":"project"},"type":"k8s_cluster"},"timestamp":"2022-02-21T14:00:40.802327Z"}
-{"insertId": "e5132c86-462b-41b3-9b6a-47966addbb0b","labels": {"authorization.k8s.io/decision": "allow","authorization.k8s.io/reason": ""},"logName": "projects/iammai-340819/logs/cloudaudit.googleapis.com%2Factivity","operation": {"first": true,"id": "e5132c86-462b-41b3-9b6a-47966addbb0b","last": true,"producer": "k8s.io"},"protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo": {"principalEmail": "system:addon-manager"},"authorizationInfo": [ { "granted": true, "permission": "io.k8s.apps.v1.deployments.patch", "resource": "apps/v1/namespaces/kube-system/deployments/konnectivity-agent" } ], "methodName": "io.k8s.apps.v1.deployments.patch", "request": { "@type": "k8s.io/Patch", "spec": { "strategy": { "$retainKeys": [ "type" ] }, "template": { "spec": { "$setElementOrder/volumes": [ { "name": "konnectivity-agent-token" } ], "volumes": [ { "$retainKeys": [ "name", "projected" ], "name": "konnectivity-agent-token", "projected": { "sources": [ { "serviceAccountToken": { "audience": "system:konnectivity-server", "path": "konnectivity-agent-token" } } ] } } ] } } } }, "requestMetadata": { "callerIp": "10.142.0.152", "callerSuppliedUserAgent": "kubectl/v1.20.2 (linux/amd64) kubernetes/faecb19" }, "resourceName": "apps/v1/namespaces/kube-system/deployments/konnectivity-agent", "response": { "@type": "apps.k8s.io/v1.Deployment", "apiVersion": "apps/v1", "kind": "Deployment", "metadata": { "annotations": { "components.gke.io/layer": "addon", "deployment.kubernetes.io/revision": "1", "kubectl.kubernetes.io/last-applied-configuration": 
"{\"apiVersion\":\"apps/v1\",\"kind\":\"Deployment\",\"metadata\":{\"annotations\":{\"components.gke.io/layer\":\"addon\"},\"labels\":{\"addonmanager.kubernetes.io/mode\":\"Reconcile\",\"k8s-app\":\"konnectivity-agent\"},\"name\":\"konnectivity-agent\",\"namespace\":\"kube-system\"},\"spec\":{\"selector\":{\"matchLabels\":{\"k8s-app\":\"konnectivity-agent\"}},\"strategy\":{\"type\":\"RollingUpdate\"},\"template\":{\"metadata\":{\"annotations\":{\"cluster-autoscaler.kubernetes.io/safe-to-evict\":\"true\",\"components.gke.io/component-name\":\"konnectivitynetworkproxy-combined\",\"components.gke.io/component-version\":\"1.3.3\"},\"labels\":{\"k8s-app\":\"konnectivity-agent\"}},\"spec\":{\"containers\":[{\"args\":[\"--logtostderr=true\",\"--ca-cert=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt\",\"--proxy-server-host=34.75.195.103\",\"--proxy-server-port=8132\",\"--health-server-port=8093\",\"--admin-server-port=8094\",\"--sync-interval=5s\",\"--probe-interval=5s\",\"--service-account-token-path=/var/run/secrets/tokens/konnectivity-agent-token\",\"--v=3\"],\"command\":[\"/proxy-agent\"],\"env\":[{\"name\":\"POD_NAME\",\"valueFrom\":{\"fieldRef\":{\"fieldPath\":\"metadata.name\"}}},{\"name\":\"POD_NAMESPACE\",\"valueFrom\":{\"fieldRef\":{\"fieldPath\":\"metadata.namespace\"}}}],\"image\":\"gke.gcr.io/proxy-agent:v0.0.24-gke.0\",\"livenessProbe\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":8093},\"initialDelaySeconds\":15,\"timeoutSeconds\":15},\"name\":\"konnectivity-agent\",\"ports\":[{\"containerPort\":8093,\"name\":\"metrics\",\"protocol\":\"TCP\"}],\"resources\":{\"limits\":{\"memory\":\"125Mi\"},\"requests\":{\"cpu\":\"10m\",\"memory\":\"30Mi\"}},\"securityContext\":{\"allowPrivilegeEscalation\":false,\"capabilities\":{\"drop\":[\"all\"]}},\"volumeMounts\":[{\"mountPath\":\"/var/run/secrets/tokens\",\"name\":\"konnectivity-agent-token\"}]}],\"nodeSelector\":{\"beta.kubernetes.io/os\":\"linux\"},\"priorityClassName\":\"system-cluster-critical\",\"securityCon
text\":{\"fsGroup\":1000,\"runAsGroup\":1000,\"runAsUser\":1000},\"serviceAccountName\":\"konnectivity-agent\",\"tolerations\":[{\"key\":\"CriticalAddonsOnly\",\"operator\":\"Exists\"},{\"effect\":\"NoSchedule\",\"key\":\"sandbox.gke.io/runtime\",\"operator\":\"Equal\",\"value\":\"gvisor\"},{\"key\":\"components.gke.io/gke-managed-components\",\"operator\":\"Exists\"}],\"topologySpreadConstraints\":[{\"labelSelector\":{\"matchLabels\":{\"k8s-app\":\"konnectivity-agent\"}},\"maxSkew\":1,\"topologyKey\":\"topology.kubernetes.io/zone\",\"whenUnsatisfiable\":\"ScheduleAnyway\"},{\"labelSelector\":{\"matchLabels\":{\"k8s-app\":\"konnectivity-agent\"}},\"maxSkew\":1,\"topologyKey\":\"kubernetes.io/hostname\",\"whenUnsatisfiable\":\"ScheduleAnyway\"}],\"volumes\":[{\"name\":\"konnectivity-agent-token\",\"projected\":{\"sources\":[{\"serviceAccountToken\":{\"audience\":\"system:konnectivity-server\",\"path\":\"konnectivity-agent-token\"}}]}}]}}}}" }, "creationTimestamp": "2022-03-16T21:29:13Z", "generation": 2, "labels": { "addonmanager.kubernetes.io/mode": "Reconcile", "k8s-app": "konnectivity-agent" }, "managedFields": [ { "apiVersion": "apps/v1", "fieldsType": "FieldsV1", "fieldsV1": { "f:metadata": { "f:annotations": { ".": {}, "f:components.gke.io/layer": {}, "f:kubectl.kubernetes.io/last-applied-configuration": {} }, "f:labels": { ".": {}, "f:addonmanager.kubernetes.io/mode": {}, "f:k8s-app": {} } }, "f:spec": { "f:progressDeadlineSeconds": {}, "f:replicas": {}, "f:revisionHistoryLimit": {}, "f:selector": {}, "f:strategy": { "f:rollingUpdate": { ".": {}, "f:maxSurge": {}, "f:maxUnavailable": {} }, "f:type": {} }, "f:template": { "f:metadata": { "f:annotations": { ".": {}, "f:cluster-autoscaler.kubernetes.io/safe-to-evict": {}, "f:components.gke.io/component-name": {}, "f:components.gke.io/component-version": {} }, "f:labels": { ".": {}, "f:k8s-app": {} } }, "f:spec": { "f:containers": { "k:{\"name\":\"konnectivity-agent\"}": { ".": {}, "f:args": {}, "f:command": {}, 
"f:env": { ".": {}, "k:{\"name\":\"POD_NAME\"}": { ".": {}, "f:name": {}, "f:valueFrom": { ".": {}, "f:fieldRef": { ".": {}, "f:apiVersion": {}, "f:fieldPath": {} } } }, "k:{\"name\":\"POD_NAMESPACE\"}": { ".": {}, "f:name": {}, "f:valueFrom": { ".": {}, "f:fieldRef": { ".": {}, "f:apiVersion": {}, "f:fieldPath": {} } } } }, "f:image": {}, "f:imagePullPolicy": {}, "f:livenessProbe": { ".": {}, "f:failureThreshold": {}, "f:httpGet": { ".": {}, "f:path": {}, "f:port": {}, "f:scheme": {} }, "f:initialDelaySeconds": {}, "f:periodSeconds": {}, "f:successThreshold": {}, "f:timeoutSeconds": {} }, "f:name": {}, "f:ports": { ".": {}, "k:{\"containerPort\":8093,\"protocol\":\"TCP\"}": { ".": {}, "f:containerPort": {}, "f:name": {}, "f:protocol": {} } }, "f:resources": { ".": {}, "f:limits": { ".": {}, "f:memory": {} }, "f:requests": { ".": {}, "f:cpu": {}, "f:memory": {} } }, "f:securityContext": { ".": {}, "f:allowPrivilegeEscalation": {}, "f:capabilities": { ".": {}, "f:drop": {} } }, "f:terminationMessagePath": {}, "f:terminationMessagePolicy": {}, "f:volumeMounts": { ".": {}, "k:{\"mountPath\":\"/var/run/secrets/tokens\"}": { ".": {}, "f:mountPath": {}, "f:name": {} } } } }, "f:dnsPolicy": {}, "f:nodeSelector": { ".": {}, "f:beta.kubernetes.io/os": {} }, "f:priorityClassName": {}, "f:restartPolicy": {}, "f:schedulerName": {}, "f:securityContext": { ".": {}, "f:fsGroup": {}, "f:runAsGroup": {}, "f:runAsUser": {} }, "f:serviceAccount": {}, "f:serviceAccountName": {}, "f:terminationGracePeriodSeconds": {}, "f:tolerations": {}, "f:topologySpreadConstraints": { ".": {}, "k:{\"topologyKey\":\"kubernetes.io/hostname\",\"whenUnsatisfiable\":\"ScheduleAnyway\"}": { ".": {}, "f:labelSelector": {}, "f:maxSkew": {}, "f:topologyKey": {}, "f:whenUnsatisfiable": {} }, "k:{\"topologyKey\":\"topology.kubernetes.io/zone\",\"whenUnsatisfiable\":\"ScheduleAnyway\"}": { ".": {}, "f:labelSelector": {}, "f:maxSkew": {}, "f:topologyKey": {}, "f:whenUnsatisfiable": {} } }, "f:volumes": { ".": 
{}, "k:{\"name\":\"konnectivity-agent-token\"}": { ".": {}, "f:name": {}, "f:projected": { ".": {}, "f:defaultMode": {}, "f:sources": {} } } } } } } }, "manager": "kubectl-client-side-apply", "operation": "Update", "time": "2022-03-16T21:29:13Z" }, { "apiVersion": "apps/v1", "fieldsType": "FieldsV1", "fieldsV1": { "f:metadata": { "f:annotations": { "f:deployment.kubernetes.io/revision": {} } }, "f:status": { "f:availableReplicas": {}, "f:conditions": { ".": {}, "k:{\"type\":\"Available\"}": { ".": {}, "f:lastTransitionTime": {}, "f:lastUpdateTime": {}, "f:message": {}, "f:reason": {}, "f:status": {}, "f:type": {} }, "k:{\"type\":\"Progressing\"}": { ".": {}, "f:lastTransitionTime": {}, "f:lastUpdateTime": {}, "f:message": {}, "f:reason": {}, "f:status": {}, "f:type": {} } }, "f:observedGeneration": {}, "f:readyReplicas": {}, "f:replicas": {}, "f:updatedReplicas": {} } }, "manager": "kube-controller-manager", "operation": "Update", "time": "2022-03-17T08:55:52Z" } ], "name": "konnectivity-agent", "namespace": "kube-system", "resourceVersion": "280105", "uid": "d3b49e97-7bac-435e-bfc6-19a25fe494fe" }, "spec": { "progressDeadlineSeconds": 600, "replicas": 6, "revisionHistoryLimit": 10, "selector": { "matchLabels": { "k8s-app": "konnectivity-agent" } }, "strategy": { "rollingUpdate": { "maxSurge": "25%", "maxUnavailable": "25%" }, "type": "RollingUpdate" }, "template": { "metadata": { "annotations": { "cluster-autoscaler.kubernetes.io/safe-to-evict": "true", "components.gke.io/component-name": "konnectivitynetworkproxy-combined", "components.gke.io/component-version": "1.3.3" }, "creationTimestamp": null, "labels": { "k8s-app": "konnectivity-agent" } }, "spec": { "containers": [ { "args": [ "--logtostderr=true", "--ca-cert=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt", "--proxy-server-host=34.75.195.103", "--proxy-server-port=8132", "--health-server-port=8093", "--admin-server-port=8094", "--sync-interval=5s", "--probe-interval=5s", 
"--service-account-token-path=/var/run/secrets/tokens/konnectivity-agent-token", "--v=3" ], "command": [ "/proxy-agent" ], "env": [ { "name": "POD_NAME", "valueFrom": { "fieldRef": { "apiVersion": "v1", "fieldPath": "metadata.name" } } }, { "name": "POD_NAMESPACE", "valueFrom": { "fieldRef": { "apiVersion": "v1", "fieldPath": "metadata.namespace" } } } ], "image": "gke.gcr.io/proxy-agent:v0.0.24-gke.0", "imagePullPolicy": "IfNotPresent", "livenessProbe": { "failureThreshold": 3, "httpGet": { "path": "/healthz", "port": 8093, "scheme": "HTTP" }, "initialDelaySeconds": 15, "periodSeconds": 10, "successThreshold": 1, "timeoutSeconds": 15 }, "name": "konnectivity-agent", "ports": [ { "containerPort": 8093, "name": "metrics", "protocol": "TCP" } ], "resources": { "limits": { "memory": "125Mi" }, "requests": { "cpu": "10m", "memory": "30Mi" } }, "securityContext": { "allowPrivilegeEscalation": false, "capabilities": { "drop": [ "all" ] } }, "terminationMessagePath": "/dev/termination-log", "terminationMessagePolicy": "File", "volumeMounts": [ { "mountPath": "/var/run/secrets/tokens", "name": "konnectivity-agent-token" } ] } ], "dnsPolicy": "ClusterFirst", "nodeSelector": { "beta.kubernetes.io/os": "linux" }, "priorityClassName": "system-cluster-critical", "restartPolicy": "Always", "schedulerName": "default-scheduler", "securityContext": { "fsGroup": 1000, "runAsGroup": 1000, "runAsUser": 1000 }, "serviceAccount": "konnectivity-agent", "serviceAccountName": "konnectivity-agent", "terminationGracePeriodSeconds": 30, "tolerations": [ { "key": "CriticalAddonsOnly", "operator": "Exists" }, { "effect": "NoSchedule", "key": "sandbox.gke.io/runtime", "operator": "Equal", "value": "gvisor" }, { "key": "components.gke.io/gke-managed-components", "operator": "Exists" } ], "topologySpreadConstraints": [ { "labelSelector": { "matchLabels": { "k8s-app": "konnectivity-agent" } }, "maxSkew": 1, "topologyKey": "topology.kubernetes.io/zone", "whenUnsatisfiable": "ScheduleAnyway" }, { 
"labelSelector": { "matchLabels": { "k8s-app": "konnectivity-agent" } }, "maxSkew": 1, "topologyKey": "kubernetes.io/hostname", "whenUnsatisfiable": "ScheduleAnyway" } ], "volumes": [ { "name": "konnectivity-agent-token", "projected": { "defaultMode": 420, "sources": [ { "serviceAccountToken": { "audience": "system:konnectivity-server", "expirationSeconds": 3600, "path": "konnectivity-agent-token" } } ] } } ] } } }, "status": { "availableReplicas": 6, "conditions": [ { "lastTransitionTime": "2022-03-17T08:55:41Z", "lastUpdateTime": "2022-03-17T08:55:41Z", "message": "ReplicaSet \"konnectivity-agent-56c9b8cf8\" has successfully progressed.", "reason": "NewReplicaSetAvailable", "status": "True", "type": "Progressing" }, { "lastTransitionTime": "2022-03-17T08:55:52Z", "lastUpdateTime": "2022-03-17T08:55:52Z", "message": "Deployment has minimum availability.", "reason": "MinimumReplicasAvailable", "status": "True", "type": "Available" } ], "observedGeneration": 2, "readyReplicas": 6, "replicas": 6, "updatedReplicas": 6 } }, "serviceName": "k8s.io", "status": {} }, "receiveTimestamp": "2022-03-21T19:46:38.090036928Z", "resource": { "labels": { "cluster_name": "iammai-340819-gke-cluster", "location": "us-east1", "project_id": "iammai-340819" }, "type": "k8s_cluster" }, "timestamp": "2022-03-21T19:46:36.090498Z" } 
-{"insertId":"15ciwwfd47gm","logName":"projects/elastic/logs/cloudaudit.googleapis.com%2Fdata_access","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"service-150691754250@container-engine-robot.iam.gserviceaccount.com","principalSubject":"serviceAccount:service-150691754250@container-engine-robot.iam.gserviceaccount.com"},"authorizationInfo":[{"granted":true,"permission":"container.clusters.get","resourceAttributes":{}}],"methodName":"google.container.v1.ClusterManager.GetCluster","policyViolationInfo":{"orgPolicyViolationInfo":{}},"request":{"@type":"type.googleapis.com/google.container.v1alpha1.GetClusterRequest","name":"projects/elastic-product/locations/us-central1-a/clusters/demo-elastic-co"},"requestMetadata":{"callerIp":"192.168.1.1","callerSuppliedUserAgent":"google-api-go-client/0.5 cluster-autoscaler,gzip(gfe)","destinationAttributes":{},"requestAttributes":{"auth":{},"time":"2022-06-01T11:15:10.836131149Z"}},"resourceLocation":{"currentLocations":["us-central1-a"]},"resourceName":"projects/elastic-product/zones/us-central1-a/clusters/demo-elastic-co","serviceName":"container.googleapis.com"},"receiveTimestamp":"2022-06-01T11:15:11.07151757Z","resource":{"labels":{"cluster_name":"demo-elastic-co","location":"us-central1-a","project_id":"elastic-product"},"type":"gke_cluster"},"severity":"INFO","timestamp":"2022-06-01T11:15:10.842495409Z","logging.googleapis.com/timestamp":"2022-06-01T11:15:10.842495409Z"} 
-{"insertId":"4pyr6eegiuw1","logName":"projects/elastic/logs/cloudaudit.googleapis.com%2Fdata_access","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"xxx-compute@developer.gserviceaccount.com","serviceAccountDelegationInfo":[{}]},"authorizationInfo":[{"granted":true,"permission":"storage.objects.get","resource":"projects/_/buckets/dataflow-staging-us-central1-xxx/objects/staging/xxx.jar","resourceAttributes":{}}],"methodName":"storage.objects.get","requestMetadata":{"callerSuppliedUserAgent":"BigstoreFile BigstoreIO (cr/xxx) ","destinationAttributes":{},"requestAttributes":{"auth":{},"time":"2022-06-01T11:19:08.205760711Z"}},"resourceLocation":{"currentLocations":["us-central1"]},"resourceName":"projects/_/buckets/dataflow-staging-us-central1-xxx/objects/staging/jfxrt-xxx.jar","serviceName":"storage.googleapis.com","status":{}},"receiveTimestamp":"2022-06-01T11:19:08.699785539Z","resource":{"labels":{"bucket_name":"dataflow-staging-us-central1-150691754250","location":"us-central1","project_id":"elastic-product"},"type":"gcs_bucket"},"severity":"INFO","timestamp":"2022-06-01T11:19:08.199407722Z","logging.googleapis.com/timestamp":"2022-06-01T11:19:08.199407722Z"} 
-{"insertId":"15ciwwfd47gf","logName":"projects/elastic/logs/cloudaudit.googleapis.com%2Fdata_access","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"service-150691754250@container-engine-robot.iam.gserviceaccount.com","principalSubject":"serviceAccount:service-150691754250@container-engine-robot.iam.gserviceaccount.com"},"authorizationInfo":[{"granted":true,"permission":"container.clusters.get","resourceAttributes":{}}],"methodName":"google.container.v1.ClusterManager.GetCluster","policyViolationInfo":{"orgPolicyViolationInfo":{}},"request":{"@type":"type.googleapis.com/google.container.v1alpha1.GetClusterRequest","name":"projects/elastic-product/locations/us-central1-a/clusters/demo-elastic-co","policy":"scalar-policy"},"requestMetadata":{"callerIp":"192.168.1.1","callerSuppliedUserAgent":"google-api-go-client/0.5 cluster-autoscaler,gzip(gfe)","destinationAttributes":{},"requestAttributes":{"auth":{},"time":"2022-06-01T11:15:10.836131149Z"}},"resourceLocation":{"currentLocations":["us-central1-a"]},"resourceName":"projects/elastic-product/zones/us-central1-a/clusters/demo-elastic-co","serviceName":"container.googleapis.com"},"receiveTimestamp":"2022-06-01T11:15:11.07151757Z","resource":{"labels":{"cluster_name":"demo-elastic-co","location":"us-central1-a","project_id":"elastic-product"},"type":"gke_cluster"},"severity":"INFO","timestamp":"2022-06-01T11:15:10.842495409Z","logging.googleapis.com/timestamp":"2022-06-01T11:15:10.842495409Z"}
+{"insertId":"e5132c86-462b-41b3-9b6a-47966addbb0b","labels":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""},"logName":"projects/iammai-340819/logs/cloudaudit.googleapis.com%2Factivity","operation":{"first": true,"id":"e5132c86-462b-41b3-9b6a-47966addbb0b","last": 
true,"producer":"k8s.io"},"protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"system:addon-manager"},"authorizationInfo":[{"granted": true,"permission":"io.k8s.apps.v1.deployments.patch","resource":"apps/v1/namespaces/kube-system/deployments/konnectivity-agent"}],"methodName":"io.k8s.apps.v1.deployments.patch","request":{"@type":"k8s.io/Patch","spec":{"strategy":{"$retainKeys":["type"]},"template":{"spec":{"$setElementOrder/volumes":[{"name":"konnectivity-agent-token"}],"volumes":[{"$retainKeys":["name","projected"],"name":"konnectivity-agent-token","projected":{"sources":[{"serviceAccountToken":{"audience":"system:konnectivity-server","path":"konnectivity-agent-token"}}]}}]}}}},"requestMetadata":{"callerIp":"10.142.0.152","callerSuppliedUserAgent":"kubectl/v1.20.2 (linux/amd64) kubernetes/faecb19"},"resourceName":"apps/v1/namespaces/kube-system/deployments/konnectivity-agent","response":{"@type":"apps.k8s.io/v1.Deployment","apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{"components.gke.io/layer":"addon","deployment.kubernetes.io/revision":"1","kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"apps/v1\",\"kind\":\"Deployment\",\"metadata\":{\"annotations\":{\"components.gke.io/layer\":\"addon\"},\"labels\":{\"addonmanager.kubernetes.io/mode\":\"Reconcile\",\"k8s-app\":\"konnectivity-agent\"},\"name\":\"konnectivity-agent\",\"namespace\":\"kube-system\"},\"spec\":{\"selector\":{\"matchLabels\":{\"k8s-app\":\"konnectivity-agent\"}},\"strategy\":{\"type\":\"RollingUpdate\"},\"template\":{\"metadata\":{\"annotations\":{\"cluster-autoscaler.kubernetes.io/safe-to-evict\":\"true\",\"components.gke.io/component-name\":\"konnectivitynetworkproxy-combined\",\"components.gke.io/component-version\":\"1.3.3\"},\"labels\":{\"k8s-app\":\"konnectivity-agent\"}},\"spec\":{\"containers\":[{\"args\":[\"--logtostderr=true\",\"--ca-cert=/var/run/secrets/kubernetes.io/serviceaccount/ca.
crt\",\"--proxy-server-host=34.75.195.103\",\"--proxy-server-port=8132\",\"--health-server-port=8093\",\"--admin-server-port=8094\",\"--sync-interval=5s\",\"--probe-interval=5s\",\"--service-account-token-path=/var/run/secrets/tokens/konnectivity-agent-token\",\"--v=3\"],\"command\":[\"/proxy-agent\"],\"env\":[{\"name\":\"POD_NAME\",\"valueFrom\":{\"fieldRef\":{\"fieldPath\":\"metadata.name\"}}},{\"name\":\"POD_NAMESPACE\",\"valueFrom\":{\"fieldRef\":{\"fieldPath\":\"metadata.namespace\"}}}],\"image\":\"gke.gcr.io/proxy-agent:v0.0.24-gke.0\",\"livenessProbe\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":8093},\"initialDelaySeconds\":15,\"timeoutSeconds\":15},\"name\":\"konnectivity-agent\",\"ports\":[{\"containerPort\":8093,\"name\":\"metrics\",\"protocol\":\"TCP\"}],\"resources\":{\"limits\":{\"memory\":\"125Mi\"},\"requests\":{\"cpu\":\"10m\",\"memory\":\"30Mi\"}},\"securityContext\":{\"allowPrivilegeEscalation\":false,\"capabilities\":{\"drop\":[\"all\"]}},\"volumeMounts\":[{\"mountPath\":\"/var/run/secrets/tokens\",\"name\":\"konnectivity-agent-token\"}]}],\"nodeSelector\":{\"beta.kubernetes.io/os\":\"linux\"},\"priorityClassName\":\"system-cluster-critical\",\"securityContext\":{\"fsGroup\":1000,\"runAsGroup\":1000,\"runAsUser\":1000},\"serviceAccountName\":\"konnectivity-agent\",\"tolerations\":[{\"key\":\"CriticalAddonsOnly\",\"operator\":\"Exists\"},{\"effect\":\"NoSchedule\",\"key\":\"sandbox.gke.io/runtime\",\"operator\":\"Equal\",\"value\":\"gvisor\"},{\"key\":\"components.gke.io/gke-managed-components\",\"operator\":\"Exists\"}],\"topologySpreadConstraints\":[{\"labelSelector\":{\"matchLabels\":{\"k8s-app\":\"konnectivity-agent\"}},\"maxSkew\":1,\"topologyKey\":\"topology.kubernetes.io/zone\",\"whenUnsatisfiable\":\"ScheduleAnyway\"},{\"labelSelector\":{\"matchLabels\":{\"k8s-app\":\"konnectivity-agent\"}},\"maxSkew\":1,\"topologyKey\":\"kubernetes.io/hostname\",\"whenUnsatisfiable\":\"ScheduleAnyway\"}],\"volumes\":[{\"name\":\"konnectivity-agent-token\
",\"projected\":{\"sources\":[{\"serviceAccountToken\":{\"audience\":\"system:konnectivity-server\",\"path\":\"konnectivity-agent-token\"}}]}}]}}}}"},"creationTimestamp":"2022-03-16T21:29:13Z","generation": 2,"labels":{"addonmanager.kubernetes.io/mode":"Reconcile","k8s-app":"konnectivity-agent"},"managedFields":[{"apiVersion":"apps/v1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:components.gke.io/layer":{},"f:kubectl.kubernetes.io/last-applied-configuration":{}},"f:labels":{".":{},"f:addonmanager.kubernetes.io/mode":{},"f:k8s-app":{}}},"f:spec":{"f:progressDeadlineSeconds":{},"f:replicas":{},"f:revisionHistoryLimit":{},"f:selector":{},"f:strategy":{"f:rollingUpdate":{".":{},"f:maxSurge":{},"f:maxUnavailable":{}},"f:type":{}},"f:template":{"f:metadata":{"f:annotations":{".":{},"f:cluster-autoscaler.kubernetes.io/safe-to-evict":{},"f:components.gke.io/component-name":{},"f:components.gke.io/component-version":{}},"f:labels":{".":{},"f:k8s-app":{}}},"f:spec":{"f:containers":{"k:{\"name\":\"konnectivity-agent\"}":{".":{},"f:args":{},"f:command":{},"f:env":{".":{},"k:{\"name\":\"POD_NAME\"}":{".":{},"f:name":{},"f:valueFrom":{".":{},"f:fieldRef":{".":{},"f:apiVersion":{},"f:fieldPath":{}}}},"k:{\"name\":\"POD_NAMESPACE\"}":{".":{},"f:name":{},"f:valueFrom":{".":{},"f:fieldRef":{".":{},"f:apiVersion":{},"f:fieldPath":{}}}}},"f:image":{},"f:imagePullPolicy":{},"f:livenessProbe":{".":{},"f:failureThreshold":{},"f:httpGet":{".":{},"f:path":{},"f:port":{},"f:scheme":{}},"f:initialDelaySeconds":{},"f:periodSeconds":{},"f:successThreshold":{},"f:timeoutSeconds":{}},"f:name":{},"f:ports":{".":{},"k:{\"containerPort\":8093,\"protocol\":\"TCP\"}":{".":{},"f:containerPort":{},"f:name":{},"f:protocol":{}}},"f:resources":{".":{},"f:limits":{".":{},"f:memory":{}},"f:requests":{".":{},"f:cpu":{},"f:memory":{}}},"f:securityContext":{".":{},"f:allowPrivilegeEscalation":{},"f:capabilities":{".":{},"f:drop":{}}},"f:terminationMessagePath":{},"f:terminationM
essagePolicy":{},"f:volumeMounts":{".":{},"k:{\"mountPath\":\"/var/run/secrets/tokens\"}":{".":{},"f:mountPath":{},"f:name":{}}}}},"f:dnsPolicy":{},"f:nodeSelector":{".":{},"f:beta.kubernetes.io/os":{}},"f:priorityClassName":{},"f:restartPolicy":{},"f:schedulerName":{},"f:securityContext":{".":{},"f:fsGroup":{},"f:runAsGroup":{},"f:runAsUser":{}},"f:serviceAccount":{},"f:serviceAccountName":{},"f:terminationGracePeriodSeconds":{},"f:tolerations":{},"f:topologySpreadConstraints":{".":{},"k:{\"topologyKey\":\"kubernetes.io/hostname\",\"whenUnsatisfiable\":\"ScheduleAnyway\"}":{".":{},"f:labelSelector":{},"f:maxSkew":{},"f:topologyKey":{},"f:whenUnsatisfiable":{}},"k:{\"topologyKey\":\"topology.kubernetes.io/zone\",\"whenUnsatisfiable\":\"ScheduleAnyway\"}":{".":{},"f:labelSelector":{},"f:maxSkew":{},"f:topologyKey":{},"f:whenUnsatisfiable":{}}},"f:volumes":{".":{},"k:{\"name\":\"konnectivity-agent-token\"}":{".":{},"f:name":{},"f:projected":{".":{},"f:defaultMode":{},"f:sources":{}}}}}}}},"manager":"kubectl-client-side-apply","operation":"Update","time":"2022-03-16T21:29:13Z"},{"apiVersion":"apps/v1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{"f:deployment.kubernetes.io/revision":{}}},"f:status":{"f:availableReplicas":{},"f:conditions":{".":{},"k:{\"type\":\"Available\"}":{".":{},"f:lastTransitionTime":{},"f:lastUpdateTime":{},"f:message":{},"f:reason":{},"f:status":{},"f:type":{}},"k:{\"type\":\"Progressing\"}":{".":{},"f:lastTransitionTime":{},"f:lastUpdateTime":{},"f:message":{},"f:reason":{},"f:status":{},"f:type":{}}},"f:observedGeneration":{},"f:readyReplicas":{},"f:replicas":{},"f:updatedReplicas":{}}},"manager":"kube-controller-manager","operation":"Update","time":"2022-03-17T08:55:52Z"}],"name":"konnectivity-agent","namespace":"kube-system","resourceVersion":"280105","uid":"d3b49e97-7bac-435e-bfc6-19a25fe494fe"},"spec":{"progressDeadlineSeconds": 600,"replicas": 6,"revisionHistoryLimit": 
10,"selector":{"matchLabels":{"k8s-app":"konnectivity-agent"}},"strategy":{"rollingUpdate":{"maxSurge":"25%","maxUnavailable":"25%"},"type":"RollingUpdate"},"template":{"metadata":{"annotations":{"cluster-autoscaler.kubernetes.io/safe-to-evict":"true","components.gke.io/component-name":"konnectivitynetworkproxy-combined","components.gke.io/component-version":"1.3.3"},"creationTimestamp": null,"labels":{"k8s-app":"konnectivity-agent"}},"spec":{"containers":[{"args":["--logtostderr=true","--ca-cert=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt","--proxy-server-host=34.75.195.103","--proxy-server-port=8132","--health-server-port=8093","--admin-server-port=8094","--sync-interval=5s","--probe-interval=5s","--service-account-token-path=/var/run/secrets/tokens/konnectivity-agent-token","--v=3"],"command":["/proxy-agent"],"env":[{"name":"POD_NAME","valueFrom":{"fieldRef":{"apiVersion":"v1","fieldPath":"metadata.name"}}},{"name":"POD_NAMESPACE","valueFrom":{"fieldRef":{"apiVersion":"v1","fieldPath":"metadata.namespace"}}}],"image":"gke.gcr.io/proxy-agent:v0.0.24-gke.0","imagePullPolicy":"IfNotPresent","livenessProbe":{"failureThreshold": 3,"httpGet":{"path":"/healthz","port": 8093,"scheme":"HTTP"},"initialDelaySeconds": 15,"periodSeconds": 10,"successThreshold": 1,"timeoutSeconds": 15},"name":"konnectivity-agent","ports":[{"containerPort": 8093,"name":"metrics","protocol":"TCP"}],"resources":{"limits":{"memory":"125Mi"},"requests":{"cpu":"10m","memory":"30Mi"}},"securityContext":{"allowPrivilegeEscalation": false,"capabilities":{"drop":["all"]}},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","volumeMounts":[{"mountPath":"/var/run/secrets/tokens","name":"konnectivity-agent-token"}]}],"dnsPolicy":"ClusterFirst","nodeSelector":{"beta.kubernetes.io/os":"linux"},"priorityClassName":"system-cluster-critical","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{"fsGroup": 1000,"runAsGroup": 1000,"runAsUser": 
1000},"serviceAccount":"konnectivity-agent","serviceAccountName":"konnectivity-agent","terminationGracePeriodSeconds": 30,"tolerations":[{"key":"CriticalAddonsOnly","operator":"Exists"},{"effect":"NoSchedule","key":"sandbox.gke.io/runtime","operator":"Equal","value":"gvisor"},{"key":"components.gke.io/gke-managed-components","operator":"Exists"}],"topologySpreadConstraints":[{"labelSelector":{"matchLabels":{"k8s-app":"konnectivity-agent"}},"maxSkew": 1,"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"ScheduleAnyway"},{"labelSelector":{"matchLabels":{"k8s-app":"konnectivity-agent"}},"maxSkew": 1,"topologyKey":"kubernetes.io/hostname","whenUnsatisfiable":"ScheduleAnyway"}],"volumes":[{"name":"konnectivity-agent-token","projected":{"defaultMode": 420,"sources":[{"serviceAccountToken":{"audience":"system:konnectivity-server","expirationSeconds": 3600,"path":"konnectivity-agent-token"}}]}}]}}},"status":{"availableReplicas": 6,"conditions":[{"lastTransitionTime":"2022-03-17T08:55:41Z","lastUpdateTime":"2022-03-17T08:55:41Z","message":"ReplicaSet \"konnectivity-agent-56c9b8cf8\" has successfully progressed.","reason":"NewReplicaSetAvailable","status":"True","type":"Progressing"},{"lastTransitionTime":"2022-03-17T08:55:52Z","lastUpdateTime":"2022-03-17T08:55:52Z","message":"Deployment has minimum availability.","reason":"MinimumReplicasAvailable","status":"True","type":"Available"}],"observedGeneration": 2,"readyReplicas": 6,"replicas": 6,"updatedReplicas": 6}},"serviceName":"k8s.io","status":{}},"receiveTimestamp":"2022-03-21T19:46:38.090036928Z","resource":{"labels":{"cluster_name":"iammai-340819-gke-cluster","location":"us-east1","project_id":"iammai-340819"},"type":"k8s_cluster"},"timestamp":"2022-03-21T19:46:36.090498Z"} 
+{"insertId":"15ciwwfd47gm","logName":"projects/elastic/logs/cloudaudit.googleapis.com%2Fdata_access","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"servoce-xxxx@developer.gserviceaccount.com","principalSubject":"serviceAccount:servoce-xxxx@developer.gserviceaccount.com"},"authorizationInfo":[{"granted":true,"permission":"container.clusters.get","resourceAttributes":{}}],"methodName":"google.container.v1.ClusterManager.GetCluster","policyViolationInfo":{"orgPolicyViolationInfo":{}},"request":{"@type":"type.googleapis.com/google.container.v1alpha1.GetClusterRequest","name":"projects/elastic-product/locations/us-central1-a/clusters/demo-elastic-co"},"requestMetadata":{"callerIp":"192.168.1.1","callerSuppliedUserAgent":"google-api-go-client/0.5 cluster-autoscaler,gzip(gfe)","destinationAttributes":{},"requestAttributes":{"auth":{},"time":"2022-06-01T11:15:10.836131149Z"}},"resourceLocation":{"currentLocations":["us-central1-a"]},"resourceName":"projects/elastic-product/zones/us-central1-a/clusters/demo-elastic-co","serviceName":"container.googleapis.com"},"receiveTimestamp":"2022-06-01T11:15:11.07151757Z","resource":{"labels":{"cluster_name":"demo-elastic-co","location":"us-central1-a","project_id":"elastic-product"},"type":"gke_cluster"},"severity":"INFO","timestamp":"2022-06-01T11:15:10.842495409Z","logging.googleapis.com/timestamp":"2022-06-01T11:15:10.842495409Z"} 
+{"insertId":"4pyr6eegiuw1","logName":"projects/elastic/logs/cloudaudit.googleapis.com%2Fdata_access","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"xxx-compute@developer.gserviceaccount.com","serviceAccountDelegationInfo":[{}]},"authorizationInfo":[{"granted":true,"permission":"storage.objects.get","resource":"projects/_/buckets/dataflow-staging-us-central1-xxx/objects/staging/xxx.jar","resourceAttributes":{}}],"methodName":"storage.objects.get","requestMetadata":{"callerSuppliedUserAgent":"BigstoreFile BigstoreIO (cr/xxx)","destinationAttributes":{},"requestAttributes":{"auth":{},"time":"2022-06-01T11:19:08.205760711Z"}},"resourceLocation":{"currentLocations":["us-central1"]},"resourceName":"projects/_/buckets/dataflow-staging-us-central1-xxx/objects/staging/jfxrt-xxx.jar","serviceName":"storage.googleapis.com","status":{}},"receiveTimestamp":"2022-06-01T11:19:08.699785539Z","resource":{"labels":{"bucket_name":"dataflow-staging-us-central1-150691754250","location":"us-central1","project_id":"elastic-product"},"type":"gcs_bucket"},"severity":"INFO","timestamp":"2022-06-01T11:19:08.199407722Z","logging.googleapis.com/timestamp":"2022-06-01T11:19:08.199407722Z"} 
+{"insertId":"15ciwwfd47gf","logName":"projects/elastic/logs/cloudaudit.googleapis.com%2Fdata_access","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"servoce-xxxx@developer.gserviceaccount.com","principalSubject":"serviceAccount:servoce-xxxx@developer.gserviceaccount.com"},"authorizationInfo":[{"granted":true,"permission":"container.clusters.get","resourceAttributes":{}}],"methodName":"google.container.v1.ClusterManager.GetCluster","policyViolationInfo":{"orgPolicyViolationInfo":{}},"request":{"@type":"type.googleapis.com/google.container.v1alpha1.GetClusterRequest","name":"projects/elastic-product/locations/us-central1-a/clusters/demo-elastic-co","policy":"scalar-policy"},"requestMetadata":{"callerIp":"192.168.1.1","callerSuppliedUserAgent":"google-api-go-client/0.5 cluster-autoscaler,gzip(gfe)","destinationAttributes":{},"requestAttributes":{"auth":{},"time":"2022-06-01T11:15:10.836131149Z"}},"resourceLocation":{"currentLocations":["us-central1-a"]},"resourceName":"projects/elastic-product/zones/us-central1-a/clusters/demo-elastic-co","serviceName":"container.googleapis.com"},"receiveTimestamp":"2022-06-01T11:15:11.07151757Z","resource":{"labels":{"cluster_name":"demo-elastic-co","location":"us-central1-a","project_id":"elastic-product"},"type":"gke_cluster"},"severity":"INFO","timestamp":"2022-06-01T11:15:10.842495409Z","logging.googleapis.com/timestamp":"2022-06-01T11:15:10.842495409Z"} 
{"insertId":"03adfb9f-71a3-4f41-9701-29b5542f4d23","logName":"projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"xxx@xxx.xxx","principalSubject":"sub","serviceAccountKeyName":"//xxx@xxx"},"authorizationInfo":[{"granted":true,"permission":"iam.serviceAccounts.list","resource":"projects/project","resourceAttributes":{}}],"methodName":"google.iam.admin.v1.ListServiceAccounts","request":{"@type":"type.googleapis.com/google.iam.admin.v1.ListServiceAccountsRequest","name":"projects/project","page_token":"cg:FFFFFF"},"requestMetadata":{"callerIp":"private","callerSuppliedUserAgent":"google-api-go-client/0.5,gzip(gfe)","destinationAttributes":{},"requestAttributes":{"auth":{},"time":"2022-02-21T13:57:39.178418578Z"}},"resourceName":"projects/project","serviceName":"iam.googleapis.com","status":{}},"receiveTimestamp":"2022-02-21T13:57:39.341344991Z","resource":{"labels":{"location":"global","method":"google.iam.admin.v1.ListServiceAccounts","project_id":"project","service":"iam.googleapis.com","version":"v1"},"type":"api"},"severity":"INFO","timestamp":"2022-02-21T13:57:39.174555198Z"} 
+{"protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","status":{"message":"InstancemigratedduringComputeEnginemaintenance."},"authenticationInfo":{"principalEmail":"system@google.com"},"serviceName":"compute.googleapis.com","methodName":"compute.instances.migrateOnHostMaintenance","resourceName":"projects/elastic-siem/zones/us-central1-c/instances/sep-perf-debian-11-155","request":{"@type":"type.googleapis.com/compute.instances.migrateOnHostMaintenance"}},"insertId":"-g2g374e10tyi","resource":{"type":"gce_instance","labels":{"instance_id":"5630355820693738547","zone":"us-central1-c","project_id":"elastic-siem"}},"timestamp":"2024-08-20T23:40:30.997109Z","severity":"INFO","labels":{"compute.googleapis.com/root_trigger_id":"b11f3ce7-7400-4ba4-9cee-eee4c65e38b4"},"logName":"projects/elastic-siem/logs/cloudaudit.googleapis.com%2Fsystem_event","operation":{"id":"systemevent-1724197136000-62025edd06400-961ecb86-ebb8062e","producer":"compute.instances.migrateOnHostMaintenance","first":true,"last":true},"receiveTimestamp":"2024-08-20T23:40:31.703530860Z"}
+{"protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","status":{"code":
7,"message":"PERMISSION_DENIED","details":[{"@type":"type.googleapis.com/google.rpc.PreconditionFailure","violations":[{"type":"VPC_SERVICE_CONTROLS","description":"ljv4RZNmza4g69MMoOXBtRrlNKRYTjjhgkadQiqlfhmDZhClaMVgjoWA"}]}]},"authenticationInfo":{},"requestMetadata":{"callerIp":"192.168.1.1","requestAttributes":{},"destinationAttributes":{}},"serviceName":"storage.googleapis.com","methodName":"google.storage.buckets.get","resourceName":"projects/elastic-siem","metadata":{"securityPolicyInfo":{"servicePerimeterName":"accessPolicies/30507210272/servicePerimeters/some_service","organizationId":"614830067722"},"vpcServiceControlsUniqueId":"ljv4RZNmza4g69MMoOXBtRrlNKRYTjjhgkadQiqlfhmDZhClaMVgjoWA","accessLevels":["accessPolicies/30507210272/accessLevels/thingy","accessPolicies/30507210272/accessLevels/test_us"],"@type":"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata","ingressViolations":[{"servicePerimeter":"accessPolicies/30507210272/servicePerimeters/some_service","targetResource":"projects/elastic-siem/locations/us-central1"}],"violationReason":"NO_MATCHING_ACCESS_LEVEL","resourceNames":["projects/elastic-siem/locations/us-central1"]}},"insertId":"d21cmyd7av9","resource":{"type":"audited_resource","labels":{"project_id":"elastic-siem","method":"google.storage.buckets.get","service":"storage.googleapis.com"}},"timestamp":"2021-09-13T03:10:14.801613786Z","severity":"ERROR","logName":"projects/elastic-siem/logs/cloudaudit.googleapis.com%2Fpolicy","receiveTimestamp":"2021-09-13T03:10:15.410616031Z"}
+{"insertId":"15ciwwfd47gf","logName":"projects/elastic/logs/cloudaudit.googleapis.com%2Fdata_access","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"servoce-xxxx@developer.gserviceaccount.com","principalSubject":"serviceAccount:servoce-xxxx@developer.gserviceaccount.com"},"authorizationInfo":[{"granted":
true,"permission":"container.clusters.get","resourceAttributes":{}}],"methodName":"google.container.v1.ClusterManager.GetCluster","policyViolationInfo":{"orgPolicyViolationInfo":{"payload":{"key1":"value1","key2":"value2"},"resourceType":"compute.googleapis.com/Instance","resourceTags":{"instance_id":"INSTANCE_ID","zone":"us-central1-a"},"violationInfo":[{"constraint":"compute.vmExternalIpAccess","errorMessage":"This policy disallows the use of external IP addresses for VM instances.","checkedValue":"Value","policyType":"CUSTOM_CONSTRAINT"}]}},"request":{"@type":"type.googleapis.com/google.container.v1alpha1.GetClusterRequest","name":"projects/elastic-product/locations/us-central1-a/clusters/demo-elastic-co","policy":"scalar-policy"},"requestMetadata":{"callerIp":"192.168.1.1","callerSuppliedUserAgent":"google-api-go-client/0.5 cluster-autoscaler,gzip(gfe)","destinationAttributes":{},"requestAttributes":{"auth":{},"time":"2022-06-01T11:15:10.836131149Z"}},"resourceLocation":{"currentLocations":["us-central1-a"]},"resourceName":"projects/elastic-product/zones/us-central1-a/clusters/demo-elastic-co","serviceName":"container.googleapis.com"},"receiveTimestamp":"2022-06-01T11:15:11.07151757Z","resource":{"labels":{"cluster_name":"demo-elastic-co","location":"us-central1-a","project_id":"elastic-product"},"type":"gke_cluster"},"severity":"INFO","timestamp":"2022-06-01T11:15:10.842495409Z","logging.googleapis.com/timestamp":"2022-06-01T11:15:10.842495409Z"} 
+{"protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","status":{},"serviceName":"container.googleapis.com","methodName":"google.container.v1.ClusterManager.SetLabels","resourceName":"projects/elastic-siem/zones/us-central1-c/clusters/endpoint-gke-cluster","metadata":{"operationType":"UPDATE_CLUSTER"},"resourceLocation":{"currentLocations":["us-central1-c"]},"policyViolationInfo":{"orgPolicyViolationInfo":{}}},"insertId":"17ah0cpe10gvp","resource":{"type":"gke_cluster","labels":{"location":"us-central1-c","cluster_name":"endpoint-gke-cluster","project_id":"elastic-siem"}},"timestamp":"2024-08-23T02:12:01.626546355Z","severity":"NOTICE","logName":"projects/elastic-siem/logs/cloudaudit.googleapis.com%2Factivity","operation":{"id":"operation-1724379121483-d43ef943-bcf8-46e9-9ff2-ba71cfbc26b2","producer":"container.googleapis.com","last": true},"receiveTimestamp":"2024-08-23T02:12:02.419428097Z"}
\ No newline at end of file
diff --git a/packages/gcp/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json b/packages/gcp/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json
index 1413c3ad0b9..d0129ba4c9d 100644
--- a/packages/gcp/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json
+++ b/packages/gcp/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json
@@ -53,6 +53,14 @@
 "level": "INFO",
 "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access"
 },
+ "related": {
+ "ip": [
+ "192.168.1.1"
+ ],
+ "user": [
+ "xxx@xxx.xxx"
+ ]
+ },
 "service": {
 "name": "cloudbilling.googleapis.com"
 },
@@ -125,6 +133,14 @@
 "level": "INFO",
 "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access"
 },
+ "related": {
+ "ip": [
+ "192.168.1.1"
+ ],
+ "user": [
+ "xxx@xxx.xxx"
+ ]
+ },
 "service": {
 "name": "compute.googleapis.com"
 },
@@ -222,6 +238,14 @@
 "level": "INFO",
 "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access"
 },
+ "related": {
+ "ip": [
+ "192.168.1.1"
+ ],
+ "user": [
+ "xxx@xxx.xxx"
+ ]
+ },
 "service": {
 "name": "compute.googleapis.com"
 },
@@ -306,6 +330,14 @@
 "level": "INFO",
 "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access"
 },
+ "related": {
+ "ip": [
+ "192.168.1.1"
+ ],
+ "user": [
+ "xxx@xxx.xxx"
+ ]
+ },
 "service": {
 "name": "compute.googleapis.com"
 },
@@ -437,6 +469,14 @@
 },
 "type": "kubernetes"
 },
+ "related": {
+ "ip": [
+ "10.11.12.13"
+ ],
+ "user": [
+ "system:serviceaccount:cert-manager:cert-manager-webhook"
+ ]
+ },
 "service": {
 "name": "k8s.io"
 },
@@ -552,6 +592,14 @@
 "level": "NOTICE",
 "logger": "projects/foo/logs/cloudaudit.googleapis.com%2Factivity"
 },
+ "related": {
+ "ip": [
+ "67.43.156.13"
+ ],
+ "user": [
+ "user@mycompany.com"
+ ]
+ },
 "service": {
 "name": "compute.googleapis.com"
 },
@@ -635,6 +683,14 @@
 "level": "NOTICE",
 "logger": "projects/foo/logs/cloudaudit.googleapis.com%2Factivity"
 },
+ "related": {
+ "ip": [
+ "67.43.156.13"
+ ],
+ "user": [
+ "user@mycompany.com"
+ ]
+ },
 "service": {
 "name": "compute.googleapis.com"
 },
@@ -730,6 +786,14 @@
 },
 "type": "kubernetes"
 },
+ "related": {
+ "ip": [
+ "192.168.1.1"
+ ],
+ "user": [
+ "xxx@xxx.xxx"
+ ]
+ },
 "service": {
 "name": "k8s.io"
 },
@@ -810,6 +874,14 @@
 },
 "type": "kubernetes"
 },
+ "related": {
+ "ip": [
+ "192.168.1.1"
+ ],
+ "user": [
+ "xxx@xxx.xxx"
+ ]
+ },
 "service": {
 "name": "k8s.io"
 },
@@ -887,6 +959,14 @@
 },
 "type": "kubernetes"
 },
+ "related": {
+ "ip": [
+ "127.0.0.1"
+ ],
+ "user": [
+ "system:anonymous"
+ ]
+ },
 "service": {
 "name": "k8s.io"
 },
@@ -962,6 +1042,14 @@
 },
 "type": "kubernetes"
 },
+ "related": {
+ "ip": [
+ "::1"
+ ],
+ "user": [
+ "system:serviceaccount:kube-system:generic-garbage-collector"
+ ]
+ },
 "service": {
 "name": "k8s.io"
 },
@@ -1040,6 +1128,11 @@
 "level": "INFO",
 "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access"
 },
+ "related": {
+ "user": [
+ "xxx@xxx.xxx"
+ ]
+ },
 "service": {
 "name": "iam.googleapis.com"
 },
@@ -1172,6 +1265,14 @@
 },
 "type": "kubernetes"
 },
+ "related": {
+ "ip": [
+ "67.43.156.13"
+ ],
+ "user": [
+ "xxx@xxx.xxx"
+ ]
+ },
 "service": {
 "name": "k8s.io"
 },
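Review bot: `related.user` in the `@@ -1040,6 +1128,11 @@` hunk carries only the `principalEmail` value (`xxx@xxx.xxx`), while the source record this appears to correspond to — the `iam.googleapis.com` data-access event in test-audit.log with `"callerIp":"private"` — also carries `authenticationInfo.principalSubject` (`sub`), which identifies the same actor and is not reflected here. ECS `related.user` is meant to gather every user identifier seen on the event, so appending `principalSubject` when it is present and differs from `principalEmail` would make the field more useful for pivoting; the newly added test events on this log also carry both values with different content (`servoce-xxxx@developer.gserviceaccount.com` vs `serviceAccount:servoce-xxxx@developer.gserviceaccount.com`). The pipeline that builds `related` lives in `default.yml`, outside this file, so the change would be made there and this generated expectation regenerated. The absence of `related.ip` in this hunk is consistent with `callerIp` being the literal `private` rather than an address, which should indeed stay out of the `ip`-typed field.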
@@ -1228,7 +1329,7 @@ ], "id": "e5132c86-462b-41b3-9b6a-47966addbb0b", "kind": "event", - "original": "{\"insertId\": \"e5132c86-462b-41b3-9b6a-47966addbb0b\",\"labels\": {\"authorization.k8s.io/decision\": \"allow\",\"authorization.k8s.io/reason\": \"\"},\"logName\": \"projects/iammai-340819/logs/cloudaudit.googleapis.com%2Factivity\",\"operation\": {\"first\": true,\"id\": \"e5132c86-462b-41b3-9b6a-47966addbb0b\",\"last\": true,\"producer\": \"k8s.io\"},\"protoPayload\": {\"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\"authenticationInfo\": {\"principalEmail\": \"system:addon-manager\"},\"authorizationInfo\": [ { \"granted\": true, \"permission\": \"io.k8s.apps.v1.deployments.patch\", \"resource\": \"apps/v1/namespaces/kube-system/deployments/konnectivity-agent\" } ], \"methodName\": \"io.k8s.apps.v1.deployments.patch\", \"request\": { \"@type\": \"k8s.io/Patch\", \"spec\": { \"strategy\": { \"$retainKeys\": [ \"type\" ] }, \"template\": { \"spec\": { \"$setElementOrder/volumes\": [ { \"name\": \"konnectivity-agent-token\" } ], \"volumes\": [ { \"$retainKeys\": [ \"name\", \"projected\" ], \"name\": \"konnectivity-agent-token\", \"projected\": { \"sources\": [ { \"serviceAccountToken\": { \"audience\": \"system:konnectivity-server\", \"path\": \"konnectivity-agent-token\" } } ] } } ] } } } }, \"requestMetadata\": { \"callerIp\": \"10.142.0.152\", \"callerSuppliedUserAgent\": \"kubectl/v1.20.2 (linux/amd64) kubernetes/faecb19\" }, \"resourceName\": \"apps/v1/namespaces/kube-system/deployments/konnectivity-agent\", \"response\": { \"@type\": \"apps.k8s.io/v1.Deployment\", \"apiVersion\": \"apps/v1\", \"kind\": \"Deployment\", \"metadata\": { \"annotations\": { \"components.gke.io/layer\": \"addon\", \"deployment.kubernetes.io/revision\": \"1\", \"kubectl.kubernetes.io/last-applied-configuration\": 
\"{\\\"apiVersion\\\":\\\"apps/v1\\\",\\\"kind\\\":\\\"Deployment\\\",\\\"metadata\\\":{\\\"annotations\\\":{\\\"components.gke.io/layer\\\":\\\"addon\\\"},\\\"labels\\\":{\\\"addonmanager.kubernetes.io/mode\\\":\\\"Reconcile\\\",\\\"k8s-app\\\":\\\"konnectivity-agent\\\"},\\\"name\\\":\\\"konnectivity-agent\\\",\\\"namespace\\\":\\\"kube-system\\\"},\\\"spec\\\":{\\\"selector\\\":{\\\"matchLabels\\\":{\\\"k8s-app\\\":\\\"konnectivity-agent\\\"}},\\\"strategy\\\":{\\\"type\\\":\\\"RollingUpdate\\\"},\\\"template\\\":{\\\"metadata\\\":{\\\"annotations\\\":{\\\"cluster-autoscaler.kubernetes.io/safe-to-evict\\\":\\\"true\\\",\\\"components.gke.io/component-name\\\":\\\"konnectivitynetworkproxy-combined\\\",\\\"components.gke.io/component-version\\\":\\\"1.3.3\\\"},\\\"labels\\\":{\\\"k8s-app\\\":\\\"konnectivity-agent\\\"}},\\\"spec\\\":{\\\"containers\\\":[{\\\"args\\\":[\\\"--logtostderr=true\\\",\\\"--ca-cert=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt\\\",\\\"--proxy-server-host=34.75.195.103\\\",\\\"--proxy-server-port=8132\\\",\\\"--health-server-port=8093\\\",\\\"--admin-server-port=8094\\\",\\\"--sync-interval=5s\\\",\\\"--probe-interval=5s\\\",\\\"--service-account-token-path=/var/run/secrets/tokens/konnectivity-agent-token\\\",\\\"--v=3\\\"],\\\"command\\\":[\\\"/proxy-agent\\\"],\\\"env\\\":[{\\\"name\\\":\\\"POD_NAME\\\",\\\"valueFrom\\\":{\\\"fieldRef\\\":{\\\"fieldPath\\\":\\\"metadata.name\\\"}}},{\\\"name\\\":\\\"POD_NAMESPACE\\\",\\\"valueFrom\\\":{\\\"fieldRef\\\":{\\\"fieldPath\\\":\\\"metadata.namespace\\\"}}}],\\\"image\\\":\\\"gke.gcr.io/proxy-agent:v0.0.24-gke.0\\\",\\\"livenessProbe\\\":{\\\"httpGet\\\":{\\\"path\\\":\\\"/healthz\\\",\\\"port\\\":8093},\\\"initialDelaySeconds\\\":15,\\\"timeoutSeconds\\\":15},\\\"name\\\":\\\"konnectivity-agent\\\",\\\"ports\\\":[{\\\"containerPort\\\":8093,\\\"name\\\":\\\"metrics\\\",\\\"protocol\\\":\\\"TCP\\\"}],\\\"resources\\\":{\\\"limits\\\":{\\\"memory\\\":\\\"125Mi\\\"},\\\"requests\\\":{\\\"c
pu\\\":\\\"10m\\\",\\\"memory\\\":\\\"30Mi\\\"}},\\\"securityContext\\\":{\\\"allowPrivilegeEscalation\\\":false,\\\"capabilities\\\":{\\\"drop\\\":[\\\"all\\\"]}},\\\"volumeMounts\\\":[{\\\"mountPath\\\":\\\"/var/run/secrets/tokens\\\",\\\"name\\\":\\\"konnectivity-agent-token\\\"}]}],\\\"nodeSelector\\\":{\\\"beta.kubernetes.io/os\\\":\\\"linux\\\"},\\\"priorityClassName\\\":\\\"system-cluster-critical\\\",\\\"securityContext\\\":{\\\"fsGroup\\\":1000,\\\"runAsGroup\\\":1000,\\\"runAsUser\\\":1000},\\\"serviceAccountName\\\":\\\"konnectivity-agent\\\",\\\"tolerations\\\":[{\\\"key\\\":\\\"CriticalAddonsOnly\\\",\\\"operator\\\":\\\"Exists\\\"},{\\\"effect\\\":\\\"NoSchedule\\\",\\\"key\\\":\\\"sandbox.gke.io/runtime\\\",\\\"operator\\\":\\\"Equal\\\",\\\"value\\\":\\\"gvisor\\\"},{\\\"key\\\":\\\"components.gke.io/gke-managed-components\\\",\\\"operator\\\":\\\"Exists\\\"}],\\\"topologySpreadConstraints\\\":[{\\\"labelSelector\\\":{\\\"matchLabels\\\":{\\\"k8s-app\\\":\\\"konnectivity-agent\\\"}},\\\"maxSkew\\\":1,\\\"topologyKey\\\":\\\"topology.kubernetes.io/zone\\\",\\\"whenUnsatisfiable\\\":\\\"ScheduleAnyway\\\"},{\\\"labelSelector\\\":{\\\"matchLabels\\\":{\\\"k8s-app\\\":\\\"konnectivity-agent\\\"}},\\\"maxSkew\\\":1,\\\"topologyKey\\\":\\\"kubernetes.io/hostname\\\",\\\"whenUnsatisfiable\\\":\\\"ScheduleAnyway\\\"}],\\\"volumes\\\":[{\\\"name\\\":\\\"konnectivity-agent-token\\\",\\\"projected\\\":{\\\"sources\\\":[{\\\"serviceAccountToken\\\":{\\\"audience\\\":\\\"system:konnectivity-server\\\",\\\"path\\\":\\\"konnectivity-agent-token\\\"}}]}}]}}}}\" }, \"creationTimestamp\": \"2022-03-16T21:29:13Z\", \"generation\": 2, \"labels\": { \"addonmanager.kubernetes.io/mode\": \"Reconcile\", \"k8s-app\": \"konnectivity-agent\" }, \"managedFields\": [ { \"apiVersion\": \"apps/v1\", \"fieldsType\": \"FieldsV1\", \"fieldsV1\": { \"f:metadata\": { \"f:annotations\": { \".\": {}, \"f:components.gke.io/layer\": {}, 
\"f:kubectl.kubernetes.io/last-applied-configuration\": {} }, \"f:labels\": { \".\": {}, \"f:addonmanager.kubernetes.io/mode\": {}, \"f:k8s-app\": {} } }, \"f:spec\": { \"f:progressDeadlineSeconds\": {}, \"f:replicas\": {}, \"f:revisionHistoryLimit\": {}, \"f:selector\": {}, \"f:strategy\": { \"f:rollingUpdate\": { \".\": {}, \"f:maxSurge\": {}, \"f:maxUnavailable\": {} }, \"f:type\": {} }, \"f:template\": { \"f:metadata\": { \"f:annotations\": { \".\": {}, \"f:cluster-autoscaler.kubernetes.io/safe-to-evict\": {}, \"f:components.gke.io/component-name\": {}, \"f:components.gke.io/component-version\": {} }, \"f:labels\": { \".\": {}, \"f:k8s-app\": {} } }, \"f:spec\": { \"f:containers\": { \"k:{\\\"name\\\":\\\"konnectivity-agent\\\"}\": { \".\": {}, \"f:args\": {}, \"f:command\": {}, \"f:env\": { \".\": {}, \"k:{\\\"name\\\":\\\"POD_NAME\\\"}\": { \".\": {}, \"f:name\": {}, \"f:valueFrom\": { \".\": {}, \"f:fieldRef\": { \".\": {}, \"f:apiVersion\": {}, \"f:fieldPath\": {} } } }, \"k:{\\\"name\\\":\\\"POD_NAMESPACE\\\"}\": { \".\": {}, \"f:name\": {}, \"f:valueFrom\": { \".\": {}, \"f:fieldRef\": { \".\": {}, \"f:apiVersion\": {}, \"f:fieldPath\": {} } } } }, \"f:image\": {}, \"f:imagePullPolicy\": {}, \"f:livenessProbe\": { \".\": {}, \"f:failureThreshold\": {}, \"f:httpGet\": { \".\": {}, \"f:path\": {}, \"f:port\": {}, \"f:scheme\": {} }, \"f:initialDelaySeconds\": {}, \"f:periodSeconds\": {}, \"f:successThreshold\": {}, \"f:timeoutSeconds\": {} }, \"f:name\": {}, \"f:ports\": { \".\": {}, \"k:{\\\"containerPort\\\":8093,\\\"protocol\\\":\\\"TCP\\\"}\": { \".\": {}, \"f:containerPort\": {}, \"f:name\": {}, \"f:protocol\": {} } }, \"f:resources\": { \".\": {}, \"f:limits\": { \".\": {}, \"f:memory\": {} }, \"f:requests\": { \".\": {}, \"f:cpu\": {}, \"f:memory\": {} } }, \"f:securityContext\": { \".\": {}, \"f:allowPrivilegeEscalation\": {}, \"f:capabilities\": { \".\": {}, \"f:drop\": {} } }, \"f:terminationMessagePath\": {}, \"f:terminationMessagePolicy\": {}, 
\"f:volumeMounts\": { \".\": {}, \"k:{\\\"mountPath\\\":\\\"/var/run/secrets/tokens\\\"}\": { \".\": {}, \"f:mountPath\": {}, \"f:name\": {} } } } }, \"f:dnsPolicy\": {}, \"f:nodeSelector\": { \".\": {}, \"f:beta.kubernetes.io/os\": {} }, \"f:priorityClassName\": {}, \"f:restartPolicy\": {}, \"f:schedulerName\": {}, \"f:securityContext\": { \".\": {}, \"f:fsGroup\": {}, \"f:runAsGroup\": {}, \"f:runAsUser\": {} }, \"f:serviceAccount\": {}, \"f:serviceAccountName\": {}, \"f:terminationGracePeriodSeconds\": {}, \"f:tolerations\": {}, \"f:topologySpreadConstraints\": { \".\": {}, \"k:{\\\"topologyKey\\\":\\\"kubernetes.io/hostname\\\",\\\"whenUnsatisfiable\\\":\\\"ScheduleAnyway\\\"}\": { \".\": {}, \"f:labelSelector\": {}, \"f:maxSkew\": {}, \"f:topologyKey\": {}, \"f:whenUnsatisfiable\": {} }, \"k:{\\\"topologyKey\\\":\\\"topology.kubernetes.io/zone\\\",\\\"whenUnsatisfiable\\\":\\\"ScheduleAnyway\\\"}\": { \".\": {}, \"f:labelSelector\": {}, \"f:maxSkew\": {}, \"f:topologyKey\": {}, \"f:whenUnsatisfiable\": {} } }, \"f:volumes\": { \".\": {}, \"k:{\\\"name\\\":\\\"konnectivity-agent-token\\\"}\": { \".\": {}, \"f:name\": {}, \"f:projected\": { \".\": {}, \"f:defaultMode\": {}, \"f:sources\": {} } } } } } } }, \"manager\": \"kubectl-client-side-apply\", \"operation\": \"Update\", \"time\": \"2022-03-16T21:29:13Z\" }, { \"apiVersion\": \"apps/v1\", \"fieldsType\": \"FieldsV1\", \"fieldsV1\": { \"f:metadata\": { \"f:annotations\": { \"f:deployment.kubernetes.io/revision\": {} } }, \"f:status\": { \"f:availableReplicas\": {}, \"f:conditions\": { \".\": {}, \"k:{\\\"type\\\":\\\"Available\\\"}\": { \".\": {}, \"f:lastTransitionTime\": {}, \"f:lastUpdateTime\": {}, \"f:message\": {}, \"f:reason\": {}, \"f:status\": {}, \"f:type\": {} }, \"k:{\\\"type\\\":\\\"Progressing\\\"}\": { \".\": {}, \"f:lastTransitionTime\": {}, \"f:lastUpdateTime\": {}, \"f:message\": {}, \"f:reason\": {}, \"f:status\": {}, \"f:type\": {} } }, \"f:observedGeneration\": {}, \"f:readyReplicas\": 
{}, \"f:replicas\": {}, \"f:updatedReplicas\": {} } }, \"manager\": \"kube-controller-manager\", \"operation\": \"Update\", \"time\": \"2022-03-17T08:55:52Z\" } ], \"name\": \"konnectivity-agent\", \"namespace\": \"kube-system\", \"resourceVersion\": \"280105\", \"uid\": \"d3b49e97-7bac-435e-bfc6-19a25fe494fe\" }, \"spec\": { \"progressDeadlineSeconds\": 600, \"replicas\": 6, \"revisionHistoryLimit\": 10, \"selector\": { \"matchLabels\": { \"k8s-app\": \"konnectivity-agent\" } }, \"strategy\": { \"rollingUpdate\": { \"maxSurge\": \"25%\", \"maxUnavailable\": \"25%\" }, \"type\": \"RollingUpdate\" }, \"template\": { \"metadata\": { \"annotations\": { \"cluster-autoscaler.kubernetes.io/safe-to-evict\": \"true\", \"components.gke.io/component-name\": \"konnectivitynetworkproxy-combined\", \"components.gke.io/component-version\": \"1.3.3\" }, \"creationTimestamp\": null, \"labels\": { \"k8s-app\": \"konnectivity-agent\" } }, \"spec\": { \"containers\": [ { \"args\": [ \"--logtostderr=true\", \"--ca-cert=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt\", \"--proxy-server-host=34.75.195.103\", \"--proxy-server-port=8132\", \"--health-server-port=8093\", \"--admin-server-port=8094\", \"--sync-interval=5s\", \"--probe-interval=5s\", \"--service-account-token-path=/var/run/secrets/tokens/konnectivity-agent-token\", \"--v=3\" ], \"command\": [ \"/proxy-agent\" ], \"env\": [ { \"name\": \"POD_NAME\", \"valueFrom\": { \"fieldRef\": { \"apiVersion\": \"v1\", \"fieldPath\": \"metadata.name\" } } }, { \"name\": \"POD_NAMESPACE\", \"valueFrom\": { \"fieldRef\": { \"apiVersion\": \"v1\", \"fieldPath\": \"metadata.namespace\" } } } ], \"image\": \"gke.gcr.io/proxy-agent:v0.0.24-gke.0\", \"imagePullPolicy\": \"IfNotPresent\", \"livenessProbe\": { \"failureThreshold\": 3, \"httpGet\": { \"path\": \"/healthz\", \"port\": 8093, \"scheme\": \"HTTP\" }, \"initialDelaySeconds\": 15, \"periodSeconds\": 10, \"successThreshold\": 1, \"timeoutSeconds\": 15 }, \"name\": 
\"konnectivity-agent\", \"ports\": [ { \"containerPort\": 8093, \"name\": \"metrics\", \"protocol\": \"TCP\" } ], \"resources\": { \"limits\": { \"memory\": \"125Mi\" }, \"requests\": { \"cpu\": \"10m\", \"memory\": \"30Mi\" } }, \"securityContext\": { \"allowPrivilegeEscalation\": false, \"capabilities\": { \"drop\": [ \"all\" ] } }, \"terminationMessagePath\": \"/dev/termination-log\", \"terminationMessagePolicy\": \"File\", \"volumeMounts\": [ { \"mountPath\": \"/var/run/secrets/tokens\", \"name\": \"konnectivity-agent-token\" } ] } ], \"dnsPolicy\": \"ClusterFirst\", \"nodeSelector\": { \"beta.kubernetes.io/os\": \"linux\" }, \"priorityClassName\": \"system-cluster-critical\", \"restartPolicy\": \"Always\", \"schedulerName\": \"default-scheduler\", \"securityContext\": { \"fsGroup\": 1000, \"runAsGroup\": 1000, \"runAsUser\": 1000 }, \"serviceAccount\": \"konnectivity-agent\", \"serviceAccountName\": \"konnectivity-agent\", \"terminationGracePeriodSeconds\": 30, \"tolerations\": [ { \"key\": \"CriticalAddonsOnly\", \"operator\": \"Exists\" }, { \"effect\": \"NoSchedule\", \"key\": \"sandbox.gke.io/runtime\", \"operator\": \"Equal\", \"value\": \"gvisor\" }, { \"key\": \"components.gke.io/gke-managed-components\", \"operator\": \"Exists\" } ], \"topologySpreadConstraints\": [ { \"labelSelector\": { \"matchLabels\": { \"k8s-app\": \"konnectivity-agent\" } }, \"maxSkew\": 1, \"topologyKey\": \"topology.kubernetes.io/zone\", \"whenUnsatisfiable\": \"ScheduleAnyway\" }, { \"labelSelector\": { \"matchLabels\": { \"k8s-app\": \"konnectivity-agent\" } }, \"maxSkew\": 1, \"topologyKey\": \"kubernetes.io/hostname\", \"whenUnsatisfiable\": \"ScheduleAnyway\" } ], \"volumes\": [ { \"name\": \"konnectivity-agent-token\", \"projected\": { \"defaultMode\": 420, \"sources\": [ { \"serviceAccountToken\": { \"audience\": \"system:konnectivity-server\", \"expirationSeconds\": 3600, \"path\": \"konnectivity-agent-token\" } } ] } } ] } } }, \"status\": { \"availableReplicas\": 6, 
\"conditions\": [ { \"lastTransitionTime\": \"2022-03-17T08:55:41Z\", \"lastUpdateTime\": \"2022-03-17T08:55:41Z\", \"message\": \"ReplicaSet \\\"konnectivity-agent-56c9b8cf8\\\" has successfully progressed.\", \"reason\": \"NewReplicaSetAvailable\", \"status\": \"True\", \"type\": \"Progressing\" }, { \"lastTransitionTime\": \"2022-03-17T08:55:52Z\", \"lastUpdateTime\": \"2022-03-17T08:55:52Z\", \"message\": \"Deployment has minimum availability.\", \"reason\": \"MinimumReplicasAvailable\", \"status\": \"True\", \"type\": \"Available\" } ], \"observedGeneration\": 2, \"readyReplicas\": 6, \"replicas\": 6, \"updatedReplicas\": 6 } }, \"serviceName\": \"k8s.io\", \"status\": {} }, \"receiveTimestamp\": \"2022-03-21T19:46:38.090036928Z\", \"resource\": { \"labels\": { \"cluster_name\": \"iammai-340819-gke-cluster\", \"location\": \"us-east1\", \"project_id\": \"iammai-340819\" }, \"type\": \"k8s_cluster\" }, \"timestamp\": \"2022-03-21T19:46:36.090498Z\" }", + "original": "{\"insertId\":\"e5132c86-462b-41b3-9b6a-47966addbb0b\",\"labels\":{\"authorization.k8s.io/decision\":\"allow\",\"authorization.k8s.io/reason\":\"\"},\"logName\":\"projects/iammai-340819/logs/cloudaudit.googleapis.com%2Factivity\",\"operation\":{\"first\": true,\"id\":\"e5132c86-462b-41b3-9b6a-47966addbb0b\",\"last\": true,\"producer\":\"k8s.io\"},\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"authenticationInfo\":{\"principalEmail\":\"system:addon-manager\"},\"authorizationInfo\":[{\"granted\": 
true,\"permission\":\"io.k8s.apps.v1.deployments.patch\",\"resource\":\"apps/v1/namespaces/kube-system/deployments/konnectivity-agent\"}],\"methodName\":\"io.k8s.apps.v1.deployments.patch\",\"request\":{\"@type\":\"k8s.io/Patch\",\"spec\":{\"strategy\":{\"$retainKeys\":[\"type\"]},\"template\":{\"spec\":{\"$setElementOrder/volumes\":[{\"name\":\"konnectivity-agent-token\"}],\"volumes\":[{\"$retainKeys\":[\"name\",\"projected\"],\"name\":\"konnectivity-agent-token\",\"projected\":{\"sources\":[{\"serviceAccountToken\":{\"audience\":\"system:konnectivity-server\",\"path\":\"konnectivity-agent-token\"}}]}}]}}}},\"requestMetadata\":{\"callerIp\":\"10.142.0.152\",\"callerSuppliedUserAgent\":\"kubectl/v1.20.2 (linux/amd64) kubernetes/faecb19\"},\"resourceName\":\"apps/v1/namespaces/kube-system/deployments/konnectivity-agent\",\"response\":{\"@type\":\"apps.k8s.io/v1.Deployment\",\"apiVersion\":\"apps/v1\",\"kind\":\"Deployment\",\"metadata\":{\"annotations\":{\"components.gke.io/layer\":\"addon\",\"deployment.kubernetes.io/revision\":\"1\",\"kubectl.kubernetes.io/last-applied-configuration\":\"{\\\"apiVersion\\\":\\\"apps/v1\\\",\\\"kind\\\":\\\"Deployment\\\",\\\"metadata\\\":{\\\"annotations\\\":{\\\"components.gke.io/layer\\\":\\\"addon\\\"},\\\"labels\\\":{\\\"addonmanager.kubernetes.io/mode\\\":\\\"Reconcile\\\",\\\"k8s-app\\\":\\\"konnectivity-agent\\\"},\\\"name\\\":\\\"konnectivity-agent\\\",\\\"namespace\\\":\\\"kube-system\\\"},\\\"spec\\\":{\\\"selector\\\":{\\\"matchLabels\\\":{\\\"k8s-app\\\":\\\"konnectivity-agent\\\"}},\\\"strategy\\\":{\\\"type\\\":\\\"RollingUpdate\\\"},\\\"template\\\":{\\\"metadata\\\":{\\\"annotations\\\":{\\\"cluster-autoscaler.kubernetes.io/safe-to-evict\\\":\\\"true\\\",\\\"components.gke.io/component-name\\\":\\\"konnectivitynetworkproxy-combined\\\",\\\"components.gke.io/component-version\\\":\\\"1.3.3\\\"},\\\"labels\\\":{\\\"k8s-app\\\":\\\"konnectivity-agent\\\"}},\\\"spec\\\":{\\\"containers\\\":[{\\\"args\\\":[\\\"--logtostde
rr=true\\\",\\\"--ca-cert=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt\\\",\\\"--proxy-server-host=34.75.195.103\\\",\\\"--proxy-server-port=8132\\\",\\\"--health-server-port=8093\\\",\\\"--admin-server-port=8094\\\",\\\"--sync-interval=5s\\\",\\\"--probe-interval=5s\\\",\\\"--service-account-token-path=/var/run/secrets/tokens/konnectivity-agent-token\\\",\\\"--v=3\\\"],\\\"command\\\":[\\\"/proxy-agent\\\"],\\\"env\\\":[{\\\"name\\\":\\\"POD_NAME\\\",\\\"valueFrom\\\":{\\\"fieldRef\\\":{\\\"fieldPath\\\":\\\"metadata.name\\\"}}},{\\\"name\\\":\\\"POD_NAMESPACE\\\",\\\"valueFrom\\\":{\\\"fieldRef\\\":{\\\"fieldPath\\\":\\\"metadata.namespace\\\"}}}],\\\"image\\\":\\\"gke.gcr.io/proxy-agent:v0.0.24-gke.0\\\",\\\"livenessProbe\\\":{\\\"httpGet\\\":{\\\"path\\\":\\\"/healthz\\\",\\\"port\\\":8093},\\\"initialDelaySeconds\\\":15,\\\"timeoutSeconds\\\":15},\\\"name\\\":\\\"konnectivity-agent\\\",\\\"ports\\\":[{\\\"containerPort\\\":8093,\\\"name\\\":\\\"metrics\\\",\\\"protocol\\\":\\\"TCP\\\"}],\\\"resources\\\":{\\\"limits\\\":{\\\"memory\\\":\\\"125Mi\\\"},\\\"requests\\\":{\\\"cpu\\\":\\\"10m\\\",\\\"memory\\\":\\\"30Mi\\\"}},\\\"securityContext\\\":{\\\"allowPrivilegeEscalation\\\":false,\\\"capabilities\\\":{\\\"drop\\\":[\\\"all\\\"]}},\\\"volumeMounts\\\":[{\\\"mountPath\\\":\\\"/var/run/secrets/tokens\\\",\\\"name\\\":\\\"konnectivity-agent-token\\\"}]}],\\\"nodeSelector\\\":{\\\"beta.kubernetes.io/os\\\":\\\"linux\\\"},\\\"priorityClassName\\\":\\\"system-cluster-critical\\\",\\\"securityContext\\\":{\\\"fsGroup\\\":1000,\\\"runAsGroup\\\":1000,\\\"runAsUser\\\":1000},\\\"serviceAccountName\\\":\\\"konnectivity-agent\\\",\\\"tolerations\\\":[{\\\"key\\\":\\\"CriticalAddonsOnly\\\",\\\"operator\\\":\\\"Exists\\\"},{\\\"effect\\\":\\\"NoSchedule\\\",\\\"key\\\":\\\"sandbox.gke.io/runtime\\\",\\\"operator\\\":\\\"Equal\\\",\\\"value\\\":\\\"gvisor\\\"},{\\\"key\\\":\\\"components.gke.io/gke-managed-components\\\",\\\"operator\\\":\\\"Exists\\\"}],\\\"topo
logySpreadConstraints\\\":[{\\\"labelSelector\\\":{\\\"matchLabels\\\":{\\\"k8s-app\\\":\\\"konnectivity-agent\\\"}},\\\"maxSkew\\\":1,\\\"topologyKey\\\":\\\"topology.kubernetes.io/zone\\\",\\\"whenUnsatisfiable\\\":\\\"ScheduleAnyway\\\"},{\\\"labelSelector\\\":{\\\"matchLabels\\\":{\\\"k8s-app\\\":\\\"konnectivity-agent\\\"}},\\\"maxSkew\\\":1,\\\"topologyKey\\\":\\\"kubernetes.io/hostname\\\",\\\"whenUnsatisfiable\\\":\\\"ScheduleAnyway\\\"}],\\\"volumes\\\":[{\\\"name\\\":\\\"konnectivity-agent-token\\\",\\\"projected\\\":{\\\"sources\\\":[{\\\"serviceAccountToken\\\":{\\\"audience\\\":\\\"system:konnectivity-server\\\",\\\"path\\\":\\\"konnectivity-agent-token\\\"}}]}}]}}}}\"},\"creationTimestamp\":\"2022-03-16T21:29:13Z\",\"generation\": 2,\"labels\":{\"addonmanager.kubernetes.io/mode\":\"Reconcile\",\"k8s-app\":\"konnectivity-agent\"},\"managedFields\":[{\"apiVersion\":\"apps/v1\",\"fieldsType\":\"FieldsV1\",\"fieldsV1\":{\"f:metadata\":{\"f:annotations\":{\".\":{},\"f:components.gke.io/layer\":{},\"f:kubectl.kubernetes.io/last-applied-configuration\":{}},\"f:labels\":{\".\":{},\"f:addonmanager.kubernetes.io/mode\":{},\"f:k8s-app\":{}}},\"f:spec\":{\"f:progressDeadlineSeconds\":{},\"f:replicas\":{},\"f:revisionHistoryLimit\":{},\"f:selector\":{},\"f:strategy\":{\"f:rollingUpdate\":{\".\":{},\"f:maxSurge\":{},\"f:maxUnavailable\":{}},\"f:type\":{}},\"f:template\":{\"f:metadata\":{\"f:annotations\":{\".\":{},\"f:cluster-autoscaler.kubernetes.io/safe-to-evict\":{},\"f:components.gke.io/component-name\":{},\"f:components.gke.io/component-version\":{}},\"f:labels\":{\".\":{},\"f:k8s-app\":{}}},\"f:spec\":{\"f:containers\":{\"k:{\\\"name\\\":\\\"konnectivity-agent\\\"}\":{\".\":{},\"f:args\":{},\"f:command\":{},\"f:env\":{\".\":{},\"k:{\\\"name\\\":\\\"POD_NAME\\\"}\":{\".\":{},\"f:name\":{},\"f:valueFrom\":{\".\":{},\"f:fieldRef\":{\".\":{},\"f:apiVersion\":{},\"f:fieldPath\":{}}}},\"k:{\\\"name\\\":\\\"POD_NAMESPACE\\\"}\":{\".\":{},\"f:name\":{},\"f:valueFrom\"
:{\".\":{},\"f:fieldRef\":{\".\":{},\"f:apiVersion\":{},\"f:fieldPath\":{}}}}},\"f:image\":{},\"f:imagePullPolicy\":{},\"f:livenessProbe\":{\".\":{},\"f:failureThreshold\":{},\"f:httpGet\":{\".\":{},\"f:path\":{},\"f:port\":{},\"f:scheme\":{}},\"f:initialDelaySeconds\":{},\"f:periodSeconds\":{},\"f:successThreshold\":{},\"f:timeoutSeconds\":{}},\"f:name\":{},\"f:ports\":{\".\":{},\"k:{\\\"containerPort\\\":8093,\\\"protocol\\\":\\\"TCP\\\"}\":{\".\":{},\"f:containerPort\":{},\"f:name\":{},\"f:protocol\":{}}},\"f:resources\":{\".\":{},\"f:limits\":{\".\":{},\"f:memory\":{}},\"f:requests\":{\".\":{},\"f:cpu\":{},\"f:memory\":{}}},\"f:securityContext\":{\".\":{},\"f:allowPrivilegeEscalation\":{},\"f:capabilities\":{\".\":{},\"f:drop\":{}}},\"f:terminationMessagePath\":{},\"f:terminationMessagePolicy\":{},\"f:volumeMounts\":{\".\":{},\"k:{\\\"mountPath\\\":\\\"/var/run/secrets/tokens\\\"}\":{\".\":{},\"f:mountPath\":{},\"f:name\":{}}}}},\"f:dnsPolicy\":{},\"f:nodeSelector\":{\".\":{},\"f:beta.kubernetes.io/os\":{}},\"f:priorityClassName\":{},\"f:restartPolicy\":{},\"f:schedulerName\":{},\"f:securityContext\":{\".\":{},\"f:fsGroup\":{},\"f:runAsGroup\":{},\"f:runAsUser\":{}},\"f:serviceAccount\":{},\"f:serviceAccountName\":{},\"f:terminationGracePeriodSeconds\":{},\"f:tolerations\":{},\"f:topologySpreadConstraints\":{\".\":{},\"k:{\\\"topologyKey\\\":\\\"kubernetes.io/hostname\\\",\\\"whenUnsatisfiable\\\":\\\"ScheduleAnyway\\\"}\":{\".\":{},\"f:labelSelector\":{},\"f:maxSkew\":{},\"f:topologyKey\":{},\"f:whenUnsatisfiable\":{}},\"k:{\\\"topologyKey\\\":\\\"topology.kubernetes.io/zone\\\",\\\"whenUnsatisfiable\\\":\\\"ScheduleAnyway\\\"}\":{\".\":{},\"f:labelSelector\":{},\"f:maxSkew\":{},\"f:topologyKey\":{},\"f:whenUnsatisfiable\":{}}},\"f:volumes\":{\".\":{},\"k:{\\\"name\\\":\\\"konnectivity-agent-token\\\"}\":{\".\":{},\"f:name\":{},\"f:projected\":{\".\":{},\"f:defaultMode\":{},\"f:sources\":{}}}}}}}},\"manager\":\"kubectl-client-side-apply\",\"operation\":\"Update
\",\"time\":\"2022-03-16T21:29:13Z\"},{\"apiVersion\":\"apps/v1\",\"fieldsType\":\"FieldsV1\",\"fieldsV1\":{\"f:metadata\":{\"f:annotations\":{\"f:deployment.kubernetes.io/revision\":{}}},\"f:status\":{\"f:availableReplicas\":{},\"f:conditions\":{\".\":{},\"k:{\\\"type\\\":\\\"Available\\\"}\":{\".\":{},\"f:lastTransitionTime\":{},\"f:lastUpdateTime\":{},\"f:message\":{},\"f:reason\":{},\"f:status\":{},\"f:type\":{}},\"k:{\\\"type\\\":\\\"Progressing\\\"}\":{\".\":{},\"f:lastTransitionTime\":{},\"f:lastUpdateTime\":{},\"f:message\":{},\"f:reason\":{},\"f:status\":{},\"f:type\":{}}},\"f:observedGeneration\":{},\"f:readyReplicas\":{},\"f:replicas\":{},\"f:updatedReplicas\":{}}},\"manager\":\"kube-controller-manager\",\"operation\":\"Update\",\"time\":\"2022-03-17T08:55:52Z\"}],\"name\":\"konnectivity-agent\",\"namespace\":\"kube-system\",\"resourceVersion\":\"280105\",\"uid\":\"d3b49e97-7bac-435e-bfc6-19a25fe494fe\"},\"spec\":{\"progressDeadlineSeconds\": 600,\"replicas\": 6,\"revisionHistoryLimit\": 10,\"selector\":{\"matchLabels\":{\"k8s-app\":\"konnectivity-agent\"}},\"strategy\":{\"rollingUpdate\":{\"maxSurge\":\"25%\",\"maxUnavailable\":\"25%\"},\"type\":\"RollingUpdate\"},\"template\":{\"metadata\":{\"annotations\":{\"cluster-autoscaler.kubernetes.io/safe-to-evict\":\"true\",\"components.gke.io/component-name\":\"konnectivitynetworkproxy-combined\",\"components.gke.io/component-version\":\"1.3.3\"},\"creationTimestamp\": 
null,\"labels\":{\"k8s-app\":\"konnectivity-agent\"}},\"spec\":{\"containers\":[{\"args\":[\"--logtostderr=true\",\"--ca-cert=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt\",\"--proxy-server-host=34.75.195.103\",\"--proxy-server-port=8132\",\"--health-server-port=8093\",\"--admin-server-port=8094\",\"--sync-interval=5s\",\"--probe-interval=5s\",\"--service-account-token-path=/var/run/secrets/tokens/konnectivity-agent-token\",\"--v=3\"],\"command\":[\"/proxy-agent\"],\"env\":[{\"name\":\"POD_NAME\",\"valueFrom\":{\"fieldRef\":{\"apiVersion\":\"v1\",\"fieldPath\":\"metadata.name\"}}},{\"name\":\"POD_NAMESPACE\",\"valueFrom\":{\"fieldRef\":{\"apiVersion\":\"v1\",\"fieldPath\":\"metadata.namespace\"}}}],\"image\":\"gke.gcr.io/proxy-agent:v0.0.24-gke.0\",\"imagePullPolicy\":\"IfNotPresent\",\"livenessProbe\":{\"failureThreshold\": 3,\"httpGet\":{\"path\":\"/healthz\",\"port\": 8093,\"scheme\":\"HTTP\"},\"initialDelaySeconds\": 15,\"periodSeconds\": 10,\"successThreshold\": 1,\"timeoutSeconds\": 15},\"name\":\"konnectivity-agent\",\"ports\":[{\"containerPort\": 8093,\"name\":\"metrics\",\"protocol\":\"TCP\"}],\"resources\":{\"limits\":{\"memory\":\"125Mi\"},\"requests\":{\"cpu\":\"10m\",\"memory\":\"30Mi\"}},\"securityContext\":{\"allowPrivilegeEscalation\": false,\"capabilities\":{\"drop\":[\"all\"]}},\"terminationMessagePath\":\"/dev/termination-log\",\"terminationMessagePolicy\":\"File\",\"volumeMounts\":[{\"mountPath\":\"/var/run/secrets/tokens\",\"name\":\"konnectivity-agent-token\"}]}],\"dnsPolicy\":\"ClusterFirst\",\"nodeSelector\":{\"beta.kubernetes.io/os\":\"linux\"},\"priorityClassName\":\"system-cluster-critical\",\"restartPolicy\":\"Always\",\"schedulerName\":\"default-scheduler\",\"securityContext\":{\"fsGroup\": 1000,\"runAsGroup\": 1000,\"runAsUser\": 1000},\"serviceAccount\":\"konnectivity-agent\",\"serviceAccountName\":\"konnectivity-agent\",\"terminationGracePeriodSeconds\": 
30,\"tolerations\":[{\"key\":\"CriticalAddonsOnly\",\"operator\":\"Exists\"},{\"effect\":\"NoSchedule\",\"key\":\"sandbox.gke.io/runtime\",\"operator\":\"Equal\",\"value\":\"gvisor\"},{\"key\":\"components.gke.io/gke-managed-components\",\"operator\":\"Exists\"}],\"topologySpreadConstraints\":[{\"labelSelector\":{\"matchLabels\":{\"k8s-app\":\"konnectivity-agent\"}},\"maxSkew\": 1,\"topologyKey\":\"topology.kubernetes.io/zone\",\"whenUnsatisfiable\":\"ScheduleAnyway\"},{\"labelSelector\":{\"matchLabels\":{\"k8s-app\":\"konnectivity-agent\"}},\"maxSkew\": 1,\"topologyKey\":\"kubernetes.io/hostname\",\"whenUnsatisfiable\":\"ScheduleAnyway\"}],\"volumes\":[{\"name\":\"konnectivity-agent-token\",\"projected\":{\"defaultMode\": 420,\"sources\":[{\"serviceAccountToken\":{\"audience\":\"system:konnectivity-server\",\"expirationSeconds\": 3600,\"path\":\"konnectivity-agent-token\"}}]}}]}}},\"status\":{\"availableReplicas\": 6,\"conditions\":[{\"lastTransitionTime\":\"2022-03-17T08:55:41Z\",\"lastUpdateTime\":\"2022-03-17T08:55:41Z\",\"message\":\"ReplicaSet \\\"konnectivity-agent-56c9b8cf8\\\" has successfully progressed.\",\"reason\":\"NewReplicaSetAvailable\",\"status\":\"True\",\"type\":\"Progressing\"},{\"lastTransitionTime\":\"2022-03-17T08:55:52Z\",\"lastUpdateTime\":\"2022-03-17T08:55:52Z\",\"message\":\"Deployment has minimum availability.\",\"reason\":\"MinimumReplicasAvailable\",\"status\":\"True\",\"type\":\"Available\"}],\"observedGeneration\": 2,\"readyReplicas\": 6,\"replicas\": 6,\"updatedReplicas\": 6}},\"serviceName\":\"k8s.io\",\"status\":{}},\"receiveTimestamp\":\"2022-03-21T19:46:38.090036928Z\",\"resource\":{\"labels\":{\"cluster_name\":\"iammai-340819-gke-cluster\",\"location\":\"us-east1\",\"project_id\":\"iammai-340819\"},\"type\":\"k8s_cluster\"},\"timestamp\":\"2022-03-21T19:46:36.090498Z\"}", "outcome": "success", "provider": "activity", "type": [ 
@@ -1554,6 +1655,14 @@ }, "type": "kubernetes" }, + "related": { + "ip": [ + "10.142.0.152" + ], + "user": [ + "system:addon-manager" + ] + }, "service": { "name": "k8s.io" }, @@ -1578,8 +1687,8 @@ "@timestamp": "2022-06-01T11:15:10.842Z", "client": { "user": { - "email": "service-150691754250@container-engine-robot.iam.gserviceaccount.com", - "id": "serviceAccount:service-150691754250@container-engine-robot.iam.gserviceaccount.com" + "email": "servoce-xxxx@developer.gserviceaccount.com", + "id": "serviceAccount:servoce-xxxx@developer.gserviceaccount.com" } }, "cloud": { 
@@ -1599,7 +1708,7 @@ ], "id": "15ciwwfd47gm", "kind": "event", - "original": "{\"insertId\":\"15ciwwfd47gm\",\"logName\":\"projects/elastic/logs/cloudaudit.googleapis.com%2Fdata_access\",\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"authenticationInfo\":{\"principalEmail\":\"service-150691754250@container-engine-robot.iam.gserviceaccount.com\",\"principalSubject\":\"serviceAccount:service-150691754250@container-engine-robot.iam.gserviceaccount.com\"},\"authorizationInfo\":[{\"granted\":true,\"permission\":\"container.clusters.get\",\"resourceAttributes\":{}}],\"methodName\":\"google.container.v1.ClusterManager.GetCluster\",\"policyViolationInfo\":{\"orgPolicyViolationInfo\":{}},\"request\":{\"@type\":\"type.googleapis.com/google.container.v1alpha1.GetClusterRequest\",\"name\":\"projects/elastic-product/locations/us-central1-a/clusters/demo-elastic-co\"},\"requestMetadata\":{\"callerIp\":\"192.168.1.1\",\"callerSuppliedUserAgent\":\"google-api-go-client/0.5 cluster-autoscaler,gzip(gfe)\",\"destinationAttributes\":{},\"requestAttributes\":{\"auth\":{},\"time\":\"2022-06-01T11:15:10.836131149Z\"}},\"resourceLocation\":{\"currentLocations\":[\"us-central1-a\"]},\"resourceName\":\"projects/elastic-product/zones/us-central1-a/clusters/demo-elastic-co\",\"serviceName\":\"container.googleapis.com\"},\"receiveTimestamp\":\"2022-06-01T11:15:11.07151757Z\",\"resource\":{\"labels\":{\"cluster_name\":\"demo-elastic-co\",\"location\":\"us-central1-a\",\"project_id\":\"elastic-product\"},\"type\":\"gke_cluster\"},\"severity\":\"INFO\",\"timestamp\":\"2022-06-01T11:15:10.842495409Z\",\"logging.googleapis.com/timestamp\":\"2022-06-01T11:15:10.842495409Z\"}", + "original": 
"{\"insertId\":\"15ciwwfd47gm\",\"logName\":\"projects/elastic/logs/cloudaudit.googleapis.com%2Fdata_access\",\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"authenticationInfo\":{\"principalEmail\":\"servoce-xxxx@developer.gserviceaccount.com\",\"principalSubject\":\"serviceAccount:servoce-xxxx@developer.gserviceaccount.com\"},\"authorizationInfo\":[{\"granted\":true,\"permission\":\"container.clusters.get\",\"resourceAttributes\":{}}],\"methodName\":\"google.container.v1.ClusterManager.GetCluster\",\"policyViolationInfo\":{\"orgPolicyViolationInfo\":{}},\"request\":{\"@type\":\"type.googleapis.com/google.container.v1alpha1.GetClusterRequest\",\"name\":\"projects/elastic-product/locations/us-central1-a/clusters/demo-elastic-co\"},\"requestMetadata\":{\"callerIp\":\"192.168.1.1\",\"callerSuppliedUserAgent\":\"google-api-go-client/0.5 cluster-autoscaler,gzip(gfe)\",\"destinationAttributes\":{},\"requestAttributes\":{\"auth\":{},\"time\":\"2022-06-01T11:15:10.836131149Z\"}},\"resourceLocation\":{\"currentLocations\":[\"us-central1-a\"]},\"resourceName\":\"projects/elastic-product/zones/us-central1-a/clusters/demo-elastic-co\",\"serviceName\":\"container.googleapis.com\"},\"receiveTimestamp\":\"2022-06-01T11:15:11.07151757Z\",\"resource\":{\"labels\":{\"cluster_name\":\"demo-elastic-co\",\"location\":\"us-central1-a\",\"project_id\":\"elastic-product\"},\"type\":\"gke_cluster\"},\"severity\":\"INFO\",\"timestamp\":\"2022-06-01T11:15:10.842495409Z\",\"logging.googleapis.com/timestamp\":\"2022-06-01T11:15:10.842495409Z\"}", "outcome": "success", "provider": "data_access", "type": [ @@ -1637,6 +1746,14 @@ }, "type": "kubernetes" }, + "related": { + "ip": [ + "192.168.1.1" + ], + "user": [ + "servoce-xxxx@developer.gserviceaccount.com" + ] + }, "service": { "name": "container.googleapis.com" }, 
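Review bot: The redacted principal on the new side of this hunk, `servoce-xxxx@developer.gserviceaccount.com`, carries a typo (`servoce`) and also swaps the original's service-agent domain for the default-compute one, so the fixture no longer exercises the `service-<project-number>@container-engine-robot.iam.gserviceaccount.com` shape that a GKE service agent uses; given the same event's `cluster-autoscaler` user agent, that shape is what anyone keying a detection on the service-agent domain would expect to see covered. Suggest redacting only the project number, `\"principalEmail\":\"service-xxxx@container-engine-robot.iam.gserviceaccount.com\"` with the matching `principalSubject`, so the `client.user.email`/`id` lines earlier in the hunk follow. This expected file is generated, so the edit belongs in the corresponding test-audit.log input, which is outside this view, followed by a regeneration.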
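Review bot: The `related.user` array added in this hunk holds only the email form, while `client.user.id` on the same document is `serviceAccount:servoce-xxxx@developer.gserviceaccount.com`; ECS defines `related.user` as every user identifier seen on the event, so a hunt that pivots on the `principalSubject` string will not match this document. If the intent is for `related.user` to cover both forms, the pipeline (not in this view) should also append `client.user.id`, and this block would become `"user": ["serviceAccount:servoce-xxxx@developer.gserviceaccount.com", "servoce-xxxx@developer.gserviceaccount.com"]`. If omitting the prefixed subject is deliberate, a one-line note in the audit data stream docs stating that `related.user` carries `principalEmail` only would save the next reader the question.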
@@ -1678,7 +1795,7 @@ ], "id": "4pyr6eegiuw1", "kind": "event", - "original": "{\"insertId\":\"4pyr6eegiuw1\",\"logName\":\"projects/elastic/logs/cloudaudit.googleapis.com%2Fdata_access\",\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"authenticationInfo\":{\"principalEmail\":\"xxx-compute@developer.gserviceaccount.com\",\"serviceAccountDelegationInfo\":[{}]},\"authorizationInfo\":[{\"granted\":true,\"permission\":\"storage.objects.get\",\"resource\":\"projects/_/buckets/dataflow-staging-us-central1-xxx/objects/staging/xxx.jar\",\"resourceAttributes\":{}}],\"methodName\":\"storage.objects.get\",\"requestMetadata\":{\"callerSuppliedUserAgent\":\"BigstoreFile BigstoreIO (cr/xxx) \",\"destinationAttributes\":{},\"requestAttributes\":{\"auth\":{},\"time\":\"2022-06-01T11:19:08.205760711Z\"}},\"resourceLocation\":{\"currentLocations\":[\"us-central1\"]},\"resourceName\":\"projects/_/buckets/dataflow-staging-us-central1-xxx/objects/staging/jfxrt-xxx.jar\",\"serviceName\":\"storage.googleapis.com\",\"status\":{}},\"receiveTimestamp\":\"2022-06-01T11:19:08.699785539Z\",\"resource\":{\"labels\":{\"bucket_name\":\"dataflow-staging-us-central1-150691754250\",\"location\":\"us-central1\",\"project_id\":\"elastic-product\"},\"type\":\"gcs_bucket\"},\"severity\":\"INFO\",\"timestamp\":\"2022-06-01T11:19:08.199407722Z\",\"logging.googleapis.com/timestamp\":\"2022-06-01T11:19:08.199407722Z\"}", + "original": 
"{\"insertId\":\"4pyr6eegiuw1\",\"logName\":\"projects/elastic/logs/cloudaudit.googleapis.com%2Fdata_access\",\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"authenticationInfo\":{\"principalEmail\":\"xxx-compute@developer.gserviceaccount.com\",\"serviceAccountDelegationInfo\":[{}]},\"authorizationInfo\":[{\"granted\":true,\"permission\":\"storage.objects.get\",\"resource\":\"projects/_/buckets/dataflow-staging-us-central1-xxx/objects/staging/xxx.jar\",\"resourceAttributes\":{}}],\"methodName\":\"storage.objects.get\",\"requestMetadata\":{\"callerSuppliedUserAgent\":\"BigstoreFile BigstoreIO (cr/xxx)\",\"destinationAttributes\":{},\"requestAttributes\":{\"auth\":{},\"time\":\"2022-06-01T11:19:08.205760711Z\"}},\"resourceLocation\":{\"currentLocations\":[\"us-central1\"]},\"resourceName\":\"projects/_/buckets/dataflow-staging-us-central1-xxx/objects/staging/jfxrt-xxx.jar\",\"serviceName\":\"storage.googleapis.com\",\"status\":{}},\"receiveTimestamp\":\"2022-06-01T11:19:08.699785539Z\",\"resource\":{\"labels\":{\"bucket_name\":\"dataflow-staging-us-central1-150691754250\",\"location\":\"us-central1\",\"project_id\":\"elastic-product\"},\"type\":\"gcs_bucket\"},\"severity\":\"INFO\",\"timestamp\":\"2022-06-01T11:19:08.199407722Z\",\"logging.googleapis.com/timestamp\":\"2022-06-01T11:19:08.199407722Z\"}", "outcome": "success", "provider": "data_access", "type": [ @@ -1708,6 +1825,11 @@ "level": "INFO", "logger": "projects/elastic/logs/cloudaudit.googleapis.com%2Fdata_access" }, + "related": { + "user": [ + "xxx-compute@developer.gserviceaccount.com" + ] + }, "service": { "name": "storage.googleapis.com" }, 
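Review bot: Sanitisation is incomplete on the new side of this hunk: `resourceName` uses `dataflow-staging-us-central1-xxx`, but `resource.labels.bucket_name` still reads `dataflow-staging-us-central1-150691754250`, so the same real project number this commit scrubs out of the principal emails elsewhere in the file survives in a committed fixture, and a GCS bucket name is a globally unique, resolvable identifier. Change the label to match the already-redacted resource name, `\"bucket_name\":\"dataflow-staging-us-central1-xxx\"`, and regenerate the expected output; the edit belongs in test-audit.log, which is outside this view.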
@@ -1719,15 +1841,15 @@ "name": "Other" }, "name": "Other", - "original": "BigstoreFile BigstoreIO (cr/xxx) " + "original": "BigstoreFile BigstoreIO (cr/xxx)" } }, { "@timestamp": "2022-06-01T11:15:10.842Z", "client": { "user": { - "email": "service-150691754250@container-engine-robot.iam.gserviceaccount.com", - "id": "serviceAccount:service-150691754250@container-engine-robot.iam.gserviceaccount.com" + "email": "servoce-xxxx@developer.gserviceaccount.com", + "id": "serviceAccount:servoce-xxxx@developer.gserviceaccount.com" } }, "cloud": { 
@@ -1747,7 +1869,7 @@ ], "id": "15ciwwfd47gf", "kind": "event", - "original": "{\"insertId\":\"15ciwwfd47gf\",\"logName\":\"projects/elastic/logs/cloudaudit.googleapis.com%2Fdata_access\",\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"authenticationInfo\":{\"principalEmail\":\"service-150691754250@container-engine-robot.iam.gserviceaccount.com\",\"principalSubject\":\"serviceAccount:service-150691754250@container-engine-robot.iam.gserviceaccount.com\"},\"authorizationInfo\":[{\"granted\":true,\"permission\":\"container.clusters.get\",\"resourceAttributes\":{}}],\"methodName\":\"google.container.v1.ClusterManager.GetCluster\",\"policyViolationInfo\":{\"orgPolicyViolationInfo\":{}},\"request\":{\"@type\":\"type.googleapis.com/google.container.v1alpha1.GetClusterRequest\",\"name\":\"projects/elastic-product/locations/us-central1-a/clusters/demo-elastic-co\",\"policy\":\"scalar-policy\"},\"requestMetadata\":{\"callerIp\":\"192.168.1.1\",\"callerSuppliedUserAgent\":\"google-api-go-client/0.5 cluster-autoscaler,gzip(gfe)\",\"destinationAttributes\":{},\"requestAttributes\":{\"auth\":{},\"time\":\"2022-06-01T11:15:10.836131149Z\"}},\"resourceLocation\":{\"currentLocations\":[\"us-central1-a\"]},\"resourceName\":\"projects/elastic-product/zones/us-central1-a/clusters/demo-elastic-co\",\"serviceName\":\"container.googleapis.com\"},\"receiveTimestamp\":\"2022-06-01T11:15:11.07151757Z\",\"resource\":{\"labels\":{\"cluster_name\":\"demo-elastic-co\",\"location\":\"us-central1-a\",\"project_id\":\"elastic-product\"},\"type\":\"gke_cluster\"},\"severity\":\"INFO\",\"timestamp\":\"2022-06-01T11:15:10.842495409Z\",\"logging.googleapis.com/timestamp\":\"2022-06-01T11:15:10.842495409Z\"}", + "original": 
"{\"insertId\":\"15ciwwfd47gf\",\"logName\":\"projects/elastic/logs/cloudaudit.googleapis.com%2Fdata_access\",\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"authenticationInfo\":{\"principalEmail\":\"servoce-xxxx@developer.gserviceaccount.com\",\"principalSubject\":\"serviceAccount:servoce-xxxx@developer.gserviceaccount.com\"},\"authorizationInfo\":[{\"granted\":true,\"permission\":\"container.clusters.get\",\"resourceAttributes\":{}}],\"methodName\":\"google.container.v1.ClusterManager.GetCluster\",\"policyViolationInfo\":{\"orgPolicyViolationInfo\":{}},\"request\":{\"@type\":\"type.googleapis.com/google.container.v1alpha1.GetClusterRequest\",\"name\":\"projects/elastic-product/locations/us-central1-a/clusters/demo-elastic-co\",\"policy\":\"scalar-policy\"},\"requestMetadata\":{\"callerIp\":\"192.168.1.1\",\"callerSuppliedUserAgent\":\"google-api-go-client/0.5 cluster-autoscaler,gzip(gfe)\",\"destinationAttributes\":{},\"requestAttributes\":{\"auth\":{},\"time\":\"2022-06-01T11:15:10.836131149Z\"}},\"resourceLocation\":{\"currentLocations\":[\"us-central1-a\"]},\"resourceName\":\"projects/elastic-product/zones/us-central1-a/clusters/demo-elastic-co\",\"serviceName\":\"container.googleapis.com\"},\"receiveTimestamp\":\"2022-06-01T11:15:11.07151757Z\",\"resource\":{\"labels\":{\"cluster_name\":\"demo-elastic-co\",\"location\":\"us-central1-a\",\"project_id\":\"elastic-product\"},\"type\":\"gke_cluster\"},\"severity\":\"INFO\",\"timestamp\":\"2022-06-01T11:15:10.842495409Z\",\"logging.googleapis.com/timestamp\":\"2022-06-01T11:15:10.842495409Z\"}", "outcome": "success", "provider": "data_access", "type": [ @@ -1786,6 +1908,14 @@ }, "type": "kubernetes" }, + "related": { + "ip": [ + "192.168.1.1" + ], + "user": [ + "servoce-xxxx@developer.gserviceaccount.com" + ] + }, "service": { "name": "container.googleapis.com" }, 
@@ -1861,6 +1991,11 @@ "level": "INFO", "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" }, + "related": { + "user": [ + "xxx@xxx.xxx" + ] + }, "service": { "name": "iam.googleapis.com" }, 
@@ -1874,6 +2009,314 @@ "name": "Other", "original": "google-api-go-client/0.5,gzip(gfe)" } + }, + { + "@timestamp": "2024-08-20T23:40:30.997Z", + "client": { + "user": { + "email": "system@google.com" + } + }, + "cloud": { + "instance": { + "id": "5630355820693738547" + }, + "project": { + "id": "elastic-siem" + }, + "provider": "gcp" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "compute.instances.migrateOnHostMaintenance", + "id": "-g2g374e10tyi", + "kind": "event", + "original": "{\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"status\":{\"message\":\"InstancemigratedduringComputeEnginemaintenance.\"},\"authenticationInfo\":{\"principalEmail\":\"system@google.com\"},\"serviceName\":\"compute.googleapis.com\",\"methodName\":\"compute.instances.migrateOnHostMaintenance\",\"resourceName\":\"projects/elastic-siem/zones/us-central1-c/instances/sep-perf-debian-11-155\",\"request\":{\"@type\":\"type.googleapis.com/compute.instances.migrateOnHostMaintenance\"}},\"insertId\":\"-g2g374e10tyi\",\"resource\":{\"type\":\"gce_instance\",\"labels\":{\"instance_id\":\"5630355820693738547\",\"zone\":\"us-central1-c\",\"project_id\":\"elastic-siem\"}},\"timestamp\":\"2024-08-20T23:40:30.997109Z\",\"severity\":\"INFO\",\"labels\":{\"compute.googleapis.com/root_trigger_id\":\"b11f3ce7-7400-4ba4-9cee-eee4c65e38b4\"},\"logName\":\"projects/elastic-siem/logs/cloudaudit.googleapis.com%2Fsystem_event\",\"operation\":{\"id\":\"systemevent-1724197136000-62025edd06400-961ecb86-ebb8062e\",\"producer\":\"compute.instances.migrateOnHostMaintenance\",\"first\":true,\"last\":true},\"receiveTimestamp\":\"2024-08-20T23:40:31.703530860Z\"}", + "outcome": "unknown", + "provider": "system_event" + }, + "gcp": { + "audit": { + "labels": { + "compute.googleapis.com/root_trigger_id": "b11f3ce7-7400-4ba4-9cee-eee4c65e38b4" + }, + "logentry_operation": { + "id": "systemevent-1724197136000-62025edd06400-961ecb86-ebb8062e" + }, + "request": { + 
"@type": "type.googleapis.com/compute.instances.migrateOnHostMaintenance" + }, + "resource_name": "projects/elastic-siem/zones/us-central1-c/instances/sep-perf-debian-11-155", + "status": { + "message": "InstancemigratedduringComputeEnginemaintenance." + }, + "type": "type.googleapis.com/google.cloud.audit.AuditLog" + } + }, + "log": { + "level": "INFO", + "logger": "projects/elastic-siem/logs/cloudaudit.googleapis.com%2Fsystem_event" + }, + "related": { + "user": [ + "system@google.com" + ] + }, + "service": { + "name": "compute.googleapis.com" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-09-13T03:10:14.801Z", + "cloud": { + "project": { + "id": "elastic-siem" + }, + "provider": "gcp" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "google.storage.buckets.get", + "id": "d21cmyd7av9", + "kind": "event", + "original": "{\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"status\":{\"code\": 7,\"message\":\"PERMISSION_DENIED\",\"details\":[{\"@type\":\"type.googleapis.com/google.rpc.PreconditionFailure\",\"violations\":[{\"type\":\"VPC_SERVICE_CONTROLS\",\"description\":\"ljv4RZNmza4g69MMoOXBtRrlNKRYTjjhgkadQiqlfhmDZhClaMVgjoWA\"}]}]},\"authenticationInfo\":{},\"requestMetadata\":{\"callerIp\":\"192.168.1.1\",\"requestAttributes\":{},\"destinationAttributes\":{}},\"serviceName\":\"storage.googleapis.com\",\"methodName\":\"google.storage.buckets.get\",\"resourceName\":\"projects/elastic-siem\",\"metadata\":{\"securityPolicyInfo\":{\"servicePerimeterName\":\"accessPolicies/30507210272/servicePerimeters/some_service\",\"organizationId\":\"614830067722\"},\"vpcServiceControlsUniqueId\":\"ljv4RZNmza4g69MMoOXBtRrlNKRYTjjhgkadQiqlfhmDZhClaMVgjoWA\",\"accessLevels\":[\"accessPolicies/30507210272/accessLevels/thingy\",\"accessPolicies/30507210272/accessLevels/test_us\"],\"@type\":\"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata\",\"ingressViolations\":[{\"servicePerimete
r\":\"accessPolicies/30507210272/servicePerimeters/some_service\",\"targetResource\":\"projects/elastic-siem/locations/us-central1\"}],\"violationReason\":\"NO_MATCHING_ACCESS_LEVEL\",\"resourceNames\":[\"projects/elastic-siem/locations/us-central1\"]}},\"insertId\":\"d21cmyd7av9\",\"resource\":{\"type\":\"audited_resource\",\"labels\":{\"project_id\":\"elastic-siem\",\"method\":\"google.storage.buckets.get\",\"service\":\"storage.googleapis.com\"}},\"timestamp\":\"2021-09-13T03:10:14.801613786Z\",\"severity\":\"ERROR\",\"logName\":\"projects/elastic-siem/logs/cloudaudit.googleapis.com%2Fpolicy\",\"receiveTimestamp\":\"2021-09-13T03:10:15.410616031Z\"}", + "outcome": "failure", + "provider": "policy" + }, + "gcp": { + "audit": { + "metadata": { + "@type": "type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata", + "accessLevels": [ + "accessPolicies/30507210272/accessLevels/thingy", + "accessPolicies/30507210272/accessLevels/test_us" + ], + "ingressViolations": [ + { + "servicePerimeter": "accessPolicies/30507210272/servicePerimeters/some_service", + "targetResource": "projects/elastic-siem/locations/us-central1" + } + ], + "resourceNames": [ + "projects/elastic-siem/locations/us-central1" + ], + "securityPolicyInfo": { + "organizationId": "614830067722", + "servicePerimeterName": "accessPolicies/30507210272/servicePerimeters/some_service" + }, + "violationReason": "NO_MATCHING_ACCESS_LEVEL", + "vpcServiceControlsUniqueId": "ljv4RZNmza4g69MMoOXBtRrlNKRYTjjhgkadQiqlfhmDZhClaMVgjoWA" + }, + "resource_name": "projects/elastic-siem", + "status": { + "code": 7, + "details": [ + { + "@type": "type.googleapis.com/google.rpc.PreconditionFailure", + "violations": [ + { + "description": "ljv4RZNmza4g69MMoOXBtRrlNKRYTjjhgkadQiqlfhmDZhClaMVgjoWA", + "type": "VPC_SERVICE_CONTROLS" + } + ] + } + ], + "message": "PERMISSION_DENIED" + }, + "type": "type.googleapis.com/google.cloud.audit.AuditLog" + } + }, + "log": { + "level": "ERROR", + "logger": 
"projects/elastic-siem/logs/cloudaudit.googleapis.com%2Fpolicy" + }, + "related": { + "ip": [ + "192.168.1.1" + ] + }, + "service": { + "name": "storage.googleapis.com" + }, + "source": { + "ip": "192.168.1.1" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-06-01T11:15:10.842Z", + "client": { + "user": { + "email": "servoce-xxxx@developer.gserviceaccount.com", + "id": "serviceAccount:servoce-xxxx@developer.gserviceaccount.com" + } + }, + "cloud": { + "project": { + "id": "elastic-product" + }, + "provider": "gcp" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "google.container.v1.ClusterManager.GetCluster", + "category": [ + "network", + "configuration" + ], + "id": "15ciwwfd47gf", + "kind": "event", + "original": "{\"insertId\":\"15ciwwfd47gf\",\"logName\":\"projects/elastic/logs/cloudaudit.googleapis.com%2Fdata_access\",\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"authenticationInfo\":{\"principalEmail\":\"servoce-xxxx@developer.gserviceaccount.com\",\"principalSubject\":\"serviceAccount:servoce-xxxx@developer.gserviceaccount.com\"},\"authorizationInfo\":[{\"granted\": true,\"permission\":\"container.clusters.get\",\"resourceAttributes\":{}}],\"methodName\":\"google.container.v1.ClusterManager.GetCluster\",\"policyViolationInfo\":{\"orgPolicyViolationInfo\":{\"payload\":{\"key1\":\"value1\",\"key2\":\"value2\"},\"resourceType\":\"compute.googleapis.com/Instance\",\"resourceTags\":{\"instance_id\":\"INSTANCE_ID\",\"zone\":\"us-central1-a\"},\"violationInfo\":[{\"constraint\":\"compute.vmExternalIpAccess\",\"errorMessage\":\"This policy disallows the use of external IP addresses for VM 
instances.\",\"checkedValue\":\"Value\",\"policyType\":\"CUSTOM_CONSTRAINT\"}]}},\"request\":{\"@type\":\"type.googleapis.com/google.container.v1alpha1.GetClusterRequest\",\"name\":\"projects/elastic-product/locations/us-central1-a/clusters/demo-elastic-co\",\"policy\":\"scalar-policy\"},\"requestMetadata\":{\"callerIp\":\"192.168.1.1\",\"callerSuppliedUserAgent\":\"google-api-go-client/0.5 cluster-autoscaler,gzip(gfe)\",\"destinationAttributes\":{},\"requestAttributes\":{\"auth\":{},\"time\":\"2022-06-01T11:15:10.836131149Z\"}},\"resourceLocation\":{\"currentLocations\":[\"us-central1-a\"]},\"resourceName\":\"projects/elastic-product/zones/us-central1-a/clusters/demo-elastic-co\",\"serviceName\":\"container.googleapis.com\"},\"receiveTimestamp\":\"2022-06-01T11:15:11.07151757Z\",\"resource\":{\"labels\":{\"cluster_name\":\"demo-elastic-co\",\"location\":\"us-central1-a\",\"project_id\":\"elastic-product\"},\"type\":\"gke_cluster\"},\"severity\":\"INFO\",\"timestamp\":\"2022-06-01T11:15:10.842495409Z\",\"logging.googleapis.com/timestamp\":\"2022-06-01T11:15:10.842495409Z\"}", + "outcome": "success", + "provider": "data_access", + "type": [ + "access", + "allowed" + ] + }, + "gcp": { + "audit": { + "authorization_info": [ + { + "granted": true, + "permission": "container.clusters.get" + } + ], + "policy_violation_info": { + "payload": { + "key1": "value1", + "key2": "value2" + }, + "resource_tags": { + "instance_id": "INSTANCE_ID", + "zone": "us-central1-a" + }, + "resource_type": "compute.googleapis.com/Instance", + "violations": [ + { + "checkedValue": "Value", + "constraint": "compute.vmExternalIpAccess", + "errorMessage": "This policy disallows the use of external IP addresses for VM instances.", + "policyType": "CUSTOM_CONSTRAINT" + } + ] + }, + "request": { + "@type": "type.googleapis.com/google.container.v1alpha1.GetClusterRequest", + "name": "projects/elastic-product/locations/us-central1-a/clusters/demo-elastic-co", + "policy_value": "scalar-policy" + }, + 
"resource_location": { + "current_locations": [ + "us-central1-a" + ] + }, + "type": "type.googleapis.com/google.cloud.audit.AuditLog" + } + }, + "log": { + "level": "INFO", + "logger": "projects/elastic/logs/cloudaudit.googleapis.com%2Fdata_access" + }, + "orchestrator": { + "cluster": { + "name": "demo-elastic-co" + }, + "type": "kubernetes" + }, + "related": { + "ip": [ + "192.168.1.1" + ], + "user": [ + "servoce-xxxx@developer.gserviceaccount.com" + ] + }, + "service": { + "name": "container.googleapis.com" + }, + "source": { + "ip": "192.168.1.1" + }, + "tags": [ + "preserve_original_event" + ], + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "google-api-go-client/0.5 cluster-autoscaler,gzip(gfe)" + } + }, + { + "@timestamp": "2024-08-23T02:12:01.626Z", + "cloud": { + "project": { + "id": "elastic-siem" + }, + "provider": "gcp" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "google.container.v1.ClusterManager.SetLabels", + "category": [ + "session" + ], + "id": "17ah0cpe10gvp", + "kind": "event", + "original": 
"{\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"status\":{},\"serviceName\":\"container.googleapis.com\",\"methodName\":\"google.container.v1.ClusterManager.SetLabels\",\"resourceName\":\"projects/elastic-siem/zones/us-central1-c/clusters/endpoint-gke-cluster\",\"metadata\":{\"operationType\":\"UPDATE_CLUSTER\"},\"resourceLocation\":{\"currentLocations\":[\"us-central1-c\"]},\"policyViolationInfo\":{\"orgPolicyViolationInfo\":{}}},\"insertId\":\"17ah0cpe10gvp\",\"resource\":{\"type\":\"gke_cluster\",\"labels\":{\"location\":\"us-central1-c\",\"cluster_name\":\"endpoint-gke-cluster\",\"project_id\":\"elastic-siem\"}},\"timestamp\":\"2024-08-23T02:12:01.626546355Z\",\"severity\":\"NOTICE\",\"logName\":\"projects/elastic-siem/logs/cloudaudit.googleapis.com%2Factivity\",\"operation\":{\"id\":\"operation-1724379121483-d43ef943-bcf8-46e9-9ff2-ba71cfbc26b2\",\"producer\":\"container.googleapis.com\",\"last\": true},\"receiveTimestamp\":\"2024-08-23T02:12:02.419428097Z\"}", + "outcome": "unknown", + "provider": "activity", + "type": [ + "end" + ] + }, + "gcp": { + "audit": { + "logentry_operation": { + "id": "operation-1724379121483-d43ef943-bcf8-46e9-9ff2-ba71cfbc26b2" + }, + "metadata": { + "operationType": "UPDATE_CLUSTER" + }, + "resource_location": { + "current_locations": [ + "us-central1-c" + ] + }, + "type": "type.googleapis.com/google.cloud.audit.AuditLog" + } + }, + "log": { + "level": "NOTICE", + "logger": "projects/elastic-siem/logs/cloudaudit.googleapis.com%2Factivity" + }, + "orchestrator": { + "cluster": { + "name": "endpoint-gke-cluster" + }, + "type": "kubernetes" + }, + "service": { + "name": "container.googleapis.com" + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/gcp/data_stream/audit/_dev/test/pipeline/test-sdh-3695.log-expected.json b/packages/gcp/data_stream/audit/_dev/test/pipeline/test-sdh-3695.log-expected.json index 5ca8763f2b8..fb79f53d17a 100644 
--- a/packages/gcp/data_stream/audit/_dev/test/pipeline/test-sdh-3695.log-expected.json +++ b/packages/gcp/data_stream/audit/_dev/test/pipeline/test-sdh-3695.log-expected.json @@ -39,6 +39,11 @@ "level": "INFO", "logger": "organizations/123456789098/logs/cloudaudit.googleapis.com%2Fdata_access" }, + "related": { + "user": [ + "joel.miller@contoso.com" + ] + }, "service": { "name": "cloudresourcemanager.googleapis.com" }, diff --git a/packages/gcp/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/data_stream/audit/elasticsearch/ingest_pipeline/default.yml index aeb43637671..a6b3566495f 100644 --- a/packages/gcp/data_stream/audit/elasticsearch/ingest_pipeline/default.yml +++ b/packages/gcp/data_stream/audit/elasticsearch/ingest_pipeline/default.yml @@ -178,6 +178,7 @@ processors: field: gcp.audit.labels copy_from: json.labels if: ctx.json?.labels != null + ## # RequestMetadata # .protoPayload.requestMetadata 
@@ -196,6 +197,48 @@ processors: - user_agent: field: user_agent.original ignore_missing: true + +## +# Metadata +# .protoPayload.metadata +# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog +## + - set: + field: gcp.audit.metadata + copy_from: json.protoPayload.metadata + if: ctx.json?.protoPayload?.metadata != null + +## +# PolicyViolationInfo +# .protoPayload.orgPolicyViolationInfo +# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#policyviolationinfo +## + - set: + field: gcp.audit.policy_violation_info.violations + copy_from: json.protoPayload.policyViolationInfo.orgPolicyViolationInfo.violationInfo + ignore_failure: true + - foreach: + field: gcp.audit.policy_violation_info.violations + ignore_missing: true + ignore_failure: true + processor: + rename: + field: _ingest._value.resourceAttributes + target_field: _ingest._value.resource_attributes + if: ctx?.gcp?.audit?.policy_violation_info != null && ctx?.gcp?.audit?.policy_violation_info instanceof List + - rename: + field: json.protoPayload.policyViolationInfo.orgPolicyViolationInfo.payload + target_field: gcp.audit.policy_violation_info.payload + ignore_failure: true + - rename: + field: json.protoPayload.policyViolationInfo.orgPolicyViolationInfo.resourceType + target_field: gcp.audit.policy_violation_info.resource_type + ignore_failure: true + - rename: + field: json.protoPayload.policyViolationInfo.orgPolicyViolationInfo.resourceTags + target_field: gcp.audit.policy_violation_info.resource_tags + ignore_failure: true + ## # LogEntryOperation # .operation @@ -300,6 +343,10 @@ processors: field: gcp.audit.status.message copy_from: json.protoPayload.status.message ignore_failure: true + - set: + field: gcp.audit.status.details + copy_from: json.protoPayload.status.details + if: ctx.json?.protoPayload?.status?.details != null - set: field: event.outcome value: success 
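Review bot: The `foreach` that renames `resourceAttributes` only runs when `ctx?.gcp?.audit?.policy_violation_info instanceof List`, but `policy_violation_info` is the object that holds `violations`, `payload`, `resource_type` and `resource_tags`, so the condition can never be true and the rename never executes; with `ignore_failure: true` on the processor nothing surfaces. The check should target the list itself, `if: ctx.gcp?.audit?.policy_violation_info?.violations instanceof List`. Note that `resource_attributes` is not declared under `violations` in the fields.yml hunk (`@@ -81,6 +85,35 @@`), so if the key is kept it needs a mapping, otherwise the rename can be dropped. The preceding `set` on `gcp.audit.policy_violation_info.violations` relies on `ignore_failure` where the sibling `metadata` `set` uses an `if` guard; `if: ctx.json?.protoPayload?.policyViolationInfo?.orgPolicyViolationInfo?.violationInfo != null` would make the two consistent and stop masking unrelated failures.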
@@ -365,6 +412,14 @@ processors: target_field: source.as.organization.name ignore_missing: true +# Related fields + - append: + field: related.ip + value: "{{{source.ip}}}" + - append: + field: related.user + value: "{{{client.user.email}}}" + if: ctx.client?.user?.email != null ## # clean-up ## diff --git a/packages/gcp/data_stream/audit/fields/fields.yml b/packages/gcp/data_stream/audit/fields/fields.yml index 2c7d5fd5364..64c5a61dd19 100644 --- a/packages/gcp/data_stream/audit/fields/fields.yml +++ b/packages/gcp/data_stream/audit/fields/fields.yml @@ -73,6 +73,10 @@ - name: last type: boolean description: "Optional. Set this to True if this is the last log entry in the operation." + - name: metadata + type: flattened + description: | + Service-specific data about the request, response, and other information associated with the current audited event. - name: method_name type: keyword description: | 
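Review bot: The `related.ip` append has no condition while its sibling `related.user` append is guarded with `if: ctx.client?.user?.email != null`; when `source.ip` is absent, `{{{source.ip}}}` renders to an empty string that the processor attempts to append, so the result depends on the clean-up stage that follows stripping it (the SetLabels expected event has no `source.ip` and no `related` at all, which suggests that is what happens today). Guard it the same way, `if: ctx.source?.ip != null`, and add `allow_duplicates: false` to both appends so `related.*` stays a set if later processors add to it. The enclosing `processors` list continues outside the hunk.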
@@ -81,6 +85,35 @@ type: long description: | The number of items returned from a List or Query API method, if applicable. + - name: policy_violation_info + type: group + fields: + - name: payload + type: flattened + description: Resource payload that is currently in scope and is subjected to orgpolicy conditions. + - name: resource_tags + type: flattened + description: Tags referenced on the resource at the time of evaluation. + - name: resource_type + type: keyword + description: Resource type that the orgpolicy is checked against. + - name: violations + type: nested + description: | + Provides information about the Policy violation info for the request. + fields: + - name: constraint + type: keyword + description: "Constraint name." + - name: errorMessage + type: keyword + description: "Error message that policy is indicating." + - name: checkedValue + type: keyword + description: "Value that is being checked for the policy." + - name: policyType + type: keyword + description: "Indicates the type of the policy." - name: request type: flattened - name: request_metadata @@ -122,6 +155,10 @@ - name: message type: keyword description: "A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client." + - name: details + type: flattened + description: | + A list of messages that carry the error details. - name: flattened type: flattened description: Contains the full audit document as sent by GCP. diff --git a/packages/gcp/docs/README.md b/packages/gcp/docs/README.md index e0bad49f091..a03698d796a 100644 --- a/packages/gcp/docs/README.md +++ b/packages/gcp/docs/README.md 
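Review bot: The sub-fields declared under `policy_violation_info.violations` keep the API's camelCase names (`errorMessage`, `checkedValue`, `policyType`) while every other field in this hunk and data stream is snake_case (`resource_type`, `resource_tags`, `num_response_items`), and the pipeline renames the sibling keys to snake_case but leaves these as they arrive. Either rename them in the `foreach` over `gcp.audit.policy_violation_info.violations` to `error_message`, `checked_value`, `policy_type` and declare those names here, or add a one-line comment above `violations` stating that its keys deliberately mirror the source. `violations` is also the only `nested` field in this block; if its entries are only ever filtered independently, `flattened` like `payload` and `resource_tags` would be simpler to query, but that is a judgement call for the maintainers.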
@@ -248,8 +248,16 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur | gcp.audit.logentry_operation.id | Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation. | keyword | | gcp.audit.logentry_operation.last | Optional. Set this to True if this is the last log entry in the operation. | boolean | | gcp.audit.logentry_operation.producer | Optional. An arbitrary producer identifier. The combination of id and producer must be globally unique. | keyword | +| gcp.audit.metadata | Service-specific data about the request, response, and other information associated with the current audited event. | flattened | | gcp.audit.method_name | The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. | keyword | | gcp.audit.num_response_items | The number of items returned from a List or Query API method, if applicable. | long | +| gcp.audit.policy_violation_info.payload | Resource payload that is currently in scope and is subjected to orgpolicy conditions. | flattened | +| gcp.audit.policy_violation_info.resource_tags | Tags referenced on the resource at the time of evaluation. | flattened | +| gcp.audit.policy_violation_info.resource_type | Resource type that the orgpolicy is checked against. | keyword | +| gcp.audit.policy_violation_info.violations.checkedValue | Value that is being checked for the policy. | keyword | +| gcp.audit.policy_violation_info.violations.constraint | Constraint name. | keyword | +| gcp.audit.policy_violation_info.violations.errorMessage | Error message that policy is indicating. | keyword | +| gcp.audit.policy_violation_info.violations.policyType | Indicates the type of the policy. | keyword | | gcp.audit.request | | flattened | | gcp.audit.request_metadata.caller_ip | The IP address of the caller. 
| ip | | gcp.audit.request_metadata.caller_supplied_user_agent | The user agent of the caller. This information is not authenticated and should be treated accordingly. | keyword | @@ -259,6 +267,7 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur | gcp.audit.response | | flattened | | gcp.audit.service_name | The name of the API service performing the operation. For example, datastore.googleapis.com. | keyword | | gcp.audit.status.code | The status code, which should be an enum value of google.rpc.Code. | integer | +| gcp.audit.status.details | A list of messages that carry the error details. | flattened | | gcp.audit.status.message | A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. | keyword | | gcp.audit.type | Type property. | keyword | | gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | diff --git a/packages/gcp/docs/audit.md b/packages/gcp/docs/audit.md index 00194adda03..de36ff79bf8 100644 --- a/packages/gcp/docs/audit.md +++ b/packages/gcp/docs/audit.md 
@@ -37,8 +37,16 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur | gcp.audit.logentry_operation.id | Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation. | keyword | | gcp.audit.logentry_operation.last | Optional. Set this to True if this is the last log entry in the operation. | boolean | | gcp.audit.logentry_operation.producer | Optional. An arbitrary producer identifier. The combination of id and producer must be globally unique. | keyword | +| gcp.audit.metadata | Service-specific data about the request, response, and other information associated with the current audited event. | flattened | | gcp.audit.method_name | The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. | keyword | | gcp.audit.num_response_items | The number of items returned from a List or Query API method, if applicable. | long | +| gcp.audit.policy_violation_info.payload | Resource payload that is currently in scope and is subjected to orgpolicy conditions. | flattened | +| gcp.audit.policy_violation_info.resource_tags | Tags referenced on the resource at the time of evaluation. | flattened | +| gcp.audit.policy_violation_info.resource_type | Resource type that the orgpolicy is checked against. | keyword | +| gcp.audit.policy_violation_info.violations.checkedValue | Value that is being checked for the policy. | keyword | +| gcp.audit.policy_violation_info.violations.constraint | Constraint name. | keyword | +| gcp.audit.policy_violation_info.violations.errorMessage | Error message that policy is indicating. | keyword | +| gcp.audit.policy_violation_info.violations.policyType | Indicates the type of the policy. | keyword | | gcp.audit.request | | flattened | | gcp.audit.request_metadata.caller_ip | The IP address of the caller. 
| ip | | gcp.audit.request_metadata.caller_supplied_user_agent | The user agent of the caller. This information is not authenticated and should be treated accordingly. | keyword | @@ -48,6 +56,7 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur | gcp.audit.response | | flattened | | gcp.audit.service_name | The name of the API service performing the operation. For example, datastore.googleapis.com. | keyword | | gcp.audit.status.code | The status code, which should be an enum value of google.rpc.Code. | integer | +| gcp.audit.status.details | A list of messages that carry the error details. | flattened | | gcp.audit.status.message | A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. | keyword | | gcp.audit.type | Type property. | keyword | | gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | diff --git a/packages/gcp/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json b/packages/gcp/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json index f29347eb9d9..45ee20ec766 100644 --- a/packages/gcp/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json +++ b/packages/gcp/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json @@ -2,7 +2,7 @@ "attributes": { "columns": [ "event.action", - "user.email", + "client.user.email", "service.name", "gcp.audit.type", "event.outcome", diff --git a/packages/gcp/manifest.yml b/packages/gcp/manifest.yml index 42b6273ef85..64276f363b5 100644 --- a/packages/gcp/manifest.yml +++ b/packages/gcp/manifest.yml @@ -1,6 +1,6 @@ name: gcp title: Google Cloud Platform -version: "2.37.1" +version: "2.38.0" description: Collect logs and metrics from Google Cloud Platform with Elastic Agent. type: integration icons: From 4a938930fdce6980996c3f9960ce28693a1df964 Mon Sep 17 00:00:00 2001 
From: Hanna Tamoudi Date: Mon, 26 Aug 2024 17:22:10 +0200 Subject: [PATCH 2/7] update changelog entry --- packages/gcp/changelog.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/gcp/changelog.yml b/packages/gcp/changelog.yml index f65b554ef38..0232b07bb8e 100644 --- a/packages/gcp/changelog.yml +++ b/packages/gcp/changelog.yml @@ -1,9 +1,9 @@ # newer versions go on top - version: "2.38.0" changes: - - description: Add `policy_violation_info`, `metadata` and `related` fields to audit logs. + - description: Add `policy_violation_info`, `metadata` and `related` fields to audit logs. Update GCP audit log dashboard to use correct `email` field. type: enhancement - link: https://github.com/elastic/integrations/pull/9931 + link: https://github.com/elastic/integrations/pull/10886 - version: "2.37.1" changes: - description: Improve GCP Billing documentation. From d25b938a912801d1b982d3b9c7d623dd1d552a21 Mon Sep 17 00:00:00 2001 From: Hanna Tamoudi Date: Fri, 6 Sep 2024 09:19:43 +0200 Subject: [PATCH 3/7] Update packages/gcp/data_stream/audit/_dev/test/pipeline/test-audit.log Co-authored-by: Dan Kortschak --- .../gcp/data_stream/audit/_dev/test/pipeline/test-audit.log | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/gcp/data_stream/audit/_dev/test/pipeline/test-audit.log b/packages/gcp/data_stream/audit/_dev/test/pipeline/test-audit.log index 3bdf7260aef..dbf8c6e9fff 100644 --- a/packages/gcp/data_stream/audit/_dev/test/pipeline/test-audit.log +++ b/packages/gcp/data_stream/audit/_dev/test/pipeline/test-audit.log 
@@ -12,7 +12,7 @@ {"insertId":"03adfb9f-71a3-4f41-9701-29b5542f4d23","logName":"projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"xxx@xxx.xxx","principalSubject":"sub","serviceAccountKeyName":"//xxx@xxx"},"authorizationInfo":[{"granted":true,"permission":"iam.serviceAccounts.list","resource":"projects/project","resourceAttributes":{}}],"methodName":"google.iam.admin.v1.ListServiceAccounts","request":{"@type":"type.googleapis.com/google.iam.admin.v1.ListServiceAccountsRequest","name":"projects/project","page_token":"cg:FFFFFF"},"requestMetadata":{"callerIp":"gce-internal-ip","callerSuppliedUserAgent":"google-api-go-client/0.5,gzip(gfe)","destinationAttributes":{},"requestAttributes":{"auth":{},"time":"2022-02-21T13:57:39.178418578Z"}},"resourceName":"projects/project","serviceName":"iam.googleapis.com","status":{}},"receiveTimestamp":"2022-02-21T13:57:39.341344991Z","resource":{"labels":{"location":"global","method":"google.iam.admin.v1.ListServiceAccounts","project_id":"project","service":"iam.googleapis.com","version":"v1"},"type":"api"},"severity":"INFO","timestamp":"2022-02-21T13:57:39.174555198Z"} {"insertId":"03adfb9f-71a3-4f41-9701-29b5542f4d24","labels":{"authentication.k8s.io/legacy-token":"system:serviceaccount:kube-system:metrics-server","authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"metrics-server:system:auth-delegator\" of ClusterRole \"system:auth-delegator\" to ServiceAccount 
\"metrics-server/kube-system\"","k8s.io/deprecated":"true","k8s.io/removed-release":"1.22"},"logName":"projects/project","operation":{"first":true,"id":"924fbbf6-1982-4173-9355-3fca0ab7b0ee","last":true,"producer":"k8s.io"},"protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"xxx@xxx.xxx"},"authorizationInfo":[{"granted":true,"permission":"io.k8s.authorization.v1beta1.subjectaccessreviews.create","resource":"authorization.k8s.io/v1beta1/subjectaccessreviews"}],"methodName":"io.k8s.authorization.v1beta1.subjectaccessreviews.create","request":{"@type":"authorization.k8s.io/v1beta1.SubjectAccessReview","apiVersion":"authorization.k8s.io/v1beta1","kind":"SubjectAccessReview","metadata":{"creationTimestamp":null},"spec":{"group":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"],"nonResourceAttributes":{"path":"/apis/metrics.k8s.io/v1beta1","verb":"get"},"user":"system:serviceaccount:kube-system:resourcequota-controller"},"status":{"allowed":false}},"requestMetadata":{"callerIp":"67.43.156.13","callerSuppliedUserAgent":"metrics-server/v0.0.0 (linux/amd64) kubernetes/$Format"},"resourceName":"authorization.k8s.io/v1beta1/subjectaccessreviews","response":{"@type":"authorization.k8s.io/v1beta1.SubjectAccessReview","apiVersion":"authorization.k8s.io/v1beta1","kind":"SubjectAccessReview","metadata":{"creationTimestamp":null,"managedFields":[{"apiVersion":"authorization.k8s.io/v1beta1","fieldsType":"FieldsV1","fieldsV1":{"f:spec":{"f:group":{},"f:nonResourceAttributes":{".":{},"f:path":{},"f:verb":{}},"f:user":{}}},"manager":"metrics-server","operation":"Update","time":"2022-02-21T14:00:40Z"}]},"spec":{"group":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"],"nonResourceAttributes":{"path":"/apis/metrics.k8s.io/v1beta1","verb":"get"},"user":"system:serviceaccount:kube-system:resourcequota-controller"},"status":{"allowed":true,"reason":"RBAC: 
allowed by ClusterRoleBinding \"system:discovery\" of ClusterRole \"system:discovery\" to Group \"system:authenticated\""}},"serviceName":"k8s.io","status":{}},"receiveTimestamp":"2022-02-21T14:00:42.030209174Z","resource":{"labels":{"cluster_name":"elastic","location":"europe-west1","project_id":"project"},"type":"k8s_cluster"},"timestamp":"2022-02-21T14:00:40.802327Z"} {"insertId":"e5132c86-462b-41b3-9b6a-47966addbb0b","labels":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""},"logName":"projects/iammai-340819/logs/cloudaudit.googleapis.com%2Factivity","operation":{"first": true,"id":"e5132c86-462b-41b3-9b6a-47966addbb0b","last": true,"producer":"k8s.io"},"protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"system:addon-manager"},"authorizationInfo":[{"granted": true,"permission":"io.k8s.apps.v1.deployments.patch","resource":"apps/v1/namespaces/kube-system/deployments/konnectivity-agent"}],"methodName":"io.k8s.apps.v1.deployments.patch","request":{"@type":"k8s.io/Patch","spec":{"strategy":{"$retainKeys":["type"]},"template":{"spec":{"$setElementOrder/volumes":[{"name":"konnectivity-agent-token"}],"volumes":[{"$retainKeys":["name","projected"],"name":"konnectivity-agent-token","projected":{"sources":[{"serviceAccountToken":{"audience":"system:konnectivity-server","path":"konnectivity-agent-token"}}]}}]}}}},"requestMetadata":{"callerIp":"10.142.0.152","callerSuppliedUserAgent":"kubectl/v1.20.2 (linux/amd64) 
kubernetes/faecb19"},"resourceName":"apps/v1/namespaces/kube-system/deployments/konnectivity-agent","response":{"@type":"apps.k8s.io/v1.Deployment","apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{"components.gke.io/layer":"addon","deployment.kubernetes.io/revision":"1","kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"apps/v1\",\"kind\":\"Deployment\",\"metadata\":{\"annotations\":{\"components.gke.io/layer\":\"addon\"},\"labels\":{\"addonmanager.kubernetes.io/mode\":\"Reconcile\",\"k8s-app\":\"konnectivity-agent\"},\"name\":\"konnectivity-agent\",\"namespace\":\"kube-system\"},\"spec\":{\"selector\":{\"matchLabels\":{\"k8s-app\":\"konnectivity-agent\"}},\"strategy\":{\"type\":\"RollingUpdate\"},\"template\":{\"metadata\":{\"annotations\":{\"cluster-autoscaler.kubernetes.io/safe-to-evict\":\"true\",\"components.gke.io/component-name\":\"konnectivitynetworkproxy-combined\",\"components.gke.io/component-version\":\"1.3.3\"},\"labels\":{\"k8s-app\":\"konnectivity-agent\"}},\"spec\":{\"containers\":[{\"args\":[\"--logtostderr=true\",\"--ca-cert=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt\",\"--proxy-server-host=34.75.195.103\",\"--proxy-server-port=8132\",\"--health-server-port=8093\",\"--admin-server-port=8094\",\"--sync-interval=5s\",\"--probe-interval=5s\",\"--service-account-token-path=/var/run/secrets/tokens/konnectivity-agent-token\",\"--v=3\"],\"command\":[\"/proxy-agent\"],\"env\":[{\"name\":\"POD_NAME\",\"valueFrom\":{\"fieldRef\":{\"fieldPath\":\"metadata.name\"}}},{\"name\":\"POD_NAMESPACE\",\"valueFrom\":{\"fieldRef\":{\"fieldPath\":\"metadata.namespace\"}}}],\"image\":\"gke.gcr.io/proxy-agent:v0.0.24-gke.0\",\"livenessProbe\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":8093},\"initialDelaySeconds\":15,\"timeoutSeconds\":15},\"name\":\"konnectivity-agent\",\"ports\":[{\"containerPort\":8093,\"name\":\"metrics\",\"protocol\":\"TCP\"}],\"resources\":{\"limits\":{\"memory\":\"125Mi\"},\"requests\":{\"cpu\":\"1
0m\",\"memory\":\"30Mi\"}},\"securityContext\":{\"allowPrivilegeEscalation\":false,\"capabilities\":{\"drop\":[\"all\"]}},\"volumeMounts\":[{\"mountPath\":\"/var/run/secrets/tokens\",\"name\":\"konnectivity-agent-token\"}]}],\"nodeSelector\":{\"beta.kubernetes.io/os\":\"linux\"},\"priorityClassName\":\"system-cluster-critical\",\"securityContext\":{\"fsGroup\":1000,\"runAsGroup\":1000,\"runAsUser\":1000},\"serviceAccountName\":\"konnectivity-agent\",\"tolerations\":[{\"key\":\"CriticalAddonsOnly\",\"operator\":\"Exists\"},{\"effect\":\"NoSchedule\",\"key\":\"sandbox.gke.io/runtime\",\"operator\":\"Equal\",\"value\":\"gvisor\"},{\"key\":\"components.gke.io/gke-managed-components\",\"operator\":\"Exists\"}],\"topologySpreadConstraints\":[{\"labelSelector\":{\"matchLabels\":{\"k8s-app\":\"konnectivity-agent\"}},\"maxSkew\":1,\"topologyKey\":\"topology.kubernetes.io/zone\",\"whenUnsatisfiable\":\"ScheduleAnyway\"},{\"labelSelector\":{\"matchLabels\":{\"k8s-app\":\"konnectivity-agent\"}},\"maxSkew\":1,\"topologyKey\":\"kubernetes.io/hostname\",\"whenUnsatisfiable\":\"ScheduleAnyway\"}],\"volumes\":[{\"name\":\"konnectivity-agent-token\",\"projected\":{\"sources\":[{\"serviceAccountToken\":{\"audience\":\"system:konnectivity-server\",\"path\":\"konnectivity-agent-token\"}}]}}]}}}}"},"creationTimestamp":"2022-03-16T21:29:13Z","generation": 
2,"labels":{"addonmanager.kubernetes.io/mode":"Reconcile","k8s-app":"konnectivity-agent"},"managedFields":[{"apiVersion":"apps/v1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:components.gke.io/layer":{},"f:kubectl.kubernetes.io/last-applied-configuration":{}},"f:labels":{".":{},"f:addonmanager.kubernetes.io/mode":{},"f:k8s-app":{}}},"f:spec":{"f:progressDeadlineSeconds":{},"f:replicas":{},"f:revisionHistoryLimit":{},"f:selector":{},"f:strategy":{"f:rollingUpdate":{".":{},"f:maxSurge":{},"f:maxUnavailable":{}},"f:type":{}},"f:template":{"f:metadata":{"f:annotations":{".":{},"f:cluster-autoscaler.kubernetes.io/safe-to-evict":{},"f:components.gke.io/component-name":{},"f:components.gke.io/component-version":{}},"f:labels":{".":{},"f:k8s-app":{}}},"f:spec":{"f:containers":{"k:{\"name\":\"konnectivity-agent\"}":{".":{},"f:args":{},"f:command":{},"f:env":{".":{},"k:{\"name\":\"POD_NAME\"}":{".":{},"f:name":{},"f:valueFrom":{".":{},"f:fieldRef":{".":{},"f:apiVersion":{},"f:fieldPath":{}}}},"k:{\"name\":\"POD_NAMESPACE\"}":{".":{},"f:name":{},"f:valueFrom":{".":{},"f:fieldRef":{".":{},"f:apiVersion":{},"f:fieldPath":{}}}}},"f:image":{},"f:imagePullPolicy":{},"f:livenessProbe":{".":{},"f:failureThreshold":{},"f:httpGet":{".":{},"f:path":{},"f:port":{},"f:scheme":{}},"f:initialDelaySeconds":{},"f:periodSeconds":{},"f:successThreshold":{},"f:timeoutSeconds":{}},"f:name":{},"f:ports":{".":{},"k:{\"containerPort\":8093,\"protocol\":\"TCP\"}":{".":{},"f:containerPort":{},"f:name":{},"f:protocol":{}}},"f:resources":{".":{},"f:limits":{".":{},"f:memory":{}},"f:requests":{".":{},"f:cpu":{},"f:memory":{}}},"f:securityContext":{".":{},"f:allowPrivilegeEscalation":{},"f:capabilities":{".":{},"f:drop":{}}},"f:terminationMessagePath":{},"f:terminationMessagePolicy":{},"f:volumeMounts":{".":{},"k:{\"mountPath\":\"/var/run/secrets/tokens\"}":{".":{},"f:mountPath":{},"f:name":{}}}}},"f:dnsPolicy":{},"f:nodeSelector":{".":{},"f:beta.kubernetes.io/os":{}},"f:p
riorityClassName":{},"f:restartPolicy":{},"f:schedulerName":{},"f:securityContext":{".":{},"f:fsGroup":{},"f:runAsGroup":{},"f:runAsUser":{}},"f:serviceAccount":{},"f:serviceAccountName":{},"f:terminationGracePeriodSeconds":{},"f:tolerations":{},"f:topologySpreadConstraints":{".":{},"k:{\"topologyKey\":\"kubernetes.io/hostname\",\"whenUnsatisfiable\":\"ScheduleAnyway\"}":{".":{},"f:labelSelector":{},"f:maxSkew":{},"f:topologyKey":{},"f:whenUnsatisfiable":{}},"k:{\"topologyKey\":\"topology.kubernetes.io/zone\",\"whenUnsatisfiable\":\"ScheduleAnyway\"}":{".":{},"f:labelSelector":{},"f:maxSkew":{},"f:topologyKey":{},"f:whenUnsatisfiable":{}}},"f:volumes":{".":{},"k:{\"name\":\"konnectivity-agent-token\"}":{".":{},"f:name":{},"f:projected":{".":{},"f:defaultMode":{},"f:sources":{}}}}}}}},"manager":"kubectl-client-side-apply","operation":"Update","time":"2022-03-16T21:29:13Z"},{"apiVersion":"apps/v1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{"f:deployment.kubernetes.io/revision":{}}},"f:status":{"f:availableReplicas":{},"f:conditions":{".":{},"k:{\"type\":\"Available\"}":{".":{},"f:lastTransitionTime":{},"f:lastUpdateTime":{},"f:message":{},"f:reason":{},"f:status":{},"f:type":{}},"k:{\"type\":\"Progressing\"}":{".":{},"f:lastTransitionTime":{},"f:lastUpdateTime":{},"f:message":{},"f:reason":{},"f:status":{},"f:type":{}}},"f:observedGeneration":{},"f:readyReplicas":{},"f:replicas":{},"f:updatedReplicas":{}}},"manager":"kube-controller-manager","operation":"Update","time":"2022-03-17T08:55:52Z"}],"name":"konnectivity-agent","namespace":"kube-system","resourceVersion":"280105","uid":"d3b49e97-7bac-435e-bfc6-19a25fe494fe"},"spec":{"progressDeadlineSeconds": 600,"replicas": 6,"revisionHistoryLimit": 
10,"selector":{"matchLabels":{"k8s-app":"konnectivity-agent"}},"strategy":{"rollingUpdate":{"maxSurge":"25%","maxUnavailable":"25%"},"type":"RollingUpdate"},"template":{"metadata":{"annotations":{"cluster-autoscaler.kubernetes.io/safe-to-evict":"true","components.gke.io/component-name":"konnectivitynetworkproxy-combined","components.gke.io/component-version":"1.3.3"},"creationTimestamp": null,"labels":{"k8s-app":"konnectivity-agent"}},"spec":{"containers":[{"args":["--logtostderr=true","--ca-cert=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt","--proxy-server-host=34.75.195.103","--proxy-server-port=8132","--health-server-port=8093","--admin-server-port=8094","--sync-interval=5s","--probe-interval=5s","--service-account-token-path=/var/run/secrets/tokens/konnectivity-agent-token","--v=3"],"command":["/proxy-agent"],"env":[{"name":"POD_NAME","valueFrom":{"fieldRef":{"apiVersion":"v1","fieldPath":"metadata.name"}}},{"name":"POD_NAMESPACE","valueFrom":{"fieldRef":{"apiVersion":"v1","fieldPath":"metadata.namespace"}}}],"image":"gke.gcr.io/proxy-agent:v0.0.24-gke.0","imagePullPolicy":"IfNotPresent","livenessProbe":{"failureThreshold": 3,"httpGet":{"path":"/healthz","port": 8093,"scheme":"HTTP"},"initialDelaySeconds": 15,"periodSeconds": 10,"successThreshold": 1,"timeoutSeconds": 15},"name":"konnectivity-agent","ports":[{"containerPort": 8093,"name":"metrics","protocol":"TCP"}],"resources":{"limits":{"memory":"125Mi"},"requests":{"cpu":"10m","memory":"30Mi"}},"securityContext":{"allowPrivilegeEscalation": false,"capabilities":{"drop":["all"]}},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","volumeMounts":[{"mountPath":"/var/run/secrets/tokens","name":"konnectivity-agent-token"}]}],"dnsPolicy":"ClusterFirst","nodeSelector":{"beta.kubernetes.io/os":"linux"},"priorityClassName":"system-cluster-critical","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{"fsGroup": 1000,"runAsGroup": 1000,"runAsUser": 
1000},"serviceAccount":"konnectivity-agent","serviceAccountName":"konnectivity-agent","terminationGracePeriodSeconds": 30,"tolerations":[{"key":"CriticalAddonsOnly","operator":"Exists"},{"effect":"NoSchedule","key":"sandbox.gke.io/runtime","operator":"Equal","value":"gvisor"},{"key":"components.gke.io/gke-managed-components","operator":"Exists"}],"topologySpreadConstraints":[{"labelSelector":{"matchLabels":{"k8s-app":"konnectivity-agent"}},"maxSkew": 1,"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"ScheduleAnyway"},{"labelSelector":{"matchLabels":{"k8s-app":"konnectivity-agent"}},"maxSkew": 1,"topologyKey":"kubernetes.io/hostname","whenUnsatisfiable":"ScheduleAnyway"}],"volumes":[{"name":"konnectivity-agent-token","projected":{"defaultMode": 420,"sources":[{"serviceAccountToken":{"audience":"system:konnectivity-server","expirationSeconds": 3600,"path":"konnectivity-agent-token"}}]}}]}}},"status":{"availableReplicas": 6,"conditions":[{"lastTransitionTime":"2022-03-17T08:55:41Z","lastUpdateTime":"2022-03-17T08:55:41Z","message":"ReplicaSet \"konnectivity-agent-56c9b8cf8\" has successfully progressed.","reason":"NewReplicaSetAvailable","status":"True","type":"Progressing"},{"lastTransitionTime":"2022-03-17T08:55:52Z","lastUpdateTime":"2022-03-17T08:55:52Z","message":"Deployment has minimum availability.","reason":"MinimumReplicasAvailable","status":"True","type":"Available"}],"observedGeneration": 2,"readyReplicas": 6,"replicas": 6,"updatedReplicas": 6}},"serviceName":"k8s.io","status":{}},"receiveTimestamp":"2022-03-21T19:46:38.090036928Z","resource":{"labels":{"cluster_name":"iammai-340819-gke-cluster","location":"us-east1","project_id":"iammai-340819"},"type":"k8s_cluster"},"timestamp":"2022-03-21T19:46:36.090498Z"} 
-{"insertId":"15ciwwfd47gm","logName":"projects/elastic/logs/cloudaudit.googleapis.com%2Fdata_access","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"servoce-xxxx@developer.gserviceaccount.com","principalSubject":"serviceAccount:servoce-xxxx@developer.gserviceaccount.com"},"authorizationInfo":[{"granted":true,"permission":"container.clusters.get","resourceAttributes":{}}],"methodName":"google.container.v1.ClusterManager.GetCluster","policyViolationInfo":{"orgPolicyViolationInfo":{}},"request":{"@type":"type.googleapis.com/google.container.v1alpha1.GetClusterRequest","name":"projects/elastic-product/locations/us-central1-a/clusters/demo-elastic-co"},"requestMetadata":{"callerIp":"192.168.1.1","callerSuppliedUserAgent":"google-api-go-client/0.5 cluster-autoscaler,gzip(gfe)","destinationAttributes":{},"requestAttributes":{"auth":{},"time":"2022-06-01T11:15:10.836131149Z"}},"resourceLocation":{"currentLocations":["us-central1-a"]},"resourceName":"projects/elastic-product/zones/us-central1-a/clusters/demo-elastic-co","serviceName":"container.googleapis.com"},"receiveTimestamp":"2022-06-01T11:15:11.07151757Z","resource":{"labels":{"cluster_name":"demo-elastic-co","location":"us-central1-a","project_id":"elastic-product"},"type":"gke_cluster"},"severity":"INFO","timestamp":"2022-06-01T11:15:10.842495409Z","logging.googleapis.com/timestamp":"2022-06-01T11:15:10.842495409Z"} 
+{"insertId":"15ciwwfd47gm","logName":"projects/elastic/logs/cloudaudit.googleapis.com%2Fdata_access","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"service-xxxx@developer.gserviceaccount.com","principalSubject":"serviceAccount:service-xxxx@developer.gserviceaccount.com"},"authorizationInfo":[{"granted":true,"permission":"container.clusters.get","resourceAttributes":{}}],"methodName":"google.container.v1.ClusterManager.GetCluster","policyViolationInfo":{"orgPolicyViolationInfo":{}},"request":{"@type":"type.googleapis.com/google.container.v1alpha1.GetClusterRequest","name":"projects/elastic-product/locations/us-central1-a/clusters/demo-elastic-co"},"requestMetadata":{"callerIp":"192.168.1.1","callerSuppliedUserAgent":"google-api-go-client/0.5 cluster-autoscaler,gzip(gfe)","destinationAttributes":{},"requestAttributes":{"auth":{},"time":"2022-06-01T11:15:10.836131149Z"}},"resourceLocation":{"currentLocations":["us-central1-a"]},"resourceName":"projects/elastic-product/zones/us-central1-a/clusters/demo-elastic-co","serviceName":"container.googleapis.com"},"receiveTimestamp":"2022-06-01T11:15:11.07151757Z","resource":{"labels":{"cluster_name":"demo-elastic-co","location":"us-central1-a","project_id":"elastic-product"},"type":"gke_cluster"},"severity":"INFO","timestamp":"2022-06-01T11:15:10.842495409Z","logging.googleapis.com/timestamp":"2022-06-01T11:15:10.842495409Z"} 
{"insertId":"4pyr6eegiuw1","logName":"projects/elastic/logs/cloudaudit.googleapis.com%2Fdata_access","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"xxx-compute@developer.gserviceaccount.com","serviceAccountDelegationInfo":[{}]},"authorizationInfo":[{"granted":true,"permission":"storage.objects.get","resource":"projects/_/buckets/dataflow-staging-us-central1-xxx/objects/staging/xxx.jar","resourceAttributes":{}}],"methodName":"storage.objects.get","requestMetadata":{"callerSuppliedUserAgent":"BigstoreFile BigstoreIO (cr/xxx)","destinationAttributes":{},"requestAttributes":{"auth":{},"time":"2022-06-01T11:19:08.205760711Z"}},"resourceLocation":{"currentLocations":["us-central1"]},"resourceName":"projects/_/buckets/dataflow-staging-us-central1-xxx/objects/staging/jfxrt-xxx.jar","serviceName":"storage.googleapis.com","status":{}},"receiveTimestamp":"2022-06-01T11:19:08.699785539Z","resource":{"labels":{"bucket_name":"dataflow-staging-us-central1-150691754250","location":"us-central1","project_id":"elastic-product"},"type":"gcs_bucket"},"severity":"INFO","timestamp":"2022-06-01T11:19:08.199407722Z","logging.googleapis.com/timestamp":"2022-06-01T11:19:08.199407722Z"} 
{"insertId":"15ciwwfd47gf","logName":"projects/elastic/logs/cloudaudit.googleapis.com%2Fdata_access","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"servoce-xxxx@developer.gserviceaccount.com","principalSubject":"serviceAccount:servoce-xxxx@developer.gserviceaccount.com"},"authorizationInfo":[{"granted":true,"permission":"container.clusters.get","resourceAttributes":{}}],"methodName":"google.container.v1.ClusterManager.GetCluster","policyViolationInfo":{"orgPolicyViolationInfo":{}},"request":{"@type":"type.googleapis.com/google.container.v1alpha1.GetClusterRequest","name":"projects/elastic-product/locations/us-central1-a/clusters/demo-elastic-co","policy":"scalar-policy"},"requestMetadata":{"callerIp":"192.168.1.1","callerSuppliedUserAgent":"google-api-go-client/0.5 cluster-autoscaler,gzip(gfe)","destinationAttributes":{},"requestAttributes":{"auth":{},"time":"2022-06-01T11:15:10.836131149Z"}},"resourceLocation":{"currentLocations":["us-central1-a"]},"resourceName":"projects/elastic-product/zones/us-central1-a/clusters/demo-elastic-co","serviceName":"container.googleapis.com"},"receiveTimestamp":"2022-06-01T11:15:11.07151757Z","resource":{"labels":{"cluster_name":"demo-elastic-co","location":"us-central1-a","project_id":"elastic-product"},"type":"gke_cluster"},"severity":"INFO","timestamp":"2022-06-01T11:15:10.842495409Z","logging.googleapis.com/timestamp":"2022-06-01T11:15:10.842495409Z"} 
{"insertId":"03adfb9f-71a3-4f41-9701-29b5542f4d23","logName":"projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"xxx@xxx.xxx","principalSubject":"sub","serviceAccountKeyName":"//xxx@xxx"},"authorizationInfo":[{"granted":true,"permission":"iam.serviceAccounts.list","resource":"projects/project","resourceAttributes":{}}],"methodName":"google.iam.admin.v1.ListServiceAccounts","request":{"@type":"type.googleapis.com/google.iam.admin.v1.ListServiceAccountsRequest","name":"projects/project","page_token":"cg:FFFFFF"},"requestMetadata":{"callerIp":"private","callerSuppliedUserAgent":"google-api-go-client/0.5,gzip(gfe)","destinationAttributes":{},"requestAttributes":{"auth":{},"time":"2022-02-21T13:57:39.178418578Z"}},"resourceName":"projects/project","serviceName":"iam.googleapis.com","status":{}},"receiveTimestamp":"2022-02-21T13:57:39.341344991Z","resource":{"labels":{"location":"global","method":"google.iam.admin.v1.ListServiceAccounts","project_id":"project","service":"iam.googleapis.com","version":"v1"},"type":"api"},"severity":"INFO","timestamp":"2022-02-21T13:57:39.174555198Z"} From 5e93e6227f101780c8e2c8fa3b14e282d15da7e8 Mon Sep 17 00:00:00 2001 From: Hanna Tamoudi Date: Fri, 6 Sep 2024 13:39:57 +0200 Subject: [PATCH 4/7] Update packages/gcp/changelog.yml Co-authored-by: Dan Kortschak --- packages/gcp/changelog.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/packages/gcp/changelog.yml b/packages/gcp/changelog.yml index 0232b07bb8e..adc4039cdc9 100644 --- a/packages/gcp/changelog.yml +++ b/packages/gcp/changelog.yml 
@@ -1,9 +1,12 @@
# newer versions go on top
- version: "2.38.0"
changes:
- - description: Add `policy_violation_info`, `metadata` and `related` fields to audit logs. Update GCP audit log dashboard to use correct `email` field.
+ - description: Add `policy_violation_info`, `metadata` and `related` fields to audit logs.
type: enhancement
link: https://github.com/elastic/integrations/pull/10886
+ - description: Update GCP audit log dashboard to use correct `email` field.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/10886
- version: "2.37.1"
changes:
- description: Improve GCP Billing documentation.
From e5f67618cbe4c6097152ba9375774cd8e9ca2043 Mon Sep 17 00:00:00 2001
From: Hanna Tamoudi
Date: Fri, 6 Sep 2024 13:40:14 +0200
Subject: [PATCH 5/7] Update packages/gcp/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
Co-authored-by: Dan Kortschak
---
.../data_stream/audit/elasticsearch/ingest_pipeline/default.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/gcp/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
index a6b3566495f..016258f8de9 100644
--- a/packages/gcp/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/gcp/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
@@ -346,7 +346,7 @@ processors:
- set:
field: gcp.audit.status.details
copy_from: json.protoPayload.status.details
- if: ctx.json?.protoPayload?.status?.details != null
+ ignore_empty_value: true
- set:
field: event.outcome
value: success
From e909a3d531864005e9f607cefd789ece32473ca6 Mon Sep 17 00:00:00 2001
From: Hanna Tamoudi
Date: Fri, 6 Sep 2024 13:40:36 +0200
Subject: [PATCH 6/7] Update packages/gcp/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
Co-authored-by: Dan Kortschak
---
.../data_stream/audit/elasticsearch/ingest_pipeline/default.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
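Review bot: `gcp.audit.status.details` is copied verbatim from `protoPayload.status.details`, which is a list of protobuf `Any` messages whose keys depend on the `@type` (the fixture in this series carries a `google.rpc.PreconditionFailure` with a nested `violations` array), so the target field needs a mapping that tolerates arbitrary sub-keys — `flattened`, or an explicit object mapping for the shapes you expect — or the first unexpected payload shape is rejected at index time or keeps growing the mapping; the fields.yml this series touches is not in this chunk, so this may already be covered. The switch from the `if` guard to `ignore_empty_value: true` appears equivalent here, since `copy_from` on a missing source path also exits quietly. The enclosing `processors` list continues outside the hunk.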
diff --git a/packages/gcp/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
index 016258f8de9..7e2c1c114a4 100644
--- a/packages/gcp/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/gcp/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
@@ -225,7 +225,7 @@ processors:
rename:
field: _ingest._value.resourceAttributes
target_field: _ingest._value.resource_attributes
- if: ctx?.gcp?.audit?.policy_violation_info != null && ctx?.gcp?.audit?.policy_violation_info instanceof List
+ if: ctx.gcp?.audit?.policy_violation_info instanceof List
- rename:
field: json.protoPayload.policyViolationInfo.orgPolicyViolationInfo.payload
target_field: gcp.audit.policy_violation_info.payload
From 0c205512410359ce7780fcdb759e36bd9eb107a0 Mon Sep 17 00:00:00 2001
From: Hanna Tamoudi
Date: Fri, 6 Sep 2024 19:53:40 +0200
Subject: [PATCH 7/7] allow duplicate false in gcp audit log
---
.../data_stream/audit/_dev/test/pipeline/test-audit.log | 2 +-
.../audit/_dev/test/pipeline/test-audit.log-expected.json | 8 ++++----
.../audit/elasticsearch/ingest_pipeline/default.yml | 2 ++
3 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/packages/gcp/data_stream/audit/_dev/test/pipeline/test-audit.log b/packages/gcp/data_stream/audit/_dev/test/pipeline/test-audit.log
index dbf8c6e9fff..42d0170e4d4 100644
--- a/packages/gcp/data_stream/audit/_dev/test/pipeline/test-audit.log
+++ b/packages/gcp/data_stream/audit/_dev/test/pipeline/test-audit.log
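Review bot: The `rename` of `_ingest._value.resourceAttributes` carries no `ignore_missing: true` in the visible lines, so any list element without that key makes the rename throw and, absent an `on_failure` handler, fails the whole document; the `violationInfo` entries in this series' own fixture carry `constraint`/`errorMessage`/`checkedValue`/`policyType` and no `resourceAttributes`. If the enclosing `foreach` iterates that list, add `ignore_missing: true` under `target_field:`; if it iterates a list whose elements always carry the key, a one-line comment saying so would spare the next reader the same question. The simplified condition `ctx.gcp?.audit?.policy_violation_info instanceof List` is sound on its own, since `instanceof` is false for null. The enclosing processor starts outside the hunk.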
@@ -19,4 +19,4 @@ {"protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","status":{"message":"InstancemigratedduringComputeEnginemaintenance."},"authenticationInfo":{"principalEmail":"system@google.com"},"serviceName":"compute.googleapis.com","methodName":"compute.instances.migrateOnHostMaintenance","resourceName":"projects/elastic-siem/zones/us-central1-c/instances/sep-perf-debian-11-155","request":{"@type":"type.googleapis.com/compute.instances.migrateOnHostMaintenance"}},"insertId":"-g2g374e10tyi","resource":{"type":"gce_instance","labels":{"instance_id":"5630355820693738547","zone":"us-central1-c","project_id":"elastic-siem"}},"timestamp":"2024-08-20T23:40:30.997109Z","severity":"INFO","labels":{"compute.googleapis.com/root_trigger_id":"b11f3ce7-7400-4ba4-9cee-eee4c65e38b4"},"logName":"projects/elastic-siem/logs/cloudaudit.googleapis.com%2Fsystem_event","operation":{"id":"systemevent-1724197136000-62025edd06400-961ecb86-ebb8062e","producer":"compute.instances.migrateOnHostMaintenance","first":true,"last":true},"receiveTimestamp":"2024-08-20T23:40:31.703530860Z"} {"protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","status":{"code": 
7,"message":"PERMISSION_DENIED","details":[{"@type":"type.googleapis.com/google.rpc.PreconditionFailure","violations":[{"type":"VPC_SERVICE_CONTROLS","description":"ljv4RZNmza4g69MMoOXBtRrlNKRYTjjhgkadQiqlfhmDZhClaMVgjoWA"}]}]},"authenticationInfo":{},"requestMetadata":{"callerIp":"192.168.1.1","requestAttributes":{},"destinationAttributes":{}},"serviceName":"storage.googleapis.com","methodName":"google.storage.buckets.get","resourceName":"projects/elastic-siem","metadata":{"securityPolicyInfo":{"servicePerimeterName":"accessPolicies/30507210272/servicePerimeters/some_service","organizationId":"614830067722"},"vpcServiceControlsUniqueId":"ljv4RZNmza4g69MMoOXBtRrlNKRYTjjhgkadQiqlfhmDZhClaMVgjoWA","accessLevels":["accessPolicies/30507210272/accessLevels/thingy","accessPolicies/30507210272/accessLevels/test_us"],"@type":"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata","ingressViolations":[{"servicePerimeter":"accessPolicies/30507210272/servicePerimeters/some_service","targetResource":"projects/elastic-siem/locations/us-central1"}],"violationReason":"NO_MATCHING_ACCESS_LEVEL","resourceNames":["projects/elastic-siem/locations/us-central1"]}},"insertId":"d21cmyd7av9","resource":{"type":"audited_resource","labels":{"project_id":"elastic-siem","method":"google.storage.buckets.get","service":"storage.googleapis.com"}},"timestamp":"2021-09-13T03:10:14.801613786Z","severity":"ERROR","logName":"projects/elastic-siem/logs/cloudaudit.googleapis.com%2Fpolicy","receiveTimestamp":"2021-09-13T03:10:15.410616031Z"} {"insertId":"15ciwwfd47gf","logName":"projects/elastic/logs/cloudaudit.googleapis.com%2Fdata_access","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"servoce-xxxx@developer.gserviceaccount.com","principalSubject":"serviceAccount:servoce-xxxx@developer.gserviceaccount.com"},"authorizationInfo":[{"granted": 
true,"permission":"container.clusters.get","resourceAttributes":{}}],"methodName":"google.container.v1.ClusterManager.GetCluster","policyViolationInfo":{"orgPolicyViolationInfo":{"payload":{"key1":"value1","key2":"value2"},"resourceType":"compute.googleapis.com/Instance","resourceTags":{"instance_id":"INSTANCE_ID","zone":"us-central1-a"},"violationInfo":[{"constraint":"compute.vmExternalIpAccess","errorMessage":"This policy disallows the use of external IP addresses for VM instances.","checkedValue":"Value","policyType":"CUSTOM_CONSTRAINT"}]}},"request":{"@type":"type.googleapis.com/google.container.v1alpha1.GetClusterRequest","name":"projects/elastic-product/locations/us-central1-a/clusters/demo-elastic-co","policy":"scalar-policy"},"requestMetadata":{"callerIp":"192.168.1.1","callerSuppliedUserAgent":"google-api-go-client/0.5 cluster-autoscaler,gzip(gfe)","destinationAttributes":{},"requestAttributes":{"auth":{},"time":"2022-06-01T11:15:10.836131149Z"}},"resourceLocation":{"currentLocations":["us-central1-a"]},"resourceName":"projects/elastic-product/zones/us-central1-a/clusters/demo-elastic-co","serviceName":"container.googleapis.com"},"receiveTimestamp":"2022-06-01T11:15:11.07151757Z","resource":{"labels":{"cluster_name":"demo-elastic-co","location":"us-central1-a","project_id":"elastic-product"},"type":"gke_cluster"},"severity":"INFO","timestamp":"2022-06-01T11:15:10.842495409Z","logging.googleapis.com/timestamp":"2022-06-01T11:15:10.842495409Z"} 
-{"protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","status":{},"serviceName":"container.googleapis.com","methodName":"google.container.v1.ClusterManager.SetLabels","resourceName":"projects/elastic-siem/zones/us-central1-c/clusters/endpoint-gke-cluster","metadata":{"operationType":"UPDATE_CLUSTER"},"resourceLocation":{"currentLocations":["us-central1-c"]},"policyViolationInfo":{"orgPolicyViolationInfo":{}}},"insertId":"17ah0cpe10gvp","resource":{"type":"gke_cluster","labels":{"location":"us-central1-c","cluster_name":"endpoint-gke-cluster","project_id":"elastic-siem"}},"timestamp":"2024-08-23T02:12:01.626546355Z","severity":"NOTICE","logName":"projects/elastic-siem/logs/cloudaudit.googleapis.com%2Factivity","operation":{"id":"operation-1724379121483-d43ef943-bcf8-46e9-9ff2-ba71cfbc26b2","producer":"container.googleapis.com","last": true},"receiveTimestamp":"2024-08-23T02:12:02.419428097Z"} \ No newline at end of file +{"protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","status":{},"serviceName":"container.googleapis.com","methodName":"google.container.v1.ClusterManager.SetLabels","resourceName":"projects/elastic-siem/zones/us-central1-c/clusters/endpoint-gke-cluster","metadata":{"operationType":"UPDATE_CLUSTER"},"resourceLocation":{"currentLocations":["us-central1-c"]},"policyViolationInfo":{"orgPolicyViolationInfo":{}}},"insertId":"17ah0cpe10gvp","resource":{"type":"gke_cluster","labels":{"location":"us-central1-c","cluster_name":"endpoint-gke-cluster","project_id":"elastic-siem"}},"timestamp":"2024-08-23T02:12:01.626546355Z","severity":"NOTICE","logName":"projects/elastic-siem/logs/cloudaudit.googleapis.com%2Factivity","operation":{"id":"operation-1724379121483-d43ef943-bcf8-46e9-9ff2-ba71cfbc26b2","producer":"container.googleapis.com","last": true},"receiveTimestamp":"2024-08-23T02:12:02.419428097Z"} 
diff --git a/packages/gcp/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json b/packages/gcp/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json
index d0129ba4c9d..8ea7905c637 100644
--- a/packages/gcp/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json
+++ b/packages/gcp/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json
@@ -1687,8 +1687,8 @@
"@timestamp": "2022-06-01T11:15:10.842Z",
"client": {
"user": {
- "email": "servoce-xxxx@developer.gserviceaccount.com",
- "id": "serviceAccount:servoce-xxxx@developer.gserviceaccount.com"
+ "email": "service-xxxx@developer.gserviceaccount.com",
+ "id": "serviceAccount:service-xxxx@developer.gserviceaccount.com"
}
},
"cloud": {
@@ -1708,7 +1708,7 @@ ], "id": "15ciwwfd47gm", "kind": "event", - "original": "{\"insertId\":\"15ciwwfd47gm\",\"logName\":\"projects/elastic/logs/cloudaudit.googleapis.com%2Fdata_access\",\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"authenticationInfo\":{\"principalEmail\":\"servoce-xxxx@developer.gserviceaccount.com\",\"principalSubject\":\"serviceAccount:servoce-xxxx@developer.gserviceaccount.com\"},\"authorizationInfo\":[{\"granted\":true,\"permission\":\"container.clusters.get\",\"resourceAttributes\":{}}],\"methodName\":\"google.container.v1.ClusterManager.GetCluster\",\"policyViolationInfo\":{\"orgPolicyViolationInfo\":{}},\"request\":{\"@type\":\"type.googleapis.com/google.container.v1alpha1.GetClusterRequest\",\"name\":\"projects/elastic-product/locations/us-central1-a/clusters/demo-elastic-co\"},\"requestMetadata\":{\"callerIp\":\"192.168.1.1\",\"callerSuppliedUserAgent\":\"google-api-go-client/0.5 cluster-autoscaler,gzip(gfe)\",\"destinationAttributes\":{},\"requestAttributes\":{\"auth\":{},\"time\":\"2022-06-01T11:15:10.836131149Z\"}},\"resourceLocation\":{\"currentLocations\":[\"us-central1-a\"]},\"resourceName\":\"projects/elastic-product/zones/us-central1-a/clusters/demo-elastic-co\",\"serviceName\":\"container.googleapis.com\"},\"receiveTimestamp\":\"2022-06-01T11:15:11.07151757Z\",\"resource\":{\"labels\":{\"cluster_name\":\"demo-elastic-co\",\"location\":\"us-central1-a\",\"project_id\":\"elastic-product\"},\"type\":\"gke_cluster\"},\"severity\":\"INFO\",\"timestamp\":\"2022-06-01T11:15:10.842495409Z\",\"logging.googleapis.com/timestamp\":\"2022-06-01T11:15:10.842495409Z\"}", + "original": 
"{\"insertId\":\"15ciwwfd47gm\",\"logName\":\"projects/elastic/logs/cloudaudit.googleapis.com%2Fdata_access\",\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"authenticationInfo\":{\"principalEmail\":\"service-xxxx@developer.gserviceaccount.com\",\"principalSubject\":\"serviceAccount:service-xxxx@developer.gserviceaccount.com\"},\"authorizationInfo\":[{\"granted\":true,\"permission\":\"container.clusters.get\",\"resourceAttributes\":{}}],\"methodName\":\"google.container.v1.ClusterManager.GetCluster\",\"policyViolationInfo\":{\"orgPolicyViolationInfo\":{}},\"request\":{\"@type\":\"type.googleapis.com/google.container.v1alpha1.GetClusterRequest\",\"name\":\"projects/elastic-product/locations/us-central1-a/clusters/demo-elastic-co\"},\"requestMetadata\":{\"callerIp\":\"192.168.1.1\",\"callerSuppliedUserAgent\":\"google-api-go-client/0.5 cluster-autoscaler,gzip(gfe)\",\"destinationAttributes\":{},\"requestAttributes\":{\"auth\":{},\"time\":\"2022-06-01T11:15:10.836131149Z\"}},\"resourceLocation\":{\"currentLocations\":[\"us-central1-a\"]},\"resourceName\":\"projects/elastic-product/zones/us-central1-a/clusters/demo-elastic-co\",\"serviceName\":\"container.googleapis.com\"},\"receiveTimestamp\":\"2022-06-01T11:15:11.07151757Z\",\"resource\":{\"labels\":{\"cluster_name\":\"demo-elastic-co\",\"location\":\"us-central1-a\",\"project_id\":\"elastic-product\"},\"type\":\"gke_cluster\"},\"severity\":\"INFO\",\"timestamp\":\"2022-06-01T11:15:10.842495409Z\",\"logging.googleapis.com/timestamp\":\"2022-06-01T11:15:10.842495409Z\"}", "outcome": "success", "provider": "data_access", "type": [ @@ -1751,7 +1751,7 @@ "192.168.1.1" ], "user": [ - "servoce-xxxx@developer.gserviceaccount.com" + "service-xxxx@developer.gserviceaccount.com" ] }, "service": { diff --git a/packages/gcp/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/data_stream/audit/elasticsearch/ingest_pipeline/default.yml index 7e2c1c114a4..e705b8f329a 100644 
--- a/packages/gcp/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/gcp/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
@@ -416,10 +416,12 @@ processors:
- append:
field: related.ip
value: "{{{source.ip}}}"
+ allow_duplicates: false
- append:
field: related.user
value: "{{{client.user.email}}}"
if: ctx.client?.user?.email != null
+ allow_duplicates: false
##
# clean-up
##
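Review bot: The `related.ip` append has no `if` guard, unlike the `related.user` append right below it that checks `ctx.client?.user?.email != null`; when `source.ip` is absent the `{{{source.ip}}}` template renders as an empty string, and that is what gets appended — `allow_duplicates: false` only dedups values, it does not skip empty ones. Unless the clean-up step that follows strips empty strings out of arrays (it starts outside the hunk), add `if: ctx.source?.ip != null` to the first append so the two processors are guarded the same way. Either way, a one-line comment on the first append naming where empty values are dropped would make the asymmetry read as deliberate.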