GKE cluster creator in GCP

How do we get the details of the cluster owner in GKE? The logging section contains only service account operation entries; nowhere is there an entry containing the user ID principal email.

It seems very hard to obtain the username of the user who created the GKE cluster.

We exported the complete JSON log file, but there is no entry for the user who actually clicked the create cluster button. I think this is a very common use case for finding out the GKE cluster creator, not sure if we are missing something.

Query:

resource.type="k8s_cluster"
resource.labels.cluster_name="clusterName"
resource.labels.location="us-central1"
-protoPayload.methodName="io.k8s.core.v1.configmaps.update"
-protoPayload.methodName="io.k8s.coordination.v1.leases.update"
-protoPayload.methodName="io.k8s.core.v1.endpoints.update"
severity=DEFAULT
-protoPayload.authenticationInfo.principalEmail="system:addon-manager"
-protoPayload.methodName="io.k8s.apiserver.flowcontrol.v1beta1.flowschemas.status.patch"
-protoPayload.methodName="io.k8s.certificates.v1.certificatesigningrequests.create"
-protoPayload.methodName="io.k8s.core.v1.resourcequotas.delete"
-protoPayload.methodName="io.k8s.core.v1.pods.create"
-protoPayload.methodName="io.k8s.apiregistration.v1.apiservices.create"

I referred to the link below, but it did not help either.

https://cloud.google.com/blog/products/management-tools/finding-your-gke-logs

Audit Logs and specifically Admin Activity Logs

There is also a "trick": activity audit log entries include the API method. You can find the API method you are interested in. It is not super straightforward, but relatively easy. You can start by determining the scope of the service. For GKE, the service is container.googleapis.com.

NOTE APIs Explorer and Kubernetes Engine API (but really container.googleapis.com) and projects.locations.clusters.create. The mechanism breaks down a little here as the protoPayload.methodName is a variant of the underlying REST method name.

So you can use the Logs Explorer for the following very broad query:

logName="projects/{PROJECT}/logs/cloudaudit.googleapis.com%2Factivity"
container.googleapis.com

NOTE replace {PROJECT} with the value.

Then refine based on what is returned:

logName="projects/{PROJECT}/logs/cloudaudit.googleapis.com%2Factivity"
protoPayload.serviceName="container.googleapis.com"
protoPayload.methodName="google.container.v1beta1.ClusterManager.CreateCluster"

NOTE I mentioned that it isn't super straightforward because, as you can see in the above, I'd used gcloud beta container clusters create and so I need the google.container.v1beta1.ClusterManager.CreateCluster method but, it was easy to determine this from the logs.

And, who did it?

protoPayload: {
  authenticationInfo: {
    principalEmail: "{me}"
  }
}

So:

PROJECT="[YOUR-PROJECT]"

FILTER="
logName=\"projects/${PROJECT}/logs/cloudaudit.googleapis.com%2Factivity\"
protoPayload.serviceName=\"container.googleapis.com\"
protoPayload.methodName=\"google.container.v1beta1.ClusterManager.CreateCluster\"
"

gcloud logging read "${FILTER}" \
--project="${PROJECT}" \
--format="value(protoPayload.authenticationInfo.principalEmail)"
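The same lookup applied offline to the kind of JSON export the question mentions, as an added example that is not part of the answer above. It applies the answer's filter (the activity audit log, serviceName container.googleapis.com, a CreateCluster method) to exported log entries and reports protoPayload.authenticationInfo.principalEmail together with the cluster, location, caller IP and timestamp. It goes slightly beyond the answer in accepting both the v1 and the v1beta1 method name, since which one is logged depends on whether the cluster was created with `gcloud beta` or not. The project name, the principal and the three log entries are constructed for the demo; the resource type "gke_cluster" and serviceName "k8s.io" for in-cluster Kubernetes entries are assumed to match what GKE emits.

```python
"""Find the creator of a GKE cluster in an exported Cloud Audit Log.

Added example, not code from the original post. Filters a Logs Explorer
JSON export down to Admin Activity entries for container.googleapis.com
whose method is a CreateCluster variant and reports who called it.
"""
import json
import re

# The answer hit google.container.v1beta1.ClusterManager.CreateCluster because
# it used `gcloud beta`; a plain `gcloud container clusters create` or the
# console logs the v1 method. Accept any v1/v1betaN variant so neither is missed.
CREATE_CLUSTER_RE = re.compile(
    r"^google\.container\.v1(beta\d+)?\.ClusterManager\.CreateCluster$"
)
ACTIVITY_LOG_SUFFIX = "/logs/cloudaudit.googleapis.com%2Factivity"


def is_cluster_create(entry: dict) -> bool:
    """True for Admin Activity entries that record a GKE CreateCluster call."""
    payload = entry.get("protoPayload") or {}
    return (
        entry.get("logName", "").endswith(ACTIVITY_LOG_SUFFIX)
        and payload.get("serviceName") == "container.googleapis.com"
        and CREATE_CLUSTER_RE.match(payload.get("methodName", "")) is not None
    )


def cluster_creators(entries: list) -> list:
    """One record per CreateCluster entry: principal, cluster, location, time."""
    found = []
    for entry in entries:
        if not is_cluster_create(entry):
            continue
        payload = entry["protoPayload"]
        labels = (entry.get("resource") or {}).get("labels") or {}
        found.append({
            "cluster": labels.get("cluster_name"),
            "location": labels.get("location"),
            "principal": (payload.get("authenticationInfo") or {}).get("principalEmail"),
            "caller_ip": (payload.get("requestMetadata") or {}).get("callerIp"),
            "method": payload["methodName"],
            "time": entry.get("timestamp"),
        })
    return found


def load_entries(text: str) -> list:
    """Parse a Logs Explorer download: a JSON array or newline-delimited JSON."""
    text = text.strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample export (hypothetical project, principals and addresses):
# the creating user, a noisy in-cluster Kubernetes entry of the kind the
# question's query was excluding, and an unrelated GKE call by a service account.
ACTIVITY_LOG = "projects/demo-project/logs/cloudaudit.googleapis.com%2Factivity"
SAMPLE_ENTRIES = [
    {
        "logName": ACTIVITY_LOG,
        "timestamp": "2023-03-01T10:00:00Z",
        "resource": {"type": "gke_cluster",
                     "labels": {"cluster_name": "demo-cluster",
                                "location": "us-central1",
                                "project_id": "demo-project"}},
        "protoPayload": {
            "serviceName": "container.googleapis.com",
            "methodName": "google.container.v1beta1.ClusterManager.CreateCluster",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "requestMetadata": {"callerIp": "203.0.113.7"},
        },
    },
    {
        "logName": ACTIVITY_LOG,
        "timestamp": "2023-03-01T10:05:00Z",
        "resource": {"type": "k8s_cluster",
                     "labels": {"cluster_name": "demo-cluster",
                                "location": "us-central1"}},
        "protoPayload": {
            "serviceName": "k8s.io",
            "methodName": "io.k8s.core.v1.configmaps.update",
            "authenticationInfo": {"principalEmail": "system:addon-manager"},
        },
    },
    {
        "logName": ACTIVITY_LOG,
        "timestamp": "2023-03-02T09:00:00Z",
        "resource": {"type": "gke_cluster",
                     "labels": {"cluster_name": "demo-cluster",
                                "location": "us-central1"}},
        "protoPayload": {
            "serviceName": "container.googleapis.com",
            "methodName": "google.container.v1.ClusterManager.SetNodePoolSize",
            "authenticationInfo": {
                "principalEmail": "ops-sa@demo-project.iam.gserviceaccount.com"},
        },
    },
]
SAMPLE_EXPORT = "\n".join(json.dumps(e) for e in SAMPLE_ENTRIES)

if __name__ == "__main__":
    for rec in cluster_creators(load_entries(SAMPLE_EXPORT)):
        print(f"{rec['cluster']} ({rec['location']}) created by {rec['principal']} "
              f"from {rec['caller_ip']} at {rec['time']} via {rec['method']}")
```

To run it against a real export, replace SAMPLE_EXPORT with the contents of the downloaded file; only the Admin Activity log (the `%2Factivity` logName) is consulted, so the Kubernetes API entries that dominated the question's query are ignored regardless of how many there are.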