| Workload location |
Root and organization workloads |
| Audit log source | |
| Audited operations |
Update a zone
| Fields in the log entry that contain audit information | ||
|---|---|---|
| Audit metadata | Audit field name | Value |
| User or service identity | user.username |
For example, "user":{ "username": "dns@example.com" } |
|
Target (Fields and values that call the API) |
requestURI |
|
|
Action (Fields containing the performed operation) |
verb |
|
| Event timestamp |
ts
|
For example,
|
| Source of action | sourceIPs |
For example,
|
| Outcome | responseStatus.code |
For example, "responseStatus":{ "code":200 } |
| Other fields |
|
For example, "annotations":{ "authorization.k8s.io/decision":"allow" }, "objectRef":{ "resourceVersion":"697063", "uid":"aed2e6f7-ca03-4bcd-9c07-167ccd4da88e", "apiVersion":"v1", "resource":"configmaps", "apiGroup":"UNKNOWN", "namespace":"dns-system", "name":"gpc-coredns-external-zonefile" } |
Example log
{
"_gdch_cluster":"root-admin",
"_gdch_fluentbit_pod":"anthos-audit-logs-forwarder-7s769",
"_gdch_service_name":"apiserver",
"annotations":{
"authorization.k8s.io/decision":"allow",
"authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"dns-core-controllers-rolebinding\" of ClusterRole \"dns-core-controllers-role\" to ServiceAccount \"dns-core-controller-sa/dns-system\"",
},
"apiVersion":"audit.k8s.io/v1",
"auditID":"ba0344d7-283f-4d79-aabc-e083al9b053a",
"kind":"Event",
"level":"Metadata",
"objectRef":{
"resourceVersion":"697063",
"uid":"aed2e6f7-ca03-4bcd-9c07-167ccd4da88e",
"apiVersion":"v1",
"resource":"configmaps",
"apiGroup":"UNKNOWN",
"namespace":"dns-system",
"name":"gpc-coredns-external-zonefile"
},
"requestReceivedTimestamp":"2022-11-11T22:02:02.034688Z",
"requestURI":"/api/v1/namespaces/dns-system/configmaps/gpc-coredns-external-zonefile",
"responseStatus":{
"metadata":{},
"code":200
},
"sourceIPs":["10.142.5.147"],
"stage":"ResponseComplete",
"stageTimestamp":"2022-11-11T22:02:02.045045Z",
"ts":2022-11-11T22:02:02.074Z,
"tsNs":1668204122074601081,
"user":{
"uid":"08f727c9-5e3d-403f-bf35-06ef53f9832c",
"groups":[
"system:serviceaccounts",
"system:serviceaccounts:dns-system",
"system:authenticated"
],
"username": "system:serviceaccount:dns-system:dns-core-controller-sa",
"extra": {
"authentication.kubernetes.io/pod-name":["dns-core-controller-58c4646858-z8kmr"],
"authentication.kubernetes.io/pod-uid":["7cfc9b72-aacc-4e86-b43f-016498055230"]
}
},
"userAgent":"controller-manager/v0.0.0 (linux/amd64) kubernetes/$Format",
"verb":"update"
}
Create a ManagedDNSZone
| Fields in the log entry that contain audit information | ||
|---|---|---|
| Audit metadata | Audit field name | Value |
| User or service identity | user.username |
For example, "user":{ "username": "system:bootstrap:xqk4xc" } |
|
Target (Fields and values that call the API) |
requestURI |
|
|
Action (Fields containing the performed operation) |
verb |
|
| Event timestamp |
requestReceivedTimestamp
|
For example,
|
| Source of action | sourceIPs |
For example,
|
| Outcome | responseStatus.code |
For example, "responseStatus":{ "code":201 } |
| Other fields |
|
For example, "annotations":{ "authorization.k8s.io/decision":"allow", "authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"e2e-test\" of ClusterRole \"cluster-admin\" to Group \"system:bootstrappers:gce-e2e\"", "mutation.webhook.admission.k8s.io/round_0_index_1":"{\"configuration\":\"gatekeeper-mutating-webhook-configuration\",\"webhook\":\"mutation.gatekeeper.sh\",\"mutated\":false}" }, "objectRef":{ "apiGroup":"networking.global.gdc.goog", "apiVersion":"v1", "name":"public-cf-zone-1", "namespace":"cloud-dns-2", "resource":"manageddnszones" } |
Example log
{
"_gdch_cluster": "org-1-admin",
"_gdch_component": "user_kubectl",
"_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-ttpfw",
"_gdch_org_id": "org-1.zone1.google.gdch.test",
"_gdch_org_name": "org-1",
"_gdch_zone_id": "zone1",
"annotations": {
"authorization.k8s.io/decision": "allow",
"authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"e2e-test\" of ClusterRole \"cluster-admin\" to Group \"system:bootstrappers:gce-e2e\"",
"mutation.webhook.admission.k8s.io/round_0_index_1": "{\"configuration\":\"gatekeeper-mutating-webhook-configuration\",\"webhook\":\"mutation.gatekeeper.sh\",\"mutated\":false}"
},
"apiVersion": "audit.k8s.io/v1",
"auditID": "3de6821e-4e40-4bbc-9c9c-285c59ddaa19",
"kind": "Event",
"level": "Request",
"objectRef": {
"apiGroup": "networking.global.gdc.goog",
"apiVersion": "v1",
"name": "public-cf-zone-1",
"namespace": "cloud-dns-2",
"resource": "manageddnszones"
},
"requestObject": {
"apiVersion": "networking.global.gdc.goog/v1",
"kind": "ManagedDNSZone",
"metadata": {
"creationTimestamp": null,
"name": "public-cf-zone-1",
"namespace": "cloud-dns-2"
},
"spec": {
"description": "Public DNS zone for Cloud Foundry",
"dnsName": "cf1.dns2",
"visibility": "PUBLIC"
}
},
"requestReceivedTimestamp": "2026-05-08T09:51:45.320229Z",
"requestURI": "/apis/networking.global.gdc.goog/v1/namespaces/cloud-dns-2/manageddnszones?fieldManager=kubectl-create&fieldValidation=Strict",
"responseStatus": {
"code": 201,
"metadata": {}
},
"sourceIPs": [
"10.200.0.1",
"10.0.138.150"
],
"stage": "ResponseComplete",
"stageTimestamp": "2026-05-08T09:51:45.528379Z",
"user": {
"groups": [
"system:bootstrappers",
"system:bootstrappers:gce-e2e",
"system:authenticated"
],
"username": "system:bootstrap:xqk4xc"
},
"userAgent": "kubectl/v1.28.3 (linux/amd64) kubernetes/a8a1abc",
"verb": "create"
}
Create a ResourceRecordSet
| Fields in the log entry that contain audit information | ||
|---|---|---|
| Audit metadata | Audit field name | Value |
| User or service identity | user.username |
For example, "user":{ "username": "system:serviceaccount:dns-system:dns-prober-sa" } |
|
Target (Fields and values that call the API) |
requestURI |
|
|
Action (Fields containing the performed operation) |
verb |
|
| Event timestamp |
requestReceivedTimestamp
|
For example,
|
| Source of action | sourceIPs |
For example,
|
| Outcome | responseStatus.code |
For example, "responseStatus":{ "code":201 } |
| Other fields |
|
For example, "annotations":{ "authorization.k8s.io/decision":"allow", "authorization.k8s.io/reason":"RBAC: allowed by RoleBinding \"dns-prober-global-prober-rolebinding/dns-system\" of Role \"dns-prober-global-prober-role\" to ServiceAccount \"dns-prober-sa/dns-system\"", "mutation.webhook.admission.k8s.io/round_0_index_0":"{\"configuration\":\"dns-managed-dns-v1-mutation\",\"webhook\":\"resourcerecordsets.networking.global.gdc.goog\",\"mutated\":true}", "mutation.webhook.admission.k8s.io/round_0_index_1":"{\"configuration\":\"gatekeeper-mutating-webhook-configuration\",\"webhook\":\"mutation.gatekeeper.sh\",\"mutated\":false}", "patch.webhook.admission.k8s.io/round_0_index_0":"{\"configuration\":\"dns-managed-dns-v1-mutation\",\"webhook\":\"resourcerecordsets.networking.global.gdc.goog\",\"patch\":[{\"op\":\"add\",\"path\":\"/metadata/creationTimestamp\",\"value\":null},{\"op\":\"add\",\"path\":\"/metadata/labels\",\"value\":{\"clouddns.private.gdc.goog/dnszone\":\"test.prober.private\"}},{\"op\":\"add\",\"path\":\"/metadata/annotations\",\"value\":{\"clouddns.private.gdc.goog/token\":\"synpi4vyatjbdwy2-a-pri\"}}],\"patchType\":\"JSONPatch\"}" }, "objectRef":{ "apiGroup":"networking.global.gdc.goog", "apiVersion":"v1", "name":"prober-test-rrs-zone1-private", "namespace":"dns-system", "resource":"resourcerecordsets" } |
Example log
{
"_gdch_cluster": "org-1-admin",
"_gdch_component": "dns",
"_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-ggwr5",
"_gdch_org_id": "org-1.zone1.google.gdch.test",
"_gdch_org_name": "org-1",
"_gdch_zone_id": "zone1",
"annotations": {
"authorization.k8s.io/decision": "allow",
"authorization.k8s.io/reason": "RBAC: allowed by RoleBinding \"dns-prober-global-prober-rolebinding/dns-system\" of Role \"dns-prober-global-prober-role\" to ServiceAccount \"dns-prober-sa/dns-system\"",
"mutation.webhook.admission.k8s.io/round_0_index_0": "{\"configuration\":\"dns-managed-dns-v1-mutation\",\"webhook\":\"resourcerecordsets.networking.global.gdc.goog\",\"mutated\":true}",
"mutation.webhook.admission.k8s.io/round_0_index_1": "{\"configuration\":\"gatekeeper-mutating-webhook-configuration\",\"webhook\":\"mutation.gatekeeper.sh\",\"mutated\":false}",
"patch.webhook.admission.k8s.io/round_0_index_0": "{\"configuration\":\"dns-managed-dns-v1-mutation\",\"webhook\":\"resourcerecordsets.networking.global.gdc.goog\",\"patch\":[{\"op\":\"add\",\"path\":\"/metadata/creationTimestamp\",\"value\":null},{\"op\":\"add\",\"path\":\"/metadata/labels\",\"value\":{\"clouddns.private.gdc.goog/dnszone\":\"test.prober.private\"}},{\"op\":\"add\",\"path\":\"/metadata/annotations\",\"value\":{\"clouddns.private.gdc.goog/token\":\"synpi4vyatjbdwy2-a-pri\"}}],\"patchType\":\"JSONPatch\"}"
},
"apiVersion": "audit.k8s.io/v1",
"auditID": "12851275-a785-41fa-8e2b-8469bd9d1f65",
"kind": "Event",
"level": "Request",
"objectRef": {
"apiGroup": "networking.global.gdc.goog",
"apiVersion": "v1",
"name": "prober-test-rrs-zone1-private",
"namespace": "dns-system",
"resource": "resourcerecordsets"
},
"requestObject": {
"apiVersion": "networking.global.gdc.goog/v1",
"kind": "ResourceRecordSet",
"metadata": {
"creationTimestamp": null,
"name": "prober-test-rrs-zone1-private",
"namespace": "dns-system"
},
"spec": {
"dnsZone": "prober-test-managed-dns-private",
"name": "prober-test-rrs-zone1-private.test.prober.private",
"rrData": [
"192.168.100.100"
],
"ttlSeconds": 30,
"type": "A"
},
"status": {
"rollout": {
"strategy": {
"type": ""
}
}
}
},
"requestReceivedTimestamp": "2026-05-08T08:48:30.748194Z",
"requestURI": "/apis/networking.global.gdc.goog/v1/namespaces/dns-system/resourcerecordsets",
"responseStatus": {
"code": 201,
"metadata": {}
},
"sourceIPs": [
"10.0.130.26",
"10.0.136.209"
],
"stage": "ResponseComplete",
"stageTimestamp": "2026-05-08T08:48:30.964607Z",
"user": {
"extra": {
"__AIS_token_issuer_zone": [
"zone1"
]
},
"groups": [
"system:authenticated"
],
"username": "system:serviceaccount:dns-system:dns-prober-sa"
},
"userAgent": "prober/v0.0.0 (linux/amd64) kubernetes/$Format",
"verb": "create"
}