Support for Google Kubernetes Engine (GKE) #18

Open
cpick opened this issue Sep 10, 2018 · 4 comments

Comments

@cpick

cpick commented Sep 10, 2018

Google's managed Kubernetes service redirects the Kubernetes Audit Log to their Cloud Audit Logging/Stackdriver Logging services. These logs can be queried using the gcloud command line tools, e.g.:

gcloud logging read --freshness=1h --format=json 'logName="projects/MY_PROJECT_NAME/logs/cloudaudit.googleapis.com%2Factivity" severity=ERROR'

This produces output formatted like this:

[
  {
    "insertId": "230ba8alnweli",
    "labels": {
      "cluster_version": "1.10.6-gke.2"
    },
    "logName": "projects/test-project/logs/cloudaudit.googleapis.com%2Factivity",
    "operation": {
      "id": "ae820cad-230q-ae80-8ca0-ce0af238adwd",
      "producer": "k8s.io"
    },
    "protoPayload": {
      "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
      "authenticationInfo": {
        "principalEmail": "system:serviceaccount:test-ns:test-sa"
      },
      "authorizationInfo": [
        {
          "permission": "com.coreos.database.etcd.v1beta2.etcdbackups.create",
          "resource": "etcd.database.coreos.com/v1beta2/namespaces/test-ns/etcdbackups"
        }
      ],
      "methodName": "com.coreos.database.etcd.v1beta2.etcdbackups.create",
      "requestMetadata": {
        "callerIp": "78.123.102.30"
      },
      "resourceName": "etcd.database.coreos.com/v1beta2/namespaces/test-ns/etcdbackups",
      "serviceName": "k8s.io",
      "status": {
        "code": 7,
        "message": "etcdbackups.etcd.database.coreos.com is forbidden: User \"system:serviceaccount:test-ns:test-sa\" cannot create etcdbackups.etcd.database.coreos.com in the namespace \"test-ns\": Unknown user \"system:serviceaccount:test-ns:test-sa\""
      }
    },
    "receiveTimestamp": "2018-09-10T11:18:00.109312987Z",
    "resource": {
      "labels": {
        "cluster_name": "test-cluster",
        "location": "us-central1",
        "project_id": "test-project"
      },
      "type": "k8s_cluster"
    },
    "severity": "ERROR",
    "timestamp": "2018-09-10T11:18:00.109312Z"
  }
]

Would it be reasonable to try to support this format in audit2rbac?

(I am relatively new to Kubernetes/GKE so I could be mistaken about how GKE's audit logging works, but I think the above description is accurate.)
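The entry above carries the same facts an apiserver audit event does (principal, verb, group/version/namespace/resource, caller IP, outcome), just under Cloud Audit Logging's field names. The script below is an added example, not part of this issue or of audit2rbac, showing how such entries can be translated into `audit.k8s.io/v1` Event objects written one per line, the shape the apiserver's own log backend produces. The field mapping is an assumption made here: the last dotted segment of `methodName` is taken as the Kubernetes verb, the `resourceName` path is split into an `objectRef`, a `core` group label is read as the legacy core group, and `google.rpc.Code` 7 (PERMISSION_DENIED) becomes an HTTP 403. The sample input is a trimmed copy of the entry quoted in the issue.

```python
import json
import sys
from typing import Any, Dict, List, Optional

# Constructed sample: the Cloud Audit Log entry quoted in the issue, trimmed to the
# fields this converter reads.
SAMPLE_GKE_ENTRIES: List[Dict[str, Any]] = [{
    "insertId": "230ba8alnweli",
    "protoPayload": {
        "authenticationInfo": {"principalEmail": "system:serviceaccount:test-ns:test-sa"},
        "methodName": "com.coreos.database.etcd.v1beta2.etcdbackups.create",
        "requestMetadata": {"callerIp": "78.123.102.30"},
        "resourceName": "etcd.database.coreos.com/v1beta2/namespaces/test-ns/etcdbackups",
        "serviceName": "k8s.io",
        "status": {"code": 7, "message": "etcdbackups.etcd.database.coreos.com is forbidden"},
    },
    "timestamp": "2018-09-10T11:18:00.109312Z",
}]

# google.rpc.Code values mapped to the HTTP status the apiserver would have sent.
GRPC_TO_HTTP = {0: 200, 3: 400, 5: 404, 6: 409, 7: 403, 16: 401}


def parse_resource_name(resource_name: str) -> Dict[str, Any]:
    """Split '<group>/<version>/namespaces/<ns>/<resource>[/<name>]' into objectRef
    fields. Assumption: the group label 'core' denotes the legacy core group ('')."""
    parts = resource_name.split("/")
    if len(parts) < 3:
        raise ValueError(f"unexpected resourceName: {resource_name!r}")
    group, version, rest = parts[0], parts[1], parts[2:]
    ref: Dict[str, Any] = {"apiGroup": "" if group == "core" else group, "apiVersion": version}
    if len(rest) >= 2 and rest[0] == "namespaces":
        namespace, rest = rest[1], rest[2:]
        if not rest:  # the request targeted the Namespace object itself
            return {**ref, "resource": "namespaces", "name": namespace}
        ref["namespace"] = namespace
    ref["resource"] = rest[0]
    if len(rest) > 1:
        ref["name"] = rest[1]
    return ref


def request_uri(ref: Dict[str, Any]) -> str:
    """Rebuild the apiserver request path from the objectRef."""
    core = ref["apiGroup"] == ""
    uri = f"/api/{ref['apiVersion']}" if core else f"/apis/{ref['apiGroup']}/{ref['apiVersion']}"
    if ref.get("namespace"):
        uri += f"/namespaces/{ref['namespace']}"
    uri += f"/{ref['resource']}"
    return uri + f"/{ref['name']}" if ref.get("name") else uri


def user_info(principal: str) -> Dict[str, Any]:
    """Derive the groups the apiserver attaches to a service account identity."""
    groups = ["system:authenticated"]
    if principal.startswith("system:serviceaccount:"):
        ns = principal.split(":")[2]
        groups = ["system:serviceaccounts", f"system:serviceaccounts:{ns}"] + groups
    return {"username": principal, "groups": groups}


def convert_entry(entry: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Map one Cloud Audit Log entry to an audit.k8s.io/v1 Event at Metadata level;
    entries not produced by the Kubernetes apiserver yield None."""
    payload = entry.get("protoPayload", {})
    if payload.get("serviceName") != "k8s.io":
        return None
    ref = parse_resource_name(payload["resourceName"])
    verb = payload["methodName"].rsplit(".", 1)[-1]  # assumption: last segment is the verb
    code = GRPC_TO_HTTP.get(payload.get("status", {}).get("code", 0), 500)
    status: Dict[str, Any] = {"metadata": {}, "code": code}
    if code == 403:
        status.update({"status": "Failure", "reason": "Forbidden"})
    event: Dict[str, Any] = {
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
        "auditID": entry["insertId"], "stage": "ResponseComplete",
        "requestURI": request_uri(ref), "verb": verb,
        "user": user_info(payload["authenticationInfo"]["principalEmail"]),
        "objectRef": ref, "responseStatus": status,
        "requestReceivedTimestamp": entry["timestamp"], "stageTimestamp": entry["timestamp"],
    }
    ip = payload.get("requestMetadata", {}).get("callerIp")
    if ip:
        event["sourceIPs"] = [ip]
    return event


def convert_entries(entries: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Convert a whole `gcloud logging read --format=json` array, dropping non-k8s entries."""
    return [ev for ev in (convert_entry(e) for e in entries) if ev is not None]


if __name__ == "__main__":
    # Usage: gcloud logging read ... --format=json | python gke_audit_to_k8s.py > audit.log
    source = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_GKE_ENTRIES
    for ev in convert_entries(source):
        print(json.dumps(ev))  # one Event per line, as the apiserver's log backend writes them
```

Two points worth keeping in mind when using such a conversion: a `severity=ERROR` query like the one above returns only denied requests, so the resulting file describes what a principal tried and was refused, not the full set of permissions it exercised; and the output is Metadata level only, so request and response bodies are never reconstructed.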

@liggitt
Owner

liggitt commented Sep 10, 2018

hmm... I'd like to deal just with k8s audit events if possible.

@tallclair do you know if the raw k8s audit events are available from gke?

@tallclair

No, they are not. Dynamic audit control will address this need. Once that merges, it would be awesome to have a version of audit2rbac that can be deployed as a pod in a cluster, and configured as an audit backend.

@larstiq

larstiq commented Jan 22, 2019

audit2rbac v0.7.0 doesn't handle my GKE audit log, is there some other way I can make use of audit2rbac with Google's Kubernetes Engine?

@kvokka

kvokka commented Mar 2, 2021

This feature might be very useful. Is there any interest in adding it?
