After implementing argocd-k8s-auth seeing Connection closed early in gke audit logs #9794
Comments
|
I looked into this and found that those audit logs are normal and not harmful. I think we can close this issue. At first, those logs are generated here and intended to record a long running request (i.e. watch API). I’m not a person in GKE team, so the only thing I can do is guessing from the sample Audit policy here. The default level is set to Metadata, and the kube-apiserver log request metadata without request and response body. As you know, the Argo CD application controller is calling watch API for available resources, so I found other controller in a similar situation. The following is the audit logs for watch API called by GKE internal controllers with GCP internal service account: {
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "service-********************@container-engine-robot.iam.gserviceaccount.com"
},
"authorizationInfo": [
{
"granted": true,
"permission": "io.k8s.apiextensions.v1.customresourcedefinitions.watch",
"resource": "apiextensions.k8s.io/v1/customresourcedefinitions"
}
],
"methodName": "io.k8s.apiextensions.v1.customresourcedefinitions.watch",
"requestMetadata": {
"callerIp": "xx.xx.xx.xx",
"callerSuppliedUserAgent": "GoogleGKEGatewayController"
},
"resourceName": "apiextensions.k8s.io/v1/customresourcedefinitions",
"serviceName": "k8s.io",
"status": {
"code": 0,
"message": "Connection closed early"
}
},
"resource": {
"type": "k8s_cluster"
},
"labels": {
"authorization.k8s.io/decision": "allow",
"authorization.k8s.io/reason": "access granted by IAM permissions."
},
"logName": "projects/gcp-xxxxxxx/logs/cloudaudit.googleapis.com%2Factivity"
} |
|
Thanks for the detailed analysis @toVersus ! Closing the issue |
As per, 9786
cc @toVersus
The text was updated successfully, but these errors were encountered: