Kubernetes Audit Logs for GKE
Overview
To create the Polygraph for user and workload activities, Lacework ingests audit logs from user-selected GKE clusters to find anomalous events as described in the Default Policy page. You can create additional custom policies using the Lacework Query Language (LQL) to target any specific action or resource. Go to the Custom Policies Overview for more information.
Audit Logs Processed by Lacework
The GKE audit log policy is managed by Google and cannot be changed by the user. The logs do not contain sensitive information such as secrets or keys. Some events are excluded from the GKE audit policy and therefore are not sent to Lacework.
User Mapping
If GKE audit logs contain the GCP identity of the actual user, Lacework is able to report the username of the person that triggered an activity inside GKE. The Polygraph and the API calls table will show the username.
Lacework reports Kubernetes impersonation (assumed role).
GKE Audit Log Integration
Lacework provides an easy way to ingest logs from any GKE cluster using Terraform. Go to GKE Audit Log Integration Using Terraform to get started.