Steven

Reputation: 26

How to audit and show which user made changes to a GKE node pool using Logs Explorer?

I am trying to determine the user/serviceaccount that made changes to a node pool within my GKE cluster.

For example:

Opening Log Explorer: logName: "projects/spotinst-labs/logs/cloudaudit.googleapis.com%2Factivity"

There is a method called: google.container.v1.ClusterManager.SetNodePoolSize

However, in the returned log there is no authenticationInfo; normally it's returned in protoPayload.authenticationInfo.principalEmail.

Does anyone know how I would be able to retrieve who made changes on the given node pool?

Upvotes: 0

Views: 1380

Answers (1)

Gellaboina Ashish

Reputation: 573

Every Node pool in a GKE Cluster has a corresponding “Managed Instance Group” GCE resource created; we can view MIG details in Node pool details under the “Instance groups” section.

When I make any modification to the Node pool size there are logs created for the corresponding MIG. These logs have the field methodName: "v1.compute.instanceGroups.addInstances" (if the Node pool size is increased) or methodName: "v1.compute.instanceGroups.removeInstances" (if the Node pool size is decreased), and also protoPayload.authenticationInfo.principalEmail, with the Default GCE Service Account in my case.

So, with the help of MIG logs of corresponding Node pools we can retrieve the Identity of the User/Service Account that made changes to a given Node pool.

Update:

To view the User that made a change to the Node pool size, use the following log query:

 logName="projects/[PROJECT-ID]/logs/cloudaudit.googleapis.com%2Fdata_access"
 protoPayload.methodName="google.container.v1.ClusterManager.SetNodePoolSize"

Upvotes: 2
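Putting the two ideas from the answer together (prefer the SetNodePoolSize entry that carries authenticationInfo, fall back to the MIG addInstances/removeInstances entry) as an added, runnable example that is not part of the answer above and not Google's code; it works on exported audit-log entries as plain dicts, and the project, cluster, pool and MIG names, e-mails and timestamps are constructed.

```python
from datetime import datetime

RESIZE_METHOD = "google.container.v1.ClusterManager.SetNodePoolSize"
MIG_METHODS = {"v1.compute.instanceGroups.addInstances": "increase",
               "v1.compute.instanceGroups.removeInstances": "decrease"}
def _ts(entry):  # Cloud Logging timestamps are RFC 3339 with a trailing Z
    return datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))
def _principal(entry):
    return entry["protoPayload"].get("authenticationInfo", {}).get("principalEmail")
def attribute_resizes(entries, window_seconds=300):
    """Map node pool resourceName -> {principal, source, direction}. Identity comes from
    any SetNodePoolSize entry carrying authenticationInfo (the data_access log); else from
    the MIG add/removeInstances entry within window_seconds, i.e. the account that acted
    on the instance group, not necessarily the caller. Assumes pool resizes don't overlap."""
    migs = [e for e in entries if e["protoPayload"]["methodName"] in MIG_METHODS]
    by_pool = {}
    for e in entries:  # pass 1: identity straight from the SetNodePoolSize audit entries
        if e["protoPayload"]["methodName"] != RESIZE_METHOD:
            continue
        rec = by_pool.setdefault(e["protoPayload"]["resourceName"], {"principal": None, "source": None, "direction": None, "_t": _ts(e)})
        if rec["principal"] is None and _principal(e):
            rec["principal"], rec["source"] = _principal(e), e["logName"].rsplit("%2F", 1)[-1]
    for rec in by_pool.values():  # pass 2: correlate with the MIG entries that follow
        t = rec.pop("_t")
        for m in migs:
            if 0 <= (_ts(m) - t).total_seconds() <= window_seconds:
                rec["direction"] = MIG_METHODS[m["protoPayload"]["methodName"]]
                if rec["principal"] is None:
                    rec["principal"], rec["source"] = _principal(m), "mig"
    return by_pool
def _entry(log, ts, method, resource, principal=None):
    # Minimal constructed audit-log entry carrying only the fields used above
    pp = {"methodName": method, "resourceName": resource}
    if principal:
        pp["authenticationInfo"] = {"principalEmail": principal}
    return {"logName": f"projects/my-project/logs/cloudaudit.googleapis.com%2F{log}",
            "timestamp": ts, "protoPayload": pp}
# Constructed sample data: project, cluster, pool and MIG names and e-mails are made up
POOL1 = "projects/my-project/locations/us-central1/clusters/demo/nodePools/pool-1"
POOL2 = "projects/my-project/locations/us-central1/clusters/demo/nodePools/pool-2"
MIG = "projects/my-project/zones/us-central1-a/instanceGroups/gke-demo-%s-grp"
GCE_SA = "123456789-compute@developer.gserviceaccount.com"
SAMPLE_ENTRIES = [
    _entry("activity", "2023-01-10T12:00:00Z", RESIZE_METHOD, POOL1),  # no authenticationInfo
    _entry("data_access", "2023-01-10T12:00:00Z", RESIZE_METHOD, POOL1, "alice@example.com"),
    _entry("activity", "2023-01-10T12:00:40Z", "v1.compute.instanceGroups.addInstances", MIG % "pool-1", GCE_SA),
    _entry("activity", "2023-01-10T13:00:00Z", RESIZE_METHOD, POOL2),
    _entry("activity", "2023-01-10T13:00:35Z", "v1.compute.instanceGroups.removeInstances", MIG % "pool-2", GCE_SA),
]
```

Feed it the JSON entries from a `gcloud logging read` export of both the activity and data_access logs; a result whose source is "mig" means only the instance-group actor was found, so the data_access log should still be consulted for the real caller.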
