GKE Control Plane and Workload Logs

Cloud & SaaS · Execution Evidence · Google Cloud · Google Kubernetes Engine · Kubernetes · Cloud Control Plane · SIEM / Log Aggregator

Location

Cloud Logging entries for GKE control plane, workload stdout/stderr, and cluster operations

Description

Control-plane operational logs plus workload and node-adjacent telemetry for GKE, including kube-system activity, container stdout/stderr, and cluster-level logging streams available through Cloud Logging.

Forensic Value

These logs complement audit trails by showing what workloads actually ran, what pods emitted at runtime, and whether short-lived containers or crash loops point to exploitation, staging, or post-exploitation activity in the cluster.

Tools Required

Google Cloud Console, gcloud CLI, kubectl, SIEM

Collection Commands

gcloud CLI

gcloud logging read 'resource.type=("k8s_container" OR "k8s_node" OR "k8s_cluster") AND timestamp>="2026-03-01T00:00:00Z"' --format=json > gke_runtime_logs.json

kubectl

kubectl get pods -A -o wide > gke_pod_inventory.txt && kubectl logs -n <namespace> <pod-name> --all-containers=true --timestamps > gke_selected_pod_logs.txt

Collection Constraints

  • Container stdout/stderr and workload logs are only available if workload logging was enabled and retained in Cloud Logging or a sink.
  • Short-lived pods and auto-scaling clusters can remove the most useful runtime evidence quickly, so export timing matters.
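As an added example (not one of this page's collection commands), a Python triage helper that reads the gke_runtime_logs.json export, groups the k8s_container entries by namespace, pod and container, and reports the observed time window and error-severity line count so that short-lived containers can be pulled out for review. The sample entries are constructed in the shape `gcloud logging read --format=json` emits; the 60-second threshold is an assumed triage cutoff.

```python
import json
from datetime import datetime, timedelta

# Constructed sample: a JSON array of LogEntry objects as exported by
# `gcloud logging read --format=json` (two container streams, one node stream).
SAMPLE_EXPORT = json.dumps([
    {"timestamp": "2026-03-02T10:00:00.000Z", "severity": "INFO",
     "resource": {"type": "k8s_container", "labels": {"namespace_name": "payments",
                  "pod_name": "api-7d9c-abc12", "container_name": "api"}},
     "textPayload": "listening on :8080"},
    {"timestamp": "2026-03-02T10:00:05.000Z", "severity": "ERROR",
     "resource": {"type": "k8s_container", "labels": {"namespace_name": "payments",
                  "pod_name": "debug-xyz", "container_name": "shell"}},
     "textPayload": "sh: /tmp/x: Permission denied"},
    {"timestamp": "2026-03-02T10:00:20.000Z", "severity": "INFO",
     "resource": {"type": "k8s_container", "labels": {"namespace_name": "payments",
                  "pod_name": "debug-xyz", "container_name": "shell"}},
     "textPayload": "exiting"},
    {"timestamp": "2026-03-02T10:05:00.000Z", "severity": "INFO",
     "resource": {"type": "k8s_container", "labels": {"namespace_name": "payments",
                  "pod_name": "api-7d9c-abc12", "container_name": "api"}},
     "textPayload": "GET /healthz 200"},
    {"timestamp": "2026-03-02T10:01:00.000Z", "severity": "INFO",
     "resource": {"type": "k8s_node", "labels": {"node_name": "gke-n1"}},
     "textPayload": "kubelet: synced"},
])

ERROR_SEVERITIES = {"ERROR", "CRITICAL", "ALERT", "EMERGENCY"}

def parse_ts(ts):
    # Cloud Logging timestamps are RFC 3339 with a trailing Z.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def summarize_containers(export_json, max_lifetime=timedelta(seconds=60)):
    """Per (namespace, pod, container): first/last seen, line and error counts,
    and a short_lived flag when the observed window is under max_lifetime."""
    stats = {}
    for entry in json.loads(export_json):
        res = entry.get("resource", {})
        if res.get("type") != "k8s_container":
            continue  # k8s_node / k8s_cluster streams are triaged separately
        lbl = res.get("labels", {})
        key = (lbl.get("namespace_name"), lbl.get("pod_name"), lbl.get("container_name"))
        ts = parse_ts(entry["timestamp"])
        s = stats.setdefault(key, {"first": ts, "last": ts, "lines": 0, "errors": 0})
        s["first"], s["last"] = min(s["first"], ts), max(s["last"], ts)
        s["lines"] += 1
        s["errors"] += entry.get("severity") in ERROR_SEVERITIES
    for s in stats.values():
        # A single surviving line yields a zero window; correlate with the pod inventory.
        s["short_lived"] = (s["last"] - s["first"]) < max_lifetime
    return stats
```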

MITRE ATT&CK Techniques

T1610 (Deploy Container), T1525 (Implant Internal Image), T1059 (Command and Scripting Interpreter)