Google Kubernetes Engine Audit Logs
Location
Cloud Logging > GKE cluster audit streams and Kubernetes API audit entries
Description
Kubernetes API audit records for Google Kubernetes Engine clusters, capturing authenticated resource requests, secret access, RBAC changes, pod exec activity, and high-value control-plane actions.
Forensic Value
GKE audit logs are the highest-fidelity source for reconstructing attacker actions in the cluster control plane. They reveal secret access, privilege escalation, abuse of service accounts, and direct API activity that may never be visible in node or application logs.
Tools Required
Collection Commands
gcloud CLI
gcloud logging read 'resource.type="k8s_cluster" AND logName:("cloudaudit.googleapis.com%2Factivity" OR "cloudaudit.googleapis.com%2Fdata_access") AND timestamp>="2026-03-01T00:00:00Z"' --format=json > gke_audit_logs.json
kubectl
kubectl get events -A --sort-by=.metadata.creationTimestamp > gke_cluster_events.txt
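As an added example (not part of this page or of any GKE tooling), a small Python triage script that reads the gke_audit_logs.json export above and groups the high-value actions named in the description (secret access, pod exec, RBAC mutations) by principal. The methodName and resourceName layouts follow the Kubernetes API audit entries GKE writes to Cloud Logging, and the sample entries are constructed for illustration.

```python
import json
from collections import defaultdict

# Kubernetes API methodName prefixes as seen in protoPayload.methodName,
# e.g. "io.k8s.core.v1.secrets.get" (constructed examples below).
CATEGORIES = {
    "secret_access": ("io.k8s.core.v1.secrets.",),
    "pod_exec": ("io.k8s.core.v1.pods.exec.", "io.k8s.core.v1.pods.attach."),
    "rbac_change": ("io.k8s.authorization.rbac.v1.",),
}
READ_VERBS = {"get", "list", "watch"}

def load_entries(path):
    """Load the JSON array written by `gcloud logging read --format=json`."""
    with open(path) as fh:
        return json.load(fh)

def classify(entry):
    """Category for one entry, or None. RBAC reads (get/list/watch) are not changes."""
    method = entry.get("protoPayload", {}).get("methodName", "")
    verb = method.rsplit(".", 1)[-1]
    for category, prefixes in CATEGORIES.items():
        if method.startswith(prefixes):
            return None if category == "rbac_change" and verb in READ_VERBS else category
    return None

def triage(entries):
    """Group high-value entries by (category, principal) -> [(timestamp, resourceName)]."""
    hits = defaultdict(list)
    for e in entries:
        category = classify(e)
        if category is None:
            continue
        p = e["protoPayload"]
        who = p.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        hits[(category, who)].append((e.get("timestamp"), p.get("resourceName")))
    return dict(hits)

# Constructed sample entries, trimmed to the fields the triage uses.
SAMPLE = [
    {"timestamp": "2026-03-02T10:00:01Z", "protoPayload": {"methodName": "io.k8s.core.v1.secrets.get", "resourceName": "core/v1/namespaces/prod/secrets/db-creds", "authenticationInfo": {"principalEmail": "system:serviceaccount:prod:web"}}},
    {"timestamp": "2026-03-02T10:00:05Z", "protoPayload": {"methodName": "io.k8s.core.v1.pods.exec.create", "resourceName": "core/v1/namespaces/prod/pods/web-7d9/exec", "authenticationInfo": {"principalEmail": "alice@example.com"}}},
    {"timestamp": "2026-03-02T10:01:00Z", "protoPayload": {"methodName": "io.k8s.authorization.rbac.v1.clusterrolebindings.create", "resourceName": "rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin-web", "authenticationInfo": {"principalEmail": "system:serviceaccount:prod:web"}}},
    {"timestamp": "2026-03-02T10:01:10Z", "protoPayload": {"methodName": "io.k8s.authorization.rbac.v1.clusterroles.list", "resourceName": "rbac.authorization.k8s.io/v1/clusterroles", "authenticationInfo": {"principalEmail": "alice@example.com"}}},
    {"timestamp": "2026-03-02T10:02:00Z", "protoPayload": {"methodName": "io.k8s.core.v1.pods.list", "resourceName": "core/v1/namespaces/prod/pods", "authenticationInfo": {"principalEmail": "alice@example.com"}}},
]

if __name__ == "__main__":
    for (category, who), items in sorted(triage(SAMPLE).items()):
        print(f"{category:14} {who}")
        for ts, resource in items:
            print(f"    {ts}  {resource}")
```

Replace SAMPLE with load_entries("gke_audit_logs.json") to run it over the real export; a service account that both reads secrets and creates a clusterrolebinding, as in the sample, is the kind of pairing worth pulling into the timeline first.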
Collection Constraints
- Audit fidelity depends on the cluster logging configuration and how logs were routed and retained in Cloud Logging or downstream sinks.
- Control-plane logs and Kubernetes events should be exported quickly because cluster state can change rapidly after containment begins.
MITRE ATT&CK Techniques
References
Used in Procedures
Related Blockers
Cloud or Container Logging Coverage Missing
The investigation depends on cloud-control-plane or container telemetry that was never enabled, was retained too briefly, or was routed to an unavailable destination. This creates blind spots around identity misuse, cluster administration, and workload behavior.
SaaS Audit Logging Not Enabled or Not Licensed
The investigation depends on SaaS audit evidence that was never enabled, is unavailable under the current subscription tier, or requires a higher-privilege admin role than the response team currently has. This creates blind spots for identity abuse, collaboration-platform misuse, and source-code access.
SaaS Audit Retention Expired Before Collection
The response started after the native retention window for Google Workspace, Okta, Slack, GitHub, or similar SaaS evidence had already passed. The necessary events are no longer available in the vendor UI or API even though the underlying accounts and content may still exist.