As per documentation:
- Admin activity logs - these are enabled by default at no cost.
  - k8s_cluster - Log entries written by the Kubernetes API server apply to the k8s_cluster resource type. These log entries describe operations on Kubernetes resources in your cluster, for example, Pods, Deployments, and Secrets.

        logName="projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Factivity"
        protoPayload.serviceName="k8s.io"

  - gke_cluster - Log entries written by the Kubernetes Engine API server apply to the gke_cluster resource. These log entries describe operations like cluster creation and deletion.

        logName="projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Factivity"
        protoPayload.serviceName="container.googleapis.com"

- Data access logs - Data Access audit logs contain API calls that read the configuration or metadata of resources, as well as user-driven API calls that create, modify, or read user-provided resource data. Data Access audit logs do not record the data-access operations on resources that are publicly shared (available to All Users or All Authenticated Users) or that can be accessed without logging into Google Cloud. Data access logs can be very verbose, depending on the configuration. You need to enable them yourself, and they may be billed according to Quotas.

  There are 3 kinds of operations; you choose which you want to log:
  - ADMIN_READ: Records operations that read metadata or configuration information.
  - DATA_READ: Records operations that read user-provided data (e.g. CRD).
  - DATA_WRITE: Records operations that write user-provided data (e.g. CRD).

        resource.type="k8s_cluster"
        logName="projects/my-project/logs/cloudaudit.googleapis.com%2Fdata_access"

For most projects, Admin activity logs are enough. If you need to log which types of resources each service or user accesses, then you should enable Data Access logs.
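As an added example (not part of the original answer), the following Python sketch shows the kind of question only Data Access entries answer: which principal read which Kubernetes resource kind. The sample entries, e-mail addresses and helper names are constructed for illustration; the field names follow the Cloud Audit Logs entry format, and the parsing assumes Kubernetes method names of the form `io.k8s.<group>.<version>.<kind>.<verb>` without subresources.

```python
from collections import Counter
from urllib.parse import unquote

LOG = "projects/my-project/logs/cloudaudit.googleapis.com%2F"
SA = "ci@my-project.iam.gserviceaccount.com"  # constructed service account

def entry(stream, rtype, service, method, who):
    """Build one constructed audit entry with only the fields used below."""
    return {"logName": LOG + stream, "resource": {"type": rtype},
            "protoPayload": {"serviceName": service, "methodName": method,
                             "authenticationInfo": {"principalEmail": who}}}

# Constructed sample: two Admin Activity entries, three Data Access entries.
SAMPLE = [
    entry("activity", "k8s_cluster", "k8s.io",
          "io.k8s.apps.v1.deployments.create", "alice@example.com"),
    entry("activity", "gke_cluster", "container.googleapis.com",
          "google.container.v1.ClusterManager.CreateCluster", "alice@example.com"),
    entry("data_access", "k8s_cluster", "k8s.io", "io.k8s.core.v1.secrets.get", SA),
    entry("data_access", "k8s_cluster", "k8s.io", "io.k8s.core.v1.secrets.get", SA),
    entry("data_access", "k8s_cluster", "k8s.io",
          "io.k8s.core.v1.pods.list", "bob@example.com"),
]

def log_stream(e):
    """Return 'activity' or 'data_access' from the URL-encoded logName."""
    return unquote(e["logName"]).rsplit("/", 1)[-1]

def verb_and_kind(method_name):
    """'io.k8s.core.v1.secrets.get' -> ('get', 'secrets')."""
    parts = method_name.split(".")
    return parts[-1], parts[-2]

def data_access_summary(entries):
    """Count (principal, verb, kind) over k8s_cluster Data Access entries."""
    counts = Counter()
    for e in entries:
        if log_stream(e) != "data_access" or e["resource"]["type"] != "k8s_cluster":
            continue  # Admin Activity and gke_cluster entries are skipped
        payload = e["protoPayload"]
        verb, kind = verb_and_kind(payload["methodName"])
        who = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
        counts[(who, verb, kind)] += 1
    return counts

if __name__ == "__main__":
    for (who, verb, kind), n in data_access_summary(SAMPLE).most_common():
        print(f"{n:3d}  {who}  {verb} {kind}")
```

With only Admin Activity logging enabled, the secret and pod reads in this sample would never have been recorded, so the summary would be empty.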
More here: GKE Audit logs