Enable VPC Flow Logs And Intranode Visibility

More Info:

Enable VPC Flow Logs and Intranode Visibility to see pod-level traffic, even for traffic within a worker node.

Risk Level

Low

Address

Security, Reliability, Operational Excellence, Performance Efficiency

Compliance Standards

CISGKE

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration of enabling VPC Flow Logs and Intranode Visibility in GCP using GCP CLI, follow these steps:

Open the Cloud Shell in the GCP Console.
Run the following command to enable VPC Flow Logs:

gcloud compute networks subnets update [SUBNET_NAME] --enable-flow-logs

Replace [SUBNET_NAME] with the name of the subnet that you want to enable flow logs for.

Run the following command to enable Intranode Visibility:

gcloud container clusters update [CLUSTER_NAME] --enable-intra-node-visibility

Replace [CLUSTER_NAME] with the name of the cluster that you want to enable intra-node visibility for.

Verify that the changes have been made by running the following command:

gcloud compute networks subnets describe [SUBNET_NAME] | grep enableFlowLogs

This command should return “enableFlowLogs: true” if flow logs have been enabled for the subnet.

Similarly, verify that the changes have been made for Intranode Visibility by running the following command:

gcloud container clusters describe [CLUSTER_NAME] | grep enableIntraNodeVisibility

This command should return “enableIntraNodeVisibility: true” if intra-node visibility has been enabled for the cluster.By following these steps, you can remediate the misconfiguration of enabling VPC Flow Logs and Intranode Visibility in GCP using GCP CLI.

Using Python

To enable VPC Flow Logs and Intranode Visibility in GCP using Python, follow these steps:

Import the necessary libraries:

from google.cloud import logging_v2
from google.cloud.logging_v2.types import LogMetric
from google.cloud import compute_v1
from google.protobuf import duration_pb2

Set the project ID, region, and zone:

project_id = "your-project-id"
region = "your-region"
zone = "your-zone"

Create a logging client:

logging_client = logging_v2.LoggingServiceV2Client()

Create a log metric for VPC flow logs:

metric_name = "vpc-flow-logs"
metric_filter = "resource.type=gce_subnetwork AND logName=projects/{}/logs/compute.googleapis.com%2Fvpc_flows".format(project_id)
metric_description = "Metric for VPC flow logs"
metric = LogMetric(name=metric_name, filter=metric_filter, description=metric_description)

Create the metric:

parent = "projects/{}".format(project_id)
response = logging_client.create_log_metric(parent=parent, metric=metric)

Create a compute client:

compute_client = compute_v1.ComputeClient()

Get the list of subnetworks in the region:

subnetworks = compute_client.subnetworks().list(project=project_id, region=region).execute()

Enable VPC flow logs for each subnetwork:

for subnetwork in subnetworks.get("items", []):
    subnetwork_link = subnetwork.get("selfLink")
    flow_logs = {
        "metadata": {
            "name": "vpc-flow-logs",
            "region": region,
            "selfLink": subnetwork_link
        },
        "enable": True,
        "filterExpr": "true"
    }
    compute_client.subnetworks().updateFlowLog(project=project_id, region=region, subnetwork=subnetwork.get("name"), request_body=flow_logs).execute()

Create a log metric for intranode visibility:

metric_name = "intranode-visibility"
metric_filter = "resource.type=gce_instance AND logName=projects/{}/logs/syslog".format(project_id)
metric_description = "Metric for intranode visibility"
metric = LogMetric(name=metric_name, filter=metric_filter, description=metric_description)

Create the metric:

parent = "projects/{}".format(project_id)
response = logging_client.create_log_metric(parent=parent, metric=metric)

Get the list of instances in the zone:

instances = compute_client.instances().list(project=project_id, zone=zone).execute()

Enable intranode visibility for each instance:

for instance in instances.get("items", []):
    instance_link = instance.get("selfLink")
    metadata = {
        "items": [
            {
                "key": "enable-intranode-visibility",
                "value": "true"
            }
        ]
    }
    compute_client.instances().setMetadata(project=project_id, zone=zone, instance=instance.get("name"), metadata=metadata).execute()

That’s it! These steps will enable VPC Flow Logs and Intranode Visibility in GCP using Python.

Additional Reading:

https://cloud.google.com/kubernetes-engine/docs/how-to/intranode-visibility

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Enable VPC Flow Logs And Intranode Visibility

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: