More Info:

Enable VPC Flow Logs and Intranode Visibility to see pod-level traffic, even for traffic within a worker node.

Risk Level

Low

Address

Security, Reliability, Operational Excellence, Performance Efficiency

Compliance Standards

CISGKE

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration of enabling VPC Flow Logs and Intranode Visibility for GCP using GCP console, please follow the below steps:
  1. Login to the Google Cloud Console with your credentials.
  2. Navigate to the VPC network section from the left-hand navigation menu.
  3. Select the VPC network for which you want to enable flow logs and intranode visibility.
  4. Click on the Edit button at the top of the page.
  5. Scroll down to the Flow Logs section and enable it.
  6. Select the destination where you want to store the logs. You can choose either Stackdriver Logging or a Cloud Storage bucket.
  7. Choose the filter for the logs. You can choose to log all traffic or only specific traffic.
  8. Scroll down to the Intranode Visibility section and enable it.
  9. Click on the Save button at the bottom of the page to apply the changes.
After following these steps, VPC Flow Logs and Intranode Visibility will be enabled for the selected VPC network in GCP.

To remediate the misconfiguration of enabling VPC Flow Logs and Intranode Visibility in GCP using GCP CLI, follow these steps:
  1. Open the Cloud Shell in the GCP Console.
  2. Run the following command to enable VPC Flow Logs: 
gcloud compute networks subnets update [SUBNET_NAME] --enable-flow-logs
Replace [SUBNET_NAME] with the name of the subnet that you want to enable flow logs for.
  1. Run the following command to enable Intranode Visibility:
gcloud container clusters update [CLUSTER_NAME] --enable-intra-node-visibility
Replace [CLUSTER_NAME] with the name of the cluster that you want to enable intra-node visibility for.
  1. Verify that the changes have been made by running the following command:
gcloud compute networks subnets describe [SUBNET_NAME] | grep enableFlowLogs
This command should return “enableFlowLogs: true” if flow logs have been enabled for the subnet.
  1. Similarly, verify that the changes have been made for Intranode Visibility by running the following command:
gcloud container clusters describe [CLUSTER_NAME] | grep enableIntraNodeVisibility
This command should return “enableIntraNodeVisibility: true” if intra-node visibility has been enabled for the cluster.By following these steps, you can remediate the misconfiguration of enabling VPC Flow Logs and Intranode Visibility in GCP using GCP CLI.
To enable VPC Flow Logs and Intranode Visibility in GCP using Python, follow these steps:
  1. Import the necessary libraries:
from google.cloud import logging_v2
from google.cloud.logging_v2.types import LogMetric
from google.cloud import compute_v1
from google.protobuf import duration_pb2
  1. Set the project ID, region, and zone:
project_id = "your-project-id"
region = "your-region"
zone = "your-zone"
  1. Create a logging client:
logging_client = logging_v2.LoggingServiceV2Client()
  1. Create a log metric for VPC flow logs:
metric_name = "vpc-flow-logs"
metric_filter = "resource.type=gce_subnetwork AND logName=projects/{}/logs/compute.googleapis.com%2Fvpc_flows".format(project_id)
metric_description = "Metric for VPC flow logs"
metric = LogMetric(name=metric_name, filter=metric_filter, description=metric_description)
  1. Create the metric:
parent = "projects/{}".format(project_id)
response = logging_client.create_log_metric(parent=parent, metric=metric)
  1. Create a compute client:
compute_client = compute_v1.ComputeClient()
  1. Get the list of subnetworks in the region:
subnetworks = compute_client.subnetworks().list(project=project_id, region=region).execute()
  1. Enable VPC flow logs for each subnetwork:
for subnetwork in subnetworks.get("items", []):
    subnetwork_link = subnetwork.get("selfLink")
    flow_logs = {
        "metadata": {
            "name": "vpc-flow-logs",
            "region": region,
            "selfLink": subnetwork_link
        },
        "enable": True,
        "filterExpr": "true"
    }
    compute_client.subnetworks().updateFlowLog(project=project_id, region=region, subnetwork=subnetwork.get("name"), request_body=flow_logs).execute()
  1. Create a log metric for intranode visibility:
metric_name = "intranode-visibility"
metric_filter = "resource.type=gce_instance AND logName=projects/{}/logs/syslog".format(project_id)
metric_description = "Metric for intranode visibility"
metric = LogMetric(name=metric_name, filter=metric_filter, description=metric_description)
  1. Create the metric:
parent = "projects/{}".format(project_id)
response = logging_client.create_log_metric(parent=parent, metric=metric)
  1. Get the list of instances in the zone:
instances = compute_client.instances().list(project=project_id, zone=zone).execute()
  1. Enable intranode visibility for each instance:
for instance in instances.get("items", []):
    instance_link = instance.get("selfLink")
    metadata = {
        "items": [
            {
                "key": "enable-intranode-visibility",
                "value": "true"
            }
        ]
    }
    compute_client.instances().setMetadata(project=project_id, zone=zone, instance=instance.get("name"), metadata=metadata).execute()
That’s it! These steps will enable VPC Flow Logs and Intranode Visibility in GCP using Python.

Additional Reading: