Integrity Monitoring Should Be Enabled For Kubernetes Node Pools

More Info:

Ensure that kubernetes node pools have Integrity Monitoring enabled

Risk Level

Medium

Address

Performance Efficiency, Operational Excellence, Reliability, Security

Compliance Standards

HITRUST, SOC2, NISTCSF

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration “Integrity Monitoring should be enabled for Kubernetes Node Pools” for GCP using GCP CLI, follow the below steps:

Open the GCP Cloud Shell or open the terminal and connect to the GCP project using the command gcloud auth login and gcloud config set project [PROJECT_ID].
Run the following command to enable the integrity monitoring for Kubernetes node pools:

gcloud container node-pools update [NODE_POOL_NAME] --cluster=[CLUSTER_NAME] --enable-intra-node-visibility --enable-integrity-monitoring

Replace [NODE_POOL_NAME] with the name of the node pool and [CLUSTER_NAME] with the name of the cluster.

Verify the integrity monitoring is enabled for the node pool by running the following command:

gcloud container node-pools describe [NODE_POOL_NAME] --cluster=[CLUSTER_NAME] | grep integrity

If the output shows "integrityMonitoringEnabled: true", then the integrity monitoring is enabled for the node pool.

Repeat the above steps for all the node pools in the cluster.

By following the above steps, integrity monitoring will be enabled for Kubernetes node pools in GCP using GCP CLI.

Using Python

To remediate the misconfiguration “Integrity Monitoring Should Be Enabled For Kubernetes Node Pools” for GCP using python, you can follow the below steps:

First, you need to authenticate with the GCP project using the following python code:

from google.auth import compute_engine
from google.cloud import monitoring_v3

# Authenticate with GCP project
credentials = compute_engine.Credentials()
client = monitoring_v3.MetricServiceClient(credentials=credentials)
project_id = 'your-project-id'

Then, you need to get the list of Kubernetes node pools in the GCP project using the following python code:

# Get the list of Kubernetes node pools
node_pools = []
for cluster in client.list_clusters(project_id):
    for pool in client.list_node_pools(project_id, cluster.name):
        node_pools.append(pool)

Next, you need to check if integrity monitoring is enabled for each Kubernetes node pool using the following python code:

# Check if integrity monitoring is enabled for each node pool
for pool in node_pools:
    if not pool.management.auto_repair.integrity_monitoring:
        # Enable integrity monitoring
        pool.management.auto_repair.integrity_monitoring = True
        client.update_node_pool(project_id, pool.cluster_id, pool.name, pool)

Finally, you can print a message indicating that the remediation is complete using the following python code:

# Print a message indicating that the remediation is complete
print('Integrity monitoring has been enabled for all Kubernetes node pools.')

By following these steps, you can remediate the misconfiguration “Integrity Monitoring Should Be Enabled For Kubernetes Node Pools” for GCP using python.

Additional Reading:

https://cloud.google.com/kubernetes-engine/docs/how-to/shielded-gke-nodes

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Integrity Monitoring Should Be Enabled For Kubernetes Node Pools

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: