GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Ensure Integrity Monitoring For Shielded GKE Nodes Is Enabled
More Info:
Enable Integrity Monitoring for Shielded GKE Nodes to be notified of inconsistencies during the node boot sequence.
Risk Level
High
Address
Security, Reliability, Operational Excellence, Performance Efficiency
Compliance Standards
CISGKE
Triage and Remediation
Remediation
To remediate the misconfiguration “Ensure Integrity Monitoring For Shielded GKE Nodes Is Enabled” for GCP using GCP console, you can follow the below steps:
- Open the Google Cloud Console and select the project where the GKE cluster is hosted.
- From the Navigation menu, select Kubernetes Engine and then Clusters.
- Select the GKE cluster you want to remediate.
- Click on the Edit button at the top of the page.
- In the Security section, click on the Shielded Nodes tab.
- Enable the Integrity Monitoring option by selecting the checkbox.
- Click on Save to apply the changes.
Once the above steps are completed, Integrity Monitoring will be enabled for the Shielded GKE Nodes in your GCP project, and the misconfiguration will be remediated.
To remediate the misconfiguration “Ensure Integrity Monitoring For Shielded GKE Nodes Is Enabled” for GCP using GCP CLI, you can follow these steps:
-
Open the Cloud Shell from the GCP Console.
-
Ensure that you have the necessary permissions to make changes to the GKE cluster.
-
Run the following command to enable integrity monitoring for shielded GKE nodes:
gcloud container clusters update [CLUSTER_NAME] --update-shielded-nodes-integrity-monitoring
Note: Replace [CLUSTER_NAME] with the name of your GKE cluster.
- Verify that integrity monitoring is enabled for shielded GKE nodes using the following command:
gcloud container clusters describe [CLUSTER_NAME] --format="value(shieldedNodes.integrityMonitoringEnabled)"
The output should be “true”, indicating that integrity monitoring is enabled for shielded GKE nodes.
- Repeat the above steps for all the GKE clusters in your GCP project.
By following these steps, you can remediate the misconfiguration “Ensure Integrity Monitoring For Shielded GKE Nodes Is Enabled” for GCP using GCP CLI.
To remediate the misconfiguration “Ensure Integrity Monitoring For Shielded GKE Nodes Is Enabled” in GCP using Python, you can follow the below steps:
Step 1: Install the necessary libraries.
pip install google-cloud-monitoring google-auth google-auth-oauthlib google-auth-httplib2
Step 2: Set up the authentication credentials for the GCP project.
from google.oauth2 import service_account
credentials = service_account.Credentials.from_service_account_file('<path_to_service_account_file>')
Step 3: Import the necessary libraries.
from google.cloud import monitoring_v3
from google.protobuf import duration_pb2
from google.protobuf import timestamp_pb2
Step 4: Create a client object for the Monitoring API.
client = monitoring_v3.MetricServiceClient(credentials=credentials)
Step 5: Define the necessary variables.
project_id = '<your_project_id>'
cluster_name = '<your_cluster_name>'
Step 6: Define the metric descriptor for the Shielded Instance Integrity Monitoring metric.
descriptor = monitoring_v3.types.MetricDescriptor()
descriptor.type = 'container.googleapis.com/container/shielded_instance_integrity_status'
descriptor.metric_kind = monitoring_v3.enums.MetricDescriptor.MetricKind.GAUGE
descriptor.value_type = monitoring_v3.enums.MetricDescriptor.ValueType.BOOL
descriptor.description = 'Indicates whether the shielded integrity monitoring is enabled for the node.'
descriptor.display_name = 'Shielded Instance Integrity Monitoring Status'
descriptor.unit = monitoring_v3.enums.MetricDescriptor.Unit.BOOL
Step 7: Create the metric descriptor if it doesn’t already exist.
project_name = f'projects/{project_id}'
descriptor_name = f'{project_name}/metricDescriptors/{descriptor.type}'
try:
client.create_metric_descriptor(name=project_name, metric_descriptor=descriptor)
except AlreadyExists:
pass
Step 8: Define the time range for the query.
now = time.time()
seconds = int(now)
nanos = int((now - seconds) * 10 ** 9)
end_time = timestamp_pb2.Timestamp(seconds=seconds, nanos=nanos)
start_time = timestamp_pb2.Timestamp(seconds=seconds - 3600, nanos=nanos)
interval = monitoring_v3.types.TimeInterval(start_time=start_time, end_time=end_time)
Step 9: Define the query for the Shielded Instance Integrity Monitoring metric.
query = f'resource.type="gke_container" resource.labels.cluster_name="{cluster_name}" metric.type="container.googleapis.com/container/shielded_instance_integrity_status"'
Step 10: Execute the query and check if the Shielded Instance Integrity Monitoring metric is enabled for all nodes.
results = client.list_time_series(
name=project_name,
filter=query,
interval=interval,
view=monitoring_v3.enums.ListTimeSeriesRequest.TimeSeriesView.FULL,
)
for result in results:
if not result.points[0].value.bool_value:
print(f'Shielded Instance Integrity Monitoring is not enabled for node {result.resource.labels.instance_id}.')
These steps will help you remediate the misconfiguration “Ensure Integrity Monitoring For Shielded GKE Nodes Is Enabled” in GCP using Python.