GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Ensure Stackdriver Kubernetes Logging And Monitoring Is Enabled
More Info:
Send logs and metrics to a remote aggregator to mitigate the risk of local tampering in the event of a breach.
Risk Level
Low
Address
Security, Reliability, Operational Excellence, Performance Efficiency
Compliance Standards
CISGKE
Triage and Remediation
Remediation
To remediate the misconfiguration “Ensure Stackdriver Kubernetes Logging And Monitoring Is Enabled” for GCP using GCP console, follow the below steps:
- Login to the GCP console with valid credentials.
- Navigate to the Google Kubernetes Engine (GKE) cluster for which you want to enable Stackdriver Kubernetes Logging and Monitoring.
- Click on the “Edit” button at the top of the page.
- Scroll down to the “Stackdriver” section and click on it.
- Under the “Stackdriver Logging” section, toggle the switch to “Enabled”.
- Under the “Stackdriver Monitoring” section, toggle the switch to “Enabled”.
- Click on the “Save” button at the bottom of the page.
Once the above steps are completed, Stackdriver Kubernetes Logging and Monitoring will be enabled for the GKE cluster. You can then view logs and metrics for your Kubernetes cluster in the Stackdriver Logging and Monitoring UI.
To remediate the misconfiguration of Stackdriver Kubernetes Logging and Monitoring not being enabled on GCP using GCP CLI, follow the below steps:
-
Install and configure the Google Cloud SDK (CLI) on your local machine.
-
Open the terminal or command prompt and authenticate to your GCP account using the following command:
gcloud auth login
- Set the default project for the CLI to the project where the Kubernetes cluster is deployed using the following command:
gcloud config set project [PROJECT_ID]
- Enable the Stackdriver Kubernetes Logging and Monitoring API for the project using the following command:
gcloud services enable container.googleapis.com stackdriver.googleapis.com
- Verify that the Stackdriver Kubernetes Logging and Monitoring API is enabled by running the following command:
gcloud services list --enabled
- If the API is enabled, you should see the following services listed:
NAME TITLE
container.googleapis.com Kubernetes Engine API
logging.googleapis.com Stackdriver Logging API
monitoring.googleapis.com Stackdriver Monitoring API
stackdriver.googleapis.com Stackdriver API
- Once the API is enabled, you can configure the Kubernetes cluster to send logs and metrics to Stackdriver by following the official GCP documentation:
https://cloud.google.com/kubernetes-engine/docs/how-to/logging
To remediate the misconfiguration “Ensure Stackdriver Kubernetes Logging And Monitoring Is Enabled” for GCP using Python, you can follow these steps:
- Install the
google-cloud-monitoringandgoogle-cloud-loggingPython libraries usingpip.
pip install google-cloud-monitoring google-cloud-logging
-
Create a service account with the necessary permissions to enable Stackdriver Kubernetes logging and monitoring.
-
Set the
GOOGLE_APPLICATION_CREDENTIALSenvironment variable to the path of the service account key file.
export GOOGLE_APPLICATION_CREDENTIALS=/path/to/service_account_key.json
- Use the
google-cloud-monitoringandgoogle-cloud-logginglibraries to enable Stackdriver Kubernetes logging and monitoring.
from google.cloud.monitoring_v3 import MetricServiceClient
from google.cloud.logging_v2 import LoggingServiceV2Client
from google.cloud.logging_v2.types import LogMetric
# Enable Kubernetes API metrics
metric_client = MetricServiceClient()
project_name = f"projects/{project_id}"
metric_descriptor = metric_client.get_metric_descriptor(
name=f"{project_name}/metricDescriptors/kubernetes.io/container/cpu/usage_time"
)
metric_descriptor.enabled = True
metric_client.update_metric_descriptor(metric_descriptor)
# Create a Stackdriver Logging metric for Kubernetes logs
logging_client = LoggingServiceV2Client()
parent = logging_client.project_path(project_id)
log_metric = LogMetric(
name="kubernetes_log",
description="Kubernetes logs",
filter='resource.type="k8s_container"',
metric_descriptor_name=f"{project_name}/metricDescriptors/logging.googleapis.com/container/log_bytes",
value_extractor="SUM(jsonPayload.message_size)",
)
logging_client.create_log_metric(parent=parent, metric=log_metric)
Note: Replace project_id with your GCP project ID.
- Verify that Stackdriver Kubernetes logging and monitoring is enabled by checking the Stackdriver Metrics Explorer and Logs Viewer in the GCP Console.
That’s it! You have now remediated the misconfiguration “Ensure Stackdriver Kubernetes Logging And Monitoring Is Enabled” for GCP using Python.