Ensure Integrity Monitoring For Shielded GKE Nodes Is Enabled

More Info:

Enable Integrity Monitoring for Shielded GKE Nodes to be notified of inconsistencies during the node boot sequence.

Risk Level

High

Address

Security, Reliability, Operational Excellence, Performance Efficiency

Compliance Standards

CISGKE

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration “Ensure Integrity Monitoring For Shielded GKE Nodes Is Enabled” for GCP using GCP CLI, you can follow these steps:

Open the Cloud Shell from the GCP Console.
Ensure that you have the necessary permissions to make changes to the GKE cluster.
Run the following command to enable integrity monitoring for shielded GKE nodes:

gcloud container clusters update [CLUSTER_NAME] --update-shielded-nodes-integrity-monitoring

Note: Replace [CLUSTER_NAME] with the name of your GKE cluster.

Verify that integrity monitoring is enabled for shielded GKE nodes using the following command:

gcloud container clusters describe [CLUSTER_NAME] --format="value(shieldedNodes.integrityMonitoringEnabled)"

The output should be “true”, indicating that integrity monitoring is enabled for shielded GKE nodes.

Repeat the above steps for all the GKE clusters in your GCP project.

By following these steps, you can remediate the misconfiguration “Ensure Integrity Monitoring For Shielded GKE Nodes Is Enabled” for GCP using GCP CLI.

Using Python

To remediate the misconfiguration “Ensure Integrity Monitoring For Shielded GKE Nodes Is Enabled” in GCP using Python, you can follow the below steps:Step 1: Install the necessary libraries.

pip install google-cloud-monitoring google-auth google-auth-oauthlib google-auth-httplib2

Step 2: Set up the authentication credentials for the GCP project.

from google.oauth2 import service_account

credentials = service_account.Credentials.from_service_account_file('<path_to_service_account_file>')

Step 3: Import the necessary libraries.

from google.cloud import monitoring_v3
from google.protobuf import duration_pb2
from google.protobuf import timestamp_pb2

Step 4: Create a client object for the Monitoring API.

client = monitoring_v3.MetricServiceClient(credentials=credentials)

Step 5: Define the necessary variables.

project_id = '<your_project_id>'
cluster_name = '<your_cluster_name>'

Step 6: Define the metric descriptor for the Shielded Instance Integrity Monitoring metric.

descriptor = monitoring_v3.types.MetricDescriptor()
descriptor.type = 'container.googleapis.com/container/shielded_instance_integrity_status'
descriptor.metric_kind = monitoring_v3.enums.MetricDescriptor.MetricKind.GAUGE
descriptor.value_type = monitoring_v3.enums.MetricDescriptor.ValueType.BOOL
descriptor.description = 'Indicates whether the shielded integrity monitoring is enabled for the node.'
descriptor.display_name = 'Shielded Instance Integrity Monitoring Status'
descriptor.unit = monitoring_v3.enums.MetricDescriptor.Unit.BOOL

Step 7: Create the metric descriptor if it doesn’t already exist.

project_name = f'projects/{project_id}'
descriptor_name = f'{project_name}/metricDescriptors/{descriptor.type}'
try:
    client.create_metric_descriptor(name=project_name, metric_descriptor=descriptor)
except AlreadyExists:
    pass

Step 8: Define the time range for the query.

now = time.time()
seconds = int(now)
nanos = int((now - seconds) * 10 ** 9)
end_time = timestamp_pb2.Timestamp(seconds=seconds, nanos=nanos)
start_time = timestamp_pb2.Timestamp(seconds=seconds - 3600, nanos=nanos)
interval = monitoring_v3.types.TimeInterval(start_time=start_time, end_time=end_time)

Step 9: Define the query for the Shielded Instance Integrity Monitoring metric.

query = f'resource.type="gke_container" resource.labels.cluster_name="{cluster_name}" metric.type="container.googleapis.com/container/shielded_instance_integrity_status"'

Step 10: Execute the query and check if the Shielded Instance Integrity Monitoring metric is enabled for all nodes.

results = client.list_time_series(
    name=project_name,
    filter=query,
    interval=interval,
    view=monitoring_v3.enums.ListTimeSeriesRequest.TimeSeriesView.FULL,
)

for result in results:
    if not result.points[0].value.bool_value:
        print(f'Shielded Instance Integrity Monitoring is not enabled for node {result.resource.labels.instance_id}.')

These steps will help you remediate the misconfiguration “Ensure Integrity Monitoring For Shielded GKE Nodes Is Enabled” in GCP using Python.

Additional Reading:

https://cloud.google.com/kubernetes-engine/docs/how-to/shielded-gke-nodes#system_integrity_monitoring

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Ensure Integrity Monitoring For Shielded GKE Nodes Is Enabled

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: