GCP Kubernetes Monitoring

Your number of Kubernetes clusters can grow pretty fast - and so could be your pain points.

Following GCP Kubernetes checks are performed at a configurable frequency

Dashboard Disabled

Ensures all Kubernetes clusters have the web dashboard disabled. It is recommended to disable the web dashboard because it is backed by a highly privileged service account.

Private Endpoint

Ensures the private endpoint setting is enabled for kubernetes clusters. Kubernetes private endpoints can be used to route all traffic between the Kubernetes worker and control plane nodes over a private VPC endpoint rather than across the public internet.

Private Cluster Enabled

Ensures private cluster is enabled for all Kubernetes clusters. Kubernetes private clusters only have internal ip ranges, which ensures that their workloads are isolated from the public internet.

Pod Security Policy Enabled

Ensures pod security policy is enabled for all Kubernetes clusters. Kubernetes pod security policy is a resource that controls security sensitive aspects of the pod configuration.

Network Policy Enabled

Ensures all Kubernetes clusters have network policy enabled. Kubernetes network policy creates isolation between cluster pods, this creates a more secure environment with only specified connections allowed.

Monitoring Enabled

Ensures all Kubernetes clusters have monitoring enabled.

Master Authorized Network

Ensures master authorized networks is set to enabled on Kubernetes clusters

Logging Enabled

Ensures all Kubernetes clusters have logging enabled. This setting should be enabled to ensure Kubernetes control plane logs are properly recorded.

Legacy Authorization Disabled

Ensure legacy authorization is set to disabled on Kubernetes clusters. The legacy authorizer in Kubernetes grants broad, statically defined permissions.

Default Service Account

Ensure Kubernetes cluster nodes do use the default service account. Kubernetes cluster nodes should use customized service accounts that have minimal privileges to run. This reduces the attack surface in the case of a malicious attack on the cluster.

COS Image Enabled

Ensures all Kubernetes cluster nodes have Container-Optimized OS enabled. Container-Optimized OS is optimized to enhance node security. It is backed by a team at Google that can quickly patch it.

Cluster Least Privilege

Ensures Kubernetes clusters are created with limited service account access scopes. Kubernetes service accounts should be limited in scope to the services necessary to operate the clusters.

Basic Authentication Disabled

Ensure basic authentication is set to disabled on Kubernetes clusters.

Automatic Node Upgrades Enabled

Ensures all Kubernetes cluster nodes have automatic upgrades enabled. Enabling automatic upgrades on nodes ensures that each node stays current with the latest version of the master branch, also ensuring that the latest security patches are installed to provide the most secure environment.

Automatic Node Repair Enabled

Ensures all Kubernetes cluster nodes have automatic repair enabled. When automatic repair on nodes is enabled, the Kubernetes engine performs health checks on all nodes, automatically repairing nodes that fail health checks. This ensures that the Kubernetes environment stays optimal.

Alias IP Ranges Enabled

Ensures all Kubernetes clusters have alias IP ranges enabled. Alias IP ranges allow users to assign ranges of internal IP addresses as alias to a network interface.