GCP Kubernetes Monitoring

Your number of Kubernetes clusters can grow pretty fast - and so could be your pain points.

Following GCP Kubernetes checks are performed at a configurable frequency

Web Dashboard Should Be Disabled

Ensures all Kubernetes clusters have the web dashboard disabled. It is recommended to disable the web dashboard because it is backed by a highly privileged service account.

Private Endpoints Should Be Enabled

Ensures the private endpoint setting is enabled for kubernetes clusters. Kubernetes private endpoints can be used to route all traffic between the Kubernetes worker and control plane nodes over a private VPC endpoint rather than across the public internet.

Private Cluster Should Be Enabled

Ensures private cluster is enabled for all Kubernetes clusters. Kubernetes private clusters only have internal ip ranges, which ensures that their workloads are isolated from the public internet.

Pod Security Policy Should Be Enabled

Ensures pod security policy is enabled for all Kubernetes clusters. Kubernetes pod security policy is a resource that controls security sensitive aspects of the pod configuration.

Network Policy Should Be Enabled

Ensures all Kubernetes clusters have network policy enabled. Kubernetes network policy creates isolation between cluster pods, this creates a more secure environment with only specified connections allowed.

Monitoring Should Be Enabled

Ensures all Kubernetes clusters have monitoring enabled.

Master Authorized Network Should Be Enabled

Ensures master authorized networks is set to enabled on Kubernetes clusters

Logging Should Be Enabled

Ensures all Kubernetes clusters have logging enabled. This setting should be enabled to ensure Kubernetes control plane logs are properly recorded.

Legacy Authorization Should Be Disabled

Ensure legacy authorization is set to disabled on Kubernetes clusters. The legacy authorizer in Kubernetes grants broad, statically defined permissions.

Default Service Accounts Should Not Be Used

Ensure Kubernetes cluster nodes do use the default service account. Kubernetes cluster nodes should use customized service accounts that have minimal privileges to run. This reduces the attack surface in the case of a malicious attack on the cluster.

Container-Optimized OS Should Be Enabled

Ensures all Kubernetes cluster nodes have Container-Optimized OS enabled. Container-Optimized OS is optimized to enhance node security. It is backed by a team at Google that can quickly patch it.

Cluster Should Have Limited Service Account Access

Ensures Kubernetes clusters are created with limited service account access scopes. Kubernetes service accounts should be limited in scope to the services necessary to operate the clusters.

Basic Authentication Should Be Disabled

Ensure basic authentication is set to disabled on Kubernetes clusters.

Automatic Node Upgrades Should Be Enabled

Ensures all Kubernetes cluster nodes have automatic upgrades enabled. Enabling automatic upgrades on nodes ensures that each node stays current with the latest version of the master branch, also ensuring that the latest security patches are installed to provide the most secure environment.

Automatic Node Repair Should Be Enabled

Ensures all Kubernetes cluster nodes have automatic repair enabled. When automatic repair on nodes is enabled, the Kubernetes engine performs health checks on all nodes, automatically repairing nodes that fail health checks. This ensures that the Kubernetes environment stays optimal.

Alias IP Ranges Should Be Enabled

Ensures all Kubernetes clusters have alias IP ranges enabled. Alias IP ranges allow users to assign ranges of internal IP addresses as alias to a network interface.

Kubernetes Node Pool Autoscaling Should Be Enabled

Ensure that node pool autoscaling is enabled

Kubernetes Boot Disk Should Be Encrypted With Customer Managed Keys

Ensure that boot disk on k8 node pools are encrypted with CMK

Integrity Monitoring Should Be Enabled For Kubernetes Node Pools

Ensure that kubernetes node pools have Integrity Monitoring enabled

Secure Boot Should Be Enabled For Kubernetes Node Pools

Ensure that kubernetes node pools have secure boot enabled

Shielded Nodes Should Be Used For Kubernetes Cluster

Ensure that shielded nodes are used in node pools

Autoscaling Profile For Clusters Should Be Set To Optimize_Utilization or Balanced

Ensure that cluster autoscaling profile is set to OPTIMIZE_UTILIZATION or BALANCED for optimal resource utilization

Cluster Master Endpoint Should Not Be Global.

Ensure that the endpoint of cluster master in not public

Latest Kubernetes Version Should Be Used.

Ensure that the kubernetes version is up to date