GCP Kubernetes Monitoring

Your number of Lambda can grow pretty fast - and so could be your painpoints.

What we do?

Dashboard Disabled

Ensures all Kubernetes clusters have the web dashboard disabled. It is recommended to disable the web dashboard because it is backed by a highly privileged service account.

Addresses: Security

Additional Reading:

Private Endpoint

Ensures the private endpoint setting is enabled for kubernetes clusters. Kubernetes private endpoints can be used to route all traffic between the Kubernetes worker and control plane nodes over a private VPC endpoint rather than across the public internet.

Addresses: Security

Additional Reading:

Private Cluster Enabled

Ensures private cluster is enabled for all Kubernetes clusters. Kubernetes private clusters only have internal ip ranges, which ensures that their workloads are isolated from the public internet.

Addresses: Security

Additional Reading:

Pod Security Policy Enabled

Ensures pod security policy is enabled for all Kubernetes clusters. Kubernetes pod security policy is a resource that controls security sensitive aspects of the pod configuration.

Addresses: Security

Additional Reading:

Network Policy Enabled

Ensures all Kubernetes clusters have network policy enabled. Kubernetes network policy creates isolation between cluster pods, this creates a more secure environment with only specified connections allowed.

Addresses: Security

Additional Reading:

Monitoring Enabled

Ensures all Kubernetes clusters have monitoring enabled.

Addresses: Security, Operational maturity

Additional Reading:

Master Authorized Network

Ensures master authorized networks is set to enabled on Kubernetes clusters

Addresses: Security

Additional Reading:

Logging Enabled

Ensures all Kubernetes clusters have logging enabled. This setting should be enabled to ensure Kubernetes control plane logs are properly recorded.

Addresses: Security

Additional Reading:

Legacy Authorization Disabled

Ensure legacy authorization is set to disabled on Kubernetes clusters. The legacy authorizer in Kubernetes grants broad, statically defined permissions.

Addresses: Security

Additional Reading:

Default Service Account

Ensure Kubernetes cluster nodes do use the default service account. Kubernetes cluster nodes should use customized service accounts that have minimal privileges to run. This reduces the attack surface in the case of a malicious attack on the cluster.

Addresses: Security

Additional Reading:

COS Image Enabled

Ensures all Kubernetes cluster nodes have Container-Optimized OS enabled. Container-Optimized OS is optimized to enhance node security. It is backed by a team at Google that can quickly patch it.

Addresses: Security

Additional Reading:

Cluster Least Privilege

Ensures Kubernetes clusters are created with limited service account access scopes. Kubernetes service accounts should be limited in scope to the services necessary to operate the clusters.

Addresses: Security

Additional Reading:

Basic Authentication Disabled

Ensure basic authentication is set to disabled on Kubernetes clusters.

Addresses: Security

Additional Reading:

Automatic Node Upgrades Enabled

Ensures all Kubernetes cluster nodes have automatic upgrades enabled. Enabling automatic upgrades on nodes ensures that each node stays current with the latest version of the master branch, also ensuring that the latest security patches are installed to provide the most secure environment.

Addresses: Security

Additional Reading:

Automatic Node Repair Enabled

Ensures all Kubernetes cluster nodes have automatic repair enabled. When automatic repair on nodes is enabled, the Kubernetes engine performs health checks on all nodes, automatically repairing nodes that fail health checks. This ensures that the Kubernetes environment stays optimal.

Addresses: Security

Additional Reading:

Alias IP Ranges Enabled

Ensures all Kubernetes clusters have alias IP ranges enabled. Alias IP ranges allow users to assign ranges of internal IP addresses as alias to a network interface.

Addresses: Security

Additional Reading: