Ensure that the Integrity Monitoring feature is enabled for your Google Kubernetes Engine (GKE) cluster nodes in order to monitor and automatically check the runtime boot integrity of your shielded cluster nodes using the Google Cloud Monitoring service.
Integrity Monitoring enables monitoring and attestation of the boot integrity for your GKE cluster nodes. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the cluster node is created. To protect your application data and ensure that the boot loader on your GKE cluster nodes remains untampered, it is strongly recommended to enable Integrity Monitoring for all cluster nodes.
Audit
To determine if the Integrity Monitoring feature is enabled for all your GKE cluster nodes, perform the following operations:
Remediation / Resolution
To enable the Integrity Monitoring feature for your Google Kubernetes Engine (GKE) cluster nodes, you have to re-create the existing cluster node pools with the appropriate monitoring configuration by performing the following operations:
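The check below is an added example, not part of this page or of Google's tooling: a POSIX sh helper that evaluates the per-node-pool Integrity Monitoring flag exactly as gcloud reports it, run here against a constructed sample listing instead of a live call; the cluster and location names in the comments are placeholders.

```shell
#!/bin/sh
# Added audit helper (not from the Conformity rule page). It consumes the
# tab-separated output of
#   gcloud container node-pools list --cluster CLUSTER --location LOCATION \
#     --format="value(name,config.shieldedInstanceConfig.enableIntegrityMonitoring)"
# gcloud prints "True" when Integrity Monitoring is on, and an empty field when
# the node pool is not a Shielded node pool or the setting is absent.

# Return 0 when one pool's reported value means "enabled", 1 otherwise.
integrity_monitoring_enabled() {
  case "$1" in
    [Tt]rue) return 0 ;;
    *) return 1 ;;
  esac
}

# Read "name<TAB>value" lines on stdin, print every non-compliant pool name,
# and return 1 if at least one pool lacks Integrity Monitoring, else 0.
find_unmonitored_pools() {
  rc=0
  while IFS="$(printf '\t')" read -r name enabled; do
    [ -n "$name" ] || continue
    if ! integrity_monitoring_enabled "$enabled"; then
      echo "$name"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample standing in for real gcloud output: one compliant pool,
# one pool with the field empty, one with the setting explicitly false.
SAMPLE_POOLS="$(printf 'default-pool\tTrue\nlegacy-pool\t\nbatch-pool\tFalse\n')"

# Live use (not executed here):
#   gcloud container node-pools list --cluster "$CLUSTER" --location "$LOCATION" \
#     --format="value(name,config.shieldedInstanceConfig.enableIntegrityMonitoring)" \
#     | find_unmonitored_pools
# Remediation, as the page describes, is to re-create each flagged pool with
# Shielded options enabled, e.g.
#   gcloud container node-pools create NEW_POOL --cluster "$CLUSTER" \
#     --location "$LOCATION" --shielded-secure-boot --shielded-integrity-monitoring
# and then delete the old pool once workloads have drained onto the new one.
```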
References
- Google Cloud Platform (GCP) Documentation
  - Google Kubernetes Engine
  - Harden your cluster's security
  - Using Shielded GKE Nodes
- GCP Command Line Interface (CLI) Documentation
  - gcloud projects list
  - gcloud container clusters list
  - gcloud container node-pools list
  - gcloud container node-pools describe
  - gcloud container node-pools create
  - gcloud container node-pools delete
Enable Integrity Monitoring for Cluster Nodes
Risk Level: Medium