5.7.1 Ensure Stackdriver Kubernetes Logging and Monitoring is Enabled - monitoringService

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

Send logs and metrics to a remote aggregator to mitigate the risk of local tampering in the event of a breach.

Rationale:

Exporting logs and metrics to a dedicated, persistent datastore such as Stackdriver ensures availability of audit data following a cluster security event, and provides a central location for analysis of log and metric data collated from multiple sources.

Currently, there are two mutually exclusive variants of Stackdriver available for use with GKE clusters: Legacy Stackdriver Support and Stackdriver Kubernetes Engine Monitoring Support.

Although Stackdriver Kubernetes Engine Monitoring is the preferred option and is available starting with GKE versions 1.12.7 and 1.13, Legacy Stackdriver remains the default option up through GKE version 1.13. The use of either of these services is sufficient to pass the benchmark recommendation.

However, note that as Legacy Stackdriver Support is not getting any improvements and lacks features present in Stackdriver Kubernetes Engine Monitoring, Legacy Stackdriver Support may be deprecated in favour of Stackdriver Kubernetes Engine Monitoring Support in future versions of this benchmark.

Solution

Using Google Cloud Console

STACKDRIVER KUBERNETES ENGINE MONITORING SUPPORT (PREFERRED):

Go to Kubernetes Engine by visiting https://console.cloud.google.com/kubernetes/list

Select Kubernetes clusters for which Stackdriver Kubernetes Engine Monitoring is disabled

Click on EDIT

Set 'Stackdriver Kubernetes Engine Monitoring' to 'Enabled'

Click SAVE.

LEGACY STACKDRIVER SUPPORT:

Both Logging and Monitoring support must be enabled.
For Logging:

Go to Kubernetes Engine by visiting https://console.cloud.google.com/kubernetes/list

Select Kubernetes clusters for which logging is disabled

Click on EDIT

Set 'Legacy Stackdriver Logging' to 'Enabled'

Click SAVE.

For Monitoring:

Go to Kubernetes Engine by visiting https://console.cloud.google.com/kubernetes/list

Select Kubernetes clusters for which monitoring is disabled

Click on EDIT

Set 'Legacy Stackdriver Monitoring' to 'Enabled'

Click SAVE.

Using Command Line

STACKDRIVER KUBERNETES ENGINE MONITORING SUPPORT (PREFERRED):

To enable Stackdriver Kubernetes Engine Monitoring for an existing cluster, run the following command:

gcloud container clusters update [CLUSTER_NAME] \
--zone [COMPUTE_ZONE] \
--enable-stackdriver-kubernetes

LEGACY STACKDRIVER SUPPORT:

Both Logging and Monitoring support must be enabled.
To enable Legacy Stackdriver Logging for an existing cluster, run the following command:

gcloud container clusters update [CLUSTER_NAME] --zone [COMPUTE_ZONE] --logging-service logging.googleapis.com

To enable Legacy Stackdriver Monitoring for an existing cluster, run the following command:

gcloud container clusters update [CLUSTER_NAME] --zone [COMPUTE_ZONE] --monitoring-service monitoring.googleapis.com
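The commands above remediate one cluster at a time; an auditor also needs a way to tell, across every cluster in a project, which of the two accepted configurations is in effect and which clusters have logging or monitoring disabled. The POSIX shell script below is an added example for that audit and is not part of the CIS benchmark text or of the gcloud tool. It reads the tab-separated output that `gcloud container clusters list --format="value(name,loggingService,monitoringService)"` produces, classifies each cluster as Stackdriver Kubernetes Engine Monitoring (service names ending in `/kubernetes`, as the GKE API reports them), Legacy Stackdriver (the bare `logging.googleapis.com` and `monitoring.googleapis.com` names from the commands above, both required), or a failure (`none` or a mixed setting). The cluster names and listing in `sample_listing` are constructed for the demonstration, not real clusters.

```shell
#!/bin/sh
# Added audit helper for CIS GKE 5.7.1; not part of the benchmark or of gcloud.
# Input format: one cluster per line, fields separated by tabs:
#   <name>\t<loggingService>\t<monitoringService>
# This is exactly what this (real) gcloud invocation prints:
#   gcloud container clusters list \
#     --format="value(name,loggingService,monitoringService)"

# classify_cluster LOGGING_SERVICE MONITORING_SERVICE
# Prints PASS-kubernetes, PASS-legacy or FAIL; returns 0 on pass, 1 on fail.
classify_cluster() {
  logging="$1"
  monitoring="$2"
  # The comma is a safe separator: GKE service names contain none.
  case "$logging,$monitoring" in
    logging.googleapis.com/kubernetes,monitoring.googleapis.com/kubernetes)
      echo "PASS-kubernetes"; return 0 ;;
    logging.googleapis.com,monitoring.googleapis.com)
      # Legacy Stackdriver passes only when BOTH logging and monitoring are on.
      echo "PASS-legacy"; return 0 ;;
    *)
      # "none" on either side, or a mixed legacy/kubernetes setting, fails.
      echo "FAIL"; return 1 ;;
  esac
}

# audit_listing: reads the tab-separated listing on stdin, prints
# "<name>\t<verdict>" per cluster, returns 1 if any cluster fails.
audit_listing() {
  failures=0
  tab=$(printf '\t')
  while IFS="$tab" read -r name logging monitoring; do
    [ -n "$name" ] || continue
    # The assignment's exit status is classify_cluster's; "if" keeps it
    # from aborting the loop when "set -e" is in effect.
    if result=$(classify_cluster "$logging" "$monitoring"); then
      :
    else
      failures=$((failures + 1))
    fi
    printf '%s\t%s\n' "$name" "$result"
  done
  [ "$failures" -eq 0 ]
}

# Constructed sample listing (hypothetical cluster names, not real output).
sample_listing() {
  printf 'prod-east\tlogging.googleapis.com/kubernetes\tmonitoring.googleapis.com/kubernetes\n'
  printf 'legacy-west\tlogging.googleapis.com\tmonitoring.googleapis.com\n'
  printf 'dev-scratch\tnone\tnone\n'
  printf 'half-configured\tlogging.googleapis.com\tnone\n'
}

# Usage: "./audit.sh --live" audits the clusters gcloud can see in the active
# project; with no argument it runs against the constructed sample.
if [ "${1:-}" = "--live" ]; then
  gcloud container clusters list \
    --format="value(name,loggingService,monitoringService)" | audit_listing
else
  sample_listing | audit_listing || echo "one or more clusters fail 5.7.1"
fi
```

Against the sample, `prod-east` and `legacy-west` pass and the other two fail; `half-configured` fails even though its logging is on, because the benchmark requires both Legacy Stackdriver services. Add `--project` to the gcloud call to audit projects other than the active one.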

Impact:

Stackdriver Kubernetes Engine Monitoring and Legacy Stackdriver are incompatible because they have different data models. To move from Legacy Stackdriver to Stackdriver Kubernetes Engine Monitoring, you must manually change a number of your Stackdriver artifacts, including alerting policies, group filters, and log queries. See https://cloud.google.com/monitoring/kubernetes-engine/migration.

Default Value:

Stackdriver Kubernetes Engine monitoring is enabled by default starting in GKE version 1.14; Legacy Stackdriver Logging and Monitoring support is enabled by default for earlier versions.

See Also

https://workbench.cisecurity.org/files/2764