Send logs and metrics to a remote aggregator to mitigate the risk of local tampering in the event of a breach.

Rationale: Exporting logs and metrics to a dedicated, persistent datastore such as Stackdriver ensures availability of audit data following a cluster security event, and provides a central location for analysis of log and metric data collated from multiple sources. Currently, there are two mutually exclusive variants of Stackdriver available for use with GKE clusters: Legacy Stackdriver Support and Stackdriver Kubernetes Engine Monitoring Support. Although Stackdriver Kubernetes Engine Monitoring is the preferred option starting with GKE versions 1.12.7 and 1.13, Legacy Stackdriver remains the default option up through GKE version 1.13. The use of either of these services is sufficient to pass the benchmark recommendation. However, note that because Legacy Stackdriver Support is not receiving any improvements and lacks features present in Stackdriver Kubernetes Engine Monitoring, Legacy Stackdriver Support may be deprecated in favour of Stackdriver Kubernetes Engine Monitoring Support in future versions of this benchmark.
Solution
Using Google Cloud Console

STACKDRIVER KUBERNETES ENGINE MONITORING SUPPORT (PREFERRED):
1. Go to Kubernetes Engine by visiting https://console.cloud.google.com/kubernetes/list
2. Select Kubernetes clusters for which Stackdriver Kubernetes Engine Monitoring is disabled
3. Click on EDIT
4. Set 'Stackdriver Kubernetes Engine Monitoring' to 'Enabled'
5. Click SAVE

LEGACY STACKDRIVER SUPPORT: Both Logging and Monitoring support must be enabled.

For Logging:
1. Go to Kubernetes Engine by visiting https://console.cloud.google.com/kubernetes/list
2. Select Kubernetes clusters for which logging is disabled
3. Click on EDIT
4. Set 'Legacy Stackdriver Logging' to 'Enabled'
5. Click SAVE

For Monitoring:
1. Go to Kubernetes Engine by visiting https://console.cloud.google.com/kubernetes/list
2. Select Kubernetes clusters for which monitoring is disabled
3. Click on EDIT
4. Set 'Legacy Stackdriver Monitoring' to 'Enabled'
5. Click SAVE

Using Command Line

STACKDRIVER KUBERNETES ENGINE MONITORING SUPPORT (PREFERRED):
To enable Stackdriver Kubernetes Engine Monitoring for an existing cluster, run the following command:

    gcloud container clusters update [CLUSTER_NAME] \
      --zone [COMPUTE_ZONE] \
      --enable-stackdriver-kubernetes

LEGACY STACKDRIVER SUPPORT: Both Logging and Monitoring support must be enabled.

To enable Legacy Stackdriver Logging for an existing cluster, run the following command:

    gcloud container clusters update [CLUSTER_NAME] \
      --zone [COMPUTE_ZONE] \
      --logging-service logging.googleapis.com

To enable Legacy Stackdriver Monitoring for an existing cluster, run the following command:

    gcloud container clusters update [CLUSTER_NAME] \
      --zone [COMPUTE_ZONE] \
      --monitoring-service monitoring.googleapis.com

Impact: Stackdriver Kubernetes Engine Monitoring and Legacy Stackdriver are incompatible because they have different data models. To move from Legacy Stackdriver to Stackdriver Kubernetes Engine Monitoring, you must manually change a number of your Stackdriver artifacts, including alerting policies, group filters, and log queries. See https://cloud.google.com/monitoring/kubernetes-engine/migration.

Default Value: Stackdriver Kubernetes Engine Monitoring is enabled by default starting in GKE version 1.14; Legacy Stackdriver Logging and Monitoring support is enabled by default for earlier versions.
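An added audit helper, not part of the benchmark text, that classifies each cluster from the loggingService and monitoringService values reported by gcloud and flags any cluster that would fail this recommendation. It assumes the standard GKE service strings (logging.googleapis.com/kubernetes and monitoring.googleapis.com/kubernetes for Stackdriver Kubernetes Engine Monitoring, logging.googleapis.com and monitoring.googleapis.com for Legacy Stackdriver, none when disabled); the sample cluster list at the bottom is constructed, and the cluster names in it are hypothetical.

```shell
#!/bin/sh
# Classify one cluster from its loggingService / monitoringService values.
# Prints one of: skem (Stackdriver Kubernetes Engine Monitoring, preferred),
# legacy (Legacy Stackdriver Logging + Monitoring), fail (anything else,
# including "none" or a mixed pair, which GKE does not allow anyway).
classify_stackdriver() {
  logging="$1"; monitoring="$2"
  case "$logging:$monitoring" in
    logging.googleapis.com/kubernetes:monitoring.googleapis.com/kubernetes) echo skem ;;
    logging.googleapis.com:monitoring.googleapis.com) echo legacy ;;
    *) echo fail ;;
  esac
}

# Print the remediation command from this recommendation for a failing cluster.
remediation_command() {
  printf 'gcloud container clusters update %s --zone %s --enable-stackdriver-kubernetes\n' "$1" "$2"
}

# Read tab-separated "name<TAB>loggingService<TAB>monitoringService" lines,
# the shape produced by:
#   gcloud container clusters list --format='value(name,loggingService,monitoringService)'
# Print "name<TAB>verdict" per cluster; return 1 if any cluster fails.
audit_clusters() {
  rc=0
  while IFS="$(printf '\t')" read -r name logging monitoring; do
    [ -n "$name" ] || continue
    verdict=$(classify_stackdriver "$logging" "$monitoring")
    printf '%s\t%s\n' "$name" "$verdict"
    [ "$verdict" = fail ] && rc=1
  done
  return $rc
}

# Constructed sample list (hypothetical cluster names) standing in for gcloud output.
sample_clusters() {
  printf 'prod-a\tlogging.googleapis.com/kubernetes\tmonitoring.googleapis.com/kubernetes\n'
  printf 'prod-b\tlogging.googleapis.com\tmonitoring.googleapis.com\n'
  printf 'dev-c\tnone\tnone\n'
}

# Usage against the sample (replace sample_clusters with the gcloud list command above):
#   sample_clusters | audit_clusters || echo "at least one cluster fails this recommendation"
#   remediation_command dev-c us-central1-a
```

The verdicts match the benchmark's pass rule: skem and legacy both pass, and only fail needs the remediation command.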