Profile applicability: Level 1
Enable Integrity Monitoring for Shielded GKE Nodes to be notified of inconsistencies
during the node boot sequence.
Integrity Monitoring provides active alerting for Shielded GKE nodes which allows
administrators to respond to integrity failures and prevent compromised nodes from
being deployed into the cluster.
Note: Integrity Monitoring is disabled by default on GKE clusters. Integrity Monitoring
is enabled by default for Shielded GKE Nodes; however, if Secure Boot is enabled at
creation time, Integrity Monitoring is disabled.
Audit
Using Google Cloud Console:
- Go to Kubernetes Engine website.
- From the list of clusters, click on the name of the cluster under test.
- Open the Details pane for each Node pool within the cluster, and ensure that Integrity
monitoring is set to Enabled under the Security heading.
Using Command Line:
To check if Integrity Monitoring is enabled for the Node pools in the cluster, run
the following command for each Node pool:
gcloud container node-pools describe <node_pool_name> --cluster <cluster_name> --zone <compute_zone> --format json | jq .config.shieldedInstanceConfig
This will return the following, if Integrity Monitoring is enabled:
{ "enableIntegrityMonitoring": true }
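The same check, scripted across every Node pool of a cluster instead of one describe call per pool. This is an added example and not part of the benchmark; it assumes gcloud is installed and authenticated when run against a live cluster, and it treats a missing shieldedInstanceConfig block as "not enabled", since only an explicit true satisfies the recommendation. The node pool names and JSON below are constructed sample data.

```python
"""Audit helper: flag GKE node pools without Integrity Monitoring enabled."""
import json
import subprocess
from typing import Any


def integrity_monitoring_enabled(pool: dict[str, Any]) -> bool:
    """True only when the pool's Shielded config explicitly enables Integrity
    Monitoring. A missing shieldedInstanceConfig or enableIntegrityMonitoring
    key counts as disabled, and so does a non-boolean value such as "true"."""
    shielded = pool.get("config", {}).get("shieldedInstanceConfig") or {}
    return shielded.get("enableIntegrityMonitoring") is True


def noncompliant_pools(pools: list[dict[str, Any]]) -> list[str]:
    """Names of the node pools that fail the check, in the order listed."""
    return [p["name"] for p in pools if not integrity_monitoring_enabled(p)]


def list_node_pools(cluster: str, zone: str) -> list[dict[str, Any]]:
    """Fetch every node pool of one cluster as the JSON gcloud prints.
    Same fields as `node-pools describe`, but one call covers all pools."""
    out = subprocess.run(
        ["gcloud", "container", "node-pools", "list",
         "--cluster", cluster, "--zone", zone, "--format", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


# Constructed sample in the shape of `gcloud container node-pools list --format json`.
SAMPLE_POOLS = [
    {"name": "default-pool",
     "config": {"shieldedInstanceConfig": {"enableIntegrityMonitoring": True}}},
    {"name": "legacy-pool",
     "config": {"shieldedInstanceConfig": {"enableSecureBoot": True}}},
    {"name": "old-pool", "config": {"machineType": "e2-standard-4"}},
]

if __name__ == "__main__":
    import sys
    # Usage: python audit_integrity_monitoring.py <cluster_name> <compute_zone>
    # Without arguments the constructed sample is audited instead of a live cluster.
    pools = list_node_pools(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else SAMPLE_POOLS
    failing = noncompliant_pools(pools)
    for name in failing:
        print(f"FAIL: node pool {name} does not have Integrity Monitoring enabled")
    sys.exit(1 if failing else 0)
```

A non-zero exit status makes the script usable as a gate in a CI or scheduled compliance job.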
Remediation
Once a Node pool is provisioned, it cannot be updated to enable Integrity Monitoring.
New Node pools must be created within the cluster with Integrity Monitoring enabled.
Using Google Cloud Console:
- Go to Kubernetes Engine website.
- From the list of clusters, click on the cluster requiring the update and click ADD NODE POOL.
- Ensure that the 'Integrity monitoring' checkbox is checked under the Shielded options heading.
- Click SAVE.
Workloads from existing non-conforming Node pools will need to be migrated to the
newly created Node pool; the non-conforming Node pools can then be deleted to complete the remediation.
Using Command Line:
To create a Node pool within the cluster with Integrity Monitoring enabled, run the
following command:
gcloud container node-pools create <node_pool_name> --cluster <cluster_name> --zone <compute_zone> --shielded-integrity-monitoring
Workloads from existing non-conforming Node pools will need to be migrated to the
newly created Node pool; the non-conforming Node pools can then be deleted to complete the remediation.