Profile applicability: Level 2
Enable VPC Flow Logs and Intranode Visibility to see pod-level traffic, including traffic that never leaves a worker node.
Enabling Intranode Visibility makes intranode pod-to-pod traffic visible to the VPC networking fabric. With this feature, VPC Flow Logs and other VPC features (firewall logging, Packet Mirroring) can be applied to intranode traffic, which is otherwise invisible to the VPC because it is switched locally on the node.
Note
By default, Intranode Visibility is disabled.

Impact

Enabling it on an existing cluster causes the cluster control plane (master) and the cluster nodes to restart, which might cause disruption.

Audit

Using Google Cloud Console:
  1. Go to Kubernetes Engine website.
  2. Select the desired cluster.
  3. Under the Cluster section, make sure that Intranode visibility is set to Enabled.
Using Command Line:
Run this command:
gcloud container clusters describe <cluster_name> --zone <compute_zone> --format json | jq '.networkConfig.enableIntraNodeVisibility'
For a regional cluster, use --region <compute_region> instead of --zone.
The result should return true if Intranode Visibility is enabled; any other result (false or null, because gcloud omits the field when it is not set) means it is disabled.

Remediation

Enable Intranode Visibility:

Using Google Cloud Console:
  1. Go to Kubernetes Engine website.
  2. Select Kubernetes clusters for which intranode visibility is disabled.
  3. Within the Details pane, under the Network section, click on the pencil icon named Edit intranode visibility.
  4. Check the box next to Enable Intranode visibility.
  5. Click SAVE CHANGES.
Using Command Line:
To enable intranode visibility on an existing cluster, run the following command:
gcloud container clusters update <cluster_name> --enable-intra-node-visibility

Enable VPC Flow Logs:

Using Google Cloud Console:
  1. Go to Kubernetes Engine website.
  2. Select Kubernetes clusters for which VPC Flow Logs are disabled.
  3. Select Nodes tab.
  4. Select Node Pool without VPC Flow Logs enabled.
  5. Select an Instance Group within the node pool.
  6. Select an Instance Group Member.
  7. Select the Subnetwork under Network Interfaces.
  8. Click EDIT.
  9. Set Flow logs to On.
  10. Click SAVE.
Using Command Line:
Find the subnetwork name associated with the cluster:
gcloud container clusters describe <cluster_name> --region <cluster_region> --format json | jq '.subnetwork'
Update the subnetwork to enable VPC Flow Logs:
gcloud compute networks subnets update <subnet_name> --region <cluster_region> --enable-flow-logs
Note that this enables flow logs for the whole subnetwork, not only for the cluster's nodes, and that subnets belonging to a Shared VPC must be updated in the host project.
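The audit and remediation steps above can be combined into a single script that checks both controls for one cluster and, on request, applies the two update commands. The following is an added example, not part of the benchmark or of Google's tooling. It assumes that gcloud is authenticated with permission to describe clusters and subnets, that the subnet is in the same project as the cluster (a Shared VPC subnet lives in the host project and would need --project), and that the field names enableIntraNodeVisibility, subnetwork and logConfig.enable appear in the JSON as current gcloud prints them. Parsing uses grep and sed rather than jq so it runs on a bare node, and the sample JSON at the bottom is constructed, not captured from a real project.

```shell
#!/bin/sh
# Audit (and optionally remediate) Intranode Visibility on a GKE cluster and
# VPC Flow Logs on the subnet the cluster uses. Added example; assumptions are
# listed in the text above.

# gcloud omits unset booleans from JSON output, so an absent field means disabled.
intra_node_enabled() {
  printf '%s\n' "$1" | grep -Eq '"enableIntraNodeVisibility": *true'
}

# Subnet describe output reports flow logs as logConfig.enable (older output
# also carries the legacy enableFlowLogs field); accept either key.
flow_logs_enabled() {
  printf '%s\n' "$1" | grep -Eq '"(enableFlowLogs|enable)": *true'
}

# .subnetwork is a bare name on some clusters and a full resource path on
# others; keep only the last path segment.
subnet_name_from_cluster() {
  printf '%s\n' "$1" | sed -n 's/.*"subnetwork": *"\([^"]*\)".*/\1/p' | head -n 1 | sed 's#.*/##'
}

# Subnets are regional: a zonal location such as us-central1-a maps to us-central1.
region_of() {
  printf '%s\n' "$1" | sed 's/-[a-z]$//'
}

# Evaluate both controls from already-fetched JSON. Prints one line per
# control and returns 1 if either is disabled.
evaluate() {
  cluster_json="$1"; subnet_json="$2"; rc=0
  subnet=$(subnet_name_from_cluster "$cluster_json")
  if intra_node_enabled "$cluster_json"; then
    echo "PASS intranode visibility enabled"
  else
    echo "FAIL intranode visibility disabled"; rc=1
  fi
  if flow_logs_enabled "$subnet_json"; then
    echo "PASS VPC flow logs enabled on subnet $subnet"
  else
    echo "FAIL VPC flow logs disabled on subnet $subnet"; rc=1
  fi
  return "$rc"
}

# Live run: audit_cluster NAME LOCATION [--fix]
# LOCATION is a zone for zonal clusters and a region for regional ones.
audit_cluster() {
  name="$1"; location="$2"; region=$(region_of "$location")
  cluster_json=$(gcloud container clusters describe "$name" --location "$location" --format json)
  subnet=$(subnet_name_from_cluster "$cluster_json")
  subnet_json=$(gcloud compute networks subnets describe "$subnet" --region "$region" --format json)
  evaluate "$cluster_json" "$subnet_json" && return 0
  [ "${3:-}" = "--fix" ] || return 1
  # Remediation as on this page. The cluster update restarts control plane and nodes.
  intra_node_enabled "$cluster_json" || \
    gcloud container clusters update "$name" --location "$location" --enable-intra-node-visibility
  flow_logs_enabled "$subnet_json" || \
    gcloud compute networks subnets update "$subnet" --region "$region" --enable-flow-logs
}

# Constructed sample output (not captured from a real project) for offline use.
SAMPLE_CLUSTER_OK='{ "name": "prod-gke", "location": "us-central1-a",
  "subnetwork": "projects/example-proj/regions/us-central1/subnetworks/prod-subnet",
  "networkConfig": { "enableIntraNodeVisibility": true } }'
SAMPLE_CLUSTER_BAD='{ "name": "dev-gke", "location": "us-central1-a",
  "subnetwork": "dev-subnet", "networkConfig": { "network": "projects/example-proj/global/networks/dev-vpc" } }'
SAMPLE_SUBNET_OK='{ "name": "prod-subnet", "logConfig": { "enable": true, "flowSampling": 0.5 } }'
SAMPLE_SUBNET_BAD='{ "name": "dev-subnet", "privateIpGoogleAccess": true }'

# With arguments run live against gcloud; with none, evaluate the samples.
if [ -n "${1:-}" ]; then
  audit_cluster "$@"
else
  evaluate "$SAMPLE_CLUSTER_OK" "$SAMPLE_SUBNET_OK"
  evaluate "$SAMPLE_CLUSTER_BAD" "$SAMPLE_SUBNET_BAD" || echo "dev-gke is non-compliant (expected for the sample)"
fi
```

Run it as `sh audit_intranode.sh <cluster_name> <zone_or_region>` to audit, and append `--fix` to apply the remediation; remember that the cluster update is disruptive (see Impact) and that enabling flow logs on the subnet affects every VM in that subnet, not just the cluster nodes.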