Profile applicability: Level 1
Send logs and metrics to a remote aggregator to mitigate the risk of local tampering in the event of a breach.
Exporting logs and metrics to a dedicated, persistent datastore such as Cloud Operations for GKE ensures availability of audit data following a cluster security event, and provides a central location for analysis of log and metric data collated from multiple sources.
Note
Logging and Cloud Monitoring is enabled by default starting in GKE version 1.14; Legacy Logging and Monitoring support is enabled by default for earlier versions.

Impact

Audit

Using Google Cloud Console:
LOGGING AND CLOUD MONITORING SUPPORT (PREFERRED):
  1. Go to Kubernetes Engine website.
  2. From the list of clusters, click on the cluster of interest.
  3. Under the details pane, within the Features section, ensure that Logging is Enabled.
  4. Also ensure that Cloud Monitoring is Enabled.
LEGACY STACKDRIVER SUPPORT:
This option cannot be checked in the GCP console.
Using Command Line:
LOGGING AND CLOUD MONITORING SUPPORT (PREFERRED):
Run the following commands:
gcloud container clusters describe <cluster_name> --zone <compute_zone> --format json | jq '.loggingService'
gcloud container clusters describe <cluster_name> --zone <compute_zone> --format json | jq '.monitoringService'
The output of the above commands should return logging.googleapis.com/kubernetes and monitoring.googleapis.com/kubernetes respectively if Logging and Cloud Monitoring are enabled.
LEGACY STACKDRIVER SUPPORT:
Note
This functionality was decommissioned on 31st March 2021 and is kept here for posterity (see Google documentation for more information).
Both Logging and Monitoring support must be enabled. For Logging, run the following command:
gcloud container clusters describe <cluster_name> --zone <compute_zone> --format json | jq '.loggingService'
The output should return logging.googleapis.com if Legacy Stackdriver Logging is enabled. For Monitoring, run the following command:
gcloud container clusters describe <cluster_name> --zone <compute_zone> --format json | jq '.monitoringService'
The output should return monitoring.googleapis.com if Legacy Stackdriver Monitoring is enabled.
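The two audit commands above leave it to the reader to compare the jq output against the expected values. The following script is an added example, not part of the benchmark text, that evaluates the JSON produced by gcloud container clusters describe --format json offline: it classifies loggingService and monitoringService as preferred, legacy (decommissioned Stackdriver), disabled, or unknown, reports the cluster as compliant only when both point at the Cloud Operations for GKE integration, and suggests the matching update command. The sample cluster documents are constructed; the component names SYSTEM and WORKLOAD in the suggested commands are an assumption drawn from common usage, not from this page.

```python
import json

# Values reported for the preferred Cloud Operations for GKE integration.
PREFERRED_LOGGING = "logging.googleapis.com/kubernetes"
PREFERRED_MONITORING = "monitoring.googleapis.com/kubernetes"
# Values reported by the Legacy Stackdriver integration (decommissioned 31 March 2021).
LEGACY_LOGGING = "logging.googleapis.com"
LEGACY_MONITORING = "monitoring.googleapis.com"
# gcloud reports "none" (or omits the field) when a service is disabled.
DISABLED_VALUES = (None, "", "none")


def classify(value, preferred, legacy):
    """Map a loggingService/monitoringService value to a status string."""
    if value in DISABLED_VALUES:
        return "disabled"
    if value == preferred:
        return "preferred"
    if value == legacy:
        return "legacy"
    return "unknown"


def audit_cluster(describe_json, zone="<compute_zone>"):
    """Evaluate one cluster document from `gcloud container clusters describe ... --format json`.

    Returns per-service status, an overall compliant flag (True only when both
    services use the preferred integration), and the remediation commands
    from the benchmark for any service that is not compliant.
    """
    cluster = json.loads(describe_json)
    name = cluster.get("name", "<cluster_name>")
    logging_status = classify(cluster.get("loggingService"), PREFERRED_LOGGING, LEGACY_LOGGING)
    monitoring_status = classify(cluster.get("monitoringService"), PREFERRED_MONITORING, LEGACY_MONITORING)

    remediation = []
    if logging_status != "preferred":
        # Assumed component list; check Google documentation for the full set.
        remediation.append(
            f"gcloud container clusters update {name} --zone {zone} --logging=SYSTEM,WORKLOAD"
        )
    if monitoring_status != "preferred":
        remediation.append(
            f"gcloud container clusters update {name} --zone {zone} --monitoring=SYSTEM"
        )

    return {
        "name": name,
        "logging": logging_status,
        "monitoring": monitoring_status,
        "compliant": logging_status == "preferred" and monitoring_status == "preferred",
        "remediation": remediation,
    }


# Constructed sample documents (trimmed to the fields the audit reads).
SAMPLE_COMPLIANT = json.dumps({
    "name": "prod-cluster",
    "loggingService": PREFERRED_LOGGING,
    "monitoringService": PREFERRED_MONITORING,
})
SAMPLE_DISABLED = json.dumps({
    "name": "dev-cluster",
    "loggingService": "none",
    "monitoringService": "none",
})
SAMPLE_LEGACY = json.dumps({
    "name": "old-cluster",
    "loggingService": LEGACY_LOGGING,
    "monitoringService": LEGACY_MONITORING,
})


if __name__ == "__main__":
    for doc in (SAMPLE_COMPLIANT, SAMPLE_DISABLED, SAMPLE_LEGACY):
        result = audit_cluster(doc, zone="us-central1-a")
        state = "PASS" if result["compliant"] else "FAIL"
        print(f"{state} {result['name']}: logging={result['logging']} monitoring={result['monitoring']}")
        for cmd in result["remediation"]:
            print(f"    remediate: {cmd}")
```

In practice, pipe the real describe output into audit_cluster (for example via sys.stdin) instead of the constructed samples; a "legacy" status should be treated as a failure, since that integration no longer ships data anywhere.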

Remediation

Using Google Cloud Console:
To enable Logging:
  1. Go to Kubernetes Engine website.
  2. Select the cluster for which Logging is disabled.
  3. Under the details pane, within the Features section, click on the pencil icon named Edit logging.
  4. Check the box next to Enable Logging.
  5. In the drop-down Components box, select the components to be logged.
  6. Click SAVE CHANGES, and wait for the cluster to update.
To enable Cloud Monitoring:
  1. Go to Kubernetes Engine website.
  2. Select the cluster for which Cloud Monitoring is disabled.
  3. Under the details pane, within the Features section, click on the pencil icon named Edit Cloud Monitoring.
  4. Check the box next to Enable Cloud Monitoring.
  5. In the drop-down Components box, select the components to be monitored.
  6. Click SAVE CHANGES, and wait for the cluster to update.
Using Command Line:
To enable Logging for an existing cluster, run the following command:
gcloud container clusters update <cluster_name> --zone <compute_zone> --logging=<components_to_be_logged>
Note
See Google documentation for a list of available components for logging.
To enable Cloud Monitoring for an existing cluster, run the following command:
gcloud container clusters update <cluster_name> --zone <compute_zone> --monitoring=<components_to_be_monitored>
Note
See Google documentation for a list of available components for Cloud Monitoring.