🛡️ Google GKE Cluster Monitoring is not enabled🟢

• Contextual name: 🛡️ Cluster Monitoring is not enabled🟢
• ID: /ce/ca/google/gke/cluster-monitoring
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY, RELIABILITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 Google GKE Cluster
  • 🔌 Google GKE Cluster - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

This policy ensures that Cloud Monitoring is enabled for all Google Kubernetes Engine (GKE) clusters. Cloud Monitoring collects metrics, events, and metadata from your clusters, providing visibility into cluster performance, uptime, and overall health.

Rationale

Enabling Cloud Monitoring allows you to track resource utilization, troubleshoot issues, and set up alerts for abnormal behavior. Without monitoring, you lack the necessary visibility to diagnose problems, optimize performance, or respond effectively to security incidents.

Audit

This policy marks a Google GKE Cluster as INCOMPLIANT if Monitoring Service is not set to monitoring.googleapis.com/kubernetes.

Default Value

Cloud Monitoring is enabled by default starting in GKE version 1.14; Legacy Logging and Monitoring support is enabled by default for earlier versions.

References

1. https://cloud.google.com/stackdriver/docs/solutions/gke/observing
2. https://cloud.google.com/stackdriver/docs/solutions/gke/managing-logs
3. https://cloud.google.com/stackdriver/docs/solutions/gke/installing

... see more

Remediation

Open File

Remediation

To ensure visibility into cluster performance, uptime, and overall health, Cloud Monitoring should be enabled for GKE clusters.

Enable Cloud Monitoring on an Existing Cluster

From gcloud CLI

```sh
gcloud container clusters update {{cluster-name}} \
    --location {{location}} \
    --monitoring=SYSTEM,API_SERVER,POD
```

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS GKE v1.8.0 → 💼 5.7.1 Ensure Logging and Cloud Monitoring is Enabled (Automated)			2		no data
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration			65		no data
💼 PCI DSS v3.2.1 → 💼 10.1 Implement audit trails to link all access to system components to each individual user.		4	7		no data
💼 PCI DSS v3.2.1 → 💼 10.2 Implement automated audit trails for all system components.	7	6	28		no data
💼 PCI DSS v4.0.1 → 💼 10.2.1 Audit logs are enabled and active for all system components and cardholder data.	7		27		no data
💼 PCI DSS v4.0 → 💼 10.2.1 Audit logs are enabled and active for all system components and cardholder data.	7	1	27		no data