lacework-global-769
Enable Integrity Monitoring for Shielded Google Kubernetes Engine (GKE) Nodes (Automated)
Description
Enable Integrity Monitoring for Shielded GKE Nodes to ensure notification of inconsistencies during the node boot sequence.
Remediation
After provisioning a Node pool, it is not possible to enable Integrity Monitoring.
You must create new Node pools within the cluster with Integrity Monitoring enabled.
Using Google Cloud Console:
- Go to Kubernetes Engine by visiting: https://console.cloud.google.com/kubernetes/list.
- From the list of clusters, click the cluster requiring the update and click Add Node Pool.
- Select Integrity monitoring under the Shielded options heading.
- Click Save.
You must migrate workloads from existing non-conforming Node pools to the newly created Node pool, then delete the non-conforming pools.
Using Command Line:
To create a Node pool within the cluster with Integrity Monitoring enabled, run the following command:
gcloud container node-pools create <node_pool_name> --cluster <cluster_name> --zone <compute_zone> --shielded-integrity-monitoring
You must migrate workloads from existing non-conforming Node pools to the newly created Node pool, then delete the non-conforming pools.
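Before creating replacement pools it helps to know which existing pools are non-conforming. The following audit script is an added example, not Lacework's or Google's code; it assumes the JSON produced by gcloud container node-pools list --cluster <cluster_name> --zone <compute_zone> --format=json follows the GKE API NodePool resource, where the relevant field is config.shieldedInstanceConfig.enableIntegrityMonitoring, and it works on a constructed sample embedded inline.

```python
import json
from typing import List

# Constructed sample of `gcloud container node-pools list ... --format=json`
# output (assumption: same shape as the GKE API NodePool resource).
SAMPLE_NODE_POOLS_JSON = """
[
  {"name": "default-pool",
   "config": {"machineType": "e2-medium",
              "shieldedInstanceConfig": {"enableSecureBoot": false}}},
  {"name": "legacy-pool",
   "config": {"machineType": "n1-standard-2"}},
  {"name": "shielded-pool",
   "config": {"machineType": "e2-standard-4",
              "shieldedInstanceConfig": {"enableSecureBoot": true,
                                         "enableIntegrityMonitoring": true}}}
]
"""


def integrity_monitoring_enabled(pool: dict) -> bool:
    """True only when the pool explicitly has Integrity Monitoring enabled.

    A missing shieldedInstanceConfig or a missing flag is treated as
    non-conforming, so the audit fails closed rather than open.
    """
    shielded = pool.get("config", {}).get("shieldedInstanceConfig") or {}
    return shielded.get("enableIntegrityMonitoring") is True


def non_conforming_pools(node_pools_json: str) -> List[str]:
    """Return the names of node pools lacking Integrity Monitoring."""
    pools = json.loads(node_pools_json)
    return [p["name"] for p in pools if not integrity_monitoring_enabled(p)]


def remediation_command(cluster: str, zone: str, new_pool: str) -> str:
    """Build the create command from the Remediation section for a new pool."""
    return (f"gcloud container node-pools create {new_pool} "
            f"--cluster {cluster} --zone {zone} --shielded-integrity-monitoring")


if __name__ == "__main__":
    for name in non_conforming_pools(SAMPLE_NODE_POOLS_JSON):
        print(f"non-conforming: {name}")
        # Placeholder names: replace with the real cluster, zone and pool name.
        print("  replace with:", remediation_command("<cluster_name>", "<compute_zone>", f"{name}-shielded"))
```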
References
https://cloud.google.com/kubernetes-engine/docs/how-to/shielded-gke-nodes
https://cloud.google.com/compute/shielded-vm/docs/integrity-monitoring