Ensure that logging is enabled on all Kubernetes clusters.
Risk Level: High
Description
This plugin checks that Cloud Logging is enabled on every Kubernetes cluster, so that cluster logs are collected and stored in a separate log store outside the cluster itself. With logging enabled you can search, store, analyze, monitor, and alert on log data, as well as query your logs and read and write log entries.
About the Service
Google Cloud Kubernetes Engine:
Google Cloud Kubernetes Engine is a managed Kubernetes service made up of a control plane, nodes that host pods, and supporting Google Cloud services. It helps modernize your applications by providing a platform for deploying, managing, and scaling containerized workloads. You can interact with Kubernetes Engine through the Google Cloud Console or with kubectl. To know more, read here.
Impact
Without logging enabled, you cannot view the cluster's logs or perform any operations on them. This puts you at a significant disadvantage during a security breach, because there is no log data to examine or analyze during the investigation. It also makes discovering and resolving errors more difficult, and the performance and efficiency of the clusters suffer as a result.
Steps to Reproduce
Using GCP Console:
- Log In to your GCP Console.
- From the top navigation bar, select the GCP project you want to investigate.
- From the navigation panel on the left side of the console, go to Kubernetes Engine and select Clusters. You can use this link here to navigate directly if you’re already logged in.
- Select the cluster you want to investigate from the list of clusters displayed.
- Under the Features section, check the status of Cloud Logging. If it says Disabled, logging is disabled for the selected cluster and SentinelOne CNS strongly recommends enabling it.
- Repeat steps 4 and 5 for all the clusters you want to investigate in the selected project.
- If you have multiple projects that you want to investigate, repeat steps 2 to 6 for each project in your GCP console.
Steps for Remediation
Determine whether you truly require logging to be disabled. If not, enable it using the steps given below.
Using GCP Console:
- Log In to your GCP Console.
- From the top navigation bar, select the GCP project you want to investigate.
- From the navigation panel on the left side of the console, go to Kubernetes Engine and select Clusters. You can use this link here to navigate directly if you’re already logged in.
- Select the cluster you want to reconfigure from the list of clusters displayed and go to the DETAILS tab of the selected cluster. (If you aren't sure which cluster needs to be reconfigured, follow the steps to reproduce listed above to identify it.)
- Under the Features section, click on the edit icon in the Cloud Logging row to edit the configuration.
- In the Edit Cloud Logging pop-up box, check the checkbox, select the applications you want to collect logs for from the drop-down list, and click SAVE CHANGES to save the edit.
- Repeat steps 4 to 6 for all the clusters you want to reconfigure in the selected project.
- If you have multiple projects, repeat steps 2 to 7 for each project in your GCP console.
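The console steps above (both the check and the remediation) can also be scripted. The following is an added example, not part of this plugin's documentation or SentinelOne's own code: it evaluates the JSON that `gcloud container clusters list --format=json` returns and, for each cluster with Cloud Logging disabled, emits the matching `gcloud container clusters update ... --logging=...` command. The field names `loggingService` and `loggingConfig.componentConfig.enableComponents` and the sample cluster records are assumptions; confirm them against your own gcloud output.

```python
"""Offline check for GKE clusters with Cloud Logging disabled.

Assumes the JSON shape returned by `gcloud container clusters list --format=json`
(fields `name`, `location`, `loggingService`, `loggingConfig`). Verify the field
names against real gcloud output before relying on this in a pipeline.
"""
import json

# Constructed sample standing in for real gcloud output: one disabled cluster,
# one fully enabled cluster, and one older cluster with no loggingConfig block.
SAMPLE_CLUSTERS_JSON = json.dumps([
    {"name": "prod-a", "location": "us-central1",
     "loggingService": "none", "loggingConfig": {"componentConfig": {}}},
    {"name": "prod-b", "location": "europe-west1",
     "loggingService": "logging.googleapis.com/kubernetes",
     "loggingConfig": {"componentConfig":
                       {"enableComponents": ["SYSTEM_COMPONENTS", "WORKLOADS"]}}},
    {"name": "legacy-c", "location": "us-east1-b",
     "loggingService": "logging.googleapis.com/kubernetes"},
])


def logging_enabled(cluster: dict) -> bool:
    """True when the cluster ships at least one log component to Cloud Logging."""
    if cluster.get("loggingService", "") == "none":
        return False
    components = (cluster.get("loggingConfig", {})
                         .get("componentConfig", {})
                         .get("enableComponents"))
    # Clusters may omit loggingConfig entirely; loggingService alone decides then.
    if components is None:
        return True
    return len(components) > 0


def find_unlogged_clusters(clusters_json: str) -> list:
    """Return (name, location, remediation command) for every failing cluster."""
    findings = []
    for c in json.loads(clusters_json):
        if not logging_enabled(c):
            cmd = (f"gcloud container clusters update {c['name']} "
                   f"--location {c['location']} --logging=SYSTEM,WORKLOAD")
            findings.append((c["name"], c["location"], cmd))
    return findings


if __name__ == "__main__":
    for name, loc, cmd in find_unlogged_clusters(SAMPLE_CLUSTERS_JSON):
        print(f"{name} ({loc}): Cloud Logging disabled. Remediate with: {cmd}")
```

Run it against live data by replacing `SAMPLE_CLUSTERS_JSON` with the captured output of `gcloud container clusters list --format=json` for each project you want to check.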