Enable VPC Flow Logs and Intranode Visibility

MEDIUM

Description

Description:

Enable VPC Flow Logs and Intranode Visibility to see pod-level traffic, even for traffic within a worker node.

Rationale:

Enabling Intranode Visibility makes your intranode pod-to-pod traffic visible to the networking fabric. With this feature, you can use VPC Flow Logs or other VPC features for intranode traffic.

This is a beta feature. Enabling it on an existing cluster causes the cluster master and the cluster nodes to restart, which might cause disruption.

Remediation

Using Google Cloud Console

  1. Go to Kubernetes Engine by visiting https://console.cloud.google.com/kubernetes/list
  2. Select Kubernetes clusters for which intranode visibility is disabled
  3. Click on EDIT
  4. Set 'Intranode visibility' to 'Enabled'
  5. Click SAVE.

Using Command Line

To enable intranode visibility on an existing cluster, run the following command:

gcloud beta container clusters update [CLUSTER_NAME] \
    --enable-intra-node-visibility
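As an added example (not part of the benchmark text), the following POSIX shell script audits the setting behind this control and emits the remediation command for each non-compliant cluster. It assumes the GKE cluster field path networkConfig.enableIntraNodeVisibility and the --location flag of gcloud container clusters update; the cluster list below is constructed so the script runs without a project.

```shell
#!/bin/sh
# Audit helper for the intranode visibility control (added example).
# Field names and the --location flag are assumptions about the GKE API and
# gcloud CLI; the sample cluster lines are constructed, not real output.

# The live query this script expects to parse (not run here):
#   gcloud container clusters list \
#     --format="value(name,location,networkConfig.enableIntraNodeVisibility)"
# which prints one tab-separated line per cluster. An empty third field means
# the setting was never configured, which GKE treats as disabled.
SAMPLE_CLUSTERS=$(printf 'prod-east\tus-east1\tTrue\ndev-west\tus-west1\t\nlegacy\tus-central1-a\tFalse')

# Print "name<TAB>location" for every cluster whose intranode visibility is
# not explicitly True (covers both False and unset).
find_noncompliant() {
    printf '%s\n' "$1" | awk -F'\t' '$3 != "True" { print $1 "\t" $2 }'
}

# Build the remediation command for one cluster. It is returned as a string
# and never executed here, so the script is safe to run as a dry audit.
remediation_cmd() {
    printf 'gcloud beta container clusters update %s --location %s --enable-intra-node-visibility' "$1" "$2"
}

main() {
    tab=$(printf '\t')
    find_noncompliant "$SAMPLE_CLUSTERS" | while IFS="$tab" read -r name location; do
        echo "# $name ($location): intranode visibility not enabled"
        remediation_cmd "$name" "$location"
        echo
    done
}

main
```

Replace SAMPLE_CLUSTERS with the output of the gcloud list command shown in the comments to audit a real project; clusters created with the setting unset appear as non-compliant, which matches the benchmark's intent.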