
lacework-global-769

5.5.6 Enable Integrity Monitoring for Shielded Google Kubernetes Engine (GKE) Nodes (Automated)

Description

Enable Integrity Monitoring for Shielded GKE Nodes to ensure notification of inconsistencies during the node boot sequence.

Remediation

Integrity Monitoring cannot be enabled on a Node pool after it has been provisioned.

You must create new Node pools within the cluster with Integrity Monitoring enabled.

Using Google Cloud Console:

  1. Go to Kubernetes Engine by visiting: https://console.cloud.google.com/kubernetes/list.

  2. From the list of clusters, click the cluster requiring the update and click Add Node Pool.

  3. Select Integrity monitoring under the Shielded options heading.

  4. Click Save.

You must migrate workloads from existing non-conforming Node pools to the newly created Node pool, then delete the non-conforming pools.

Using Command Line:

To create a Node pool within the cluster with Integrity Monitoring enabled, run the following command:

gcloud container node-pools create <node_pool_name> --cluster <cluster_name> --zone <compute_zone> --shielded-integrity-monitoring

You must migrate workloads from existing non-conforming Node pools to the newly created Node pool, then delete the non-conforming pools.
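The console and command-line procedures above both come down to three steps: find the Node pools that lack Integrity Monitoring, create a replacement pool with it enabled, and move workloads off the old pool before deleting it. The following script is an added example, not part of this policy page or of Google's documentation. It assumes that the pool list is obtained with gcloud's `--format="value(name,config.shieldedInstanceConfig.enableIntegrityMonitoring)"` (assumed field path and True/False rendering; the sample output is constructed), that GKE labels nodes with `cloud.google.com/gke-nodepool`, and the hypothetical cluster and zone names `example-cluster` and `us-central1-a`. It only prints the remediation commands so they can be reviewed before being run.

```shell
#!/bin/sh
# Added example, not from the Lacework policy page or Google's docs.
# Assumed input shape: one tab-separated "name<TAB>True|False" line per pool,
# as produced by
#   gcloud container node-pools list --cluster <cluster_name> --zone <compute_zone> \
#     --format="value(name,config.shieldedInstanceConfig.enableIntegrityMonitoring)"
# (field path and boolean rendering are assumptions; sample data is constructed).

# Constructed stand-in for the gcloud list output: one compliant pool, one with
# the flag explicitly disabled, one where the field is absent (empty column).
sample_pools() {
  printf 'default-pool\tTrue\nlegacy-pool\tFalse\nbatch-pool\t\n'
}

# Read the tab-separated list on stdin and print the name of every pool whose
# integrity-monitoring flag is anything other than "true"; a missing value is
# treated as non-conforming rather than silently passed.
non_conforming_pools() {
  awk -F'\t' 'NF > 0 && tolower($2) != "true" { print $1 }'
}

# Emit (do not execute) the replacement steps for one non-conforming pool:
# create a conforming pool, move workloads off the old one, then delete it.
# Arguments: cluster zone old_pool new_pool
replacement_plan() {
  cluster=$1; zone=$2; old_pool=$3; new_pool=$4
  printf 'gcloud container node-pools create %s --cluster %s --zone %s --shielded-integrity-monitoring\n' \
    "$new_pool" "$cluster" "$zone"
  # GKE labels each node with its pool name, so a label selector covers the pool.
  printf 'kubectl cordon -l cloud.google.com/gke-nodepool=%s\n' "$old_pool"
  printf 'kubectl drain -l cloud.google.com/gke-nodepool=%s --ignore-daemonsets --delete-emptydir-data\n' \
    "$old_pool"
  printf 'gcloud container node-pools delete %s --cluster %s --zone %s --quiet\n' \
    "$old_pool" "$cluster" "$zone"
}

# Drive both steps over the constructed data; with a real cluster, replace
# sample_pools with the gcloud list command quoted in the header comment.
main() {
  sample_pools | non_conforming_pools | while read -r pool; do
    echo "# non-conforming pool: $pool"
    replacement_plan example-cluster us-central1-a "$pool" "${pool}-shielded"
  done
}

main
```

Review the printed plan before running it: draining a pool evicts every pod on it, so confirm the replacement pool has capacity and that PodDisruptionBudgets allow the move, then delete the old pool only once workloads are healthy on the new one.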

References

https://cloud.google.com/kubernetes-engine/docs/how-to/shielded-gke-nodes
https://cloud.google.com/compute/shielded-vm/docs/integrity-monitoring