Cluster Check


Risk Level: Medium (should be achieved)
Rule ID: AlibabaCloud-ACK-002

Ensure that the Cluster Check feature is triggered at least once per week to guarantee proactive health monitoring for your ACK clusters, minimizing downtime and optimizing the reliability of your containerized applications. By default, Cluster Check is not triggered automatically; you can start the cluster inspection from the Container Service for Kubernetes (ACK) console.

Security

Enabling the Cluster Check monitoring feature in Container Service for Kubernetes (ACK) ensures automated health checks on the ACK cluster, proactively identifying and resolving issues. This enhances overall cluster stability and reliability, minimizing downtime and optimizing the performance of containerized applications.


Audit

To determine if Cluster Check is triggered at least once per week, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Container Service for Kubernetes (ACK) console at https://cs.console.aliyun.com.

03 In the left navigation panel, under Overview, choose Clusters.

04 Click on the name (link) of the ACK cluster that you want to examine, listed in the Cluster Name/ID column.

05 In the ACK resource navigation panel, under Operations, choose Cluster Check.

06 In the left navigation panel, under Container Intelligence Service, choose Overview.

07 In the Cluster section, verify the Last check attribute status. If the Last check status is set to Unknown, the Cluster Check monitoring feature was not triggered for the selected ACK cluster. If the Last check status is anything other than Unknown, check the feature information section to determine the most recent execution of Cluster Check. If the Cluster Check feature has not been triggered at least once within the last week, it could indicate potential issues with the selected ACK cluster's health.

08 Repeat steps no. 4 – 7 for each Container Service for Kubernetes (ACK) cluster available in your Alibaba Cloud account.

Using Alibaba Cloud CLI

01 Run GET /clusters command (OSX/Linux/UNIX) to describe the configuration details for each Container Service for Kubernetes (ACK) cluster provisioned in your Alibaba Cloud account:

aliyun cs GET /clusters \
  --header "Content-Type=application/json;" \
  --body "{}"

02 The command output should return the configuration information for each ACK cluster (including the cluster ID):

[
	{
		"cluster_id": "abcd1234abcd1234abcd1234abcd1234a",
		"cluster_spec": "ack.standard",
		"cluster_type": "ManagedKubernetes",
		"created": "2024-02-05T17:44:26+08:00",
		"current_version": "1.28.3-aliyun.1",
		"deletion_protection": false,
		"init_version": "1.28.3-aliyun.1",
		"profile": "Default",
		"region_id": "eu-west-1",
		"size": 1,
		"state": "running",
		"updated": "2024-02-05T17:46:49+08:00",
		"zone_id": "eu-west-1a"
	},

	...

	{
		"cluster_id": "1234abcd1234abcd1234abcd1234abcd1",
		"cluster_spec": "ack.standard",
		"cluster_type": "ManagedKubernetes",
		"created": "2024-02-05T16:40:31+08:00",
		"current_version": "1.28.3-aliyun.1",
		"deletion_protection": false,
		"init_version": "1.28.3-aliyun.1",
		"profile": "Default",
		"region_id": "eu-west-1",
		"size": 1,
		"state": "running",
		"subnet_cidr": "10.65.0.0/16",
		"updated": "2024-02-05T16:42:53+08:00",
		"zone_id": "eu-west-1a"
	}
]

03 Run GET /clusters/[cluster_id]/checks command (OSX/Linux/UNIX) with the ID of the ACK cluster that you want to examine as the identifier parameter, to describe the cluster checks performed on the selected cluster:

aliyun cs GET /clusters/abcd1234abcd1234abcd1234abcd1234a/checks \
  --header "Content-Type=application/json;" \
  --body "{}"

04 The command output should return the configuration information available for each cluster check:

{
	"checks": [
		{
			"check_id": "1234abcd1234abcd1234-1234abcd1234abcd1234abcd1234abcd1-clustercheck-duxen",
			"type": "ClusterUpgrade",
			"status": "Succeeded",
			"message": "",
			"created_at": "2024-02-12T08:30:00.292030566Z",
			"finished_at": "2024-02-12T08:35:30.292030566Z"
		}
	]
}

Check the "finished_at" attribute value (the time when the check task was completed) for each cluster check with the "status" set to "Succeeded", to determine the most recent execution of Cluster Check. If the Cluster Check feature has not been triggered at least once within the last week, it could indicate potential issues with the selected ACK cluster's health.
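The "finished_at" comparison described above can be scripted. The following is an added example, not part of the original rule or of Alibaba Cloud tooling: it reads the checks output, keeps only checks with "status" set to "Succeeded", and reports whether the most recent one finished within the last seven days. The function names, the sample data and the non-success status string are assumptions made for illustration.

```python
import json
import re
import sys
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=7)  # rule threshold: one check per week
TS = re.compile(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?(Z|[+-]\d\d:\d\d)")

# Constructed sample in the shape of the checks output shown above.
# The non-"Succeeded" status string is a placeholder, not a documented value.
SAMPLE = """{"checks": [
  {"check_id": "constructed-1", "type": "ClusterUpgrade", "status": "Succeeded",
   "finished_at": "2024-02-12T08:35:30.292030566Z"},
  {"check_id": "constructed-2", "type": "ClusterUpgrade",
   "status": "<non-success placeholder>",
   "finished_at": "2024-02-20T09:00:00.000000001Z"}
]}"""

def parse_ts(value):
    """Parse an RFC 3339 timestamp, trimming nanoseconds to microseconds."""
    m = TS.fullmatch(value or "")
    if not m:
        return None  # empty or malformed: treat as "no finish time"
    frac = (m.group(2) or "")[:6].ljust(6, "0")
    zone = "+00:00" if m.group(3) == "Z" else m.group(3)
    return datetime.fromisoformat(f"{m.group(1)}.{frac}{zone}")

def last_successful_check(checks_json):
    """Latest finished_at among checks with status "Succeeded", or None."""
    checks = json.loads(checks_json).get("checks") or []
    done = [parse_ts(c.get("finished_at")) for c in checks
            if c.get("status") == "Succeeded"]
    return max((t for t in done if t is not None), default=None)

def audit_cluster_check(checks_json, now=None):
    """Return (compliant, last_success) for one cluster's checks output."""
    now = now or datetime.now(timezone.utc)
    last = last_successful_check(checks_json)
    return (last is not None and now - last <= MAX_AGE, last)

if __name__ == "__main__":
    # Usage: pipe the output of the GET /clusters/[cluster_id]/checks command in.
    ok, last = audit_cluster_check(sys.stdin.read())
    print("PASS" if ok else "FAIL", "last successful check:", last)
    sys.exit(0 if ok else 1)
```

The nanosecond-precision timestamps in the checks output are trimmed to microseconds before parsing, because older Python versions reject more than six fractional digits in `datetime.fromisoformat`.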

Remediation / Resolution

To ensure that Cluster Check is triggered periodically for your ACK clusters, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Container Service for Kubernetes (ACK) console at https://cs.console.aliyun.com.

03 In the left navigation panel, under Overview, choose Clusters.

04 Click on the name (link) of the ACK cluster that you want to check, listed in the Cluster Name/ID column.

05 In the ACK resource navigation panel, under Operations, choose Cluster Check.

06 In the left navigation panel, under Cluster Check, choose Upgrade Check. Choose Start, select the I know and agree checkbox, and choose again Start to begin the checking process. Repeat this step for Component Check, Migration Check, and Nodepool Check. Once the checking process is completed, you can address any identified issues by following the suggestions provided in the generated report.

07 Repeat steps no. 4 – 6 for each Container Service for Kubernetes (ACK) cluster available in your Alibaba Cloud account.

Using Alibaba Cloud CLI

01 Run POST /clusters/[cluster_id]/checks command (OSX/Linux/UNIX) to run a cluster check, such as cluster update precheck. To set the check method, use the "type" parameter, as shown in the example below:

aliyun cs POST /clusters/abcd1234abcd1234abcd1234abcd1234a/checks \
  --header "Content-Type=application/json;" \
  --body "{\"type\":\"ClusterUpgrade\"}"

02 The command output should return the check ID and the request ID:

{
	"check_id": "1234abcd1234abcd1234-1234abcd1234abcd1234abcd1234abcd1-clustercheck-budem",
	"request_id": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"
}

03 Repeat steps no. 1 and 2 for each Container Service for Kubernetes (ACK) cluster available in your Alibaba Cloud account.


Publication date Feb 21, 2024