Enable Cloud Monitor for ACK Clusters

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: AlibabaCloud-ACK-005

Ensure that Cloud Monitor is enabled for your Container Service for Kubernetes (ACK) clusters, that is, that the Cloud Monitor agent is installed on the ECS nodes of every node pool. Cloud Monitor relies on a dedicated agent running inside the virtual machine instances to reach system resources and application services that are not visible from outside the instance. The agent collects metrics such as CPU utilization, disk read/write traffic, network traffic, and disk I/O, which are essential for observing the health of your ACK clusters and for day-to-day operations on them.

Security

Enabling the Cloud Monitor agent on the cluster nodes gives you access to both system metrics and custom metrics. System metrics cover the cluster's infrastructure, such as CPU or memory usage. The monitoring agent installed on each node periodically collects these metrics for the node and for the Pods and containers running on it, and sends them to the Cloud Monitor service. The collected metrics include CPU usage, memory utilization, evictable and non-evictable memory, and disk usage. From a security standpoint, this node-level telemetry is the baseline you need to notice anomalous resource consumption (for example, a sustained CPU spike from a workload you did not deploy) and to alert on capacity exhaustion before it turns into a denial of service; a node pool without the agent is a blind spot in that monitoring.


Audit

To determine if Cloud Monitor is enabled for your ACK clusters, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Container Service for Kubernetes (ACK) console at https://cs.console.aliyun.com.

03 In the left navigation panel, under Overview, choose Clusters.

04 Click on the name (link) of the ACK cluster that you want to examine, listed in the Cluster Name/ID column.

05 In the ACK resource navigation panel, under Nodes, choose Node Pools.

06 Click on the name (link) of the node pool that you want to examine, listed in the Name column.

07 Select the Overview tab and check the Cloud Monitor attribute value available in the Node Configurations section. If the Cloud Monitor value is set to Not Enabled, the Cloud Monitor agent is not installed on the nodes of the selected node pool, and the cluster does not meet this check.

08 Repeat steps no. 6 and 7 for each node pool provisioned for the selected ACK cluster.

09 Repeat steps no. 4 – 8 for each Container Service for Kubernetes (ACK) cluster available in your Alibaba Cloud account.

Using Alibaba Cloud CLI

01 Run GET /clusters command (OSX/Linux/UNIX) to describe the configuration details for each Container Service for Kubernetes (ACK) cluster provisioned in your Alibaba Cloud account:

aliyun cs GET /clusters \
  --header "Content-Type=application/json;" \
  --body "{}"

02 The command output should return the configuration information for each ACK cluster in your account, including the cluster ID required by the next step:

[
	{
		"cluster_id": "abcd1234abcd1234abcd1234abcd1234a",
		"cluster_spec": "ack.standard",
		"cluster_type": "ManagedKubernetes",
		"created": "2024-02-05T17:44:26+08:00",
		"current_version": "1.28.3-aliyun.1",
		"deletion_protection": false,
		"init_version": "1.28.3-aliyun.1",
		"profile": "Default",
		"region_id": "eu-west-1",
		"size": 1,
		"state": "running",
		"updated": "2024-02-05T17:46:49+08:00",
		"zone_id": "eu-west-1a"
	},

	...

	{
		"cluster_id": "1234abcd1234abcd1234abcd1234abcd1",
		"cluster_spec": "ack.standard",
		"cluster_type": "ManagedKubernetes",
		"created": "2024-02-05T16:40:31+08:00",
		"current_version": "1.28.3-aliyun.1",
		"deletion_protection": false,
		"init_version": "1.28.3-aliyun.1",
		"profile": "Default",
		"region_id": "eu-west-1",
		"size": 1,
		"state": "running",
		"subnet_cidr": "10.65.0.0/16",
		"updated": "2024-02-05T16:42:53+08:00",
		"zone_id": "eu-west-1a"
	}
]

03 Run GET /clusters/[cluster_id]/nodepools command (OSX/Linux/UNIX) with the ID of the ACK cluster that you want to examine as the identifier parameter, to describe the configuration details for each node pool provisioned for the selected cluster:

aliyun cs GET /clusters/abcd1234abcd1234abcd1234abcd1234a/nodepools \
  --header "Content-Type=application/json;" \
  --body "{}"

04 The command output should return the configuration information available for each cluster node pool:

{
	"NextToken": "",
	"TotalCount": 1,
	"nodepools": [
		{
			"nodepool_info": {
				"created": "2024-02-05T16:42:49.730878691+08:00",
				"is_default": false,
				"name": "tm-default-nodepool",
				"nodepool_id": "np1234abcd123abcd1234abcd1234abcd1",
				"region_id": "eu-west-1",
				"type": "ess",
				"updated": "2024-02-05T19:45:31+08:00"
			},
			"kubernetes_config": {
				"cms_enabled": false,
				"cpu_policy": "none",
				"labels": [],
				"node_name_mode": "nodeip",
				"overwrite_hostname": false,
				"pre_user_data": "",
				"runtime": "containerd",
				"runtime_version": "1.6.28",
				"taints": null,
				"unschedulable": false,
				"user_data": ""
			},
			"node_config": {
				"kubelet_configuration": null,
				"node_os_config": null
			},
			"status": {
				"desired_nodes": 1,
				"failed_nodes": 0,
				"healthy_nodes": 1,
				"initial_nodes": 0,
				"offline_nodes": 0,
				"removing_nodes": 0,
				"removing_wait_nodes": 0,
				"serving_nodes": 1,
				"spot_nodes": 0,
				"state": "active",
				"total_nodes": 1
			}
		}
	],
	"request_id": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"
}

Check the "kubernetes_config.cms_enabled" attribute of each entry in the "nodepools" array to determine whether the Cloud Monitor agent is installed on the ECS nodes of that node pool. If "cms_enabled" is set to false, as shown in the output example above, the Cloud Monitor service is not enabled for that node pool and the cluster fails this check. A cluster can have several node pools, so every entry in "nodepools" must report "cms_enabled": true, and the check must be repeated for each cluster ID returned by step no. 2.

Remediation / Resolution

To enable the Cloud Monitor service for your ACK clusters, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Container Service for Kubernetes (ACK) console at https://cs.console.aliyun.com.

03 In the left navigation panel, under Overview, choose Clusters.

04 Click on the name (link) of the ACK cluster that you want to configure, listed in the Cluster Name/ID column.

05 In the ACK resource navigation panel, under Nodes, choose Node Pools.

06 Choose the cluster node pool that you want to modify and select Edit.

07 On the node pool configuration page, in the CloudMonitor Agent section, select the Install the CloudMonitor Agent on ECS Nodes checkbox to install the monitoring agent on the cluster nodes and enable the Cloud Monitor service for the selected node pool. Choose Confirm to apply the changes. After the monitoring agent is installed on the cluster nodes, you can view monitoring information about your nodes in the Cloud Monitor console.

08 Repeat steps no. 6 and 7 for each node pool provisioned for the selected ACK cluster.

09 Repeat steps no. 4 – 8 for each Container Service for Kubernetes (ACK) cluster available in your Alibaba Cloud account.

Using Alibaba Cloud CLI

01 Run PUT /clusters/[cluster_id]/nodepools/[node_pool_id] command (OSX/Linux/UNIX) to modify the specified cluster node pool in order to enable the Cloud Monitor service. Set the "cms_enabled" parameter to true, as shown in the example below, to install the Cloud Monitor agent on the ECS nodes running within the selected cluster node pool:

aliyun cs PUT /clusters/abcd1234abcd1234abcd1234abcd1234a/nodepools/np1234abcd123abcd1234abcd1234abcd1 \
  --header "Content-Type=application/json;" \
  --body "{\"kubernetes_config\":{\"cms_enabled\":true}}"

02 The output should return the ID of the modified cluster together with the ID of the asynchronous task that applies the change to the node pool, e.g.:

{
	"cluster_id": "abcd1234abcd1234abcd1234abcd1234a",
	"instanceId": "ad1234abcd123abcd1234abcd1234abcd1",
	"request_id": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
	"task_id": "T-abcdabcdabcdabcdabcdabcd"
}

Re-run the GET /clusters/[cluster_id]/nodepools command from the Audit section once the task has completed and confirm that "cms_enabled" now reads true for the node pool.

03 Repeat steps no. 1 and 2 for each node pool provisioned for the selected ACK cluster.

04 Repeat steps no. 1 - 3 for each Container Service for Kubernetes (ACK) cluster available in your Alibaba Cloud account.
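The Audit and Remediation CLI steps above are repeated per node pool and per cluster, which is error-prone by hand across many clusters. The script below is an added example, not part of this page or of Alibaba Cloud's tooling: it wraps the same aliyun cs GET and PUT calls the page uses, walks every cluster and node pool, reports each node pool whose "cms_enabled" is not true (treating a missing key as not enabled, so the check fails closed), and builds the exact PUT command that fixes it. The sample payloads, cluster IDs and node pool IDs in it are constructed to mirror the shapes of the page's example output and are not real resources; the live path at the bottom assumes a configured Alibaba Cloud CLI and runs in dry-run mode by default.

```python
"""Audit and remediate the Cloud Monitor (cms_enabled) setting on ACK node pools.

Added example, not part of the Conformity page or of Alibaba Cloud's tooling.
It shells out to the same `aliyun cs` calls the page uses and parses their JSON.
"""
import json
import subprocess
from typing import Dict, List, Tuple

HEADER = "Content-Type=application/json;"


def aliyun_cs(method: str, path: str, body: dict) -> dict:
    """Run `aliyun cs <METHOD> <path>` and parse the JSON it prints.

    Needs a configured Alibaba Cloud CLI; the offline checks below never call it.
    """
    cmd = ["aliyun", "cs", method, path, "--header", HEADER, "--body", json.dumps(body)]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def noncompliant_nodepools(cluster_id: str, nodepools_resp: dict) -> List[Tuple[str, str]]:
    """Return (cluster_id, nodepool_id) for every node pool whose cms_enabled is not True.

    A missing kubernetes_config or cms_enabled key counts as not enabled: an audit
    must fail closed instead of silently passing an unknown state.
    """
    findings = []
    for pool in nodepools_resp.get("nodepools") or []:
        kube_cfg = pool.get("kubernetes_config") or {}
        if kube_cfg.get("cms_enabled") is not True:
            findings.append((cluster_id, pool["nodepool_info"]["nodepool_id"]))
    return findings


def remediation_command(cluster_id: str, nodepool_id: str) -> List[str]:
    """Build the argv for the PUT /clusters/{id}/nodepools/{id} call from the page."""
    body = {"kubernetes_config": {"cms_enabled": True}}
    return ["aliyun", "cs", "PUT", f"/clusters/{cluster_id}/nodepools/{nodepool_id}",
            "--header", HEADER, "--body", json.dumps(body)]


def audit(clusters: list, nodepools_by_cluster: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Walk every cluster's node pools and collect the non-compliant ones, in order."""
    findings = []
    for cluster in clusters:
        cid = cluster["cluster_id"]
        findings.extend(noncompliant_nodepools(cid, nodepools_by_cluster[cid]))
    return findings


# Constructed sample data (not real resources) shaped like the GET /clusters and
# GET /clusters/{id}/nodepools output shown on the page.
SAMPLE_CLUSTERS = [
    {"cluster_id": "abcd1234abcd1234abcd1234abcd1234a", "state": "running"},
    {"cluster_id": "1234abcd1234abcd1234abcd1234abcd1", "state": "running"},
]
SAMPLE_NODEPOOLS = {
    "abcd1234abcd1234abcd1234abcd1234a": {"nodepools": [
        {"nodepool_info": {"nodepool_id": "np-a-1", "name": "default"},
         "kubernetes_config": {"cms_enabled": False}},
        {"nodepool_info": {"nodepool_id": "np-a-2", "name": "gpu"},
         "kubernetes_config": {"cms_enabled": True}},
    ]},
    "1234abcd1234abcd1234abcd1234abcd1": {"nodepools": [
        {"nodepool_info": {"nodepool_id": "np-b-1", "name": "default"},
         "kubernetes_config": {}},  # key absent: reported as not enabled
    ]},
}


def main(dry_run: bool = True) -> None:
    """Live run: list clusters, audit every node pool, then print (or run) each fix."""
    clusters = aliyun_cs("GET", "/clusters", {})
    pools = {c["cluster_id"]: aliyun_cs("GET", f"/clusters/{c['cluster_id']}/nodepools", {})
             for c in clusters}
    for cid, npid in audit(clusters, pools):
        cmd = remediation_command(cid, npid)
        print("non-compliant:", cid, npid, "->", " ".join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)
            # Verify by re-reading the node pool instead of trusting the task ID alone;
            # the PUT is applied asynchronously, so re-check until it reports enabled.
            still_bad = noncompliant_nodepools(cid, aliyun_cs("GET", f"/clusters/{cid}/nodepools", {}))
            print("verified" if (cid, npid) not in still_bad else "pending", cid, npid)


if __name__ == "__main__":
    main(dry_run=True)
```

Run it as is to get a dry-run report of every non-compliant node pool with the PUT command that would fix it; pass dry_run=False only once you have reviewed that list, since the PUT modifies node pool configuration.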

Publication date Feb 21, 2024