Enable and Configure Cluster Monitoring

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that Cloud Monitoring is enabled for your Google Kubernetes Engine (GKE) clusters in order to collect metrics emitted by your Kubernetes applications and the GKE infrastructure that runs your applications.

Security, Reliability, Performance efficiency, Cost optimisation

Cloud Monitoring is a Google Kubernetes Engine (GKE) addon that collects metrics produced by your applications and their GKE infrastructure. Without monitoring, it is difficult to identify and address performance bottlenecks, security threats, and potential failures in your GKE clusters, making it challenging to maintain reliability and troubleshoot effectively. For example, if system metric collection is disabled, basic information such as CPU usage, memory usage, and disk usage is not available for your GKE cluster when viewing observability metrics. Enabling monitoring for GKE clusters provides valuable insights into cluster health, application reliability, and performance. It simplifies troubleshooting, facilitates proactive maintenance, and ensures compliance with industry standards.


Audit

To determine if monitoring is enabled for your Google Kubernetes Engine (GKE) clusters, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Kubernetes Engine console available at https://console.cloud.google.com/kubernetes.

04 In the left navigation panel, under Resource Management, choose Clusters and select the OVERVIEW tab to access the list of GKE clusters provisioned for the selected GCP project.

05 Click on the name (link) of the GKE cluster that you want to examine.

06 Select the DETAILS tab to view the configuration information available for the selected cluster.

07 In the Features section, check the Cloud Monitoring attribute value to determine the monitoring feature status. If Cloud Monitoring is set to Disabled, Cloud Monitoring is not enabled for the selected Google Kubernetes Engine (GKE) cluster.

08 Repeat steps no. 5 – 7 for each GKE cluster provisioned within the selected GCP project.

09 Repeat steps no. 2 – 8 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each GCP project available in your Google Cloud account:

gcloud projects list \
	--format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-web-project-123123
cc-dev-project-112233

03 Run container clusters list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to list the name and the location (zone or region) of each GKE cluster provisioned for the selected project:

gcloud container clusters list \
	--project cc-web-project-123123 \
	--format="table(name,location)"

04 The command output should return the requested cluster names and their locations:

NAME                     LOCATION
cc-gke-backend-cluster   us-central1
cc-gke-frontend-cluster  us-central1

05 Run container clusters describe command (Windows/macOS/Linux) with the name of the GKE cluster that you want to examine as the identifier parameter and custom output filters to determine if Cloud Monitoring is enabled for the selected GKE cluster:

gcloud container clusters describe cc-gke-backend-cluster \
	--region=us-central1 \
	--format="json(monitoringService)"

06 The command output should return the monitoring service configured for the selected Kubernetes cluster ("monitoring.googleapis.com/kubernetes" when Cloud Monitoring is enabled, or "none" when it is disabled):

{
	"monitoringService": "none"
}

If the container clusters describe command output returns "none" for the "monitoringService" configuration attribute value, as shown in the example above, Cloud Monitoring is not enabled for the selected Google Kubernetes Engine (GKE) cluster.

07 Repeat steps no. 5 and 6 for each GKE cluster provisioned for the selected GCP project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To enable and configure monitoring for your Google Kubernetes Engine (GKE) clusters, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Kubernetes Engine console available at https://console.cloud.google.com/kubernetes.

04 In the left navigation panel, under Resource Management, choose Clusters and select the OVERVIEW tab to access the list of GKE clusters deployed for the selected GCP project.

05 Click on the name (link) of the GKE cluster that you want to configure.

06 Select the DETAILS tab to view the configuration information available for the selected cluster.

07 In the Features section, click on the Edit Cloud Monitoring button (i.e., pencil icon) available next to Cloud Monitoring to modify the monitoring feature settings.

08 Inside the Edit Cloud Monitoring configuration box, check the Enable Cloud Monitoring setting checkbox, and choose the cluster components to be monitored from the Components dropdown list. For additional information on these components, refer to the official documentation. To monitor all components, choose Select all and click OK. Select SAVE CHANGES to apply the changes.

09 Repeat steps no. 5 – 8 for each GKE cluster that you want to configure, created for the selected GCP project.

10 Repeat steps no. 2 – 9 for each GCP project available in your Google Cloud account.

Using GCP CLI

01 Run container clusters update command (Windows/macOS/Linux) with the name of the Google Kubernetes Engine (GKE) cluster that you want to configure as the identifier parameter, to enable and configure Cloud Monitoring for the selected GKE cluster. Use the --monitoring parameter to specify the cluster components to be monitored. Valid component values are: SYSTEM, API_SERVER, SCHEDULER, CONTROLLER_MANAGER, DAEMONSET, DEPLOYMENT, HPA, POD, STATEFULSET, STORAGE, CADVISOR, KUBELET, and DCGM. For additional information on the cluster components to be monitored, refer to the official documentation. As an example, the following command enables monitoring for all the supported components:

gcloud container clusters update cc-gke-backend-cluster \
	--region=us-central1 \
	--monitoring=SYSTEM,API_SERVER,SCHEDULER,CONTROLLER_MANAGER,DAEMONSET,DEPLOYMENT,HPA,POD,STATEFULSET,STORAGE,CADVISOR,KUBELET,DCGM

02 The command output should return the full URL of the modified GKE cluster:

Updating cc-gke-backend-cluster... done.
Updated [https://container.googleapis.com/v1/projects/cc-web-project-123123/zones/us-central1/clusters/cc-gke-backend-cluster].

03 Repeat steps no. 1 and 2 for each GKE cluster that you want to configure, available within the selected GCP project.

04 Repeat steps no. 1 – 3 for each GCP project deployed in your Google Cloud account.
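To audit many clusters at once, the describe output from the audit section can be evaluated programmatically and paired with the update command from the remediation section. The following Python script is an added example, not Conformity's or Google's code; it checks constructed sample documents shaped like the JSON that gcloud container clusters describe --format=json returns, and also reads monitoringConfig.componentConfig.enableComponents, the field the --monitoring flag writes, so that clusters collecting only some components are reported separately from clusters with monitoring switched off.

```python
# Components accepted by "gcloud container clusters update --monitoring"
# (the list given in the remediation section of this page).
ALL_COMPONENTS = frozenset([
    "SYSTEM", "API_SERVER", "SCHEDULER", "CONTROLLER_MANAGER", "DAEMONSET",
    "DEPLOYMENT", "HPA", "POD", "STATEFULSET", "STORAGE", "CADVISOR",
    "KUBELET", "DCGM"])

# Constructed samples of the JSON that "gcloud container clusters describe
# --format=json" returns, reduced to the monitoring-related fields.
SAMPLE_CLUSTERS = [
    {"name": "cc-gke-backend-cluster", "location": "us-central1",
     "monitoringService": "none"},
    {"name": "cc-gke-frontend-cluster", "location": "us-central1",
     "monitoringService": "monitoring.googleapis.com/kubernetes",
     "monitoringConfig": {"componentConfig": {"enableComponents": ["SYSTEM"]}}},
    {"name": "cc-gke-batch-cluster", "location": "us-east1-b",
     "monitoringService": "monitoring.googleapis.com/kubernetes",
     "monitoringConfig": {"componentConfig": {
         "enableComponents": sorted(ALL_COMPONENTS)}}},
]


def audit_cluster(cluster: dict) -> dict:
    """Classify one describe document as DISABLED, PARTIAL or ENABLED."""
    # monitoringService is "none" when Cloud Monitoring is off; when it is on,
    # monitoringConfig.componentConfig.enableComponents (the field that the
    # --monitoring flag writes) lists what is actually collected.
    comps = set(cluster.get("monitoringConfig", {})
                .get("componentConfig", {}).get("enableComponents", []))
    if cluster.get("monitoringService", "none") == "none" or not comps:
        status = "DISABLED"
    elif ALL_COMPONENTS <= comps:
        status = "ENABLED"
    else:
        status = "PARTIAL"  # monitoring is on, but only for some components
    return {"name": cluster["name"], "location": cluster["location"],
            "status": status, "missing": sorted(ALL_COMPONENTS - comps)}


def remediation_command(finding: dict) -> str:
    """Build the gcloud update command that enables every supported component."""
    # --location accepts a zone or a region, so it fits both cluster types.
    return (f"gcloud container clusters update {finding['name']} "
            f"--location={finding['location']} "
            f"--monitoring={','.join(sorted(ALL_COMPONENTS))}")


def audit_all(clusters: list) -> list:
    """Return findings for every cluster that is not fully monitored."""
    return [f for f in map(audit_cluster, clusters) if f["status"] != "ENABLED"]
```

Feed the script the real describe output of each cluster listed in the audit section to get a finding per cluster plus the exact update command to run.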

Publication date Jan 10, 2025