Ensure integrity monitoring for shielded GKE nodes is enabled

Error: Integrity monitoring for shielded GKE nodes is not enabled

Bridgecrew Policy ID: BC_GCP_KUBERNETES_25
Checkov Check ID: CKV_GCP_72
Severity: MEDIUM

Integrity monitoring for shielded GKE nodes is not enabled

Description

Enable Integrity Monitoring for Shielded GKE Nodes so that you are notified when a node's measured boot sequence deviates from its trusted baseline.
Integrity Monitoring uses the node's vTPM measurements to validate the boot chain and reports the result to Cloud Logging and Cloud Monitoring. This gives administrators an alertable signal for integrity failures, so a node whose boot components have been tampered with can be identified and replaced before it serves workloads. Note that the feature is detective: it reports a failed validation, it does not on its own stop the node from joining the cluster, so pair it with an alert on the integrity log entries.

Fix - Buildtime

Terraform

  • Resource: google_container_cluster / google_container_node_pool
  • Argument: node_config.shielded_instance_config.enable_integrity_monitoring
resource "google_container_cluster" "fail" {
  name               = var.name
  location           = var.location
  initial_node_count = 1
  project            = data.google_project.project.name

  node_config {
    shielded_instance_config {
      # The provider defaults this argument to true; setting it to false
      # explicitly is what the check flags.
-     enable_integrity_monitoring = false
    }
  }
}
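A configuration that the check accepts, added here as an illustration rather than taken from the original page. It covers both resources the check inspects, the cluster's default node_config and a separately managed google_container_node_pool. The variable names, the data source reference, the pool name and the machine type are assumptions; enable_secure_boot is included because it is normally wanted alongside integrity monitoring, but it is not what this check evaluates.

```hcl
# Added example (not from the original page): passes CKV_GCP_72.
resource "google_container_cluster" "pass" {
  name     = var.name                          # assumed variable
  location = var.location                      # assumed variable
  project  = data.google_project.project.name  # assumed data source

  # Manage node pools explicitly below instead of keeping the default pool.
  remove_default_node_pool = true
  initial_node_count       = 1

  node_config {
    shielded_instance_config {
      enable_secure_boot          = true  # not required by this check; usually wanted
      enable_integrity_monitoring = true  # satisfies CKV_GCP_72
    }
  }
}

resource "google_container_node_pool" "pass" {
  name       = "${var.name}-pool"              # assumed naming
  cluster    = google_container_cluster.pass.name
  location   = var.location
  project    = data.google_project.project.name
  node_count = 1

  node_config {
    machine_type = "e2-standard-4"             # assumed machine type
    shielded_instance_config {
      enable_secure_boot          = true
      enable_integrity_monitoring = true       # also required on every node pool
    }
  }
}
```

Because the provider defaults enable_integrity_monitoring to true, omitting the shielded_instance_config block also leaves monitoring on; the explicit true is there so a later edit cannot silently flip it without the change being visible in review. Keep the setting on every node pool, not just the cluster block, since each pool carries its own node_config.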