Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-alicloud-compliance
Overview
2Dashboards
163Benchmarks
65Queries
2Variables
GitHub

Control: 7.2 Ensure CloudMonitor is set to Enabled on Kubernetes Engine Clusters

Description

The monitoring service in Kubernetes Engine clusters depends on the Alibaba Cloud CloudMonitor agent to access additional system resources and application services in virtual machine instances. The monitor can access metrics about CPU utilization, some disk traffic metrics, network traffic, and disk IO information, which help to monitor signals and build operations in your Kubernetes Engine clusters.

Remediation

Using the management console:

  1. Logon to ACK console.
  2. Click the Create Kubernetes Cluster button and set CloudMonitor Agent to Enabled under creation options.

Default Value:

By default, CloudMonitor Agent installation is disabled when you create a new cluster using console.

Usage

Run the control in your terminal:

powerpipe control run alicloud_compliance.control.cis_v200_7_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run alicloud_compliance.control.cis_v200_7_2 --share

SQL

This control uses a named query:

with cluster_nodes as (
  select
    c.arn,
    c.cluster_id,
    c.title as cluster_name,
    n.instance_id,
    c.tags,
    c.region,
    c.account_id,
    c._ctx
  from
    alicloud_cs_kubernetes_cluster as c
    join alicloud_cs_kubernetes_cluster_node as n on c.cluster_id = n.cluster_id
),nodes_with_monitor as (
  select
    cn.arn,
    cn.cluster_id,
    cn.cluster_name,
    cn.account_id,
    cn._ctx,
    cn.tags,
    cn.region,
    count(*) as total_nodes,
    count(m.instance_id) as monitored_nodes
  from
    cluster_nodes cn
    left join alicloud_cms_monitor_host m on cn.instance_id = m.instance_id
  group by
    cn.cluster_id,
    cn.cluster_name,
    cn.arn,
    cn.tags,
    cn._ctx,
    cn.account_id,
    cn.region
) select
  arn as resource,
  case
    when total_nodes = 0 then 'skip'
    when monitored_nodes = 0 then 'alarm'
    when monitored_nodes < total_nodes then 'alarm'
    else 'ok'
  end as status,
  case
    when total_nodes = 0 then cluster_name || ' has no nodes.'
    when monitored_nodes = 0 then cluster_name || ' cloud monitor not enabled on any node.'
    when monitored_nodes < total_nodes then cluster_name || ' cloud monitor enabled on ' || monitored_nodes || ' out of ' ||  total_nodes || '.'
    else cluster_name || ' cloud monitor enabled on all nodes.'
  end as reason
  
  , account_id as account_id, region as region
from
  nodes_with_monitor cn;

Tags

category = Compliance
cis = true
cis_item_id = 7.2
cis_level = 1
cis_section_id = 7
cis_type = automated
cis_version = v2.0.0
plugin = alicloud
service = AliCloud/ACK