Kubernetes GKE
Overview
Visualize and monitor Kubernetes resources within Google Kubernetes Engine (GKE), such as deployments, pods, services, storage, and configmaps. Gain insights into cluster performance, workload efficiency, and resource utilization, while ensuring governance and visibility across Kubernetes environments. The blueprint helps identify potential risks, improve configurations, streamline workflows, enable real-time monitoring, and integrate with other tools for enhanced orchestration and operational efficiency.
Configurations
| Configuration | Description |
|---|---|
| Blueprint Account Name | A human-readable name for your account that will be used to identify this account across the application. |
| Project ID | GCP Project ID that contains the Kubernetes cluster. |
| Private Key | GCP Private Key with access to the Kubernetes Cluster. |
| ClientEmail | Client email associated with the service account. |
| Region | The GCP region where your Kubernetes cluster is hosted. |
| Cluster Name | The name of your Kubernetes cluster to be monitored. |
| Enable CIS Kubernetes Benchmark | Enable this to run automated checks against the CIS Kubernetes Benchmark for security best practices. |
| Data Crawl Frequency | The frequency at which Kscope should scan the cluster for resources (like pods, services, etc.). |
| Event Crawl Frequency | The frequency at which Kscope will crawl the account to monitor the cluster for events (like deployments, scaling, etc.). |
Permissions
Kubernetes Resources
read:namespaces, read:services, read:serviceaccounts, read:pods, read:replicasets, read:deployments, read:daemonsets, read:configmaps, read:nodes, read:persistentvolumes
Kubernetes RBAC
read:clusterroles, read:clusterrolebindings
KubeBench
read:namespaces, read:services, read:serviceaccounts, read:pods, read:replicasets, read:deployments, read:daemonsets, read:configmaps, read:nodes, read:persistentvolumes
For more details on the Kubernetes permissions, you can refer to the following documentation: Using RBAC Authorization
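The permission lists above are the complete set the blueprint needs, so the service account it authenticates as should be bound to a ClusterRole that grants exactly those resources and nothing more. The script below is an added example, not code shipped with the blueprint: it turns the page's `read:<resource>` entries into a read-only `ClusterRole` manifest (assuming "read" means the `get`, `list` and `watch` verbs), binds it to a service account, and includes a check that flags any rule in an existing ClusterRole that goes beyond read-only. The API group mapping, the role and service account names, and the namespace are assumptions made for the example.

```python
"""Generate a least-privilege ClusterRole for a read-only cluster scanner."""
import json

# Permission strings as listed on this page, "verb:resource" form.
REQUIRED_PERMISSIONS = [
    "read:namespaces", "read:services", "read:serviceaccounts", "read:pods",
    "read:replicasets", "read:deployments", "read:daemonsets", "read:configmaps",
    "read:nodes", "read:persistentvolumes",
    "read:clusterroles", "read:clusterrolebindings",
]

# Kubernetes API group of each resource (the core group is the empty string).
API_GROUPS = {
    "namespaces": "", "services": "", "serviceaccounts": "", "pods": "",
    "configmaps": "", "nodes": "", "persistentvolumes": "",
    "replicasets": "apps", "deployments": "apps", "daemonsets": "apps",
    "clusterroles": "rbac.authorization.k8s.io",
    "clusterrolebindings": "rbac.authorization.k8s.io",
}

# Assumption: "read" on this page maps to the three read-only RBAC verbs.
READ_VERBS = ["get", "list", "watch"]
# Verbs that allow mutation or privilege escalation; a scanner must not hold them.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection",
               "escalate", "bind", "impersonate", "*"}


def build_cluster_role(name, permissions):
    """Group the permission list by API group into a ClusterRole manifest."""
    rules_by_group = {}
    for perm in permissions:
        verb, resource = perm.split(":", 1)
        if verb != "read":
            raise ValueError(f"unexpected verb {verb!r} in {perm}")
        if resource not in API_GROUPS:
            raise ValueError(f"unknown resource {resource!r}")
        rules_by_group.setdefault(API_GROUPS[resource], []).append(resource)
    rules = [
        {"apiGroups": [group], "resources": sorted(set(resources)), "verbs": READ_VERBS}
        for group, resources in sorted(rules_by_group.items())
    ]
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRole",
        "metadata": {"name": name},
        "rules": rules,
    }


def build_binding(role_name, sa_name, sa_namespace):
    """Bind the ClusterRole to one service account (names are example values)."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": f"{role_name}-binding"},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                    "kind": "ClusterRole", "name": role_name},
        "subjects": [{"kind": "ServiceAccount", "name": sa_name,
                      "namespace": sa_namespace}],
    }


def find_write_verbs(cluster_role):
    """Return (apiGroup, resource, verb) triples that exceed read-only access."""
    findings = []
    for rule in cluster_role.get("rules", []):
        for verb in rule.get("verbs", []):
            if verb in WRITE_VERBS:
                for group in rule.get("apiGroups", [""]):
                    for resource in rule.get("resources", []):
                        findings.append((group, resource, verb))
    return findings


if __name__ == "__main__":
    role = build_cluster_role("scanner-readonly", REQUIRED_PERMISSIONS)
    binding = build_binding("scanner-readonly", "scanner", "monitoring")
    assert find_write_verbs(role) == []
    print(json.dumps([role, binding], indent=2))
```

Running the script prints the two manifests as JSON (which `kubectl apply -f` accepts); the `find_write_verbs` check is what a reviewer would run against a role that someone has widened later, and it treats a `*` verb as a write. Note that `read:configmaps` is itself a sensitive grant, since ConfigMaps frequently carry credentials that belong in Secrets, so the account's key from the Configurations table deserves the same handling as any other read-everything credential.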
Schema Model
| Resources | Source Entity | Normalized Entity | Description |
|---|---|---|---|
| kubernetes.cluster | kubernetes.cluster | Cluster | Represents the overall Kubernetes cluster. |
| kubernetes.cluster.Cluster | kubernetes.cluster | Cluster | Represents specific cluster information. |
| kubernetes.cluster.ConfigMap | kubernetes.cluster | ConfigMap | Stores configuration data in key-value pairs. |
| kubernetes.cluster.Container | kubernetes.cluster | Container | Represents a running container in a Kubernetes pod. |
| kubernetes.cluster.DaemonSet | kubernetes.cluster | DaemonSet | Ensures a copy of a pod runs on all or some nodes. |
| kubernetes.cluster.Deployment | kubernetes.cluster | Deployment | Manages the deployment of replicas and rollout updates. |
| kubernetes.cluster.Namespace | kubernetes.cluster | Namespace | Provides a mechanism for isolating groups of resources. |
| kubernetes.cluster.Node | kubernetes.cluster | Node | Represents a worker machine in Kubernetes. |
| kubernetes.cluster.PersistentVolume | kubernetes.cluster | PersistentVolume | Represents a piece of storage in the cluster. |
| kubernetes.cluster.PersistentVolumeClaim | kubernetes.cluster | PersistentVolumeClaim | Represents a request for storage by a user. |
| kubernetes.cluster.Pod | kubernetes.cluster | Pod | The smallest deployable unit of computing in Kubernetes. |
| kubernetes.cluster.ReplicaSet | kubernetes.cluster | ReplicaSet | Ensures a specified number of pod replicas are running. |
| kubernetes.cluster.Service | kubernetes.cluster | Service | Exposes a set of pods as a network service. |
| kubernetes.cluster.ServiceAccount | kubernetes.cluster | ServiceAccount | Provides an identity for processes running in a pod. |
| kubernetes.kubebench | kubernetes.kubebench | KubeBench | Represents the Kube-bench tool for security benchmarking. |
| kubernetes.kubebench.Output | kubernetes.kubebench | Output | Stores the output results of the Kube-bench scans. |
| kubernetes.kubebench.Controls | kubernetes.kubebench | Controls | Represents control checks performed by Kube-bench. |
| kubernetes.kubebench.Group | kubernetes.kubebench | Group | Groups related checks in Kube-bench. |
| kubernetes.kubebench.Check | kubernetes.kubebench | Check | Represents individual security checks performed by Kube-bench. |
Events
| Event | Description |
|---|---|
| DNSRecordProvisioningSucceeded | Indicates successful provisioning of a DNS record. |
| Unhealthy | Indicates that a component is unhealthy. |
| Scheduled | A pod has been scheduled to a node. |
| Created | A new resource has been created. |
| Killing | A pod is being terminated. |
| Pulled | A container image has been successfully pulled. |
| Pulling | A container image is being pulled. |
| SuccessfulCreate | Indicates the successful creation of a resource. |
| Started | A container or pod has started running. |
| FailedMount | Indicates a failure in mounting a volume to a pod. |
| SuccessfulDelete | Indicates the successful deletion of a resource. |
| ScalingReplicaSet | A replica set is scaling up or down. |
| NetworkNotReady | Indicates that the network is not ready. |
| NodeNotReady | A node is marked as not ready. |
| NodeNotSchedulable | A node is marked as unschedulable. |
| NodeHasSufficientPID | A node has sufficient PIDs available. |
| ImageStreaming | Indicates that a container image is being streamed. |
| RemovingNode | A node is being removed from the cluster. |
| DeletingNode | A node is being deleted. |
| NodeAllocatableEnforced | Node allocatable resources have been enforced. |
| NodeHasSufficientMemory | A node has sufficient memory available. |
| NodeHasNoDiskPressure | A node has no disk pressure issues. |
| NodeReady | A node is marked as ready. |
| EvictionThresholdMet | An eviction threshold has been reached. |
| FailedGetResourceMetric | A failure occurred while retrieving resource metrics. |
| RegisteredNode | A node has been successfully registered. |
| Synced | Resources have been synchronized successfully. |
| NodeRegistrationCheckerStart | The node registration checker has started. |
| Completed | Indicates successful completion of an operation. |
| ADD | An addition event occurred. |
| NodeRegistrationCheckerDidNotRunChecks | Node registration checks did not run. |
| NodeSysctlChange | Indicates a change in sysctl configuration on a node. |
| LeaderElection | An event related to Kubernetes leader election. |
| FailedCreatePodSandBox | Failure in creating a pod sandbox. |
| FailedCreate | Indicates a failure in creating a resource. |
| Starting | Indicates that a process is starting. |
| InvalidDiskCapacity | Indicates invalid disk capacity settings. |
| NodeHasInsufficientMemory | A node has insufficient memory available. |
| FailedDaemonPod | A failure occurred while running a DaemonSet pod. |
| Evicted | A pod has been evicted. |
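The event crawl returns every reason in the table above, most of which are routine `Normal` lifecycle events. What an operator usually wants from the crawl is the subset that signals failure or node configuration drift, and whether a failure keeps repeating for the same object. The script below is an added example and not part of the blueprint: it triages a constructed batch of events (shaped after the `type`, `reason` and `involvedObject` fields of a core/v1 Event, not data from a real cluster) using the reasons listed in the table. Which reasons count as failures and which as drift is a judgement made for the example.

```python
"""Triage crawled Kubernetes events: failures, repeats, and node config drift."""
from collections import Counter

# Reasons from the Events table that indicate something went wrong.
FAILURE_REASONS = {
    "FailedMount", "FailedCreate", "FailedCreatePodSandBox", "FailedDaemonPod",
    "FailedGetResourceMetric", "Evicted", "EvictionThresholdMet", "Unhealthy",
    "NodeNotReady", "NetworkNotReady", "NodeHasInsufficientMemory",
    "InvalidDiskCapacity",
}
# Reasons that indicate node-level configuration changed and should be reviewed.
DRIFT_REASONS = {"NodeSysctlChange"}

# Constructed sample events; field names follow core/v1 Event, values are invented.
SAMPLE_EVENTS = [
    {"type": "Warning", "reason": "FailedMount", "namespace": "payments", "kind": "Pod",
     "name": "api-0", "message": 'MountVolume.SetUp failed for volume "tls"'},
    {"type": "Warning", "reason": "FailedMount", "namespace": "payments", "kind": "Pod",
     "name": "api-0", "message": 'MountVolume.SetUp failed for volume "tls"'},
    {"type": "Warning", "reason": "FailedMount", "namespace": "payments", "kind": "Pod",
     "name": "api-0", "message": 'MountVolume.SetUp failed for volume "tls"'},
    {"type": "Normal", "reason": "Pulled", "namespace": "payments", "kind": "Pod",
     "name": "api-0", "message": "Container image already present on machine"},
    {"type": "Warning", "reason": "Evicted", "namespace": "batch", "kind": "Pod",
     "name": "etl-7f", "message": "The node was low on resource: memory"},
    {"type": "Normal", "reason": "NodeSysctlChange", "namespace": "", "kind": "Node",
     "name": "gke-pool-1-abc", "message": "Node sysctl config changed"},
    {"type": "Normal", "reason": "NodeReady", "namespace": "", "kind": "Node",
     "name": "gke-pool-1-abc", "message": "Node gke-pool-1-abc status is now: NodeReady"},
]


def triage_events(events, repeat_threshold=3):
    """Split a crawl batch into failures, repeated failures, and drift events.

    repeated maps (namespace, reason, object name) to the number of times that
    failure was seen; cluster-scoped objects (nodes) are keyed as "<cluster>".
    """
    failures = [e for e in events if e["reason"] in FAILURE_REASONS]
    repeats = Counter(
        (e["namespace"] or "<cluster>", e["reason"], e["name"]) for e in failures
    )
    return {
        "failures": failures,
        "repeated": {key: n for key, n in repeats.items() if n >= repeat_threshold},
        "drift": [e for e in events if e["reason"] in DRIFT_REASONS],
    }


if __name__ == "__main__":
    result = triage_events(SAMPLE_EVENTS)
    for (ns, reason, name), n in result["repeated"].items():
        print(f"{ns}/{name}: {reason} repeated {n} times")
    for e in result["drift"]:
        print(f"drift on {e['kind']} {e['name']}: {e['message']}")
```

Keying repeats on the object name rather than just the namespace separates one pod that cannot mount its TLS volume from a namespace-wide outage, and `NodeSysctlChange` is surfaced separately because a sysctl change on a node is a configuration-drift signal rather than a failure, which also makes it a useful input to the CIS benchmark results that the blueprint collects.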