GCP Kubernetes Engine Clusters have Cloud Logging disabled
Description
Stackdriver is the default logging solution for clusters deployed on GKE. Stackdriver logging is deployed to a new cluster by default, explicitly set to opt-out. Stackdriver logging collects only the container's standard output and standard error streams. To ingest logs, Stackdriver logging agent must be deployed to each node in the cluster. Stackdriver provides a single-pane-of-glass view of metrics, logs, and traces through Kubernetes Engine clusters and workloads. We recommend you use Stackdriver logging as a unified data logging solution for GKE workloads unless additional observability tooling is already in place.
Code Example
go
resource "google_container_cluster" "primary" {
name = "my-gke-cluster"
location = "us-central1"
remove_default_node_pool = true
initial_node_count = 1
logging_service = "logging.googleapis.com/kubernetes"
}Remediation
Terraform
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0862 |
| Severity | INFO |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_GCP_1 |