10. E. Logging with Stackdriver
Export logs to a Log Sink for retention and later analysis.
Supported sink destinations:
- On-prem log store (typically fed through Cloud Pub/Sub)
- Cloud Pub/Sub
- GCS
- BigQuery
2. GCP Best Practice (Logging & Monitoring)
11. F. Monitoring with Stackdriver
Metrics exposure
Alerting policies based on metrics
12. J. Audit Logging
Answer the 4W questions: What, Who, When, Where
13. Types of Audit Log entries (columns: Type / Log entries / GCP usage / IAM for viewing)

Type: Admin Activity
- Log entries: API calls and other administrative actions that modify the configuration or metadata of resources
- GCP usage: enabled by default; cannot be disabled; free
- IAM for viewing: Project Viewer, or Logging / Logs Viewer

Type: Data Access
- Log entries: API calls that read the configuration or metadata of resources, and user-driven API calls that create, modify or read user-provided resource data
- GCP usage: disabled by default (BigQuery is the exception); charged by Google once enabled
- IAM for viewing: Project Owner, or Logging / Private Logs Viewer

Type: System Event
- Log entries: Google Cloud administrative actions that modify the configuration of resources; generated by Google systems, not driven by direct user action
- GCP usage: enabled by default; cannot be disabled; free
- IAM for viewing: Project Viewer, or Logging / Logs Viewer
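To make the 4W lookup concrete, here is an added example (not code from the deck or from Google) that reads newline-delimited JSON audit log entries, the format a GCS or Pub/Sub sink delivers, classifies each entry as Admin Activity, Data Access or System Event from the suffix of its logName, and pulls What/Who/When/Where out of the protoPayload. The three entries, the project name demo-project, the identities and the IP addresses are constructed for the example; the field names follow the google.cloud.audit.AuditLog schema.

```python
import json

# Constructed sample entries in Cloud Audit Log JSON shape (demo-project,
# identities and addresses are made up for this example, not real logs).
SAMPLE_ENTRIES = [
    {   # Admin Activity: an IAM policy change on the project
        "logName": "projects/demo-project/logs/cloudaudit.googleapis.com%2Factivity",
        "timestamp": "2024-03-01T08:15:30Z",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "cloudresourcemanager.googleapis.com",
            "methodName": "SetIamPolicy",
            "resourceName": "projects/demo-project",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "requestMetadata": {"callerIp": "203.0.113.5"},
        },
    },
    {   # Data Access: a service account reading an object (only logged when enabled)
        "logName": "projects/demo-project/logs/cloudaudit.googleapis.com%2Fdata_access",
        "timestamp": "2024-03-01T08:16:02Z",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "storage.googleapis.com",
            "methodName": "storage.objects.get",
            "resourceName": "projects/_/buckets/demo-bucket/objects/report.csv",
            "authenticationInfo": {"principalEmail": "reporting@demo-project.iam.gserviceaccount.com"},
            "requestMetadata": {"callerIp": "10.0.0.12"},
        },
    },
    {   # System Event: generated by Google, so there is no caller IP
        "logName": "projects/demo-project/logs/cloudaudit.googleapis.com%2Fsystem_event",
        "timestamp": "2024-03-01T09:00:00Z",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "compute.googleapis.com",
            "methodName": "compute.instances.migrateOnHostMaintenance",
            "resourceName": "projects/demo-project/zones/us-central1-a/instances/web-1",
            "authenticationInfo": {"principalEmail": "system@google.com"},
        },
    },
]
# One JSON object per line, as a sink writes them.
SAMPLE_NDJSON = "\n".join(json.dumps(e) for e in SAMPLE_ENTRIES)

AUDIT_LOG_TYPES = {
    "activity": "Admin Activity",
    "data_access": "Data Access",
    "system_event": "System Event",
}


def audit_log_type(log_name):
    """Map logName ".../cloudaudit.googleapis.com%2F<type>" to its audit log type.
    The slash before <type> is URL-encoded as %2F in exported entries; a decoded
    name (plain slash) is handled too."""
    tail = log_name.split("/")[-1]
    suffix = tail.split("%2F")[-1]
    return AUDIT_LOG_TYPES.get(suffix, "Unknown")


def four_w(entry):
    """Extract What / Who / When / Where from one audit log entry."""
    payload = entry["protoPayload"]
    auth = payload.get("authenticationInfo", {})
    meta = payload.get("requestMetadata", {})
    return {
        "type": audit_log_type(entry["logName"]),
        "method": payload["methodName"],
        "what": f'{payload["serviceName"]} {payload["methodName"]} on {payload.get("resourceName", "?")}',
        "who": auth.get("principalEmail", "<unknown>"),
        "when": entry["timestamp"],
        "where": meta.get("callerIp", "<unknown>"),
    }


def parse_ndjson(text):
    """Parse newline-delimited JSON, keeping only Cloud Audit Log entries."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        payload = entry.get("protoPayload", {})
        if payload.get("@type") != "type.googleapis.com/google.cloud.audit.AuditLog":
            continue  # some other log type routed through the same sink
        rows.append(four_w(entry))
    return rows


def iam_policy_changes(rows):
    """Simple detection: every IAM policy change is worth a second look."""
    return [r for r in rows if "setiampolicy" in r["method"].lower()]


if __name__ == "__main__":
    rows = parse_ndjson(SAMPLE_NDJSON)
    for r in rows:
        print(f'[{r["type"]}] who={r["who"]} when={r["when"]} where={r["where"]} what={r["what"]}')
    print("IAM changes:", [r["who"] for r in iam_policy_changes(rows)])
```

Because Data Access logs are off by default, a missing entry of that type in the export usually means the logs were never enabled, not that nothing was read; the parser cannot tell those apart, so check the project's audit config as well.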
14. Type / Target / Applied level

Identity and Access Management (IAM)
- Target: all identities in GCP (User, Group, Service Account)
- Applied level: Projects

Organization Policy
- Target: GCP resources
- Applied level: Organization, Projects
2. GCP Best Practice (IAM & Policies)
15. Identity and Access Management
- Grant each identity only the limited access to resources it needs
- Put users into groups, then bind IAM roles to the groups rather than to individual users
- Do not grant bucket-level access; grant access at the object level only
16. Organization Policies
- Provide the ability to set restrictions on specific resources that determine how
they can be configured and used.
(Vietnamese, translated)
- Apply constraints to resources (VM, Cloud Function, GCS, ...)
- Purpose: define how these resources MAY be configured and used by users
Examples:
● Define a constraint that restricts virtual machine instances from having an
external IP address.
● Define a constraint that limits which ingress settings a Cloud Function may
use.
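The two example constraints above, written out as organization policy files in the format accepted by `gcloud resource-manager org-policies set-policy`. This is an added example, not a file from the deck or from Google; the file names and the project ID in the usage note are placeholders. Both constraint names are real list constraints.

```yaml
# File: vm-no-external-ip.yaml
# Deny every value of the list constraint, so no VM in the policy's scope
# can be created with (or later given) an external IP address.
constraint: constraints/compute.vmExternalIpAccess
listPolicy:
  allValues: DENY
```

```yaml
# File: function-ingress.yaml
# Only functions deployed with the internal-only ingress setting are allowed;
# a deploy with ALLOW_ALL is rejected at deploy time.
constraint: constraints/cloudfunctions.allowedIngressSettings
listPolicy:
  allowedValues:
    - ALLOW_INTERNAL_ONLY
```

Apply each with `gcloud resource-manager org-policies set-policy vm-no-external-ip.yaml --project=PROJECT_ID` (use `--organization=ORG_ID` or `--folder=FOLDER_ID` to set it higher in the hierarchy, where it is inherited by every project below). The VM constraint blocks new external IP assignments; instances that already have one keep it, so audit existing instances separately, for example with `gcloud compute instances list --format="table(name,networkInterfaces[].accessConfigs[].natIP)"`.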
17. ● Enforce MFA on employees' accounts
● Use Cloud Identity / G Suite to manage accounts for the organization
2. GCP Best Practice (Security)
18. ● Private IP cluster
● Separate node pools for different types of application
● Enable Stackdriver Logging & Monitoring for service observability
● Security
+ Avoid running as root (set a SecurityContext instead)
+ Enable NetworkPolicy (Ingress/Egress, from/to) for each namespace
● Isolate applications (one per namespace) where possible
+ Apply the security controls above per namespace
+ Enable resource quotas per namespace: max pods × CPU/memory limit per pod
=> no application can starve the others of resources
=> cost control
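The security and isolation points above, as manifests for one hypothetical namespace. This is an added example, not from the deck: the namespace team-a, the label app=web, the namespace ingress-system and the image name are placeholders. It applies a ResourceQuota (max pods plus CPU/memory limits), a default-deny NetworkPolicy with one allow rule, and a Pod whose SecurityContext refuses to run as root.

```yaml
# ResourceQuota: caps the namespace at 20 pods and at the summed CPU/memory
# requests and limits of all its pods. Once limits.* is set here, every pod
# in the namespace must declare resource limits or it is rejected.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: team-a-quota
  namespace: team-a
spec:
  hard:
    pods: "20"
    requests.cpu: "4"
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi
---
# Default deny: an empty podSelector matches every pod in the namespace, and
# listing both policy types with no rules blocks all ingress and egress.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: team-a
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# Allow rule for the web pods only: ingress from the ingress-system namespace
# on 8080, egress to the cluster DNS pods (GKE labels kube-dns with
# k8s-app=kube-dns in kube-system). Add further egress rules per dependency.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web
  namespace: team-a
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes: ["Ingress", "Egress"]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-system
      ports:
        - protocol: TCP
          port: 8080
  egress:
    - to:
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
# Pod: runAsNonRoot makes the kubelet refuse to start a container whose
# image would run as UID 0; the container-level settings drop privileges.
apiVersion: v1
kind: Pod
metadata:
  name: web
  namespace: team-a
  labels:
    app: web
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    runAsGroup: 10001
  containers:
    - name: web
      image: example.com/web:1.0   # placeholder image
      ports:
        - containerPort: 8080
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
      resources:
        requests: {cpu: 100m, memory: 128Mi}
        limits: {cpu: 500m, memory: 256Mi}
```

NetworkPolicy objects are accepted by any cluster but only enforced when the cluster has network policy enforcement turned on (on GKE, `gcloud container clusters create ... --enable-network-policy`, or a Dataplane V2 cluster); verify enforcement by exec'ing into a pod outside the allowed set and confirming the connection to port 8080 is refused rather than trusting that the object exists.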
3. GCP Best Practice (GKE Operation)
19. ● Report based on Mudah's current GCP resources
● Recommendations given by GCP experts
● Follow Google's GCP best practices for cloud operation
4. Sample Organization Report