Ensure default Service account is not used for Project access in Kubernetes Clusters

A service account is an identity that an instance or an application can use to run API requests on your behalf. This identity is used to identify applications running on your virtual machine instances to other Google Cloud Platform services. By default, Kubernetes Engine nodes are given the Compute Engine default service account. This account has broad access by default, making it useful to a wide variety of applications, but it has more permissions than are required to run your Kubernetes Engine cluster.

Risk Level: High
Cloud Entity: Kubernetes Cluster
CloudGuard Rule ID: D9.GCP.IAM.13
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

GkeCluster should not have nodePools contain [ config.isDefaultServiceAccount=true ]

REMEDIATION

From Portal
Note: There is no functionality that allows you to change the service account of an existing cluster; you need to create a new cluster and remove the non-compliant cluster.

Create New Cluster:

  1. Go to Kubernetes GCP Console by visiting https://console.cloud.google.com/kubernetes/list?
  2. Click on CREATE CLUSTER
  3. Choose required name/value for cluster fields
  4. Click on NODE POOLS
  5. Under the Security section, choose a service account that has the least privilege instead of the Compute Engine default service account
  6. Click on 'CREATE'

Remove existing Cluster:

  1. Go to Kubernetes GCP Console by visiting https://console.cloud.google.com/kubernetes/list?
  2. Select the non-compliant cluster
  3. Click on 'DELETE'

From TF
Set the service account email to a non-default service account:

resource "google_container_node_pool" "primary_preemptible_nodes" {
	...
	node_config {
		# Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
		service_account = SERVICE_ACCOUNT_EMAIL
		...
	}
}

From Command Line

  1. To create a new cluster, run:
gcloud container clusters create CLUSTER_NAME --release-channel CHANNEL --zone COMPUTE_ZONE --service-account=SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com
  2. To delete an existing cluster, run:
gcloud container clusters delete CLUSTER_NAME --zone=ZONE
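An added audit script (not part of the CloudGuard rule or Google's tooling) that mirrors the GSL logic above over the JSON that `gcloud container clusters list --format=json` prints: a node pool is flagged when its `config.serviceAccount` is absent, is the literal `default`, or is the Compute Engine default account `PROJECT_NUMBER-compute@developer.gserviceaccount.com`. The cluster names, project number and custom account email in the embedded sample are constructed.

```python
import json
import re
import sys

# The Compute Engine default service account has the form
# <PROJECT_NUMBER>-compute@developer.gserviceaccount.com
DEFAULT_COMPUTE_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")


def uses_default_service_account(node_config: dict) -> bool:
    """True when a node pool's config resolves to the Compute Engine default SA.

    GKE uses the default account when serviceAccount is omitted or set to "default".
    """
    sa = (node_config or {}).get("serviceAccount", "default")
    return sa == "default" or bool(DEFAULT_COMPUTE_SA.match(sa))


def find_noncompliant_pools(clusters_json: str) -> list:
    """Return (cluster, nodePool, serviceAccount) for every pool on the default SA."""
    findings = []
    for cluster in json.loads(clusters_json):
        for pool in cluster.get("nodePools", []):
            cfg = pool.get("config", {})
            if uses_default_service_account(cfg):
                findings.append((cluster["name"], pool["name"],
                                 cfg.get("serviceAccount", "default")))
    return findings


# Constructed sample resembling `gcloud container clusters list --format=json`
SAMPLE = json.dumps([
    {"name": "prod-a", "nodePools": [
        {"name": "default-pool", "config": {"serviceAccount": "default"}},
        {"name": "workers", "config": {
            "serviceAccount": "gke-nodes@example-project.iam.gserviceaccount.com"}},
    ]},
    {"name": "prod-b", "nodePools": [
        {"name": "default-pool", "config": {
            "serviceAccount": "123456789012-compute@developer.gserviceaccount.com"}},
        {"name": "no-sa-field", "config": {"machineType": "e2-standard-4"}},
    ]},
])

if __name__ == "__main__":
    # Read real gcloud output from a pipe; fall back to the sample when run interactively.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for cluster, pool, sa in find_noncompliant_pools(data):
        print(f"NON-COMPLIANT: cluster={cluster} nodePool={pool} serviceAccount={sa}")
```

Run it against a project with `gcloud container clusters list --format=json | python3 check_default_sa.py`; the `workers` pool in the sample is the only one that passes.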

References

  1. https://cloud.google.com/compute/docs/access/service-accounts#compute_engine_default_service_account
  2. https://cloud.google.com/sdk/gcloud/reference/container/clusters/create
  3. https://cloud.google.com/sdk/gcloud/reference/container/clusters/delete
  4. https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster

Kubernetes Cluster

Kubernetes Engine is a managed, production-ready environment for deploying containerized applications. It brings our latest innovations in developer productivity, resource efficiency, automated operations, and open source flexibility to accelerate your time to market.

Launched in 2015, Kubernetes Engine builds on Google's experience of running services like Gmail and YouTube in containers for over 12 years. Kubernetes Engine allows you to get up and running with Kubernetes in no time, by completely eliminating the need to install, manage, and operate your own Kubernetes clusters.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Foundations v. 1.0.0
  • GCP CloudGuard Best Practices
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5