Ensure GKE Cluster HTTP load balancing is enabled

Checks for GCP Kubernetes Engine Clusters that have HTTP load balancing disabled. When this is enabled, the Kubernetes Engine can terminate unauthorized HTTP/HTTPS requests and make better context-aware load balancing decisions.

Risk Level: Medium
Cloud Entity: Kubernetes Cluster
CloudGuard Rule ID: D9.GCP.NET.15
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

GkeCluster should have addonsConfig.httpLoadBalancing.disabled=false

REMEDIATION

From Portal

  1. Navigate to the 'Kubernetes Engine' Clusters
  2. Select the clusters to be modified
  3. Click Edit
  4. In the 'Networking' section set 'HTTP load balancing' to Enabled

From TF
Set the http_load_balancing argument to 'true':

module "gke" {
	...
	http_load_balancing = true
	...
}

From Command Line
Run

gcloud container clusters update CLUSTER_NAME --update-addons=[HttpLoadBalancing=ENABLED]

References

  1. https://registry.terraform.io/modules/terraform-google-modules/kubernetes-engine/google/latest
  2. https://cloud.google.com/sdk/gcloud/reference/container/clusters/update#--enable-network-policy
  3. https://cloud.google.com/kubernetes-engine/docs/concepts/ingress

Kubernetes Cluster

Kubernetes Engine is a managed, production-ready environment for deploying containerized applications. It brings our latest innovations in developer productivity, resource efficiency, automated operations, and open source flexibility to accelerate your time to market.

Launched in 2015, Kubernetes Engine builds on Google's experience of running services like Gmail and YouTube in containers for over 12 years. Kubernetes Engine allows you to get up and running with Kubernetes in no time, by completely eliminating the need to install, manage, and operate your own Kubernetes clusters.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CloudGuard Best Practices
  • GCP CloudGuard CheckUp
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5