Ensure GKE Clusters use specific purpose-designed networks instead of the default network
Checks for Google Kubernetes Engine (GKE) clusters that are configured to use the default network. It is recommended not to use the default network on GKE.
Risk Level: High
Cloud Entity: Kubernetes Cluster
CloudGuard Rule ID: D9.GCP.NET.17
Covered by Spectral: Yes
Category: Compute
GSL LOGIC
GkeCluster should not have network = 'default'
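The rule logic above, as an added example that is not part of the CloudGuard page: a small Python check over constructed cluster records in the shape of `gcloud container clusters list --format=json`. It also handles the case the one-line GSL leaves implicit, where the network is reported as a full resource path ending in `/networks/default`; treating a missing `network` field as a finding is this example's conservative assumption.

```python
import json
import re

# Constructed sample records (not real clusters), trimmed to the fields the check needs.
SAMPLE_CLUSTERS_JSON = """
[
  {"name": "legacy-a", "location": "us-central1-a", "network": "default"},
  {"name": "legacy-b", "location": "europe-west1",
   "network": "projects/example-project/global/networks/default"},
  {"name": "prod-api", "location": "us-east1", "network": "prod-vpc"},
  {"name": "no-net-field", "location": "us-west1"}
]
"""

# Matches a bare "default" or a resource path whose last segment is "default",
# but not names such as "not-default" that merely end with the word.
DEFAULT_NETWORK_RE = re.compile(r"(^|/)default$")


def uses_default_network(cluster: dict) -> bool:
    """Return True if the cluster is attached to the auto-created 'default' VPC.

    GKE may report the network as a bare name or as a full path
    (projects/<project>/global/networks/<name>). An absent field is treated
    as a finding here (assumption: the cluster fell back to the default network).
    """
    network = cluster.get("network")
    if not network:
        return True
    return DEFAULT_NETWORK_RE.search(network) is not None


def find_default_network_clusters(clusters_json: str) -> list[str]:
    """Apply the D9.GCP.NET.17 logic; return '<location>/<name>' for each violating cluster."""
    clusters = json.loads(clusters_json)
    return [
        f"{c['location']}/{c['name']}"
        for c in clusters
        if uses_default_network(c)
    ]


if __name__ == "__main__":
    for hit in find_default_network_clusters(SAMPLE_CLUSTERS_JSON):
        print(f"FINDING D9.GCP.NET.17: {hit} uses the default network")
```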
REMEDIATION
Note: The network for an existing cluster cannot be changed.
To reconfigure the cluster to use purpose-built networks, you must create a new cluster with a custom network that meets your requirements, then migrate the cluster data from the reported cluster to this new GKE cluster, and then delete the old cluster.
To create a new Kubernetes Engine cluster with a custom network:
From Portal
- Navigate to the 'Kubernetes Engine', and select 'Clusters'
- Create cluster
- Set the new cluster parameters as per your requirements and ensure 'Network' is not set to 'default' under the Networking section
From TF
Set 'network' (and 'subnetwork') to a purpose-built VPC network rather than 'default':
resource "google_container_cluster" "primary" {
  name               = NAME
  location           = LOCATION
  initial_node_count = 3
  network            = NETWORK_NAME
  subnetwork         = SUBNETWORK
}
From Command Line
Run
gcloud container clusters create CLUSTER_NAME --zone COMPUTE_ZONE --network=NETWORK --subnetwork=SUBNETWORK
To delete the old Kubernetes Engine cluster:
From Portal
- Go to the Google Kubernetes Engine page in Cloud Console. https://console.cloud.google.com/kubernetes/list
- Next to the cluster you want to delete, click 'Actions', then click 'Delete'.
- When prompted to confirm, click Delete again.
From Command Line
Run
gcloud container clusters delete CLUSTER_NAME
References
- https://cloud.google.com/sdk/gcloud/reference/container/clusters/create
- https://cloud.google.com/kubernetes-engine/docs/how-to/deleting-a-cluster#gcloud
- https://registry.terraform.io/modules/terraform-google-modules/kubernetes-engine/google/latest/submodules/private-cluster
Kubernetes Cluster
Kubernetes Engine is a managed, production-ready environment for deploying containerized applications. It brings our latest innovations in developer productivity, resource efficiency, automated operations, and open source flexibility to accelerate your time to market.
Launched in 2015, Kubernetes Engine builds on Google's experience of running services like Gmail and YouTube in containers for over 12 years. Kubernetes Engine allows you to get up and running with Kubernetes in no time, by completely eliminating the need to install, manage, and operate your own Kubernetes clusters.
Compliance Frameworks
- CloudGuard GCP All Rules Ruleset
- GCP CloudGuard Best Practices
- GCP MITRE ATT&CK Framework v12.1
- GCP NIST 800-53 Rev 5
Updated 12 months ago