Ensure GKE Clusters use specific purpose-designed networks instead of the default network

Checks for Google Kubernetes Engine (GKE) clusters that are configured to use the default network. It is recommended not to use the default network on GKE.

Risk Level: High
Cloud Entity: Kubernetes Cluster
CloudGuard Rule ID: D9.GCP.NET.17
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

GkeCluster should not have network = 'default'
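As an added example (not CloudGuard's own GSL engine), the following Python check applies the same rule to constructed gcloud-style cluster JSON; it assumes the GKE API's `network` and `networkConfig.network` fields and treats an unspecified network as `default`, since that is the network GKE uses when none is given.

```python
import json

# Constructed sample resembling `gcloud container clusters list --format=json`
# output, trimmed to the fields this check needs (not real cluster data).
SAMPLE_CLUSTERS_JSON = """
[
  {"name": "legacy-cluster", "location": "us-central1",
   "network": "default",
   "networkConfig": {"network": "projects/demo-project/global/networks/default"}},
  {"name": "prod-cluster", "location": "us-central1",
   "network": "prod-vpc",
   "networkConfig": {"network": "projects/demo-project/global/networks/prod-vpc"}},
  {"name": "unset-cluster", "location": "europe-west1"}
]
"""


def cluster_network_name(cluster):
    """Return the short VPC network name a GKE cluster runs in.

    Prefers networkConfig.network (a relative resource path such as
    projects/P/global/networks/N) and falls back to the top-level 'network'
    field. An unspecified network means GKE placed the cluster in the
    default network, so that case normalises to 'default'.
    """
    value = ((cluster.get("networkConfig") or {}).get("network")
             or cluster.get("network") or "")
    name = value.rstrip("/").rsplit("/", 1)[-1]
    return name or "default"


def find_default_network_clusters(clusters):
    """Apply the rule "GkeCluster should not have network = 'default'".

    Returns the names of non-compliant clusters, in input order.
    """
    return [c["name"] for c in clusters if cluster_network_name(c) == "default"]


def run_check(clusters_json=SAMPLE_CLUSTERS_JSON):
    """Parse gcloud-style JSON and report findings as (name, location) pairs."""
    clusters = json.loads(clusters_json)
    flagged = set(find_default_network_clusters(clusters))
    return [(c["name"], c.get("location", "")) for c in clusters if c["name"] in flagged]


if __name__ == "__main__":
    for name, location in run_check():
        print(f"NON-COMPLIANT D9.GCP.NET.17: {name} ({location}) uses the default network")
```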

REMEDIATION

Note: The network for an existing cluster cannot be changed.
To reconfigure the cluster to use purpose-built networks, you must create a new cluster with a custom network that meets your requirements, then migrate the cluster data from the reported cluster to this new GKE cluster, and then delete the old cluster.

To create a new Kubernetes Engine cluster with the custom network:
From Portal

  1. Navigate to the 'Kubernetes Engine', and select 'Clusters'
  2. Create cluster
  3. Set the new cluster parameters as per your requirement and ensure 'Network' is not set to 'default' under the 'Networking' section

From TF
Set the 'network' and 'subnetwork' attributes to your purpose-built VPC network and subnet rather than 'default':

resource "google_container_cluster" "primary" {
  name               = NAME
  location           = LOCATION
  initial_node_count = 3
  # Place the cluster in a purpose-built VPC and subnet, not the 'default' network
  network            = NETWORK_NAME
  subnetwork         = SUBNETWORK
}

From Command Line
Run

gcloud container clusters create CLUSTER_NAME --zone COMPUTE_ZONE --network=NETWORK --subnetwork=SUBNETWORK

To delete a Kubernetes Engine cluster:
From Portal

  1. Go to the Google Kubernetes Engine page in Cloud Console. https://console.cloud.google.com/kubernetes/list
  2. Next to the cluster you want to delete, click 'Actions', then click 'Delete'.
  3. When prompted to confirm, click Delete again.

From Command Line
Run

gcloud container clusters delete CLUSTER_NAME

References

  1. https://cloud.google.com/sdk/gcloud/reference/container/clusters/create
  2. https://cloud.google.com/kubernetes-engine/docs/how-to/deleting-a-cluster#gcloud
  3. https://registry.terraform.io/modules/terraform-google-modules/kubernetes-engine/google/latest/submodules/private-cluster

Kubernetes Cluster

Kubernetes Engine is a managed, production-ready environment for deploying containerized applications. It brings our latest innovations in developer productivity, resource efficiency, automated operations, and open source flexibility to accelerate your time to market.

Launched in 2015, Kubernetes Engine builds on Google's experience of running services like Gmail and YouTube in containers for over 12 years. Kubernetes Engine allows you to get up and running with Kubernetes in no time, by completely eliminating the need to install, manage, and operate your own Kubernetes clusters.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CloudGuard Best Practices
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5