Risk Level: Medium
Cloud Entity: Kubernetes Cluster
CloudGuard Rule ID: D9.GCP.NET.21
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

GkeCluster should have ipAllocationPolicy.useIpAliases=true

REMEDIATION

Note: Remediation is only possible by creation of a new cluster with VPC native (using alias IP) Enabled.
From Portal 1. Go to Kubernetes GCP Console by visiting https://console.cloud.google.com/kubernetes/list 2. Click on CREATE CLUSTER 3. From the navigation pane, under Cluster, click Networking. 4. In the Network drop-down list, select a VPC. 5. In the Node subnet drop-down list, select a subnet for the cluster. 6. Ensure the Enable VPC-native traffic routing (uses alias IP) checkbox is selected. 7. Select the Automatically create secondary ranges checkbox if you want the secondary range assignment method to be managed by GKE. Clear this checkbox if you have already created secondary ranges for the chosen subnet and would like the secondary range assignment method to be user-managed. 8. In the Pod address range field, enter a pod range, such as 10.0.0.0/14. 9. In the Service address range field, enter a service range, such as 10.4.0.0/19. 10. Configure your cluster. 11. Click Create.

From TF Set the 'networking_mode' to be 'VPC_NATIVE' and add the block 'ip_allocation_policy':

resource "google_container_cluster" "primary" { 
  name               = "NAME" 
  location           = "LOCATION" 
  initial_node_count = 3 
  network            = "NETWORK" 
  subnetwork         = "SUBNETWORK" 
  networking_mode    = "VPC_NATIVE" 
  ... 
  ip_allocation_policy { 
    cluster_ipv4_cidr_block = "cluster_ipv4_cidr_block" 
    services_ipv4_cidr_block = "services_ipv4_cidr_block" 
  } 
  ... 
}

From Command Line To use a secondary range assignment method of managed by GKE:

gcloud container clusters create CLUSTER_NAME --region=COMPUTE_REGION --enable-ip-alias --subnetwork=SUBNET_NAME --cluster-ipv4-cidr=POD_IP_RANGE --services-ipv4-cidr=SERVICES_IP_RANGE

To use a secondary range assignment method of user-managed:

gcloud container clusters create CLUSTER_NAME --region=COMPUTE_REGION --enable-ip-alias --subnetwork=SUBNET_NAME --cluster-secondary-range-name=SECONDARY_RANGE_PODS --services-secondary-range-name=SECONDARY_RANGE_SERVICES

References 1. https://cloud.google.com/kubernetes-engine/docs/how-to/alias-ips 2. https://cloud.google.com/vpc/docs/alias-ip

Kubernetes Cluster

Kubernetes Engine is a managed, production-ready environment for deploying containerized applications. It brings our latest innovations in developer productivity, resource efficiency, automated operations, and open source flexibility to accelerate your time to market.

Launched in 2015, Kubernetes Engine builds on Google's experience of running services like Gmail and YouTube in containers for over 12 years. Kubernetes Engine allows you to get up and running with Kubernetes in no time, by completely eliminating the need to install, manage, and operate your own Kubernetes clusters.

Compliance Frameworks

CloudGuard GCP All Rules Ruleset
GCP CIS Foundations v. 1.0.0
GCP CloudGuard Best Practices
GCP CloudGuard CheckUp
GCP MITRE ATT&CK Framework v12.1
GCP NIST 800-53 Rev 5