Ensure Kubernetes Cluster is created with Alias IP ranges enabled

Google Cloud Platform Alias IP Ranges lets you assign ranges of internal IP addresses as aliases to a virtual machine's network interfaces. This is useful if you have multiple services running on a VM and you want to assign each service a different IP address.

Risk Level: Medium
Cloud Entity: Kubernetes Cluster
CloudGuard Rule ID: D9.GCP.NET.21
Covered by Spectral: Yes
Category: Compute


GkeCluster should have ipAllocationPolicy.useIpAliases=true


Note: Remediation is only possible by creation of a new cluster with VPC native (using alias IP) Enabled.
From Portal 1. Go to Kubernetes GCP Console by visiting https://console.cloud.google.com/kubernetes/list? 2. Click on CREATE CLUSTER 3. From the navigation pane, under Cluster, click Networking. 4. In the Network drop-down list, select a VPC. 5. In the Node subnet drop-down list, select a subnet for the cluster. 6. Ensure the Enable VPC-native traffic routing (uses alias IP) checkbox is selected. 7.Select the Automatically create secondary ranges checkbox if you want the secondary range assignment method to be managed by GKE. Clear this checkbox if you have already created secondary ranges for the chosen subnet and would like the secondary range assignment method to be user-managed. 8. In the Pod address range field, enter a pod range, such as 9. In the Service address range field, enter a service range, such as 10. Configure your cluster. 11. Click Create.

From TF Set the 'networking_mode' to be 'VPC_NATIVE' and add the block 'ip_allocation_policy':

From Command Line To use a secondary range assignment method of managed by GKE:

``` To use a secondary range assignment method of user-managed: 
```bash Terminalgcloud container clusters create CLUSTER_NAME --region=COMPUTE_REGION --enable-ip-alias --subnetwork=SUBNET_NAME --cluster-secondary-range-name=SECONDARY_RANGE_PODS --services-secondary-range-name=SECONDARY_RANGE_SERVICES

References 1. https://cloud.google.com/kubernetes-engine/docs/how-to/alias-ips 2. https://cloud.google.com/vpc/docs/alias-ip

Kubernetes Cluster

Kubernetes Engine is a managed, production-ready environment for deploying containerized applications. It brings our latest innovations in developer productivity, resource efficiency, automated operations, and open source flexibility to accelerate your time to market.

Launched in 2015, Kubernetes Engine builds on Google's experience of running services like Gmail and YouTube in containers for over 12 years. Kubernetes Engine allows you to get up and running with Kubernetes in no time, by completely eliminating the need to install, manage, and operate your own Kubernetes clusters.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Foundations v. 1.0.0
  • GCP CloudGuard Best Practices
  • GCP CloudGuard CheckUp
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5