Ensure Kubernetes Clusters are configured with Labels

A cluster label is a key-value pair that helps you organize your Google Cloud Platform resources, such as clusters. You can attach a label to each resource, then filter the resources based on their labels. Information about labels is forwarded to the billing system, so you can break down your billing charges by the label.

Risk Level: Low
Cloud Entity: Kubernetes Cluster
CloudGuard Rule ID: D9.GCP.OPE.01
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

GkeCluster should have tags length()!=0

REMEDIATION

From Portal

  1. Go to the Kubernetes clusters page in the Google Cloud Console: https://console.cloud.google.com/kubernetes/list?
  2. In the cluster list, select the checkboxes for one or more clusters that you want to modify.
  3. Click the Edit icon next to the Labels field.
  4. Add or update labels as desired.
  5. Click Save.

From TF
Add the 'resource_labels' field to the cluster resource with at least one key/value pair:

resource "google_container_cluster" "primary" {
  name               = "CLUSTER_NAME"
  location           = "LOCATION"
  initial_node_count = 3

  # A cluster with an empty label map fails this rule; one pair is enough to pass.
  resource_labels = {
    "KEY" = "VALUE"
  }
  # ...
}

From Command Line
To update an existing cluster with labels, use --region for a regional cluster or --zone for a zonal one (several labels can be passed comma-separated, e.g. KEY1=VALUE1,KEY2=VALUE2):

gcloud container clusters update CLUSTER_NAME --region COMPUTE_REGION | --zone COMPUTE_ZONE --update-labels KEY=VALUE
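
The three remediation paths above fix one cluster at a time. The script below is an added example, not part of this rule page or of Google's tooling: it evaluates the GSL condition (labels present and non-empty) over the JSON that `gcloud container clusters list --format=json` prints, and for each failing cluster builds the `gcloud container clusters update ... --update-labels` command shown above, choosing --region or --zone from the location format. The cluster records embedded in it are constructed sample data; the field names `name`, `location` and `resourceLabels` are those of the GKE Cluster resource, and the default labels applied in the fix command are hypothetical placeholders.

```python
"""Audit GKE clusters for missing resource labels (added example).

Mirrors the CloudGuard check `GkeCluster should have tags length()!=0`
on gcloud's JSON output and emits a remediation command per finding.
"""
import json
import shlex

# Constructed sample: what `gcloud container clusters list --format=json`
# would print for a project with three clusters. Only the fields the
# check uses are included. Unset fields are omitted from the output, so
# the third cluster has no resourceLabels key at all.
SAMPLE_CLUSTERS_JSON = json.dumps([
    {"name": "prod-web", "location": "us-central1",
     "resourceLabels": {"env": "prod", "owner": "platform"}},
    {"name": "dev-sandbox", "location": "us-central1-a",
     "resourceLabels": {}},
    {"name": "legacy-batch", "location": "europe-west1"},
])


def is_regional(location: str) -> bool:
    """Regions look like 'us-central1'; zones add a suffix, 'us-central1-a'."""
    return location.count("-") == 1


def unlabeled_clusters(clusters_json: str) -> list[dict]:
    """Return the clusters whose label map is missing or empty.

    This is the negation of the GSL condition: a missing resourceLabels
    key and an empty map are both treated as "no labels".
    """
    clusters = json.loads(clusters_json)
    return [c for c in clusters if not c.get("resourceLabels")]


def remediation_command(cluster: dict, labels: dict[str, str]) -> str:
    """Build the gcloud command that applies `labels` to `cluster`.

    Uses --region or --zone depending on the location format, matching
    the command syntax on the page; every argument is shell-quoted.
    """
    flag = "--region" if is_regional(cluster["location"]) else "--zone"
    kv = ",".join(f"{k}={v}" for k, v in labels.items())
    return " ".join([
        "gcloud container clusters update", shlex.quote(cluster["name"]),
        flag, shlex.quote(cluster["location"]),
        "--update-labels", shlex.quote(kv),
    ])


if __name__ == "__main__":
    # Hypothetical default labels; replace with your own label taxonomy.
    defaults = {"owner": "unknown", "env": "untagged"}
    for c in unlabeled_clusters(SAMPLE_CLUSTERS_JSON):
        print(f"NON-COMPLIANT: {c['name']} ({c['location']}) has no labels")
        print("  fix:", remediation_command(c, defaults))
```

To run it against a real project, replace `SAMPLE_CLUSTERS_JSON` with the output of `gcloud container clusters list --format=json` and review the printed commands before executing them; `--update-labels` merges with existing labels, so re-running it is safe.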

References

  1. https://cloud.google.com/kubernetes-engine/docs/how-to/creating-managing-labels#gcloud_1
  2. https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster

Kubernetes Cluster

Kubernetes Engine is a managed, production-ready environment for deploying containerized applications. It brings Google's latest work in developer productivity, resource efficiency, automated operations, and open source flexibility to shorten time to market.

Launched in 2015, Kubernetes Engine builds on Google's experience of running services like Gmail and YouTube in containers for over 12 years. It lets you get up and running with Kubernetes quickly by removing the need to install, manage, and operate your own Kubernetes clusters.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Foundations v. 1.0.0
  • GCP CloudGuard Best Practices
  • GCP NIST 800-53 Rev 5