Source: Kube Bench
ID: 5.6
Version: gke-1.2.0

5.6 Cluster Networking

5.6.1 Enable VPC Flow Logs and Intranode Visibility (Automated)

Using Command Line: To enable intranode visibility on an existing cluster, run the following command:

gcloud beta container clusters update [CLUSTER_NAME] \
  --enable-intra-node-visibility

5.6.2 Ensure use of VPC-native clusters (Automated)

Using Command Line: To enable Alias IP on a new cluster, run the following command:

gcloud container clusters create [CLUSTER_NAME] \
  --zone [COMPUTE_ZONE] \
  --enable-ip-alias

5.6.3 Ensure Master Authorized Networks is Enabled (Manual)

Using Command Line: To check Master Authorized Networks status for an existing cluster, run the following command:

gcloud container clusters describe [CLUSTER_NAME] \
  --zone [COMPUTE_ZONE] \
  --format json | jq '.masterAuthorizedNetworksConfig'

The output should return

{
  "enabled": true
}

if Master Authorized Networks is enabled.

If Master Authorized Networks is disabled, the above command will return null or an empty object ({ }).

5.6.4 Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Manual)

Using Command Line: Create a cluster with a Private Endpoint enabled and Public Access disabled by including the --enable-private-endpoint flag within the cluster create command:

gcloud container clusters create [CLUSTER_NAME] \
  --enable-private-endpoint

Setting this flag also requires the setting of --enable-private-nodes, --enable-ip-alias and --master-ipv4-cidr=[MASTER_CIDR_RANGE].

5.6.5 Ensure clusters are created with Private Nodes (Manual)

Using Command Line: To create a cluster with Private Nodes enabled, include the --enable-private-nodes flag within the cluster create command:

gcloud container clusters create [CLUSTER_NAME] \
  --enable-private-nodes

Setting this flag also requires the setting of --enable-ip-alias and --master-ipv4-cidr=[MASTER_CIDR_RANGE].

5.6.6 Consider firewalling GKE worker nodes (Manual)

Using Command Line: Use the following command to generate firewall rules, setting the variables as appropriate. You may want to use the target [TAG] and [SERVICE_ACCOUNT] previously identified.

gcloud compute firewall-rules create [FIREWALL_RULE_NAME] \
  --network [NETWORK] \
  --priority [PRIORITY] \
  --direction [DIRECTION] \
  --action [ACTION] \
  --target-tags [TAG] \
  --target-service-accounts [SERVICE_ACCOUNT] \
  --source-ranges [SOURCE_CIDR_RANGE] \
  --source-tags [SOURCE_TAGS] \
  --source-service-accounts [SOURCE_SERVICE_ACCOUNT] \
  --destination-ranges [DESTINATION_CIDR_RANGE] \
  --rules [RULES]

5.6.7 Ensure Network Policy is Enabled and set as appropriate (Manual)

Using Command Line: To enable Network Policy for an existing cluster, firstly enable the Network Policy add-on:

gcloud container clusters update [CLUSTER_NAME] \
  --zone [COMPUTE_ZONE] \
  --update-addons NetworkPolicy=ENABLED

Then, enable Network Policy:

gcloud container clusters update [CLUSTER_NAME] \
  --zone [COMPUTE_ZONE] \
  --enable-network-policy
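The remediations above each flip one field of the cluster resource, and the 5.6.3 check reads that resource back with `gcloud container clusters describe --format json`. The following audit script is an added example, not kube-bench's own code: it evaluates 5.6.1 through 5.6.7 against one describe document, treating an absent field as "not enabled" (the null case from 5.6.3). Field paths follow the GKE cluster API; the sample JSON and its values are constructed, and 5.6.6 (firewall rules) is out of scope because it lives on the VPC, not the cluster.

```python
import json

# Constructed sample of `gcloud container clusters describe --format json`
# output, trimmed to the fields these checks read. All values are made up.
SAMPLE_DESCRIBE = json.dumps({
    "name": "example-cluster",
    "networkConfig": {"enableIntraNodeVisibility": True},
    "ipAllocationPolicy": {"useIpAliases": True},
    "masterAuthorizedNetworksConfig": {},          # 5.6.3: no "enabled" key
    "privateClusterConfig": {"enablePrivateNodes": True,
                             "enablePrivateEndpoint": False},
    "addonsConfig": {"networkPolicyConfig": {"disabled": True}},
    "networkPolicy": {},
})

def _get(obj, path):
    """Walk a dotted path; a missing key reads as None (unset == off)."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

# Control ID -> (field path, compliant value). For 5.6.7a the add-on is
# enabled when networkPolicyConfig.disabled is absent or false.
CHECKS = {
    "5.6.1":  ("networkConfig.enableIntraNodeVisibility", True),
    "5.6.2":  ("ipAllocationPolicy.useIpAliases", True),
    "5.6.3":  ("masterAuthorizedNetworksConfig.enabled", True),
    "5.6.4":  ("privateClusterConfig.enablePrivateEndpoint", True),
    "5.6.5":  ("privateClusterConfig.enablePrivateNodes", True),
    "5.6.7a": ("addonsConfig.networkPolicyConfig.disabled", False),
    "5.6.7b": ("networkPolicy.enabled", True),
}

def audit(describe_json):
    """Return {control_id: passed} for one cluster describe document."""
    cluster = json.loads(describe_json)
    results = {}
    for cid, (path, compliant) in CHECKS.items():
        actual = _get(cluster, path)
        # Compliant=True needs an explicit true; compliant=False passes
        # when the field is false or absent (the default for an enabled add-on).
        results[cid] = (actual is True) if compliant else (actual is not True)
    return results

def failing(describe_json):
    """Sorted list of control IDs that did not pass."""
    return sorted(c for c, ok in audit(describe_json).items() if not ok)

if __name__ == "__main__":
    for cid, ok in audit(SAMPLE_DESCRIBE).items():
        print(cid, "PASS" if ok else "FAIL")
```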

5.6.8 Ensure use of Google-managed SSL Certificates (Manual)

If services of type:LoadBalancer are discovered, consider replacing the Service with an Ingress.

To configure the Ingress and use Google-managed SSL certificates, follow the instructions as listed at https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs.