Disable Workload Identity at Cluster Creation
More Info:
Ensure that “Disable Workload Identity Cluster Creation” policy is enforced at the GCP organization level in order to require that any new Google Kubernetes Engine (GKE) clusters have the Workload Identity feature disabled at the time of their creation. This constraint policy is useful when you want to tightly control service account access in your organization by disabling Workload Identity in addition to service account creation and service account key creation.Risk Level
MediumAddress
Security, ReliabilityCompliance Standards
CBPTriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration of disabling workload identity at cluster creation on GCP using GCP console, you can follow these step-by-step instructions:
- Open the GCP console and navigate to the Kubernetes Engine page.
- Select the cluster on which you want to enable workload identity.
- Click on the “Edit” button at the top of the page.
- Scroll down to the “Workload Identity” section.
- Click on the “Enable” button to turn on workload identity for the cluster.
- Click on the “Save” button at the bottom of the page to apply the changes.
Using CLI
Using CLI
To remediate the misconfiguration of disabling Workload Identity at Cluster Creation in GCP using GCP CLI, you can follow the below steps:Step 1: Open the Cloud Shell from the GCP Console.Step 2: Run the following command to check if Workload Identity is enabled or not:Step 3: If the output shows Note: Replace Step 6: If the output shows
workloadIdentityConfig: {}, then Workload Identity is not enabled for the cluster.Step 4: To enable Workload Identity for the cluster, run the following command:[CLUSTER_NAME], [ZONE], and [PROJECT_ID] with the appropriate values.Step 5: Verify that Workload Identity is enabled for the cluster by running the following command:workloadIdentityConfig: workloadPool: [PROJECT_ID].svc.id.goog, then Workload Identity is enabled for the cluster.By following these steps, you can remediate the misconfiguration of disabling Workload Identity at Cluster Creation in GCP using GCP CLI.Using Python
Using Python
To remediate the “Disable Workload Identity at Cluster Creation” misconfiguration in GCP using Python, you can follow the below steps:Note: Make sure you have the necessary permissions to make changes to the GCP resources before running the script.
- Install the Google Cloud SDK by following the instructions provided in the GCP documentation.
- Once the SDK is installed, authenticate with your GCP account using the following command:
- Create a Python script to enable Workload Identity at Cluster Creation. You can use the following code as a starting point:
- Replace the placeholders with your own project ID, zone, and cluster name.
- Run the Python script using the following command:
- Verify that Workload Identity has been enabled for the cluster by checking the cluster configuration in the GCP Console or using the following command: