More Info:

Ensure that “Disable Workload Identity Cluster Creation” policy is enforced at the GCP organization level in order to require that any new Google Kubernetes Engine (GKE) clusters have the Workload Identity feature disabled at the time of their creation. This constraint policy is useful when you want to tightly control service account access in your organization by disabling Workload Identity in addition to service account creation and service account key creation.

Risk Level

Medium

Address

Security, Reliability

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration of disabling workload identity at cluster creation on GCP using GCP console, you can follow these step-by-step instructions:
  1. Open the GCP console and navigate to the Kubernetes Engine page.
  2. Select the cluster on which you want to enable workload identity.
  3. Click on the “Edit” button at the top of the page.
  4. Scroll down to the “Workload Identity” section.
  5. Click on the “Enable” button to turn on workload identity for the cluster.
  6. Click on the “Save” button at the bottom of the page to apply the changes.
After completing these steps, workload identity will be enabled for your cluster, and you will be able to use it to securely authenticate your applications and services running on GCP.

To remediate the misconfiguration of disabling Workload Identity at Cluster Creation in GCP using GCP CLI, you can follow the below steps:Step 1: Open the Cloud Shell from the GCP Console.Step 2: Run the following command to check if Workload Identity is enabled or not:
gcloud container clusters describe [CLUSTER_NAME] --zone [ZONE] | grep workloadIdentityConfig
Step 3: If the output shows workloadIdentityConfig: {}, then Workload Identity is not enabled for the cluster.Step 4: To enable Workload Identity for the cluster, run the following command:
gcloud container clusters update [CLUSTER_NAME] --zone [ZONE] --workload-pool=[PROJECT_ID].svc.id.goog
Note: Replace [CLUSTER_NAME], [ZONE], and [PROJECT_ID] with the appropriate values.Step 5: Verify that Workload Identity is enabled for the cluster by running the following command:
gcloud container clusters describe [CLUSTER_NAME] --zone [ZONE] | grep workloadIdentityConfig
Step 6: If the output shows workloadIdentityConfig: workloadPool: [PROJECT_ID].svc.id.goog, then Workload Identity is enabled for the cluster.By following these steps, you can remediate the misconfiguration of disabling Workload Identity at Cluster Creation in GCP using GCP CLI.
To remediate the “Disable Workload Identity at Cluster Creation” misconfiguration in GCP using Python, you can follow the below steps:
  1. Install the Google Cloud SDK by following the instructions provided in the GCP documentation.
  2. Once the SDK is installed, authenticate with your GCP account using the following command:
gcloud auth login
  1. Create a Python script to enable Workload Identity at Cluster Creation. You can use the following code as a starting point:
from googleapiclient import discovery
from oauth2client.client import GoogleCredentials

# Set the project ID and zone
project_id = 'YOUR_PROJECT_ID'
zone = 'YOUR_ZONE'

# Authenticate with GCP
credentials = GoogleCredentials.get_application_default()
service = discovery.build('container', 'v1', credentials=credentials)

# Set the cluster name
cluster_name = 'YOUR_CLUSTER_NAME'

# Get the current cluster configuration
cluster = service.projects().zones().clusters().get(projectId=project_id, zone=zone, clusterId=cluster_name).execute()

# Enable Workload Identity
cluster['workloadIdentityConfig'] = {'enabled': True}

# Update the cluster configuration
response = service.projects().zones().clusters().update(projectId=project_id, zone=zone, clusterId=cluster_name, body=cluster).execute()

# Print the response
print(response)
  1. Replace the placeholders with your own project ID, zone, and cluster name.
  2. Run the Python script using the following command:
python script.py
  1. Verify that Workload Identity has been enabled for the cluster by checking the cluster configuration in the GCP Console or using the following command:
gcloud container clusters describe YOUR_CLUSTER_NAME --zone YOUR_ZONE --project YOUR_PROJECT_ID
Note: Make sure you have the necessary permissions to make changes to the GCP resources before running the script.