More Info:

Ensures Kubernetes clusters are created with limited service account access scopes. Kubernetes service accounts should be limited in scope to the services necessary to operate the clusters.

Risk Level

Medium

Address

Security

Compliance Standards

CISGCP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Cluster Should Have Limited Service Account Access” for GCP using GCP console, follow these steps:
  1. Open the Google Kubernetes Engine (GKE) console.
  2. Select the cluster that needs to be remediated.
  3. Click on the “Security” tab.
  4. Scroll down to the “Service Accounts” section.
  5. Click on the “Edit” button.
  6. In the “Service Accounts” section, select the option “Limit service account access to this cluster”.
  7. Select the service account that needs access to the cluster.
  8. Click on the “Save” button to save the changes.
By following these steps, the cluster will have limited service account access and only the selected service account will have access to the cluster.

To remediate the misconfiguration “Cluster Should Have Limited Service Account Access” for GCP using GCP CLI, you can follow the below steps:Step 1: Open the Cloud Shell from the GCP console or install the GCP CLI on your local machine.Step 2: Authenticate with your GCP account using the below command:
gcloud auth login
Step 3: Set the project where the cluster is located using the below command:
gcloud config set project [PROJECT_ID]
Step 4: Get the name of the cluster that needs to be remediated using the below command:
gcloud container clusters list
Step 5: Fetch the current IAM policy for the cluster using the below command:
gcloud container clusters get-iam-policy [CLUSTER_NAME] --zone [ZONE]
Step 6: Identify the service accounts that have access to the cluster and need to be removed from the IAM policy.Step 7: Remove the service accounts from the IAM policy using the below command:
gcloud container clusters set-iam-policy [CLUSTER_NAME] --zone [ZONE] --remove-service-account [SERVICE_ACCOUNT_EMAIL_1],[SERVICE_ACCOUNT_EMAIL_2],...
Step 8: Verify the changes by fetching the updated IAM policy using the below command:
gcloud container clusters get-iam-policy [CLUSTER_NAME] --zone [ZONE]
By following these steps, you can remediate the misconfiguration “Cluster Should Have Limited Service Account Access” for GCP using GCP CLI.
To remediate the misconfiguration “Cluster Should Have Limited Service Account Access” for GCP using Python, follow these steps:
  1. Install the required libraries: 
    pip install google-auth google-auth-oauthlib google-auth-httplib2 google-cloud-container google-cloud-logging
  2. Authenticate to GCP: 
    from google.oauth2 import service_account
credentials = service_account.Credentials.from_service_account_file('<path_to_service_account_file>')
  3. Retrieve the cluster object: 
    from google.cloud import container_v1
client = container_v1.ClusterManagerClient(credentials=credentials)
project_id = '<your_project_id>'
zone = '<your_zone>'
cluster_id = '<your_cluster_id>'
cluster = client.get_cluster(project_id, zone, cluster_id)
  4. Update the cluster’s master_auth field to limit service account access: 
    cluster.master_auth.cluster_ca_certificate = '<your_cluster_ca_certificate>'
cluster.master_auth.username = '<your_username>'
cluster.master_auth.password = '<your_password>'
cluster.master_auth.client_certificate = '<your_client_certificate>'
cluster.master_auth.client_key = '<your_client_key>'
cluster.master_auth.client_certificate_config = {
    'issue_client_certificate': False,
}
cluster.master_auth.client_certificate_config.allowed_client_certificates = [
    '<your_allowed_client_certificate_1>',
    '<your_allowed_client_certificate_2>',
]
update_mask = {
    'paths': [
        'master_auth.cluster_ca_certificate',
        'master_auth.username',
        'master_auth.password',
        'master_auth.client_certificate',
        'master_auth.client_key',
        'master_auth.client_certificate_config.issue_client_certificate',
        'master_auth.client_certificate_config.allowed_client_certificates',
    ]
}
operation = client.update_cluster(project_id, zone, cluster_id, cluster, update_mask)
  5. Verify that the update was successful: 
    operation.result()
Note: The above steps assume that you have a GCP service account with sufficient permissions to access the cluster. Replace the placeholders (<...>) with your own values.

Additional Reading: