Cluster Should Have Limited Service Account Access

More Info:

Ensures Kubernetes clusters are created with limited service account access scopes. Kubernetes service accounts should be limited in scope to the services necessary to operate the clusters.

Risk Level

Medium

Address

Security

Compliance Standards

CISGCP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration “Cluster Should Have Limited Service Account Access” for GCP using GCP CLI, you can follow the below steps:Step 1: Open the Cloud Shell from the GCP console or install the GCP CLI on your local machine.Step 2: Authenticate with your GCP account using the below command:

gcloud auth login

Step 3: Set the project where the cluster is located using the below command:

gcloud config set project [PROJECT_ID]

Step 4: Get the name of the cluster that needs to be remediated using the below command:

gcloud container clusters list

Step 5: Fetch the current IAM policy for the cluster using the below command:

gcloud container clusters get-iam-policy [CLUSTER_NAME] --zone [ZONE]

Step 6: Identify the service accounts that have access to the cluster and need to be removed from the IAM policy.Step 7: Remove the service accounts from the IAM policy using the below command:

gcloud container clusters set-iam-policy [CLUSTER_NAME] --zone [ZONE] --remove-service-account [SERVICE_ACCOUNT_EMAIL_1],[SERVICE_ACCOUNT_EMAIL_2],...

Step 8: Verify the changes by fetching the updated IAM policy using the below command:

gcloud container clusters get-iam-policy [CLUSTER_NAME] --zone [ZONE]

By following these steps, you can remediate the misconfiguration “Cluster Should Have Limited Service Account Access” for GCP using GCP CLI.

Using Python

To remediate the misconfiguration “Cluster Should Have Limited Service Account Access” for GCP using Python, follow these steps:

Install the required libraries:

pip install google-auth google-auth-oauthlib google-auth-httplib2 google-cloud-container google-cloud-logging

Authenticate to GCP:

from google.oauth2 import service_account
credentials = service_account.Credentials.from_service_account_file('<path_to_service_account_file>')

Retrieve the cluster object:

from google.cloud import container_v1
client = container_v1.ClusterManagerClient(credentials=credentials)
project_id = '<your_project_id>'
zone = '<your_zone>'
cluster_id = '<your_cluster_id>'
cluster = client.get_cluster(project_id, zone, cluster_id)

Update the cluster’s master_auth field to limit service account access:

cluster.master_auth.cluster_ca_certificate = '<your_cluster_ca_certificate>'
cluster.master_auth.username = '<your_username>'
cluster.master_auth.password = '<your_password>'
cluster.master_auth.client_certificate = '<your_client_certificate>'
cluster.master_auth.client_key = '<your_client_key>'
cluster.master_auth.client_certificate_config = {
    'issue_client_certificate': False,
}
cluster.master_auth.client_certificate_config.allowed_client_certificates = [
    '<your_allowed_client_certificate_1>',
    '<your_allowed_client_certificate_2>',
]
update_mask = {
    'paths': [
        'master_auth.cluster_ca_certificate',
        'master_auth.username',
        'master_auth.password',
        'master_auth.client_certificate',
        'master_auth.client_key',
        'master_auth.client_certificate_config.issue_client_certificate',
        'master_auth.client_certificate_config.allowed_client_certificates',
    ]
}
operation = client.update_cluster(project_id, zone, cluster_id, cluster, update_mask)

Verify that the update was successful:
```
operation.result()
```

Note: The above steps assume that you have a GCP service account with sufficient permissions to access the cluster. Replace the placeholders (<...>) with your own values.

Additional Reading:

https://cloud.google.com/compute/docs/access/service-accounts

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Cluster Should Have Limited Service Account Access

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: