Ensure GKE Clusters Are Not Using Default Service Account

More Info:

Create and use minimally privileged Service accounts to run GKE cluster nodes instead of using the Compute Engine default Service account. Unnecessary permissions could be abused in the case of a node compromise.

Risk Level

Critical

Address

Security, Operational Excellence, Best Practice

Compliance Standards

HITRUST, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration “Ensure GKE Clusters Are Not Using Default Service Account” for GCP using GCP CLI, follow the below steps:

Open the Cloud Shell from the GCP console.
Run the following command to list all the GKE clusters in your project:
```
gcloud container clusters list
```
Identify the GKE cluster that is using the default service account.
Run the following command to get the details of the GKE cluster:
```
gcloud container clusters describe [CLUSTER_NAME]
```
Replace [CLUSTER_NAME] with the name of the GKE cluster that you identified in step 3.
Check the output for the field serviceAccount under nodePools. If the value is default, then the GKE cluster is using the default service account.
To remediate this misconfiguration, you need to create a new service account and then assign it to the GKE cluster. Run the following command to create a new service account:
```
gcloud iam service-accounts create [SA-NAME] --display-name [SA-DISPLAY-NAME]
```
Replace [SA-NAME] with the name of the new service account and [SA-DISPLAY-NAME] with a display name for the service account.
Run the following command to assign the new service account to the GKE cluster:
```
gcloud container clusters update [CLUSTER_NAME] --zone [ZONE] --service-account [SA-EMAIL]
```
Replace [CLUSTER_NAME] with the name of the GKE cluster, [ZONE] with the zone in which the cluster is located, and [SA-EMAIL] with the email address of the new service account.
Verify that the new service account is assigned to the GKE cluster by running the command in step 4 again and checking the value of the serviceAccount field.

By following these steps, you can remediate the misconfiguration “Ensure GKE Clusters Are Not Using Default Service Account” for GCP using GCP CLI.

Using Python

To remediate the misconfiguration “Ensure GKE Clusters Are Not Using Default Service Account” in GCP, you can follow these steps using Python:

Install the necessary Python packages: google-auth and google-api-python-client.
Authenticate with the GCP API using a service account that has the necessary permissions to manage GKE clusters. You can create a service account and download its credentials in JSON format from the GCP console.

from google.oauth2 import service_account
from googleapiclient.discovery import build

credentials = service_account.Credentials.from_service_account_file(
    'path/to/credentials.json',
    scopes=['https://www.googleapis.com/auth/cloud-platform']
)

gke_service = build('container', 'v1', credentials=credentials)

List all GKE clusters in the project and check if any of them are using the default service account.

project_id = 'my-project-id'
clusters = gke_service.projects().locations().clusters().list(parent=f"projects/{project_id}/locations/-").execute()

for cluster in clusters.get('clusters', []):
    if cluster.get('nodeConfig', {}).get('serviceAccount', '') == 'default':
        # The cluster is using the default service account
        # Remediation steps go here

To remediate the misconfiguration, you can create a new service account and assign it to the GKE cluster.

from googleapiclient.errors import HttpError

new_service_account = '[email protected]'

cluster_name = 'my-cluster'
zone = 'us-central1-c'

try:
    gke_service.projects().zones().clusters().update(
        name=f"projects/{project_id}/locations/{zone}/clusters/{cluster_name}",
        body={
            'nodeConfig': {
                'serviceAccount': new_service_account
            }
        }
    ).execute()
    print(f"Updated service account for cluster {cluster_name}")
except HttpError as error:
    print(f"Error updating service account for cluster {cluster_name}: {error}")

Note: You will need to have the necessary IAM permissions to create and assign service accounts to GKE clusters.

Additional Reading:

https://cloud.google.com/compute/docs/access/service-accounts#compute_engine_default_service_account

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Ensure GKE Clusters Are Not Using Default Service Account

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: