Web Dashboard Should Be Disabled
More Info:
Ensures all Kubernetes clusters have the web dashboard disabled. It is recommended to disable the web dashboard because it is backed by a highly privileged service account.
Risk Level: High
Address: Security
Compliance Standards: CISGKE
Triage and Remediation
Remediation
To remediate the “Web Dashboard Should Be Disabled” misconfiguration in GCP using the GCP console, follow these steps:
- Log in to the GCP Console.
- Navigate to the GCP project that has the misconfiguration.
- In the left-hand menu, select “IAM & Admin” and then click on “Dashboard.”
- In the “Dashboard” page, you will see the “Web Dashboard” option. Click on the three dots on the right-hand side of the “Web Dashboard” option and select “Disable.”
- A confirmation message will appear. Click on “Disable” to confirm.
- Once the “Web Dashboard” has been disabled, you will no longer be able to access it from the GCP Console.
- Verify that the “Web Dashboard” has been disabled by going back to the “Dashboard” page and confirming that the “Web Dashboard” option is no longer available.
By following these steps, you have successfully remediated the “Web Dashboard Should Be Disabled” misconfiguration in GCP using the GCP console.
To remediate the “Web Dashboard Should Be Disabled” misconfiguration in GCP using the GCP CLI, you can follow these steps:
- Open the Cloud Shell in your GCP console.
- Run the following command to disable the web dashboard add-on on the cluster:
```shell
gcloud container clusters update [CLUSTER_NAME] --update-addons=KubernetesDashboard=DISABLED
```
Replace [CLUSTER_NAME] with the name of your GKE cluster.
- Verify that the web dashboard is disabled by running the following command:
```shell
kubectl get pods -n kube-system
```
You should not see any pods with the name kubernetes-dashboard in the output.
- (Optional) If you want to completely remove the web dashboard, run the following command:
```shell
kubectl delete deployment kubernetes-dashboard -n kube-system
```
This deletes the kubernetes-dashboard deployment from the kube-system namespace.
By following these steps, you can remediate the “Web Dashboard Should Be Disabled” misconfiguration in GCP using the GCP CLI.
To remediate the misconfiguration “Web Dashboard Should Be Disabled” in GCP using Python, you can follow these steps:
- Import the necessary libraries:
```python
from google.oauth2 import service_account
from googleapiclient import discovery
```
- Set up the credentials and the API client:
```python
credentials = service_account.Credentials.from_service_account_file('<path_to_service_account_file>')
service = discovery.build('cloudresourcemanager', 'v1', credentials=credentials)
```
- Set the project ID:
```python
project_id = '<your_project_id>'
```
- Get the project IAM policy:
```python
policy = service.projects().getIamPolicy(resource=project_id, body={}).execute()
```
- Check whether the “roles/viewer” role is granted to “allUsers” or “allAuthenticatedUsers”:
```python
PUBLIC_PRINCIPALS = ('allUsers', 'allAuthenticatedUsers')

for binding in policy.get('bindings', []):
    if binding['role'] == 'roles/viewer':
        if any(member in PUBLIC_PRINCIPALS for member in binding['members']):
            print('Web Dashboard is enabled for all users')
```
- Remove the “roles/viewer” role from “allUsers” and “allAuthenticatedUsers”, then write the policy back:
```python
for binding in policy.get('bindings', []):
    if binding['role'] == 'roles/viewer':
        # Filter instead of list.remove(): remove() raises ValueError when the
        # principal is not present, so the original code failed whenever only
        # one of the two public principals was bound.
        binding['members'] = [m for m in binding['members'] if m not in PUBLIC_PRINCIPALS]

# Drop any binding left without members rather than sending it back empty.
policy['bindings'] = [b for b in policy.get('bindings', []) if b['members']]

policy = service.projects().setIamPolicy(resource=project_id, body={'policy': policy}).execute()
print('Web Dashboard has been disabled for all users')
```
Note: Make sure to replace <path_to_service_account_file> and <your_project_id> with the actual values. Also, ensure that the service account used has the necessary permissions to modify IAM policies.
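The check and the policy clean-up above both become easy to test offline once they are written as pure functions over the API's JSON shapes. The following is an added example, not code from the original page: it evaluates the GKE add-on state from a cluster description (the shape returned by `gcloud container clusters describe --format=json`) and produces the remediated IAM policy without mutating the input; the sample cluster and policy are constructed.

```python
import copy
from typing import Dict, List, Tuple

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def dashboard_addon_disabled(cluster: Dict) -> bool:
    """True only when addonsConfig.kubernetesDashboard.disabled is explicitly true.

    A missing key is treated as 'not confirmed disabled' so the cluster is still
    flagged for manual verification rather than silently passing the check.
    """
    addons = cluster.get("addonsConfig", {})
    return addons.get("kubernetesDashboard", {}).get("disabled") is True


def strip_public_viewer(policy: Dict) -> Tuple[Dict, bool]:
    """Return a copy of an IAM policy with the public principals removed from
    roles/viewer, plus a flag saying whether anything changed.

    Uses filtering rather than list.remove(), which raises ValueError for a
    member that is not present, and drops a binding left with no members.
    """
    new_policy = copy.deepcopy(policy)
    changed = False
    kept: List[Dict] = []
    for binding in new_policy.get("bindings", []):
        members = binding.get("members", [])
        if binding.get("role") == "roles/viewer":
            filtered = [m for m in members if m not in PUBLIC_PRINCIPALS]
            if len(filtered) != len(members):
                changed = True
            if not filtered:
                continue  # binding would be empty; do not send it back
            binding["members"] = filtered
        kept.append(binding)
    new_policy["bindings"] = kept
    return new_policy, changed


# Constructed sample inputs (hypothetical names and etag)
SAMPLE_CLUSTER = {
    "name": "example-cluster",
    "addonsConfig": {"httpLoadBalancing": {}, "kubernetesDashboard": {"disabled": True}},
}
SAMPLE_POLICY = {
    "etag": "BwXexample=",
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/viewer", "members": ["allUsers", "group:auditors@example.com"]},
    ],
}
```

Feed the real `describe` output and `getIamPolicy()` response into these functions; only when `strip_public_viewer` reports a change does a `setIamPolicy()` call need to be made, and the returned policy still carries the original `etag` for optimistic concurrency.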