Web Dashboard Should Be Disabled

More Info:

Ensures all Kubernetes clusters have the web dashboard disabled. It is recommended to disable the web dashboard because it is backed by a highly privileged service account.

Risk Level

High

Address

Security

Compliance Standards

CISGKE

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the “Web Dashboard Should Be Disabled” misconfiguration in GCP using GCP CLI, you can follow these steps:

Open the Cloud Shell in your GCP console.
Run the following command to disable the web dashboard:

gcloud container clusters update [CLUSTER_NAME] --update-addons=KubernetesDashboard=DISABLED

Replace [CLUSTER_NAME] with the name of your GCP cluster.

Verify that the web dashboard is disabled by running the following command:

kubectl get pods -n kube-system

You should not see any pods with the name kubernetes-dashboard in the output.

(Optional) If you want to completely remove the web dashboard, run the following command:

kubectl delete deployment kubernetes-dashboard -n kube-system

This will delete the kubernetes-dashboard deployment from the kube-system namespace.By following these steps, you can remediate the “Web Dashboard Should Be Disabled” misconfiguration in GCP using GCP CLI.

Using Python

To remediate the misconfiguration “Web Dashboard Should Be Disabled” in GCP using Python, you can follow these steps:

Import the necessary libraries:

from google.oauth2 import service_account
from googleapiclient import discovery

Set up the credentials and the API client:

credentials = service_account.Credentials.from_service_account_file('<path_to_service_account_file>')
service = discovery.build('cloudresourcemanager', 'v1', credentials=credentials)

Get the project ID:

project_id = '<your_project_id>'

Get the project IAM policy:

policy = service.projects().getIamPolicy(resource=project_id).execute()

Check if the “roles/viewer” role is granted to “allUsers” or “allAuthenticatedUsers”:

for binding in policy['bindings']:
    if binding['role'] == 'roles/viewer':
        if 'allUsers' in binding['members'] or 'allAuthenticatedUsers' in binding['members']:
            print('Web Dashboard is enabled for all users')

Remove the “roles/viewer” role from “allUsers” or “allAuthenticatedUsers”:

for binding in policy['bindings']:
    if binding['role'] == 'roles/viewer':
        if 'allUsers' in binding['members'] or 'allAuthenticatedUsers' in binding['members']:
            binding['members'].remove('allUsers')
            binding['members'].remove('allAuthenticatedUsers')
            policy = service.projects().setIamPolicy(resource=project_id, body={'policy': policy}).execute()
            print('Web Dashboard has been disabled for all users')

Note: Make sure to replace <path_to_service_account_file> and <your_project_id> with the actual values. Also, ensure that the service account used has the necessary permissions to modify IAM policies.

Additional Reading:

https://cloud.google.com/kubernetes-engine/docs/concepts/dashboards

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Web Dashboard Should Be Disabled

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: