More Info:

GKE cluster should have Network Policies or Dataplane V2 enabled

Risk Level

High

Address

Performance Efficiency, Operational Excellence, Reliability, Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Clusters should have network policies or dataplane v2 enabled” in GCP using the GCP console, you can follow the below steps:
  1. Login to GCP console (https://console.cloud.google.com/).
  2. Navigate to the Kubernetes Engine section in the left-hand menu.
  3. Select the cluster that needs to be remediated.
  4. Click on the Edit button at the top of the page.
  5. Scroll down to the Networking section and click on the checkbox next to “Enable Network Policy Enforcement”.
  6. If you want to enable Dataplane V2, click on the checkbox next to “Enable Dataplane V2”.
  7. Click on the Save button at the bottom of the page.
  8. Wait for the changes to take effect. It may take a few minutes for the changes to propagate across the cluster.
Once the above steps are completed, the misconfiguration “Clusters should have network policies or dataplane v2 enabled” will be remediated in GCP.

To remediate the misconfiguration “Clusters Should Have Network Policies Or Dataplane V2 Enabled” for GCP using GCP CLI, you can follow the below steps:
  1. Open the GCP Cloud Shell.
  2. Run the following command to enable the Dataplane V2 API: 
gcloud beta container clusters update CLUSTER_NAME --zone=ZONE --update-addons=NetworkPolicy=ENABLED --enable-dataplane-v2
Replace CLUSTER_NAME with the name of your GCP cluster and ZONE with the zone in which the cluster is located.
  1. After the command executes successfully, verify that the Dataplane V2 API is enabled by running the following command:
gcloud beta container clusters describe CLUSTER_NAME --zone=ZONE | grep -i dataplane
This command should return the output “dataplaneV2Enabled: true”.
  1. To enable network policies for the cluster, run the following command:
gcloud beta container clusters update CLUSTER_NAME --zone=ZONE --update-addons=NetworkPolicy=ENABLED
  1. Verify that network policies are enabled by running the following command:
gcloud beta container clusters describe CLUSTER_NAME --zone=ZONE | grep -i networkpolicy
This command should return the output “networkPolicyConfig: enabled: true”.After following these steps, the misconfiguration “Clusters Should Have Network Policies Or Dataplane V2 Enabled” should be remediated for your GCP cluster.
To remediate the misconfiguration “Clusters Should Have Network Policies Or Dataplane V2 Enabled” in GCP using python, you can follow the below steps:
  1. First, you need to authenticate to GCP using a service account. You can create a service account and download the key file from the GCP console.
from google.oauth2 import service_account
from google.cloud import container_v1

credentials = service_account.Credentials.from_service_account_file(
    'path/to/key.json')
client = container_v1.ClusterManagerClient(credentials=credentials)
  1. Next, you need to get the list of clusters in the project.
project_id = 'your-project-id'
zone = 'us-central1-a' # replace with your desired zone
clusters = client.list_clusters(project_id, zone)
  1. For each cluster, you need to check if network policies or dataplane v2 is enabled. If not, you need to enable it.
for cluster in clusters:
    name = cluster.name
    network_policy = cluster.network_policy
    datapath_provider = cluster.datapath_provider
    
    if not network_policy or datapath_provider != 'DATAPLANE_V2':
        # update the cluster
        update = container_v1.types.ClusterUpdate()
        update.name = name
        update.network_policy = container_v1.types.NetworkPolicy(enabled=True)
        update.datapath_provider = 'DATAPLANE_V2'
        operation = client.update_cluster(project_id, zone, name, update)
        print(f"Updated cluster {name}. Operation: {operation.operation_id}")
  1. Finally, you can run the python script to remediate the misconfiguration.
Note: You need to have the necessary permissions to update the clusters in the project.