Network Policy Should Be Enabled
More Info:
Ensures all Kubernetes clusters have network policy enabled. Kubernetes network policy creates isolation between cluster pods, this creates a more secure environment with only specified connections allowed.
Risk Level
Medium
Address
Security
Compliance Standards
NISTCSF
Triage and Remediation
Remediation
To remediate the “Network Policy Should Be Enabled” misconfiguration in GCP using the GCP console, follow the steps below:
- Login to your GCP console.
- Navigate to the VPC Network page.
- Click on the VPC network that you want to remediate.
- Click on the Firewall rules tab.
- Click on the Create Firewall Rule button.
- Enter a name for the firewall rule.
- In the Targets section, select the network that you want to apply the firewall rule to.
- In the Source filter section, select the IP ranges that you want to allow or block.
- In the Protocols and ports section, specify the protocols and ports that you want to allow or block.
- In the Action section, select the action that you want to take on the traffic that matches the firewall rule.
- Click on the Create button to create the firewall rule.
By following the above steps, you will be able to remediate the “Network Policy Should Be Enabled” misconfiguration in GCP using the GCP console.
To remediate the “Network Policy Should Be Enabled” misconfiguration in GCP using the GCP CLI, follow the steps below:
- Open the GCP Cloud Shell from the GCP console.
- Run the following commands to enable the network policy add-on on the cluster and then turn on enforcement (replace CLUSTER_NAME and ZONE with your own values):
gcloud container clusters update CLUSTER_NAME --zone ZONE --update-addons=NetworkPolicy=ENABLED
gcloud container clusters update CLUSTER_NAME --zone ZONE --enable-network-policy
- These commands update the cluster so that Kubernetes network policies are enforced. The second command recreates the cluster's node pools, so run it during a maintenance window.
Once the Network Policy is enabled, you can create and apply the necessary firewall rules to control traffic between your VM instances. You can also create a custom network with the Network Policy enabled and use it for your VM instances.
To remediate the “Network Policy Should Be Enabled” misconfiguration in GCP using Python, you can follow the steps below:
- Import the required libraries (the google-auth and google-api-python-client packages):
import time
import google.auth
from googleapiclient import discovery
- Set the project ID and the zone where the cluster is located:
project_id = 'your-project-id'
zone = 'us-central1-a'
- Get the credentials to access the GCP API:
credentials, _ = google.auth.default()
- Create a client object for the Kubernetes Engine API:
container_api = discovery.build('container', 'v1', credentials=credentials)
- Get the list of clusters in the project:
clusters = container_api.projects().zones().clusters().list(projectId=project_id, zone=zone).execute()
- Loop through the clusters and enable network policy:
def wait_for_operation(op):
    # Cluster updates are long-running operations; poll until the operation reports DONE
    while op.get('status') != 'DONE':
        time.sleep(10)
        op = container_api.projects().zones().operations().get(projectId=project_id, zone=zone, operationId=op['name']).execute()
    return op

for cluster in clusters.get('clusters', []):
    cluster_name = cluster['name']
    # The 'networkPolicy' field is absent from the cluster resource when enforcement has never been enabled
    if cluster.get('networkPolicy', {}).get('enabled', False):
        print(f"Network policy is already enabled for cluster {cluster_name}")
        continue
    # Step 1: enable the network policy add-on on the control plane.
    # The update call takes a ClusterUpdate body, not the whole cluster resource.
    op = container_api.projects().zones().clusters().update(
        projectId=project_id, zone=zone, clusterId=cluster_name,
        body={'update': {'desiredAddonsConfig': {'networkPolicyConfig': {'disabled': False}}}}).execute()
    wait_for_operation(op)
    # Step 2: turn on enforcement on the nodes (this recreates the node pools)
    op = container_api.projects().zones().clusters().update(
        projectId=project_id, zone=zone, clusterId=cluster_name,
        body={'update': {'desiredNetworkPolicy': {'provider': 'CALICO', 'enabled': True}}}).execute()
    wait_for_operation(op)
    print(f"Network policy is enabled for cluster {cluster_name}")
This code loops through all the clusters in the specified project and zone and enables network policy for each cluster that does not already have it enabled.
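As an added example (not part of the original page), the following audit classifies cluster resources in the shape returned by the GKE v1 API and separates the half-done state, where the add-on is on but enforcement was never enabled, from a cluster with the add-on off; the sample clusters are constructed, and treating an absent networkPolicyConfig as disabled is an assumption.

```python
# Constructed sample: three cluster resources as returned by
# projects.zones.clusters.list, trimmed to the fields the audit reads.
SAMPLE_CLUSTERS = [
    {"name": "prod-a",
     "addonsConfig": {"networkPolicyConfig": {"disabled": False}},
     "networkPolicy": {"provider": "CALICO", "enabled": True}},
    # add-on enabled, but enforcement was never turned on
    {"name": "staging-b",
     "addonsConfig": {"networkPolicyConfig": {"disabled": False}}},
    {"name": "dev-c",
     "addonsConfig": {"networkPolicyConfig": {"disabled": True}}},
]


def network_policy_state(cluster):
    """Return (addon_enabled, enforcement_enabled) for one cluster resource.

    Both fields are optional in the API response: 'networkPolicy' is absent
    when enforcement was never enabled; an absent 'networkPolicyConfig' is
    treated as disabled (assumption)."""
    addon_cfg = cluster.get("addonsConfig", {}).get("networkPolicyConfig")
    addon_enabled = addon_cfg is not None and not addon_cfg.get("disabled", False)
    enforcement = cluster.get("networkPolicy", {}).get("enabled", False)
    return addon_enabled, enforcement


def audit_clusters(clusters):
    """Map cluster name -> COMPLIANT, ADDON_DISABLED or ENFORCEMENT_DISABLED."""
    findings = {}
    for cluster in clusters:
        addon, enforce = network_policy_state(cluster)
        if addon and enforce:
            findings[cluster["name"]] = "COMPLIANT"
        elif not addon:
            findings[cluster["name"]] = "ADDON_DISABLED"
        else:
            findings[cluster["name"]] = "ENFORCEMENT_DISABLED"
    return findings


def remediation_updates(cluster):
    """Ordered ClusterUpdate bodies for projects.zones.clusters.update;
    wait for each returned operation before sending the next."""
    addon, enforce = network_policy_state(cluster)
    updates = []
    if not addon:
        updates.append({"update": {"desiredAddonsConfig": {"networkPolicyConfig": {"disabled": False}}}})
    if not enforce:
        updates.append({"update": {"desiredNetworkPolicy": {"provider": "CALICO", "enabled": True}}})
    return updates


if __name__ == "__main__":
    for name, finding in audit_clusters(SAMPLE_CLUSTERS).items():
        print(f"{name}: {finding}")
```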