More Info:

GKE cluster should use node local DNS cache

Risk Level

Low

Address

Performance Efficiency, Operational Excellence, Reliability, Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Cluster Should Use Node Local DNS Cache” for GCP using GCP console, please follow the below steps:
  1. Open the Google Cloud Console and select your project.
  2. Go to the Kubernetes Engine section of the console.
  3. Select the cluster you want to remediate.
  4. Click on the “Edit” button at the top of the page.
  5. In the “Node pools” section, click on the name of the node pool you want to remediate.
  6. Scroll down to the “Node image” section and click on the “Change” button.
  7. Select the latest version of the node image that includes the node local DNS cache feature.
  8. Click on the “Save” button to save the changes.
  9. Wait for the nodes in the node pool to be updated with the new node image.
  10. Verify that the node local DNS cache feature is enabled by running a test pod and checking its DNS resolution.
By following these steps, you can remediate the misconfiguration “Cluster Should Use Node Local DNS Cache” for GCP using GCP console.

To remediate the misconfiguration “Cluster Should Use Node Local DNS Cache” in GCP using GCP CLI, follow these steps:
  1. Open the Cloud Shell in GCP Console.
  2. Run the following command to get the list of clusters in your project:
gcloud container clusters list
  1. Identify the cluster that needs to be remediated and run the following command to get the cluster’s credentials:
gcloud container clusters get-credentials <cluster-name> --zone <zone> --project <project-id>
  1. Once you have the credentials, run the following command to update the cluster configuration:
gcloud container clusters update <cluster-name> --zone <zone> --project <project-id> --enable-dns-cache
This command enables the node local DNS cache for the specified cluster.
  1. Verify that the configuration has been updated by running the following command:
gcloud container clusters describe <cluster-name> --zone <zone> --project <project-id> | grep dnsCacheConfig
This command should return the following output, indicating that the node local DNS cache is enabled:
dnsCacheConfig:
  enabled: true
By following these steps, you have successfully remediated the misconfiguration “Cluster Should Use Node Local DNS Cache” for your GCP cluster using GCP CLI.
To remediate the misconfiguration “Cluster Should Use Node Local DNS Cache” in GCP using Python, you can follow the below steps:Step 1: Install the necessary Python packages - google-auth and google-api-python-client.
pip install google-auth google-auth-oauthlib google-auth-httplib2 google-api-python-client
Step 2: Authenticate with GCP using a service account key file.
from google.oauth2 import service_account

credentials = service_account.Credentials.from_service_account_file('<path_to_service_account_key_file>')
Step 3: Enable the “Cloud DNS API” for the project.
from googleapiclient.discovery import build

dns_service = build('dns', 'v1', credentials=credentials)

project_id = '<your_project_id>' # Replace with your GCP project ID

dns_service.projects().get(project=project_id).execute()
Step 4: Create a new DNS policy with node-local caching enabled.
policy_body = {
    "alternativeNameServerConfig": {
      "kind": "dns#policyAlternativeNameServerConfig",
      "targetNameServers": [
        {
          "forwardingPath": "default",
          "ipv4Address": "127.0.0.1",
          "kind": "dns#policyAlternativeNameServerConfigTargetNameServer",
          "networkUrl": "https://www.googleapis.com/compute/v1/projects/<your_project_id>/global/networks/default"
        }
      ]
    },
    "description": "Node-local DNS caching enabled policy",
    "enableInboundForwarding": False,
    "enableLogging": False,
    "id": "<your_policy_id>", # Replace with a unique ID for the policy
    "kind": "dns#policy",
    "name": "node-local-dns-caching-policy",
    "networks": [
      {
        "kind": "dns#policyNetwork",
        "networkUrl": "https://www.googleapis.com/compute/v1/projects/<your_project_id>/global/networks/default"
      }
    ],
    "rules": [
      {
        "action": "allow",
        "description": "Allow all DNS queries",
        "kind": "dns#policyRule",
        "match": {
          "kind": "dns#policyRuleCriteriaMatch",
          "queryNamePattern": ".*"
        }
      }
    ],
    "targetNameServers": [
      {
        "forwardingPath": "default",
        "ipv4Address": "8.8.8.8",
        "kind": "dns#policyAlternativeNameServerConfigTargetNameServer",
        "networkUrl": "https://www.googleapis.com/compute/v1/projects/<your_project_id>/global/networks/default"
      }
    ],
    "visibility": "private"
}

policy = dns_service.policies().create(project=project_id, body=policy_body).execute()
Step 5: Assign the newly created DNS policy to the cluster.
from googleapiclient.errors import HttpError

cluster_name = '<your_cluster_name>' # Replace with the name of your GKE cluster
zone = '<your_zone>' # Replace with the zone in which your GKE cluster is located

try:
    cluster = container_service.projects().zones().clusters().get(project=project_id, zone=zone, clusterId=cluster_name).execute()
    cluster['nodeConfig']['dnsPolicy'] = 'Policy'
    cluster['nodeConfig']['dnsConfig']['nameServerConfig']['networks'] = [
        {
          "kind": "dns#policyNetwork",
          "policy": policy['id']
        }
    ]
    update_cluster = container_service.projects().zones().clusters().update(project=project_id, zone=zone, clusterId=cluster_name, body=cluster).execute()
    print(f"DNS policy with node-local caching enabled has been successfully assigned to the cluster: {cluster_name}")
except HttpError as e:
    print(f"An error occurred while assigning DNS policy to the cluster: {cluster_name}. Error message: {e}")
With these steps, the misconfiguration “Cluster Should Use Node Local DNS Cache” has been remediated for GCP using Python.