More Info:

Cluster Administrators should leverage G Suite Groups and Cloud IAM to assign Kubernetes user roles to a collection of users, instead of to individual emails using only Cloud IAM.

Risk Level

Low

Address

Security, Reliability, Operational Excellence, Performance Efficiency

Compliance Standards

SOC2, CISGKE

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Manage Kubernetes RBAC Users With Google Groups” in GCP using GCP console, follow the below steps:
  1. Go to the GCP console and navigate to the Kubernetes Engine section.
  2. Select the cluster for which you want to manage RBAC users.
  3. Click on the “Security” tab and then select “Identity and Access Management”.
  4. In the “Identity and Access Management” section, click on the “Add” button.
  5. Add the Google group that you want to use for managing RBAC users.
  6. Click on the “Role” drop-down and select the appropriate role that you want to assign to the group.
  7. Click on the “Save” button to save the changes.
By following these steps, you have remediated the “Manage Kubernetes RBAC Users With Google Groups” misconfiguration in GCP using GCP console. Now, the RBAC users will be managed through the Google group that you have added and assigned the appropriate role.

The misconfiguration is related to managing Kubernetes RBAC Users with Google Groups. To remediate this issue, follow the below steps:
  1. Open the Google Cloud Console and navigate to the Kubernetes Engine.
  2. Select the cluster for which you want to manage the Kubernetes RBAC users.
  3. Click on the “Edit” button to edit the cluster.
  4. In the “Security” tab, select the “Security” option.
  5. In the “Security” section, click on the “Edit” button to edit the security settings.
  6. In the “Edit Security” section, scroll down to the “Kubernetes RBAC” section.
  7. Under the “Kubernetes RBAC” section, select the “Google Groups” option.
  8. Enter the name of the Google Group you want to use to manage the Kubernetes RBAC users.
  9. Click on the “Save” button to save the changes.
  10. Now, all the users in the Google Group will have the same access as the Kubernetes RBAC users.
To remediate this issue using the GCP CLI, follow the below steps:
  1. Open the GCP CLI and navigate to the Kubernetes Engine.
  2. Run the following command to set the Kubernetes RBAC users with Google Groups: 
$ gcloud container clusters update [CLUSTER_NAME] --zone=[ZONE] --update-addons=HorizontalPodAutoscaling,HttpLoadBalancing --enable-rbac --no-enable-basic-auth --google-groups=[GOOGLE_GROUP_NAME]
  1. Replace [CLUSTER_NAME] with the name of your cluster, [ZONE] with the zone where your cluster is located, and [GOOGLE_GROUP_NAME] with the name of the Google Group you want to use to manage the Kubernetes RBAC users.
  2. Once the command is executed successfully, all the users in the Google Group will have the same access as the Kubernetes RBAC users.
To remediate the misconfiguration “Manage Kubernetes RBAC Users With Google Groups” for GCP using Python, you can follow the below steps:
  1. Install the required libraries:
pip install google-auth google-auth-oauthlib google-auth-httplib2 google-api-python-client
  1. Set up authentication by creating a service account and downloading the JSON key file.
  2. Create a Python script with the following code: 
from google.oauth2 import service_account
from googleapiclient.discovery import build

# Set the required variables
project_id = '<PROJECT_ID>'
zone = '<ZONE>'
cluster_name = '<CLUSTER_NAME>'
group_email = '<GROUP_EMAIL>'

# Set up credentials
credentials = service_account.Credentials.from_service_account_file('<PATH_TO_JSON_KEY_FILE>')

# Create the Kubernetes API client
container_service = build('container', 'v1', credentials=credentials)

# Get the cluster's endpoint
response = container_service.projects().zones().clusters().get(projectId=project_id, zone=zone, clusterId=cluster_name).execute()
cluster_endpoint = response['endpoint']

# Create the Kubernetes API client with the endpoint
kube_service = build('container', 'v1', credentials=credentials, endpoint=cluster_endpoint)

# Get the cluster's current RBAC configuration
rbac = kube_service.projects().zones().clusters().get(projectId=project_id, zone=zone, clusterId=cluster_name).execute()['masterAuth']['rbacConfig']

# Add the group to the RBAC configuration
rbac['groups'].append(group_email)

# Update the cluster's RBAC configuration
kube_service.projects().zones().clusters().update(projectId=project_id, zone=zone, clusterId=cluster_name, updateMask='masterAuth.rbacConfig', body={'masterAuth': {'rbacConfig': rbac}}).execute()
  1. Replace the placeholders <PROJECT_ID>, <ZONE>, <CLUSTER_NAME>, <GROUP_EMAIL>, and <PATH_TO_JSON_KEY_FILE> with the appropriate values.
  2. Run the Python script to add the Google group to the Kubernetes RBAC configuration.
This will remediate the misconfiguration “Manage Kubernetes RBAC Users With Google Groups” for GCP using Python.

Additional Reading: