Manage Kubernetes RBAC Users With Google Groups

More Info:

Cluster Administrators should leverage G Suite Groups and Cloud IAM to assign Kubernetes user roles to a collection of users, instead of to individual emails using only Cloud IAM.

Risk Level

Low

Address

Security, Reliability, Operational Excellence, Performance Efficiency

Compliance Standards

SOC2, CISGKE

Triage and Remediation

Remediation

Using Console

Using CLI

The misconfiguration is related to managing Kubernetes RBAC Users with Google Groups. To remediate this issue, follow the below steps:

Open the Google Cloud Console and navigate to the Kubernetes Engine.
Select the cluster for which you want to manage the Kubernetes RBAC users.
Click on the “Edit” button to edit the cluster.
In the “Security” tab, select the “Security” option.
In the “Security” section, click on the “Edit” button to edit the security settings.
In the “Edit Security” section, scroll down to the “Kubernetes RBAC” section.
Under the “Kubernetes RBAC” section, select the “Google Groups” option.
Enter the name of the Google Group you want to use to manage the Kubernetes RBAC users.
Click on the “Save” button to save the changes.
Now, all the users in the Google Group will have the same access as the Kubernetes RBAC users.

To remediate this issue using the GCP CLI, follow the below steps:

Open the GCP CLI and navigate to the Kubernetes Engine.
Run the following command to set the Kubernetes RBAC users with Google Groups:

$ gcloud container clusters update [CLUSTER_NAME] --zone=[ZONE] --update-addons=HorizontalPodAutoscaling,HttpLoadBalancing --enable-rbac --no-enable-basic-auth --google-groups=[GOOGLE_GROUP_NAME]

Replace [CLUSTER_NAME] with the name of your cluster, [ZONE] with the zone where your cluster is located, and [GOOGLE_GROUP_NAME] with the name of the Google Group you want to use to manage the Kubernetes RBAC users.
Once the command is executed successfully, all the users in the Google Group will have the same access as the Kubernetes RBAC users.

Using Python

To remediate the misconfiguration “Manage Kubernetes RBAC Users With Google Groups” for GCP using Python, you can follow the below steps:

Install the required libraries:

pip install google-auth google-auth-oauthlib google-auth-httplib2 google-api-python-client

Set up authentication by creating a service account and downloading the JSON key file.
Create a Python script with the following code:

from google.oauth2 import service_account
from googleapiclient.discovery import build

# Set the required variables
project_id = '<PROJECT_ID>'
zone = '<ZONE>'
cluster_name = '<CLUSTER_NAME>'
group_email = '<GROUP_EMAIL>'

# Set up credentials
credentials = service_account.Credentials.from_service_account_file('<PATH_TO_JSON_KEY_FILE>')

# Create the Kubernetes API client
container_service = build('container', 'v1', credentials=credentials)

# Get the cluster's endpoint
response = container_service.projects().zones().clusters().get(projectId=project_id, zone=zone, clusterId=cluster_name).execute()
cluster_endpoint = response['endpoint']

# Create the Kubernetes API client with the endpoint
kube_service = build('container', 'v1', credentials=credentials, endpoint=cluster_endpoint)

# Get the cluster's current RBAC configuration
rbac = kube_service.projects().zones().clusters().get(projectId=project_id, zone=zone, clusterId=cluster_name).execute()['masterAuth']['rbacConfig']

# Add the group to the RBAC configuration
rbac['groups'].append(group_email)

# Update the cluster's RBAC configuration
kube_service.projects().zones().clusters().update(projectId=project_id, zone=zone, clusterId=cluster_name, updateMask='masterAuth.rbacConfig', body={'masterAuth': {'rbacConfig': rbac}}).execute()

Replace the placeholders <PROJECT_ID>, <ZONE>, <CLUSTER_NAME>, <GROUP_EMAIL>, and <PATH_TO_JSON_KEY_FILE> with the appropriate values.
Run the Python script to add the Google group to the Kubernetes RBAC configuration.

This will remediate the misconfiguration “Manage Kubernetes RBAC Users With Google Groups” for GCP using Python.

Additional Reading:

https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control#google-groups-for-gke

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Manage Kubernetes RBAC Users With Google Groups

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: