GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Use Dedicated GCP Service Accounts And Workload Identity For Clusters
More Info:
Kubernetes workloads should not use cluster node service accounts to authenticate to Google Cloud APIs. Each Kubernetes Workload that needs to authenticate to other Google services using Cloud IAM should be provisioned a dedicated Service account. Enabling Workload Identity manages the distribution and rotation of Service account keys for the workloads to use.
Risk Level
Medium
Address
Security, Operational Excellence, Best Practice
Compliance Standards
CISGKE
Triage and Remediation
Remediation
To remediate the misconfiguration of using Dedicated GCP Service Accounts and Workload Identity for Clusters in GCP, follow these steps:
-
Open the GCP Console and navigate to the Kubernetes Engine.
-
Select the cluster for which you want to remediate the misconfiguration.
-
Click on the “Edit” button at the top of the page.
-
Under the “Security” section, select “Workload Identity.”
-
Select the checkbox “Enable Workload Identity.”
-
In the “Service Account” field, enter the name of the dedicated service account that you want to use for the cluster.
-
Click on the “Save” button to apply the changes.
-
Once the changes are applied, verify that the dedicated service account is being used for the cluster by running the following command in the Cloud Shell:
kubectl get pods --namespace kube-system -o=jsonpath='{.items[*].spec.serviceAccountName}'
This command will return the name of the service account being used by the pods in the kube-system namespace. Verify that it matches the dedicated service account that you specified in step 6.
By following these steps, you have successfully remediated the misconfiguration of using Dedicated GCP Service Accounts and Workload Identity for Clusters in GCP.
To remediate the misconfiguration “Use Dedicated GCP Service Accounts And Workload Identity For Clusters” for GCP using GCP CLI, you can follow the below steps:
- Create a dedicated service account for your cluster:
gcloud iam service-accounts create [SA-NAME] --display-name [SA-DISPLAY-NAME]
Replace [SA-NAME] with the name of the service account you want to create and [SA-DISPLAY-NAME] with the display name of the service account.
- Grant the necessary permissions to the service account:
gcloud projects add-iam-policy-binding [PROJECT-ID] --member=serviceAccount:[SA-NAME]@[PROJECT-ID].iam.gserviceaccount.com --role=[ROLE]
Replace [PROJECT-ID] with the ID of the project where the cluster is located, [SA-NAME] with the name of the service account you created in step 1, and [ROLE] with the necessary role to access the resources required by the cluster.
- Enable workload identity for your cluster:
gcloud container clusters update [CLUSTER-NAME] --workload-pool=[PROJECT-ID].svc.id.goog
Replace [CLUSTER-NAME] with the name of the cluster and [PROJECT-ID] with the ID of the project where the cluster is located.
- Associate the service account with the cluster:
gcloud iam service-accounts add-iam-policy-binding [SA-NAME]@[PROJECT-ID].iam.gserviceaccount.com --member="serviceAccount:[PROJECT-ID].svc.id.goog[NAMESPACE]/[SA-NAME]" --role="roles/iam.workloadIdentityUser"
Replace [SA-NAME] with the name of the service account you created in step 1, [PROJECT-ID] with the ID of the project where the cluster is located, and [NAMESPACE] with the namespace of the cluster.
By following these steps, you will have remediated the misconfiguration “Use Dedicated GCP Service Accounts And Workload Identity For Clusters” for GCP using GCP CLI.
To remediate the misconfiguration “Use Dedicated GCP Service Accounts And Workload Identity For Clusters” in GCP using Python, follow the below steps:
- Create a dedicated GCP service account for the cluster. You can use the below Python code to create a service account:
from google.oauth2 import service_account
credentials = service_account.Credentials.from_service_account_file(
'/path/to/service_account_key.json')
- Assign the required IAM roles to the service account based on the cluster’s requirements. You can use the below Python code to grant IAM roles to the service account:
from google.cloud import iam
client = iam.IAMClient(credentials=credentials)
policy = client.get_policy(request={"resource": "projects/{project_id}"})
bindings = policy.bindings
for binding in bindings:
if binding.role == "roles/editor":
binding.members.append("serviceAccount:{service_account_email}")
break
policy.bindings = bindings
client.set_iam_policy(request={"resource": "projects/{project_id}", "policy": policy})
- Enable Workload Identity for the cluster. You can use the below Python code to enable Workload Identity:
from google.cloud import container_v1
client = container_v1.ClusterManagerClient(credentials=credentials)
cluster = client.get_cluster(request={"name": "projects/{project_id}/locations/{location}/clusters/{cluster_name}"})
cluster.workload_identity_config = {
"workload_pool": "projects/{project_id}/locations/{location}/workloadPools/{pool_name}"
}
update_mask = {"paths": ["workload_identity_config"]}
client.update_cluster(request={"update_mask": update_mask, "cluster": cluster})
- Associate the service account with the cluster. You can use the below Python code to associate the service account with the cluster:
from google.cloud import container_v1
client = container_v1.ClusterManagerClient(credentials=credentials)
cluster = client.get_cluster(request={"name": "projects/{project_id}/locations/{location}/clusters/{cluster_name}"})
cluster.master_auth.workload_identity_config = {
"identity_namespace": "projects/{project_id}.svc.id.goog",
"identity_provider": "google"
}
update_mask = {"paths": ["master_auth.workload_identity_config"]}
client.update_cluster(request={"update_mask": update_mask, "cluster": cluster})
By following these steps, you can remediate the misconfiguration “Use Dedicated GCP Service Accounts And Workload Identity For Clusters” in GCP using Python.