GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Shielded Nodes Should Be Used For Kubernetes Cluster
More Info:
Ensure that shielded nodes are used in node pools
Risk Level
Medium
Address
Security, Reliability, Operational Excellence
Compliance Standards
CISGKE
Triage and Remediation
Remediation
To remediate the misconfiguration of not using Shielded Nodes for a Kubernetes Cluster in GCP, you can follow the below steps using GCP console:
- Go to the GCP Console and select the Kubernetes Engine from the navigation menu.
- Select the Kubernetes Cluster for which you want to enable Shielded Nodes.
- Click on the Edit button at the top of the page.
- Scroll down to the Node Pools section and click on the node pool name for which you want to enable Shielded Nodes.
- In the Node Pool edit page, scroll down to the Security section and enable the Shielded Nodes option.
- Click on the Save button to save the changes.
After completing these steps, Shielded Nodes will be enabled for the selected node pool in your Kubernetes Cluster. You can repeat these steps for all the node pools in your cluster to ensure that all nodes are using Shielded Nodes.
To remediate the misconfiguration of using shielded nodes for a Kubernetes cluster on GCP using GCP CLI, you can follow the below steps:
- First, you need to check if the Kubernetes cluster is using shielded nodes or not. To check this, run the following command:
gcloud container clusters describe [CLUSTER-NAME] --zone [ZONE] | grep -i shielded
- If the output of the above command shows that shielded nodes are not enabled, then you can enable it by running the following command:
gcloud beta container clusters update [CLUSTER-NAME] --zone [ZONE] --update-shielded-nodes
- If the output of the above command shows an error message saying that the beta component is not enabled, then you need to enable it by running the following command:
gcloud components install beta
-
Once the beta component is installed, you can run the previous command again to enable the shielded nodes.
-
After enabling the shielded nodes, you can verify it by running the first command again. The output should show that shielded nodes are enabled for the Kubernetes cluster.
By following the above steps, you can remediate the misconfiguration of not using shielded nodes for a Kubernetes cluster on GCP using GCP CLI.
To remediate the misconfiguration of not using shielded nodes for a Kubernetes cluster in GCP using Python, follow these steps:
- Install the Google Cloud SDK and Python client library using the following commands:
curl https://sdk.cloud.google.com | bash
exec -l $SHELL
gcloud init
pip install google-cloud
-
Create a new GCP project or select an existing project to work with.
-
Enable the necessary APIs for the project using the following command:
gcloud services enable container.googleapis.com
- Authenticate the SDK using the following command:
gcloud auth login
- Create a new Kubernetes cluster using the following command:
gcloud container clusters create [CLUSTER_NAME] --shielded-secure-boot --shielded-integrity-monitoring
- Verify that the shielded nodes are enabled for the cluster using the following command:
gcloud container clusters describe [CLUSTER_NAME] --format='get(shieldedNodes.enabled)'
This command should return “True” indicating that the shielded nodes are enabled for the cluster.
- If you have an existing cluster, you can update the cluster to enable shielded nodes using the following command:
gcloud container clusters update [CLUSTER_NAME] --shielded-secure-boot --shielded-integrity-monitoring
This command will update the existing cluster to enable shielded nodes.
By following these steps, the misconfiguration of not using shielded nodes for a Kubernetes cluster in GCP can be remediated using Python.