More Info:

Create Alias IPs for the node network CIDR range in order to subsequently configure IPbased policies and firewalling for pods. A cluster that uses Alias IPs is called a ‘VPC-native’ cluster

Risk Level

Medium

Address

Security, Reliability, Operational Excellence, Performance Efficiency

Compliance Standards

CISGKE

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration of not using VPC-Native Clusters in GCP, you can follow the below steps using the GCP console:
  1. Open the GCP console and navigate to the Kubernetes Engine page.
  2. Select your cluster that you want to make VPC-native.
  3. Click on the “Edit” button at the top of the page.
  4. Scroll down to the “Networking” section and click on “Enable VPC-native (using alias IP)”.
  5. Select the VPC network that you want to use for your cluster.
  6. Select the subnet that you want to use for your cluster.
  7. Click on the “Save” button at the bottom of the page to apply the changes.
  8. Verify that the VPC-native configuration is applied by checking the “Networking” section of your cluster details page.
By following these steps, you will be able to remediate the misconfiguration of not using VPC-Native Clusters in GCP and ensure that your cluster is using VPC-native networking.

To remediate the misconfiguration “Ensure Use Of VPC-Native Clusters” for GCP using GCP CLI, follow the below steps:
  1. Open the GCP Cloud Shell.
  2. Run the following command to enable VPC-native clusters for the default network: 
gcloud container clusters update [CLUSTER_NAME] --zone [ZONE] --enable-ip-alias
Replace [CLUSTER_NAME] with the name of the cluster that you want to update and [ZONE] with the zone in which the cluster is located.
  1. Run the following command to verify that the VPC-native clusters are enabled:
gcloud container clusters describe [CLUSTER_NAME] --zone [ZONE] | grep -i ipallocationpolicy
This command will display the IP allocation policy for the cluster. If the IP allocation policy is “Use IP aliases”, then VPC-native clusters are enabled.
  1. Repeat the above steps for all the GCP clusters in your environment.
By following the above steps, you can ensure the use of VPC-native clusters in GCP using GCP CLI.
To remediate the misconfiguration “Ensure Use Of VPC-Native Clusters” for GCP using Python, you can follow the below steps:
  1. Install the necessary Python libraries:
pip install google-auth google-auth-oauthlib google-auth-httplib2 google-cloud-container google-cloud-storage
  1. Authenticate with GCP using a service account:
from google.oauth2 import service_account

credentials = service_account.Credentials.from_service_account_file('path/to/service_account.json')
  1. Import the necessary libraries:
from google.cloud import container_v1
from google.cloud.container_v1.types import Cluster

client = container_v1.ClusterManagerClient(credentials=credentials)
  1. Get the list of existing clusters in the project:
project_id = 'your-project-id'
zone = 'your-zone'

cluster_list = client.list_clusters(project_id, zone)
  1. Check if each cluster is VPC-native or not:
for cluster in cluster_list.clusters:
    if not cluster.ip_allocation_policy.use_ip_aliases:
        # Update the cluster to use VPC-native
        cluster.ip_allocation_policy.use_ip_aliases = True
        update_request = Cluster(name=cluster.name, ip_allocation_policy=cluster.ip_allocation_policy)
        operation = client.update_cluster(project_id, zone, update_request)
        operation.result()
  1. After running the script, all the clusters that are not VPC-native would be updated to use VPC-native.
Note: Make sure to replace ‘your-project-id’ and ‘your-zone’ with the actual project ID and zone where your GKE clusters are located. Also, make sure to have the necessary permissions to update the clusters.

Additional Reading: