Ensure Use Of VPC-Native Clusters

More Info:

Create Alias IPs for the node network CIDR range in order to subsequently configure IPbased policies and firewalling for pods. A cluster that uses Alias IPs is called a ‘VPC-native’ cluster

Risk Level

Medium

Address

Security, Reliability, Operational Excellence, Performance Efficiency

Compliance Standards

CISGKE

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration “Ensure Use Of VPC-Native Clusters” for GCP using GCP CLI, follow the below steps:

Open the GCP Cloud Shell.
Run the following command to enable VPC-native clusters for the default network:

gcloud container clusters update [CLUSTER_NAME] --zone [ZONE] --enable-ip-alias

Replace [CLUSTER_NAME] with the name of the cluster that you want to update and [ZONE] with the zone in which the cluster is located.

Run the following command to verify that the VPC-native clusters are enabled:

gcloud container clusters describe [CLUSTER_NAME] --zone [ZONE] | grep -i ipallocationpolicy

This command will display the IP allocation policy for the cluster. If the IP allocation policy is “Use IP aliases”, then VPC-native clusters are enabled.

Repeat the above steps for all the GCP clusters in your environment.

By following the above steps, you can ensure the use of VPC-native clusters in GCP using GCP CLI.

Using Python

To remediate the misconfiguration “Ensure Use Of VPC-Native Clusters” for GCP using Python, you can follow the below steps:

Install the necessary Python libraries:

pip install google-auth google-auth-oauthlib google-auth-httplib2 google-cloud-container google-cloud-storage

Authenticate with GCP using a service account:

from google.oauth2 import service_account

credentials = service_account.Credentials.from_service_account_file('path/to/service_account.json')

Import the necessary libraries:

from google.cloud import container_v1
from google.cloud.container_v1.types import Cluster

client = container_v1.ClusterManagerClient(credentials=credentials)

Get the list of existing clusters in the project:

project_id = 'your-project-id'
zone = 'your-zone'

cluster_list = client.list_clusters(project_id, zone)

Check if each cluster is VPC-native or not:

for cluster in cluster_list.clusters:
    if not cluster.ip_allocation_policy.use_ip_aliases:
        # Update the cluster to use VPC-native
        cluster.ip_allocation_policy.use_ip_aliases = True
        update_request = Cluster(name=cluster.name, ip_allocation_policy=cluster.ip_allocation_policy)
        operation = client.update_cluster(project_id, zone, update_request)
        operation.result()

After running the script, all the clusters that are not VPC-native would be updated to use VPC-native.

Note: Make sure to replace ‘your-project-id’ and ‘your-zone’ with the actual project ID and zone where your GKE clusters are located. Also, make sure to have the necessary permissions to update the clusters.

Additional Reading:

https://cloud.google.com/kubernetes-engine/docs/how-to/alias-ips

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Ensure Use Of VPC-Native Clusters

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: