K8s workload identity remediation

Using Console

Using CLI

To remediate the misconfiguration “Workload Identity Should Be Enabled” in GCP using GCP CLI, follow the below steps:

Open the Cloud Shell in GCP console.
Run the following command to enable the Workload Identity API:

gcloud services enable iamcredentials.googleapis.com

Create a Kubernetes service account:

gcloud iam service-accounts create [SA-NAME] --description "[SA-DESCRIPTION]" --display-name "[SA-DISPLAY-NAME]"

Replace the [SA-NAME], [SA-DESCRIPTION], and [SA-DISPLAY-NAME] with the desired values.

Bind the Kubernetes service account to the GCP service account:

gcloud iam service-accounts add-iam-policy-binding [SA-NAME] --member "serviceAccount:[PROJECT-ID].svc.id.goog[namespace/[NAMESPACE]/sa/[SA-NAME]]" --role "roles/iam.workloadIdentityUser"

Replace the [SA-NAME], [PROJECT-ID], and [NAMESPACE] with the desired values.

Annotate the Kubernetes service account to use the GCP service account:

kubectl annotate serviceaccount --namespace [NAMESPACE] [SA-NAME] iam.gke.io/gcp-service-account=[SA-NAME]@[PROJECT-ID].iam.gserviceaccount.com

Replace the [NAMESPACE], [SA-NAME], and [PROJECT-ID] with the desired values.

Verify that the workload identity is enabled by running the following command:

kubectl run --rm -i --tty workload-identity-test --image google/cloud-sdk --restart Never -- /bin/bash

Run the following command to authenticate using the Kubernetes service account:

gcloud auth activate-service-account --key-file=/var/run/secrets/kubernetes.io/serviceaccount/token

Run the following command to verify that the authentication was successful:

gcloud auth list

If the authentication was successful, you should see the Kubernetes service account listed.These steps should remediate the misconfiguration “Workload Identity Should Be Enabled” for GCP using GCP CLI.

Using Python

To remediate the “Workload Identity Should Be Enabled” misconfiguration in GCP using Python, follow these steps:

Install the necessary libraries:

pip install google-auth google-auth-httplib2 google-auth-oauthlib google-cloud-storage

Set up an authentication method for your GCP account. You can either use a service account or your own user credentials.

Create a Python script that will enable Workload Identity for your GCP project. Here’s an example script that you can modify according to your needs:

from google.oauth2 import service_account
from googleapiclient.discovery import build

# Set up authentication
credentials = service_account.Credentials.from_service_account_file(
    'path/to/service_account.json')

# Set up the Cloud IAM API client
service = build('iam', 'v1', credentials=credentials)

# Set up the request body
body = {
    'projectId': 'your-project-id',
    'enabled': True
}

# Send the request to enable Workload Identity
response = service.projects().setWorkloadIdentityPoolConfig(
    name='projects/your-project-id',
    body=body
).execute()

# Print the response
print(response)

Replace 'path/to/service_account.json' with the path to your service account file.
Replace 'your-project-id' with the ID of the GCP project that you want to enable Workload Identity for.
Save the Python script and run it using the command python script_name.py.
Verify that Workload Identity has been enabled for your GCP project by checking the Cloud IAM page in the GCP console.

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

K8s workload identity remediation

Triage and Remediation

Remediation

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​Triage and Remediation

​Remediation

Triage and Remediation

Remediation