5.2.1 Ensure GKE clusters are not running using the Compute Engine default service account

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Create and use minimally privileged Service accounts to run GKE cluster nodes instead of using the Compute Engine default Service account. Unnecessary permissions could be abused in the case of a node compromise.

Rationale:

A GCP service account (as distinct from a Kubernetes ServiceAccount) is an identity that an instance or an application can use to run GCP API requests on your behalf. This identity is used to identify virtual machine instances to other Google Cloud Platform services. By default, Kubernetes Engine nodes use the Compute Engine default service account. This account has broad access by default, as defined by access scopes, making it useful to a wide variety of applications on the VM, but it has more permissions than are required to run your Kubernetes Engine cluster.

You should create and use a minimally privileged service account to run your Kubernetes Engine cluster instead of using the Compute Engine default service account, and create separate service accounts for each Kubernetes Workload (See Recommendation 6.2.2).

Kubernetes Engine requires, at a minimum, the node service account to have the monitoring.viewer, monitoring.metricWriter, and logging.logWriter roles. Additional roles may need to be added for the nodes to pull images from GCR.

Solution

Using Google Cloud Console

Firstly, create a minimally privileged service account.

Go to Service Accounts by visiting https://console.cloud.google.com/iam-admin/serviceaccounts

Click on CREATE SERVICE ACCOUNT

Enter Service Account Details

Click CREATE

Within Service Account permissions add the following roles:

Logs Writer

Monitoring Metric Writer

Monitoring Viewer

Click CONTINUE

Grant users access to this service account and create keys as required

Click DONE.

To create a Node pool to use the Service account:

Go to Kubernetes Engine by visiting https://console.cloud.google.com/kubernetes/list

Click on the cluster name within which the Node pool will be launched

Click on ADD NODE POOL

Within the Node Pool options select the minimally privileged service account from the Service Account drop down under the 'Security' heading

Click SAVE to launch the Node pool.

You will need to migrate your workloads to the new Node pool, and delete Node pools that use the default service account to complete the remediation.

Using Command Line

Firstly, create a minimally privileged service account:

gcloud iam service-accounts create [SA_NAME] \
--display-name 'GKE Node Service Account'
export NODE_SA_EMAIL='gcloud iam service-accounts list \
--format='value(email)' \
--filter='displayName:GKE Node Service Account''

Grant the following roles to the service account:

export PROJECT_ID='gcloud config get-value project'
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member serviceAccount:$NODE_SA_EMAIL \
--role roles/monitoring.metricWriter
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member serviceAccount:$NODE_SA_EMAIL \
--role roles/monitoring.viewer
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member serviceAccount:$NODE_SA_EMAIL \
--role roles/logging.logWriter

To create a new Node pool using the Service account, run the following command:

gcloud container node-pools create [NODE_POOL] \
--service-account=[SA_NAME]@[PROJECT_ID].iam.gserviceaccount.com \
--cluster=[CLUSTER_NAME] --zone [COMPUTE_ZONE]

You will need to migrate your workloads to the new Node pool, and delete Node pools that use the default service account to complete the remediation.

Impact:

Instances are automatically granted the https://www.googleapis.com/auth/cloud-platform scope to allow full access to all Google Cloud APIs. This is so that the IAM permissions of the instance are completely determined by the IAM roles of the Service account. Thus if Kubernetes workloads were using cluster access scopes to perform actions using Google APIs, they may no longer be able to, if not permitted by the permissions of the Service account. To remediate, follow Recommendation 6.2.2.

The Service account roles listed here are the minimum required to run the cluster. Additional roles may be required to pull from a private instance of Google Container Registry (GCR).

Default Value:

By default, nodes use the Compute Engine default service account when you create a new cluster.

See Also

https://workbench.cisecurity.org/files/2764