5.6.2 Ensure use of VPC-native clusters

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

Create the cluster with Alias IP ranges for Pods and Services (a cluster that uses Alias IPs is called a 'VPC-native' cluster). With Alias IPs, Pod addresses are first-class VPC addresses rather than custom routes on the node network, which is what subsequently allows IP-based policies and firewall rules to be applied to Pods themselves.

Rationale:

Using Alias IPs has several benefits:

Pod IPs are reserved within the network ahead of time, which prevents conflict with other compute resources.

The networking layer can perform anti-spoofing checks to ensure that egress traffic is not sent with arbitrary source IPs.

Firewall controls for Pods can be applied separately from their nodes.

Alias IPs allow Pods to directly access hosted services without using a NAT gateway.

Solution

Use of Alias IPs cannot be enabled on an existing cluster. To create a new cluster using Alias IPs, follow the instructions below.

Using Google Cloud Console

Go to Kubernetes Engine by visiting https://console.cloud.google.com/kubernetes/list

Click CREATE CLUSTER

Configure your cluster as desired. Then, click 'Availability, networking, security, and additional features'

In the 'VPC-native' section, leave 'Enable VPC-native (using alias IP)' selected

Click CREATE.

Using Command Line

To enable Alias IP on a new cluster, run the following command:

gcloud container clusters create [CLUSTER_NAME] \
--zone [COMPUTE_ZONE] \
--enable-ip-alias
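The page gives the remediation but no audit step. The helper below is an added example, not part of the CIS text or of Google's tooling: it evaluates the output of `gcloud container clusters list --format="csv[no-heading](name,location,ipAllocationPolicy.useIpAliases)"`, flags any cluster whose `ipAllocationPolicy.useIpAliases` field is not `True` (routes-based clusters have no such field, so it prints empty), and prints the create command for a VPC-native replacement. The sample data is constructed; the `-vpcnative` suffix on the replacement name and the use of `--location` (accepted by current gcloud for both zonal and regional clusters, equivalent to the page's `--zone` for a zonal cluster) are illustrative choices.

```shell
#!/bin/sh
# Added audit helper for CIS GKE 5.6.2 (not part of the CIS page or of gcloud).
# Input format is the output of:
#   gcloud container clusters list --project "$PROJECT" \
#     --format="csv[no-heading](name,location,ipAllocationPolicy.useIpAliases)"
# VPC-native clusters print "True" in the third field; routes-based clusters
# have no ipAllocationPolicy.useIpAliases, so the field is empty.

# Constructed sample of that command's output (not real project data).
SAMPLE_LIST='prod-a,us-central1-a,True
legacy-routes,us-east1-b,
dev-b,europe-west1,True'

# noncompliant_clusters LIST -> prints "name location" for each cluster whose
# useIpAliases field is not "True", i.e. each routes-based cluster.
noncompliant_clusters() {
  printf '%s\n' "$1" | awk -F, 'NF >= 2 && $3 != "True" { print $1, $2 }'
}

# count_noncompliant LIST -> prints the number of routes-based clusters.
count_noncompliant() {
  printf '%s\n' "$1" | awk -F, 'NF >= 2 && $3 != "True" { n++ } END { print n + 0 }'
}

# remediation_cmd NAME LOCATION -> prints the gcloud command that creates a
# VPC-native replacement for a routes-based cluster. An existing cluster cannot
# be converted in place, so a new cluster is required; the "-vpcnative" suffix
# is an illustrative naming choice.
remediation_cmd() {
  printf 'gcloud container clusters create %s-vpcnative --location %s --enable-ip-alias\n' "$1" "$2"
}

# audit_report LIST -> PASS/FAIL report; returns 0 only if every cluster is
# VPC-native.
audit_report() {
  list="$1"
  if [ "$(count_noncompliant "$list")" -eq 0 ]; then
    echo "PASS: all clusters are VPC-native"
    return 0
  fi
  noncompliant_clusters "$list" | while read -r name location; do
    echo "FAIL: $name ($location) uses routes-based Pod networking; recreate with:"
    echo "  $(remediation_cmd "$name" "$location")"
  done
  return 1
}
```

To run it against a real project, replace `SAMPLE_LIST` with the captured output of the `gcloud container clusters list` command shown in the header comment and call `audit_report "$SAMPLE_LIST"`; a non-zero exit status marks the project as non-compliant with this recommendation.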

Impact:

You cannot currently migrate an existing cluster that uses routes for Pod routing to a cluster that uses Alias IPs.

Cluster IPs for internal services remain only available from within the cluster. If you want to access a Kubernetes Service from within the VPC, but from outside of the cluster, use an internal load balancer.

Default Value:

By default, VPC-native (using alias IP) is enabled when you create a new cluster in the Google Cloud Console. A cluster created with the gcloud CLI is not VPC-native unless the --enable-ip-alias argument is specified.

See Also

https://workbench.cisecurity.org/files/2764