Detections
Analytics
5.2.2 Prefer using dedicated GCP Service Accounts and Workload Identity
Information
Kubernetes workloads should not use cluster node service accounts to authenticate to Google Cloud APIs. Each Kubernetes Workload that needs to authenticate to other Google services using Cloud IAM should be provisioned a dedicated Service account. Enabling Workload Identity manages the distribution and rotation of Service account keys for the workloads to use.Rationale:
Manual approaches for authenticating Kubernetes workloads running on GKE against Google Cloud APIs are: storing service account keys as a Kubernetes secret (which introduces manual key rotation and potential for key compromise); or use of the underlying nodes' IAM Service account, which violates the principle of least privilege on a multitenanted node, when one pod needs to have access to a service, but every other pod on the node that uses the Service account does not.
Once a relationship between a Kubernetes Service account and a GCP Service account has been configured, any workload running as the Kubernetes Service account automatically authenticates as the mapped GCP Service account when accessing Google Cloud APIs on a cluster with Workload Identity enabled.
Impact:
Workload Identity replaces the need to use Metadata Concealment and as such, the two approaches are incompatible. The sensitive metadata protected by Metadata Concealment is also protected by Workload Identity.
When Workload Identity is enabled, the Compute Engine default Service account can not be used. Correspondingly, Workload Identity can't be used with Pods running in the host network. Workloads may also need to be modified in order for them to use Workload Identity, as described within: https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
GKE infrastructure pods such as Stackdriver will continue to use the Node's Service account.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Using Google Cloud Console:Go to Kubernetes Engine by visiting: https://console.cloud.google.com/kubernetes/list.
From the list of clusters, select the cluster for which Workload Identity is disabled.
Within the Details pane, under the Security section, click on the pencil icon named Edit workload identity.
Enable Workload Identity and set the workload pool to the namespace of the Cloud project containing the cluster, for example: <project_id>.svc.id.goog.
Click SAVE CHANGES and wait for the cluster to update.
Once the cluster has updated, select each Node pool within the cluster Details page.
For each Node pool, select EDIT within the Node pool Details page
Within the Edit node pool pane, check the 'Enable GKE Metadata Server' checkbox and click SAVE.
Using Command Line:
gcloud container clusters update <cluster_name> --zone <cluster_zone> --workload-pool <project_id>.svc.id.goog
Note that existing Node pools are unaffected. New Node pools default to --workload-metadata-from-node=GKE_METADATA_SERVER.
Then, modify existing Node pools to enable GKE_METADATA_SERVER:
gcloud container node-pools update <node_pool_name> --cluster <cluster_name> --zone <cluster_zone> --workload-metadata=GKE_METADATA
Workloads may need to be modified in order for them to use Workload Identity as described within: https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity. Also consider the effects on the availability of hosted workloads as Node pools are updated. It may be more appropriate to create new Node Pools.
Default Value:
By default, Workload Identity is disabled.
See Also
Item Details
Audit Name: CIS Google Kubernetes Engine (GKE) v1.5.0 L1
Category: IDENTIFICATION AND AUTHENTICATION
References: 800-53|IA-5, CSCv7|4.3
Plugin: GCP
Control ID: ca0171571036c81190992a77a795be9f68da101a6cd9f98c529f7f59f27c53a4