5.6.2 Ensure use of VPC-native clusters

Information

Create the cluster so that Pod IP addresses are allocated from alias IP ranges of the node subnet, rather than routed to nodes, so that IP-based policies and firewall rules can subsequently target Pods directly. A cluster that uses Alias IPs is called a VPC-native cluster.

Rationale:

Using Alias IPs has several benefits:

Pod IPs are reserved within the network ahead of time, which prevents conflict with other compute resources.

The networking layer can perform anti-spoofing checks to ensure that egress traffic is not sent with arbitrary source IPs.

Firewall controls for Pods can be applied separately from their nodes.

Alias IPs allow Pods to directly access hosted services without using a NAT gateway.

Impact:

You cannot currently migrate an existing cluster that uses routes for Pod routing to a cluster that uses Alias IPs.

Cluster IPs for internal services remain only available from within the cluster. If you want to access a Kubernetes Service from within the VPC, but from outside of the cluster, use an internal load balancer.

Solution

Alias IPs cannot be enabled on an existing cluster. To create a new cluster using Alias IPs, follow the instructions below.
Using Google Cloud Console:
If using Standard configuration mode:

Go to Kubernetes Engine by visiting: https://console.cloud.google.com/kubernetes/list

Click CREATE CLUSTER, and select Standard configuration mode.

Configure your cluster as desired, then click Networking under CLUSTER in the navigation pane.

In the 'VPC-native' section, leave 'Enable VPC-native (using alias IP)' selected.

Click CREATE.

If using Autopilot configuration mode:
Note that Autopilot clusters are always VPC-native; this cannot be disabled:

Go to Kubernetes Engine by visiting: https://console.cloud.google.com/kubernetes/list.

Click CREATE CLUSTER, and select Autopilot configuration mode.

Configure your cluster as required.

Click CREATE.

Using Command Line
To enable Alias IP on a new cluster, run the following command:

gcloud container clusters create <cluster_name> --zone <compute_zone> --enable-ip-alias

If using Autopilot configuration mode:

gcloud container clusters create-auto <cluster_name> --zone <compute_zone>
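The benchmark gives the creation commands but no audit step. As an added example, not part of the benchmark text, the following bash script checks existing clusters for this control using the ipAllocationPolicy.useIpAliases field that gcloud reports for each cluster (True for VPC-native, absent for routes-based). The cluster names and locations in SAMPLE_LIST are constructed for illustration; audit_live and check_cluster assume an installed, authenticated gcloud.

```shell
#!/usr/bin/env bash
# Added example, not part of the CIS benchmark text: audit GKE clusters for
# VPC-native (alias IP) mode. Live use assumes gcloud is installed and
# authenticated; the sample data at the bottom is constructed.
set -u

# A VPC-native cluster reports ipAllocationPolicy.useIpAliases = True. A
# routes-based cluster has no such field, so gcloud's value() format prints an
# empty string for it; treat anything but True as a failure.
is_vpc_native() {
  case "${1:-}" in
    True|true) return 0 ;;
    *)         return 1 ;;
  esac
}

# Reads tab-separated "<name> <location> <useIpAliases>" lines on stdin, the
# shape produced by the gcloud command in audit_live below. Prints PASS/FAIL
# per cluster and returns 1 if any cluster is not VPC-native.
audit_clusters() {
  local name location use_alias tab rc=0
  tab=$(printf '\t')
  while IFS="$tab" read -r name location use_alias; do
    [ -n "$name" ] || continue
    if is_vpc_native "$use_alias"; then
      printf 'PASS %s (%s)\n' "$name" "$location"
    else
      printf 'FAIL %s (%s): routes-based; recreate with --enable-ip-alias\n' \
        "$name" "$location"
      rc=1
    fi
  done
  return "$rc"
}

# Live audit of every cluster in the current gcloud project.
audit_live() {
  gcloud container clusters list \
    --format="value(name,location,ipAllocationPolicy.useIpAliases)" \
    | audit_clusters
}

# Live check of a single cluster: check_cluster <cluster_name> <compute_zone>
check_cluster() {
  local value
  value=$(gcloud container clusters describe "$1" --zone "$2" \
    --format="value(ipAllocationPolicy.useIpAliases)")
  is_vpc_native "$value"
}

# Constructed sample standing in for the gcloud list output (not real
# clusters): a Standard VPC-native cluster, a legacy routes-based cluster
# (empty third field), and an Autopilot cluster (always VPC-native).
SAMPLE_LIST=$(printf 'prod-std\tus-central1-a\tTrue\nlegacy-routes\teurope-west1-b\t\nprod-auto\tus-east1\tTrue\n')

# Offline demonstration on the constructed sample; replace with audit_live
# for a real project.
printf '%s\n' "$SAMPLE_LIST" | audit_clusters \
  || echo "one or more clusters are not VPC-native"
```

A FAIL here cannot be remediated in place: as the Impact section states, a routes-based cluster must be recreated with --enable-ip-alias (or as an Autopilot cluster), and workloads migrated to it.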

Default Value:

By default, VPC-native (using alias IP) is selected when you create a new cluster in the Google Cloud Console. When creating a new cluster with the gcloud CLI, it is disabled unless the --enable-ip-alias argument is specified. Because defaults can differ between gcloud and GKE versions, pass --enable-ip-alias explicitly and confirm the setting on the created cluster rather than relying on the default.

See Also

https://workbench.cisecurity.org/benchmarks/13178

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|SC-7, CSCv7|11, CSCv7|14.1

Plugin: GCP

Control ID: 58ef9921716869d2aa621e97604874e1797f9267bdbb861aab6f6d89894c4301