Ensure network policy is enabled on Google Container Cluster

HIGH

Description

GKE network policies manage communication between cluster workloads such as Pods and Services; a network policy can be thought of as a pod-level firewall. When network policy is not enabled on a cluster, any Pod can reach any other Pod, so a compromised workload can move laterally without restriction. For more information on GKE network policies, see the GCP documentation.
References:
https://cloud.google.com/kubernetes-engine/docs/how-to/network-policy

Remediation

In GCP Console -

  1. Open the GCP Portal and Go to the Google Kubernetes Engine (GKE).
  2. Select the cluster you want to edit.
  3. Click Details. Under Networking, next to Network policy, click Edit network policy.
  4. Select the Enable network policy for master checkbox and the Enable network policy for nodes checkbox (one at a time).
  5. Click Save Changes.

In Terraform -

  1. In the google_container_cluster resource, ensure that the network_policy block has enabled set to true.
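
The following is an added Terraform example, not code from the original policy page or from the Terraform provider documentation. It shows a google_container_cluster with network policy disabled (the misconfiguration this rule flags) beside the corrected form. The resource names, project, region, network and subnetwork values are placeholders. The addons_config network_policy_config block is taken from the provider documentation referenced above and corresponds to the "enable network policy for master" step in the Console remediation; the network_policy block corresponds to the "enable network policy for nodes" step.

```hcl
# Non-compliant: network_policy is absent (or enabled = false), so GKE
# does not enforce NetworkPolicy objects and every Pod can talk to every other Pod.
resource "google_container_cluster" "noncompliant" {
  name     = "example-cluster-noncompliant" # placeholder name
  location = "us-central1"                  # placeholder region

  remove_default_node_pool = true
  initial_node_count       = 1

  network    = "default" # placeholder VPC
  subnetwork = "default" # placeholder subnet

  network_policy {
    enabled = false # flagged by AC_GCP_0026
  }
}

# Compliant: network policy enabled for both the control plane addon and the nodes.
resource "google_container_cluster" "compliant" {
  name     = "example-cluster-compliant" # placeholder name
  location = "us-central1"               # placeholder region

  remove_default_node_pool = true
  initial_node_count       = 1

  network    = "default" # placeholder VPC
  subnetwork = "default" # placeholder subnet

  # Enables the network policy addon on the control plane
  # (the "Enable network policy for master" step in the Console).
  addons_config {
    network_policy_config {
      disabled = false
    }
  }

  # Enables network policy enforcement on the nodes
  # (the "Enable network policy for nodes" step in the Console).
  network_policy {
    enabled  = true
    provider = "CALICO"
  }
}
```

Enabling the feature only makes the cluster enforce NetworkPolicy objects; it does not by itself restrict any traffic. A default-deny NetworkPolicy per namespace, with explicit allow rules for required flows, is what turns the capability into an actual pod-level firewall.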

References:
https://registry.terraform.io/providers/hashicorp/google/3.78.0/docs/resources/container_cluster

Policy Details

Rule Reference ID: AC_GCP_0026
CSP: GCP
Remediation Available: Yes
Resource Category: Compute

Frameworks