lacework-global-761

Ensure Google Kubernetes Engine (GKE) clusters are not running using the Compute Engine default service account (Automated)

Description

Create and use minimally privileged service accounts to run GKE cluster nodes instead of the Compute Engine default service account. If a node is compromised, any unnecessary permissions granted to its service account can be abused by the attacker.

Remediation

Using Google Cloud Console:

To create a minimally privileged service account:

  1. Go to Service Accounts by visiting: https://console.cloud.google.com/iam-admin/serviceaccounts.
  2. Click Create Service Account.
  3. Enter Service Account Details.
  4. Click Create and Continue.
  5. Within Service Account permissions add the following roles:
    • Logs Writer.
    • Monitoring Metric Writer.
    • Monitoring Viewer.
  6. Click CONTINUE.
  7. Grant users access to this service account and create keys as required.
  8. Click Done.

To create a Node pool to use the Service account:

  1. Go to Kubernetes Engine by visiting: https://console.cloud.google.com/kubernetes/list.
  2. Select a cluster to launch the Node pool into and click the cluster name.
  3. Click Add Node Pool.
  4. Within the Node Pool details, select the Security subheading, and under Identity defaults, select the minimally privileged service account from the Service Account drop-down.
  5. Click CREATE to launch the Node pool.

Note: You must migrate the workloads to the new Node pool, and you should delete the old node pools that use the default service account to complete the remediation.

Using Command Line:

To create a minimally privileged service account:

gcloud iam service-accounts create <node_sa_name> --display-name "GKE Node Service Account"
export NODE_SA_EMAIL=$(gcloud iam service-accounts list --format='value(email)' --filter='displayName:GKE Node Service Account')

Grant the following roles to the service account:

export PROJECT_ID=$(gcloud config get-value project)
gcloud projects add-iam-policy-binding $PROJECT_ID --member serviceAccount:$NODE_SA_EMAIL --role roles/monitoring.metricWriter
gcloud projects add-iam-policy-binding $PROJECT_ID --member serviceAccount:$NODE_SA_EMAIL --role roles/monitoring.viewer
gcloud projects add-iam-policy-binding $PROJECT_ID --member serviceAccount:$NODE_SA_EMAIL --role roles/logging.logWriter

To create a new Node pool using the Service account, run the following command:

gcloud container node-pools create <node_pool> --service-account=<sa_name>@<project_id>.iam.gserviceaccount.com --cluster=<cluster_name> --zone <compute_zone>

Note: You must migrate the workloads to the new Node pool, and you should delete the old node pools that use the default service account to complete the remediation.
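To confirm that every node pool has actually been moved off the default account, the following audit helper is an added example (not Lacework's or Google's own code). It assumes that `gcloud container node-pools list --format='value(name,config.serviceAccount)'` reports the Compute Engine default account either as the literal `default` or as its `<PROJECT_NUMBER>-compute@developer.gserviceaccount.com` email; the sample input is constructed so the check runs offline.

```shell
#!/usr/bin/env bash
# Added audit helper for this check; assumes the gcloud output form described
# in the lead-in (gcloud itself is only called in collect_node_pools).
tab=$(printf '\t')

# Returns 0 when the service account is the Compute Engine default (an empty
# value also means default), 1 when it is a dedicated account.
is_default_node_sa() {
  case "$1" in
    ""|default) return 0 ;;
    *-compute@developer.gserviceaccount.com) return 0 ;;
    *) return 1 ;;
  esac
}

# Reads "<cluster><TAB><node_pool><TAB><service_account>" lines from stdin,
# prints one PASS/FAIL line per node pool and returns 1 if any pool fails.
audit_node_pools() {
  local cluster pool sa failures=0
  while IFS="$tab" read -r cluster pool sa; do
    [ -n "$cluster" ] || continue
    if is_default_node_sa "$sa"; then
      printf 'FAIL %s/%s runs as the Compute Engine default service account (%s)\n' \
        "$cluster" "$pool" "${sa:-default}"
      failures=$((failures + 1))
    else
      printf 'PASS %s/%s runs as %s\n' "$cluster" "$pool" "$sa"
    fi
  done
  [ "$failures" -eq 0 ]
}

# Live collector producing the format above (needs gcloud; not run offline).
# Usage: collect_node_pools <cluster_name> <compute_zone> | audit_node_pools
collect_node_pools() {
  gcloud container node-pools list --cluster "$1" --zone "$2" \
    --format='value(name,config.serviceAccount)' | awk -v c="$1" '{print c "\t" $0}'
}

# Constructed sample: one pool still on the default account, one remediated.
sample_input() {
  printf 'prod\tdefault-pool\tdefault\n'
  printf 'prod\tapp-pool\tgke-nodes@my-project.iam.gserviceaccount.com\n'
}

# Stand-alone demo on the constructed sample (prints one FAIL and one PASS).
sample_input | audit_node_pools && echo "all node pools use dedicated accounts"
```

Run `collect_node_pools <cluster_name> <compute_zone> | audit_node_pools` against a real cluster; a non-zero exit status means at least one node pool still needs the remediation above.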

References

https://cloud.google.com/compute/docs/access/service-accounts#compute_engine_default_service_account