lacework-global-762

Prefer using dedicated GCP Service Accounts and Workload Identity (Automated)

Description

Kubernetes workloads should not use cluster node service accounts to authenticate to Google Cloud APIs. Provision a dedicated Service account for each Kubernetes Workload that needs to authenticate to other Google services using Cloud Identity and Access Management (IAM). Enabling Workload Identity manages the distribution and rotation of Service account keys for the workloads to use.

Remediation

Using Google Cloud Console:

  1. Go to Kubernetes Engine by visiting: https://console.cloud.google.com/kubernetes/list.
  2. From the list of clusters, select the cluster with Workload Identity disabled.
  3. Within the Details pane, under the Security section, click the pencil icon named Edit workload identity.
  4. Enable Workload Identity and set the workload pool to the namespace of the Cloud project containing the cluster, for example: <project_id>.svc.id.goog.
  5. Click Save Changes and wait for the cluster to update.
  6. Once the cluster has updated, select each Node pool within the cluster Details page.
  7. For each Node pool, select Edit within the Node pool Details page.
  8. Within the Edit node pool pane, select the Enable Google Kubernetes Engine (GKE) Metadata Server checkbox and click Save.

Using Command Line:

gcloud container clusters update <cluster_name> --zone <cluster_zone> --workload-pool <project_id>.svc.id.goog

Note that this does not affect existing Node pools. New Node pools default to --workload-metadata=GKE_METADATA.

Then, modify existing Node pools to enable GKE_METADATA:

gcloud container node-pools update <node_pool_name> --cluster <cluster_name> --zone <cluster_zone> --workload-metadata=GKE_METADATA

You may need to modify workloads in order for them to use Workload Identity as described within: https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity.

Also consider the effect on the availability of hosted workloads while Node pools are being updated; it may be more appropriate to create new Node pools and move workloads onto them.
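As an added example (not part of this policy page or of the gcloud tooling), the following Python applies the two conditions above, Workload Identity enabled on the cluster and GKE_METADATA on every Node pool, to the JSON that `gcloud container clusters describe <cluster_name> --format=json` returns, and maps each finding back to the remediation command it needs. The cluster, node pool names, project id and zone are constructed sample values.

```python
"""Offline check for lacework-global-762: Workload Identity on the cluster and
the GKE metadata server on every node pool."""
import json

# Constructed sample in the shape of `gcloud container clusters describe --format=json`,
# trimmed to the fields this check reads; names and values are invented for the example.
SAMPLE_DESCRIBE = json.dumps({
    "name": "prod-cluster",
    "workloadIdentityConfig": {"workloadPool": "example-project.svc.id.goog"},
    "nodePools": [
        {"name": "default-pool", "config": {"workloadMetadataConfig": {"mode": "GKE_METADATA"}}},
        {"name": "legacy-pool", "config": {"workloadMetadataConfig": {"mode": "GCE_METADATA"}}},
        {"name": "unset-pool", "config": {}},
    ],
})


def evaluate_cluster(describe_json: str, project_id: str) -> list[dict]:
    """Return one finding per non-compliant resource; an empty list means compliant."""
    cluster = json.loads(describe_json)
    findings = []
    expected_pool = f"{project_id}.svc.id.goog"
    pool = cluster.get("workloadIdentityConfig", {}).get("workloadPool")
    if pool != expected_pool:
        findings.append({"kind": "cluster", "name": cluster["name"],
                         "problem": f"workload pool is {pool or 'unset'}, expected {expected_pool}"})
    # Enabling Workload Identity on the cluster leaves existing node pools untouched, so each
    # pool is checked on its own: without GKE_METADATA its pods still run as the node's
    # service account, which is exactly what this policy is meant to prevent.
    for np in cluster.get("nodePools", []):
        mode = np.get("config", {}).get("workloadMetadataConfig", {}).get("mode")
        if mode != "GKE_METADATA":
            findings.append({"kind": "node_pool", "name": np["name"],
                             "problem": f"workload metadata mode is {mode or 'unset'}, expected GKE_METADATA"})
    return findings


def remediation_commands(findings: list[dict], cluster: str, project_id: str, zone: str) -> list[str]:
    """Map findings to the gcloud commands from the Remediation section (returned, not executed)."""
    cmds = []
    for f in findings:
        if f["kind"] == "cluster":
            cmds.append(f"gcloud container clusters update {cluster} --zone {zone} "
                        f"--workload-pool {project_id}.svc.id.goog")
        else:
            cmds.append(f"gcloud container node-pools update {f['name']} --cluster {cluster} "
                        f"--zone {zone} --workload-metadata=GKE_METADATA")
    return cmds


if __name__ == "__main__":
    found = evaluate_cluster(SAMPLE_DESCRIBE, "example-project")
    for f in found:
        print(f"{f['kind']} {f['name']}: {f['problem']}")
    print("\n".join(remediation_commands(found, "prod-cluster", "example-project", "us-central1-a")))
```

Feed it real `describe` output by reading the JSON from a file instead of `SAMPLE_DESCRIBE`; the commands it prints are the same two forms shown in the Remediation section.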

References

https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
https://cloud.google.com/kubernetes-engine/docs/concepts/cluster-architecture