lacework-global-770

Ensure use of Virtual Private Cloud (VPC) native clusters (Automated)

Description

Create Alias IPs for the node network Classless Inter-Domain Routing (CIDR) range to subsequently configure IP-based policies and firewalling for pods. A cluster that uses Alias IPs is a VPC-native cluster.

Remediation

Note: Lacework does not support Autopilot mode clusters, so the remediation only considers the standard mode cluster option.

It is not possible to enable Alias IPs on an existing cluster.

To create a new cluster using Alias IPs, follow the instructions below.

Using Google Cloud Console:

To create a new cluster:

Go to Kubernetes Engine by visiting: https://console.cloud.google.com/kubernetes/list.
Click CREATE CLUSTER, and choose CONFIGURE for the Standard mode cluster.
Configure the cluster as desired, then, click Networking under CLUSTER in the navigation pane.
Click Enable VPC-native traffic routing (uses alias IP).
Click CREATE.

Using Command Line:

To enable Alias IP on a new cluster, run the following command:

gcloud container clusters create <cluster_name> --zone <compute_zone> --enable-ip-alias

References

https://cloud.google.com/kubernetes-engine/docs/concepts/alias-ips
https://cloud.google.com/kubernetes-engine/docs/how-to/alias-ips

Ensure use of Virtual Private Cloud (VPC) native clusters (Automated)​

Description​

Remediation​

References​

Ensure use of Virtual Private Cloud (VPC) native clusters (Automated)

Description

Remediation

References