lacework-global-798
Consider firewalling Google Kubernetes Engine (GKE) worker nodes (Manual)
Description
Reduce the network attack surface of GKE worker nodes by using VPC firewall rules to restrict ingress and egress traffic to what the cluster actually needs.
Remediation
Using Google Cloud Console:
- Go to Firewall Rules by visiting: https://console.cloud.google.com/networking/firewalls/list.
- Click Create Firewall Rule.
- Configure the firewall rule as required. Ensure the firewall targets the nodes correctly, either selecting the nodes using tags (under Targets, select Specified target tags and set Target tags to <tag>), or using the Service account associated with the nodes (under Targets, select Specified service account, set Service account scope as appropriate, and set Target service account to <service_account>).
- Click Create.
Using Command Line:
Use the following command to generate firewall rules, setting the variables as appropriate (a rule targets nodes either by tag or by service account, so use --target-tags or --target-service-accounts, not both):
gcloud compute firewall-rules create <firewall_rule_name> --network <network> --priority <priority> --direction <direction> --action <action> --target-tags <tag> --target-service-accounts <service_account> --source-ranges <source_cidr_range> --source-tags <source_tags> --source-service-accounts <source_service_account> --destination-ranges <destination_cidr_range> --rules <rules>
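The following script is an added example, not part of this policy or of Google's documentation. It composes the gcloud commands for a minimal "deny by default, allow what GKE needs" ingress baseline on the worker nodes: a low-precedence catch-all DENY that overrides the default network's allow-ssh/allow-rdp/allow-icmp rules (priority 65534), plus explicit ALLOW rules for the control plane and for Google's health checkers. GKE's own auto-created rules (control plane to kubelet, intra-cluster traffic) sit at priority 1000 and are unaffected. The network name, node tag, service account and control plane CIDR are constructed placeholders; the script prints the commands unless DRY_RUN=0 is set, and it refuses to emit a rule that selects nodes by tag and by service account at the same time, which gcloud rejects.

```shell
#!/usr/bin/env bash
# Added example (not the policy's own text): build a default-deny ingress
# baseline for GKE worker nodes. All values below are constructed placeholders.
set -eu

NETWORK="${NETWORK:-example-vpc}"                  # assumption: VPC name
NODE_TAG="${NODE_TAG:-gke-example-cluster-node}"   # assumption: node network tag
NODE_SA="${NODE_SA:-}"                             # alternative: node service account
CONTROL_PLANE_CIDR="${CONTROL_PLANE_CIDR:-<control_plane_cidr>}"  # placeholder
DRY_RUN="${DRY_RUN:-1}"                            # 1 = print commands, 0 = run them

# Emit the node selector. gcloud rejects --target-tags combined with
# --target-service-accounts, so exactly one of NODE_TAG / NODE_SA is accepted.
target_flags() {
  if [ -n "$NODE_TAG" ] && [ -n "$NODE_SA" ]; then
    echo "error: set NODE_TAG or NODE_SA, not both" >&2
    return 1
  elif [ -n "$NODE_SA" ]; then
    printf '%s %s\n' --target-service-accounts "$NODE_SA"
  elif [ -n "$NODE_TAG" ]; then
    printf '%s %s\n' --target-tags "$NODE_TAG"
  else
    echo "error: set NODE_TAG or NODE_SA" >&2
    return 1
  fi
}

# build_rule NAME PRIORITY ACTION RULES SOURCE_RANGES
# Prints one complete gcloud command for an INGRESS rule on the nodes.
build_rule() {
  name=$1; priority=$2; action=$3; rules=$4; sources=$5
  target=$(target_flags) || return 1
  # shellcheck disable=SC2086  # $target is intentionally two words
  echo gcloud compute firewall-rules create "$name" \
    --network "$NETWORK" --direction INGRESS --priority "$priority" \
    --action "$action" --rules "$rules" --source-ranges "$sources" $target
}

# Print the command (DRY_RUN=1) or execute it (DRY_RUN=0).
run_rule() {
  cmd=$(build_rule "$@") || return 1
  if [ "$DRY_RUN" = 1 ]; then
    echo "$cmd"
  else
    # shellcheck disable=SC2086  # word-split the composed command, no eval
    $cmd
  fi
}

apply_baseline() {
  # 1. Catch-all at priority 65000: blocks everything not explicitly allowed,
  #    including the default network's allow-ssh/rdp/icmp rules at 65534.
  run_rule gke-nodes-deny-all-ingress 65000 DENY all 0.0.0.0/0
  # 2. Control plane to kubelet (10250) and to admission webhooks (443).
  run_rule gke-nodes-allow-control-plane 1100 ALLOW tcp:10250,tcp:443 "$CONTROL_PLANE_CIDR"
  # 3. Google health checker ranges, needed for load-balanced Services.
  run_rule gke-nodes-allow-health-checks 1100 ALLOW tcp 35.191.0.0/16,130.211.0.0/22
}

apply_baseline
```

Review the printed commands, then rerun with DRY_RUN=0 to create the rules. Egress can be restricted the same way with --direction EGRESS and --destination-ranges, starting from the same deny-all plus explicit allows for the control plane, Google APIs and any image registries the nodes pull from.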
References
https://cloud.google.com/kubernetes-engine/docs/concepts/cluster-architecture
https://cloud.google.com/vpc/docs/using-firewalls