
lacework-global-798

Consider firewalling Google Kubernetes Engine (GKE) worker nodes (Manual)

Description

Reduce the network attack surface of GKE worker nodes by applying VPC firewall rules that restrict the ingress and egress traffic permitted to and from the node VMs, so that only the sources, destinations, protocols and ports the cluster actually needs are reachable.

Remediation

Using Google Cloud Console:

  1. Go to Firewall Rules by visiting: https://console.cloud.google.com/networking/firewalls/list.
  2. Click Create Firewall Rule.
  3. Configure the firewall rule as required. Ensure the rule targets the nodes correctly, either by network tag (under Targets, select Specified target tags, and set Target tags to <tag>) or by the service account attached to the nodes (under Targets, select Specified service account, set Service account scope as appropriate, and Target service account to <service_account>). A single rule targets by tag or by service account, not both. Rules with no target apply to every instance in the network, so prefer an explicit target so the rule does not reach unrelated VMs.
  4. Click Create.

Using Command Line:

Use the following command to generate firewall rules, setting the variables as appropriate. The template below lists every targeting and matching flag; a real rule uses a subset: either --target-tags or --target-service-accounts (not both), either --source-ranges/--source-tags/--source-service-accounts for an INGRESS rule or --destination-ranges for an EGRESS rule, and --rules (protocol and ports) is required whenever --action is given. Drop the flags that do not apply.

gcloud compute firewall-rules create <firewall_rule_name> --network <network> --priority <priority> --direction <direction> --action <action> --target-tags <tag> --target-service-accounts <service_account> --source-ranges <source_cidr_range> --source-tags <source_tags> --source-service-accounts <source_service_account> --destination-ranges <destination_cidr_range> --rules <rules>
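The following is an added example, not code from the Lacework policy or from Google: it builds the gcloud commands from the template above for an assumed cluster (network prod-vpc, node tag gke-prod-nodes, node service account gke-nodes@example-project.iam.gserviceaccount.com, bastion CIDR 10.10.0.0/24, all assumptions), enforces the tag-or-service-account rule the command line imposes, and audits the JSON that `gcloud compute firewall-rules list --format=json` prints for rules that expose the nodes to 0.0.0.0/0. The sample rule list is constructed inline so the script runs offline; the audit function is the part you would point at real output.

```python
"""Added example (not Lacework's or Google's code): compose GKE node firewall
rules and audit existing rules that reach the nodes. Names and CIDRs are assumed."""
import json
import shlex
import subprocess

# Assumed values for the example; substitute your own.
NETWORK = "prod-vpc"
NODE_TAG = "gke-prod-nodes"  # custom tag applied to the node pool (assumed)
NODE_SA = "gke-nodes@example-project.iam.gserviceaccount.com"  # assumed
HEALTH_CHECK_RANGES = ["35.191.0.0/16", "130.211.0.0/22"]  # Google LB health-check sources


def firewall_rule_cmd(name, direction, action, rules, priority=1000,
                      target_tags=None, target_sa=None,
                      source_ranges=None, destination_ranges=None):
    """Return the gcloud argv for one VPC firewall rule.

    One rule targets nodes by tag OR by service account, never both (gcloud
    rejects the combination), and ingress rules match on sources while
    egress rules match on destinations. Refuse bad combinations up front."""
    if (target_tags is None) == (target_sa is None):
        raise ValueError("specify exactly one of target_tags or target_sa")
    if direction == "INGRESS" and destination_ranges:
        raise ValueError("ingress rules are matched on --source-ranges")
    if direction == "EGRESS" and source_ranges:
        raise ValueError("egress rules are matched on --destination-ranges")
    cmd = ["gcloud", "compute", "firewall-rules", "create", name,
           "--network", NETWORK, "--priority", str(priority),
           "--direction", direction, "--action", action,
           "--rules", ",".join(rules)]
    if target_tags:
        cmd += ["--target-tags", ",".join(target_tags)]
    else:
        cmd += ["--target-service-accounts", target_sa]
    if source_ranges:
        cmd += ["--source-ranges", ",".join(source_ranges)]
    if destination_ranges:
        cmd += ["--destination-ranges", ",".join(destination_ranges)]
    return cmd


def node_firewall_plan(bastion_cidr="10.10.0.0/24"):
    """Explicit allows, then a catch-all deny for the node tag.

    The deny sits at priority 65000, below the rules GKE itself creates for
    the cluster at priority 1000, so node-to-node and control-plane traffic
    those rules permit keeps working; the allows sit above them at 900."""
    return [
        firewall_rule_cmd("gke-nodes-allow-bastion-ssh", "INGRESS", "ALLOW", ["tcp:22"],
                          priority=900, target_tags=[NODE_TAG], source_ranges=[bastion_cidr]),
        firewall_rule_cmd("gke-nodes-allow-lb-healthcheck", "INGRESS", "ALLOW",
                          ["tcp:30000-32767"], priority=900, target_tags=[NODE_TAG],
                          source_ranges=HEALTH_CHECK_RANGES),
        firewall_rule_cmd("gke-nodes-deny-ingress", "INGRESS", "DENY", ["all"],
                          priority=65000, target_tags=[NODE_TAG], source_ranges=["0.0.0.0/0"]),
    ]


def audit_rules(rules_json, network=NETWORK, node_tag=NODE_TAG, node_sa=NODE_SA):
    """Return (name, reason, ports) for enabled INGRESS allow rules in the
    network that reach the nodes from the whole Internet. Input is the JSON
    printed by `gcloud compute firewall-rules list --format=json`."""
    findings = []
    for r in json.loads(rules_json):
        if r.get("disabled") or r.get("direction") != "INGRESS" or "allowed" not in r:
            continue
        if not r.get("network", "").endswith("/" + network):
            continue
        targets = set(r.get("targetTags", [])) | set(r.get("targetServiceAccounts", []))
        applies = not targets or node_tag in targets or node_sa in targets  # no target = all VMs
        wide_open = any(s in ("0.0.0.0/0", "::/0") for s in r.get("sourceRanges", []))
        if applies and wide_open:
            ports = [a["IPProtocol"] + ":" + ",".join(a.get("ports", ["all"])) for a in r["allowed"]]
            findings.append((r["name"], "all instances in network" if not targets else "node target", ports))
    return findings


# Constructed sample of `gcloud compute firewall-rules list --format=json` output.
NET_URL = "https://www.googleapis.com/compute/v1/projects/example-project/global/networks/" + NETWORK
SAMPLE_RULES_JSON = json.dumps([
    {"name": "default-allow-ssh", "network": NET_URL, "direction": "INGRESS", "priority": 65534,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "gke-nodes-allow-https-public", "network": NET_URL, "direction": "INGRESS",
     "priority": 1000, "targetTags": [NODE_TAG], "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "gke-prod-vms", "network": NET_URL, "direction": "INGRESS", "priority": 1000,
     "targetTags": [NODE_TAG], "sourceRanges": ["10.128.0.0/9"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "bastion-ssh", "network": NET_URL, "direction": "INGRESS", "priority": 900,
     "targetServiceAccounts": [NODE_SA], "sourceRanges": ["10.10.0.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
])


def run(cmd, dry_run=True):
    """Print the command; execute it only when dry_run is False."""
    print(shlex.join(cmd))
    if not dry_run:
        subprocess.run(cmd, check=True)


if __name__ == "__main__":
    for cmd in node_firewall_plan():
        run(cmd)  # dry run: prints the three gcloud commands
    for name, reason, ports in audit_rules(SAMPLE_RULES_JSON):
        print(f"FINDING {name}: open to 0.0.0.0/0 ({reason}) on {ports}")
```

Replace SAMPLE_RULES_JSON with the real `gcloud compute firewall-rules list --format=json` output to audit a project, and pass `dry_run=False` to `run` once the printed commands look right. The health-check allow covers the NodePort range on the assumption that your load balancers probe nodes there; confirm the ports your LB type uses before relying on the catch-all deny.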

References

https://cloud.google.com/kubernetes-engine/docs/concepts/cluster-architecture
https://cloud.google.com/vpc/docs/using-firewalls