Use Dedicated GCP Service Accounts And Workload Identity For Clusters

More Info:

Kubernetes workloads should not use cluster node service accounts to authenticate to Google Cloud APIs. Each Kubernetes Workload that needs to authenticate to other Google services using Cloud IAM should be provisioned a dedicated Service account. Enabling Workload Identity manages the distribution and rotation of Service account keys for the workloads to use.

Risk Level

Medium

Address

Security, Operational Excellence, Best Practice

Compliance Standards

CISGKE

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration of using Dedicated GCP Service Accounts and Workload Identity for Clusters in GCP, follow these steps:

Open the GCP Console and navigate to the Kubernetes Engine.
Select the cluster for which you want to remediate the misconfiguration.
Click on the “Edit” button at the top of the page.
Under the “Security” section, select “Workload Identity.”
Select the checkbox “Enable Workload Identity.”
In the “Service Account” field, enter the name of the dedicated service account that you want to use for the cluster.
Click on the “Save” button to apply the changes.
Once the changes are applied, verify that the dedicated service account is being used for the cluster by running the following command in the Cloud Shell:

kubectl get pods --namespace kube-system -o=jsonpath='{.items[*].spec.serviceAccountName}'

This command will return the name of the service account being used by the pods in the kube-system namespace. Verify that it matches the dedicated service account that you specified in step 6.By following these steps, you have successfully remediated the misconfiguration of using Dedicated GCP Service Accounts and Workload Identity for Clusters in GCP.

Using CLI

To remediate the misconfiguration “Use Dedicated GCP Service Accounts And Workload Identity For Clusters” for GCP using GCP CLI, you can follow the below steps:

Create a dedicated service account for your cluster:

gcloud iam service-accounts create [SA-NAME] --display-name [SA-DISPLAY-NAME]

Replace [SA-NAME] with the name of the service account you want to create and [SA-DISPLAY-NAME] with the display name of the service account.

Grant the necessary permissions to the service account:

gcloud projects add-iam-policy-binding [PROJECT-ID] --member=serviceAccount:[SA-NAME]@[PROJECT-ID].iam.gserviceaccount.com --role=[ROLE]

Replace [PROJECT-ID] with the ID of the project where the cluster is located, [SA-NAME] with the name of the service account you created in step 1, and [ROLE] with the necessary role to access the resources required by the cluster.

Enable workload identity for your cluster:

gcloud container clusters update [CLUSTER-NAME] --workload-pool=[PROJECT-ID].svc.id.goog

Replace [CLUSTER-NAME] with the name of the cluster and [PROJECT-ID] with the ID of the project where the cluster is located.

Associate the service account with the cluster:

gcloud iam service-accounts add-iam-policy-binding [SA-NAME]@[PROJECT-ID].iam.gserviceaccount.com --member="serviceAccount:[PROJECT-ID].svc.id.goog[NAMESPACE]/[SA-NAME]" --role="roles/iam.workloadIdentityUser"

Replace [SA-NAME] with the name of the service account you created in step 1, [PROJECT-ID] with the ID of the project where the cluster is located, and [NAMESPACE] with the namespace of the cluster.By following these steps, you will have remediated the misconfiguration “Use Dedicated GCP Service Accounts And Workload Identity For Clusters” for GCP using GCP CLI.

Using Python

To remediate the misconfiguration “Use Dedicated GCP Service Accounts And Workload Identity For Clusters” in GCP using Python, follow the below steps:

Create a dedicated GCP service account for the cluster. You can use the below Python code to create a service account:

from google.oauth2 import service_account

credentials = service_account.Credentials.from_service_account_file(
    '/path/to/service_account_key.json')

Assign the required IAM roles to the service account based on the cluster’s requirements. You can use the below Python code to grant IAM roles to the service account:

from google.cloud import iam

client = iam.IAMClient(credentials=credentials)

policy = client.get_policy(request={"resource": "projects/{project_id}"})

bindings = policy.bindings

for binding in bindings:
    if binding.role == "roles/editor":
        binding.members.append("serviceAccount:{service_account_email}")
        break

policy.bindings = bindings

client.set_iam_policy(request={"resource": "projects/{project_id}", "policy": policy})

Enable Workload Identity for the cluster. You can use the below Python code to enable Workload Identity:

from google.cloud import container_v1

client = container_v1.ClusterManagerClient(credentials=credentials)

cluster = client.get_cluster(request={"name": "projects/{project_id}/locations/{location}/clusters/{cluster_name}"})

cluster.workload_identity_config = {
    "workload_pool": "projects/{project_id}/locations/{location}/workloadPools/{pool_name}"
}

update_mask = {"paths": ["workload_identity_config"]}

client.update_cluster(request={"update_mask": update_mask, "cluster": cluster})

Associate the service account with the cluster. You can use the below Python code to associate the service account with the cluster:

from google.cloud import container_v1

client = container_v1.ClusterManagerClient(credentials=credentials)

cluster = client.get_cluster(request={"name": "projects/{project_id}/locations/{location}/clusters/{cluster_name}"})

cluster.master_auth.workload_identity_config = {
    "identity_namespace": "projects/{project_id}.svc.id.goog",
    "identity_provider": "google"
}

update_mask = {"paths": ["master_auth.workload_identity_config"]}

client.update_cluster(request={"update_mask": update_mask, "cluster": cluster})

By following these steps, you can remediate the misconfiguration “Use Dedicated GCP Service Accounts And Workload Identity For Clusters” in GCP using Python.

Additional Reading:

https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Use Dedicated GCP Service Accounts And Workload Identity For Clusters

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: