🛡️ Google GKE Cluster Alias IP is disabled🟢

• Contextual name: 🛡️ Cluster Alias IP is disabled🟢
• ID: /ce/ca/google/gke/cluster-ip-alias
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: RELIABILITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 Google GKE Cluster
  • 🔌 Google GKE Cluster - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

This policy identifies Google GKE Clusters where Alias IP ranges are disabled. Enabling Alias IPs makes the cluster VPC-native, meaning Pod IP addresses are allocated from a CIDR range within the VPC network and are natively routable.

Rationale

Enabling Alias IPs provides several key benefits:

• Pod IPs are reserved within the VPC network in advance, avoiding conflicts with other compute resources.
• The networking layer can perform anti-spoofing checks to ensure that egress traffic is not sent with arbitrary source IPs.
• Firewall rules for Pods can be managed independently of their nodes.
• Alias IPs allow Pods to access hosted services directly without requiring a NAT gateway.

Impact

Existing clusters that use routes for Pod networking cannot be migrated to use Alias IPs.

Cluster IPs for internal services remain accessible only within the cluster. To access a Kubernetes Service from the VPC but outside the cluster, an internal load balancer must be used.

Audit

This policy flags a Google GKE Cluster as INCOMPLIANT if Use IP Aliases is not set to Enabled.

... see more

Remediation

Open File

Remediation

Alias IPs cannot be enabled on an existing cluster. To use Alias IPs, you must create a new cluster with the feature enabled.

Create a New Cluster with Alias IPs Enabled

From gcloud CLI

1. Run the following command to create a new GKE cluster with the --enable-ip-alias flag

   gcloud container clusters create {{new-cluster-name}} \
       --location {{location}} \
       --enable-ip-alias

   Adjust other flags (e.g., region, node pool size, network settings) to match your workload requirements.

2. Migrate workloads to the new cluster

   Reconfigure your deployments and services to target the newly created cluster. Update your kubeconfig to point to the new cluster.

3. Validate workloads and configurations

   • Ensure applications are running as expected in the new cluster.
   • Confirm monitoring, logging, and networking rules are correctly applied.
   • Perform backups of workloads and configurations before decommissioning the old cluster.

4. Delete the old cluster

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS GKE v1.8.0 → 💼 5.6.2 Ensure use of VPC-native clusters (Automated)			1		no data
💼 Cloudaware Framework → 💼 System Configuration			45		no data
💼 PCI DSS v3.2.1 → 💼 1.3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.			7		no data
💼 PCI DSS v3.2.1 → 💼 1.3.7 Do not disclose private IP addresses and routing information to unauthorized parties.			1		no data
💼 PCI DSS v4.0.1 → 💼 1.4.5 The disclosure of internal IP addresses and routing information is limited to only authorized parties.			1		no data
💼 PCI DSS v4.0 → 💼 1.4.5 The disclosure of internal IP addresses and routing information is limited to only authorized parties.			1		no data