
๐Ÿ›ก๏ธ Google GKE Cluster Node Pool uses default Service account๐ŸŸข

  • Contextual name: 🛡️ Cluster Node Pool uses default Service account 🟢
  • ID: /ce/ca/google/gke/node-pool-service-account
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic

Description

This policy identifies Google GKE Cluster Node Pools that are configured to use the default Compute Engine service account instead of dedicated, least-privilege IAM service accounts.

Rationale

By default, GKE nodes run as the Compute Engine default service account. That account is typically granted the project-wide Editor role, so its permissions far exceed what a GKE node needs.

To follow the principle of least privilege, create a dedicated service account and run the cluster's node pools as that account. In addition, create separate service accounts for individual Kubernetes workloads as needed (on GKE, Workload Identity lets a pod use its own IAM identity instead of the node's credentials).

At a minimum, the node service account requires the following roles:

  • monitoring.viewer
  • monitoring.metricWriter
  • logging.logWriter

Additional roles may be required for specific use cases, such as pulling images from Google Container Registry (GCR) or Artifact Registry. Grant them to the node service account deliberately rather than falling back to a basic role such as Editor.

Impact

Instances using the default service account are typically granted the https://www.googleapis.com/auth/cloud-platform OAuth scope, which exposes every Google Cloud API to the node. The access the node actually has is then determined entirely by the IAM roles bound to the service account. Because any pod on the node can obtain that account's access token from the metadata server unless Workload Identity or metadata concealment is in place, a single compromised container inherits the default account's broad project permissions.
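The check this policy describes, as an added example that is not the policy's own evaluation logic: it reads the JSON document that `gcloud container clusters describe CLUSTER --zone ZONE --format=json` prints and flags every node pool whose `nodePools[].config.serviceAccount` is the default Compute Engine account, either spelled out as `<PROJECT_NUMBER>-compute@developer.gserviceaccount.com` or reported as the literal `default`. It also records whether the pool carries the cloud-platform scope, since that is when the account's IAM roles are the only limit on the node. The cluster document, project number and account names below are constructed for offline use.

```python
"""Flag GKE node pools that run on the Compute Engine default service account.

Added example, not the policy's own evaluation logic. Input is the JSON from
`gcloud container clusters describe CLUSTER --zone ZONE --format=json`;
the cluster document below is constructed so the script runs offline.
"""
import json
import re

# The Compute Engine default service account always has this form. GKE also
# reports it as the literal string "default" in nodePools[].config.serviceAccount.
DEFAULT_COMPUTE_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"


def uses_default_sa(service_account):
    """True when a node pool is on the default SA, explicitly or by omission."""
    if not service_account or service_account == "default":
        return True
    return DEFAULT_COMPUTE_SA.match(service_account) is not None


def audit_cluster(cluster):
    """Return one finding per non-compliant node pool in a describe() document."""
    findings = []
    for pool in cluster.get("nodePools", []):
        config = pool.get("config", {})
        sa = config.get("serviceAccount")
        if not uses_default_sa(sa):
            continue
        findings.append({
            "cluster": cluster["name"],
            "nodePool": pool["name"],
            "serviceAccount": sa or "default",
            # With the cloud-platform scope every API is reachable, so the
            # IAM roles bound to the default SA are the only limit on the node.
            "cloudPlatformScope": CLOUD_PLATFORM_SCOPE in config.get("oauthScopes", []),
        })
    return findings


# Constructed sample: one pool on the implicit default SA, one on the default
# SA spelled out, one on a dedicated node SA. Project number and emails are made up.
SAMPLE_CLUSTER = json.loads("""
{
  "name": "prod-gke",
  "nodePools": [
    {"name": "default-pool",
     "config": {"serviceAccount": "default",
                "oauthScopes": ["https://www.googleapis.com/auth/cloud-platform"]}},
    {"name": "legacy-batch",
     "config": {"serviceAccount": "123456789012-compute@developer.gserviceaccount.com",
                "oauthScopes": ["https://www.googleapis.com/auth/devstorage.read_only",
                                "https://www.googleapis.com/auth/logging.write",
                                "https://www.googleapis.com/auth/monitoring"]}},
    {"name": "workers",
     "config": {"serviceAccount": "gke-node-sa@example-project.iam.gserviceaccount.com",
                "oauthScopes": ["https://www.googleapis.com/auth/cloud-platform"]}}
  ]
}
""")

if __name__ == "__main__":
    for f in audit_cluster(SAMPLE_CLUSTER):
        print(f"{f['cluster']}/{f['nodePool']}: default SA ({f['serviceAccount']}), "
              f"cloud-platform scope={f['cloudPlatformScope']}")
```

Against the constructed cluster the script reports `default-pool` and `legacy-batch` and leaves `workers` alone; the `workers` pool is the target state, a dedicated account with the broad scope but narrow IAM roles. To run it against a real cluster, pipe the `gcloud ... describe --format=json` output into `json.load` in place of `SAMPLE_CLUSTER`.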


Remediation

Configure GKE Node Pools with a Least-Privilege Service Account

From gcloud CLI
  1. Create a minimally privileged service account

    gcloud iam service-accounts create {{node-sa-name}} \
    --display-name "GKE Node Service Account"
  2. Capture the service account email (the display-name filter assumes the name is unique in the project; substitute the email directly if it is not)

    export NODE_SA_EMAIL=$(gcloud iam service-accounts list \
    --format='value(email)' \
    --filter='displayName:GKE Node Service Account')
  3. Capture the project ID

    export PROJECT_ID=$(gcloud config get-value project)
  4. Grant the required roles to the service account (the three minimum roles listed in the rationale)

    gcloud projects add-iam-policy-binding ${PROJECT_ID} \
    --member serviceAccount:${NODE_SA_EMAIL} \
    --role roles/monitoring.metricWriter

    gcloud projects add-iam-policy-binding ${PROJECT_ID} \
    --member serviceAccount:${NODE_SA_EMAIL} \
    --role roles/monitoring.viewer

    gcloud projects add-iam-policy-binding ${PROJECT_ID} \
    --member serviceAccount:${NODE_SA_EMAIL} \
    --role roles/logging.logWriter

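A verification step for the bindings created above, as an added example that is not part of the original remediation: it reads the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` prints, compares the roles bound to the node service account against the minimum set from the rationale, flags basic roles (Owner, Editor, Viewer) that would defeat the point of a dedicated account, and emits the `gcloud projects add-iam-policy-binding` commands for whatever is still missing. The policy document, project and account names are constructed; `extra_allowed` is a parameter introduced here for roles the cluster legitimately needs beyond the minimum, such as image-pull access.

```python
"""Verify that a GKE node service account holds only the minimum roles.

Added example, not part of the original remediation. Input is the JSON from
`gcloud projects get-iam-policy PROJECT_ID --format=json`; the policy below is
constructed and the project and account names are made up.
"""
import json

# Minimum roles a GKE node SA needs for logging and monitoring (see rationale).
REQUIRED_ROLES = frozenset({
    "roles/monitoring.viewer",
    "roles/monitoring.metricWriter",
    "roles/logging.logWriter",
})
# Basic roles grant broad project access and defeat the purpose of a dedicated SA.
BASIC_ROLES = frozenset({"roles/owner", "roles/editor", "roles/viewer"})


def roles_for_member(policy, member):
    """Set of roles bound to `member`, e.g. 'serviceAccount:x@y.iam.gserviceaccount.com'."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def check_node_sa(policy, sa_email, extra_allowed=frozenset()):
    """Classify the SA's roles as missing, basic (too broad) or unexpected.

    extra_allowed (hypothetical parameter) lists roles justified for this
    cluster, e.g. roles/artifactregistry.reader for image pulls.
    """
    held = roles_for_member(policy, f"serviceAccount:{sa_email}")
    return {
        "missing": sorted(REQUIRED_ROLES - held),
        "basic": sorted(held & BASIC_ROLES),
        "unexpected": sorted(held - REQUIRED_ROLES - BASIC_ROLES - frozenset(extra_allowed)),
    }


def remediation_commands(project_id, sa_email, missing_roles):
    """gcloud commands that add the missing bindings, in the same form as step 4."""
    return [
        f"gcloud projects add-iam-policy-binding {project_id} "
        f"--member serviceAccount:{sa_email} --role {role}"
        for role in missing_roles
    ]


# Constructed policy: the default compute SA still holds Editor; the dedicated
# node SA has two of the three minimum roles plus a justified registry role.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
    {"role": "roles/monitoring.metricWriter",
     "members": ["serviceAccount:gke-node-sa@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/monitoring.viewer",
     "members": ["serviceAccount:gke-node-sa@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/artifactregistry.reader",
     "members": ["serviceAccount:gke-node-sa@example-project.iam.gserviceaccount.com"]}
  ]
}
""")

NODE_SA = "gke-node-sa@example-project.iam.gserviceaccount.com"
DEFAULT_SA = "123456789012-compute@developer.gserviceaccount.com"

if __name__ == "__main__":
    report = check_node_sa(SAMPLE_POLICY, NODE_SA,
                           extra_allowed={"roles/artifactregistry.reader"})
    print("dedicated node SA:", report)
    for cmd in remediation_commands("example-project", NODE_SA, report["missing"]):
        print(cmd)
    print("default compute SA:", check_node_sa(SAMPLE_POLICY, DEFAULT_SA))
```

On the constructed policy the dedicated account is reported as missing only `roles/logging.logWriter`, while the default compute account shows `roles/editor` under `basic`, which is exactly the over-privilege this policy exists to remove. Run it after step 4 and before moving the node pools to the new account.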

policy.yaml

Linked Framework Sections

Section → Sub Section | Counts (Sub Sections / Internal Rules / Policies / Flags, run together in the export) | Compliance
💼 CIS GKE v1.8.0 → 💼 5.2.1 Ensure GKE clusters are not running using the Compute Engine default service account (Automated) | 1 | no data
💼 Cloudaware Framework → 💼 Role-Based Access Control (RBAC) Management | 28 | no data
💼 ISO/IEC 27001:2013 → 💼 A.9.2.3 Management of privileged access rights | 312 | no data
💼 NIST CSF v1.1 → 💼 DE.CM-1: The network is monitored to detect potential cybersecurity events | 1863 | no data
💼 NIST CSF v1.1 → 💼 PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes | 1934 | no data
💼 NIST CSF v1.1 → 💼 PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties | 1756 | no data
💼 NIST CSF v1.1 → 💼 PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation) | 1044 | no data
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented | 4791 | no data
💼 NIST CSF v1.1 → 💼 PR.PT-4: Communications and control networks are protected | 1044 | no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events | 185 | no data
💼 NIST CSF v2.0 → 💼 PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization | 47 | no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties | 138 | no data
💼 NIST CSF v2.0 → 💼 PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk | 44 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected | 188 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected | 160 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected | 190 | no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage | 128 | no data
💼 NIST SP 800-53 Revision 4 → 💼 AC-6 LEAST PRIVILEGE | 1027 | no data
💼 NIST SP 800-53 Revision 4 → 💼 SC-7 BOUNDARY PROTECTION | 23531 | no data
💼 PCI DSS v3.2.1 → 💼 2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. | 111 | no data
💼 PCI DSS v3.2.1 → 💼 7.1.2 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities. | 5 | no data
💼 PCI DSS v3.2.1 → 💼 7.1.3 Assign access based on individual personnel's job classification and function. | 5 | no data
💼 PCI DSS v4.0.1 → 💼 2.2.2 Vendor default accounts are managed. | 11 | no data
💼 PCI DSS v4.0.1 → 💼 7.2.2 Access is assigned to users, including privileged users, based on job classification, function, and least privileges. | 5 | no data
💼 PCI DSS v4.0 → 💼 2.2.2 Vendor default accounts are managed. | 11 | no data
💼 PCI DSS v4.0 → 💼 7.2.2 Access is assigned to users, including privileged users, based on job classification, function, and least privileges. | 5 | no data