Skip to main content

πŸ›‘οΈ Google GKE Cluster Node Pool uses default Service account🟒

  • Contextual name: πŸ›‘οΈ Cluster Node Pool uses default Service account🟒
  • ID: /ce/ca/google/gke/node-pool-service-account
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic​

Description​

Open File

Description​

This policy identifies Google GKE Cluster Node Pools that are configured to use the default Compute Engine service account instead of dedicated, least-privilege IAM service accounts.

Rationale​

By default, GKE nodes use the Compute Engine default service account, which has broad permissions that often exceed the requirements of a GKE cluster.

To follow the principle of least privilege, a dedicated service account should be created and used to run the GKE cluster. In addition, separate service accounts should be created for individual Kubernetes workloads as needed.

At a minimum, the node service account requires the following roles:

  • monitoring.viewer
  • monitoring.metricWriter
  • logging.logWriter

Additional roles may be required for specific use cases, such as pulling images from Google Container Registry (GCR).

Impact​

Instances using the default service account are automatically granted the https://www.googleapis.com/auth/cloud-platform, which allows unrestricted access to all Google Cloud APIs.This means that IAM permissions are determined entirely by the roles assigned to the service account.

... see more

Remediation​

Open File

Remediation​

Configure GKE Node Pools with a Least-Privilege Service Account​

From gcloud CLI​

  1. Create a minimally privileged service account

    gcloud iam service-accounts create {{node-sa-name}} \
        --display-name "GKE Node Service Account"

  2. Capture the service account email

    export NODE_SA_EMAIL=$(gcloud iam service-accounts list \
        --format='value(email)' \
        --filter='displayName:GKE Node Service Account')

  3. Capture the project ID

    export PROJECT_ID=$(gcloud config get-value project)

  4. Grant the required roles to the service account

    gcloud projects add-iam-policy-binding $PROJECT_ID \
        --member serviceAccount:$NODE_SA_EMAIL \
        --role roles/monitoring.metricWriter

    gcloud projects add-iam-policy-binding $PROJECT_ID \
        --member serviceAccount:$NODE_SA_EMAIL \
        --role roles/monitoring.viewer

    gcloud projects add-iam-policy-binding $PROJECT_ID \
        --member serviceAccount:$NODE_SA_EMAIL \

... see more

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
πŸ’Ό CIS GKE v1.8.0 β†’ πŸ’Ό 5.2.1 Ensure GKE clusters are not running using the Compute Engine default service account (Automated)1no data
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Secure Access57no data
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.9.2.3 Management of privileged access rights312no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.CM-1: The network is monitored to detect potential cybersecurity events1863no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes1934no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties1756no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)1044no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-5: Protections against data leaks are implemented4791no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.PT-4: Communications and control networks are protected1044no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-01: Networks and network services are monitored to find potentially adverse events145no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization42no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties116no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk44no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected148no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected125no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected142no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.IR-01: Networks and environments are protected from unauthorized logical access and usage95no data
πŸ’Ό NIST SP 800-53 Revision 4 β†’ πŸ’Ό AC-6 LEAST PRIVILEGE1027no data
πŸ’Ό NIST SP 800-53 Revision 4 β†’ πŸ’Ό SC-7 BOUNDARY PROTECTION23531no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.19no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 7.1.2 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.5no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 7.1.3 Assign access based on individual personnel's job classification and function.5no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 2.2.2 Vendor default accounts are managed.9no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 7.2.2 Access is assigned to users, including privileged users, based on job classification, function, and least privileges.5no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 2.2.2 Vendor default accounts are managed.9no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 7.2.2 Access is assigned to users, including privileged users, based on job classification, function, and least privileges.5no data