Remediation
Configure GKE Node Pools with a Least-Privilege Service Account
From gcloud CLI
- Create a minimally privileged service account:
  gcloud iam service-accounts create {{node-sa-name}} \
    --display-name "GKE Node Service Account"
- Capture the service account email:
  export NODE_SA_EMAIL=$(gcloud iam service-accounts list \
    --format='value(email)' \
    --filter='displayName:GKE Node Service Account')
- Capture the project ID:
  export PROJECT_ID=$(gcloud config get-value project)
- Grant the required roles to the service account:
  gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member serviceAccount:$NODE_SA_EMAIL \
    --role roles/monitoring.metricWriter
  gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member serviceAccount:$NODE_SA_EMAIL \
    --role roles/monitoring.viewer
  gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member serviceAccount:$NODE_SA_EMAIL \
    --role roles/logging.logWriter
- Create a new node pool using the service account:
  gcloud container node-pools create {{node-pool}} \
    --service-account=$NODE_SA_EMAIL \
    --cluster={{cluster-name}} \
    --zone {{compute-zone}}
Note: After creating the new node pool, workloads should be migrated to it. The old node pools configured with the default service account should then be deleted to complete the remediation.
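The steps above create the dedicated service account and a new node pool; what they do not give you is a way to confirm, before and after the migration, which pools are still running on the Compute Engine default service account. The script below is an added example written for this page, not part of the original remediation text or of any Google tooling. It reads the output of `gcloud container node-pools list --format='value(name,config.serviceAccount)'` (tab-separated name and service account, with `default` reported for the Compute Engine default account), flags every pool that still uses the default account, and returns non-zero while any such pool remains. The cluster and zone arguments of `audit_cluster` are placeholders exactly as in the steps above, and the sample pool listing is constructed so the script runs offline without gcloud.

```shell
#!/bin/sh
# Added example: audit GKE node pools for use of the default service account.
# Not part of the original remediation text; gcloud field names are real,
# the sample listing below is constructed.

# Returns 0 when the service-account value is the Compute Engine default,
# 1 otherwise. gcloud reports the default either as the literal "default"
# or as the PROJECT_NUMBER-compute@developer.gserviceaccount.com address.
# An empty value is treated as default, since nodes then fall back to it.
is_default_node_sa() {
  case "$1" in
    ""|default) return 0 ;;
    *-compute@developer.gserviceaccount.com) return 0 ;;
    *) return 1 ;;
  esac
}

# Reads "POOL<TAB>SERVICE_ACCOUNT" lines on stdin, the shape produced by
#   gcloud container node-pools list --format='value(name,config.serviceAccount)'
# Prints FAIL for pools on the default account and PASS otherwise.
# Returns 1 if any pool still needs remediation, 0 when all pools pass.
report_node_pools() {
  rc=0
  while read -r pool sa; do
    [ -n "$pool" ] || continue
    if is_default_node_sa "$sa"; then
      printf 'FAIL %s uses the default service account (%s)\n' "$pool" "${sa:-default}"
      rc=1
    else
      printf 'PASS %s uses %s\n' "$pool" "$sa"
    fi
  done
  return $rc
}

# Live check against a cluster. Requires gcloud on PATH; cluster name and
# zone are placeholders, as in the remediation steps. Not invoked below.
audit_cluster() {
  gcloud container node-pools list --cluster="$1" --zone="$2" \
    --format='value(name,config.serviceAccount)' | report_node_pools
}

# Constructed sample listing standing in for the gcloud call: the original
# default-pool plus a pool created with the dedicated node service account.
SAMPLE_POOLS=$(printf 'default-pool\tdefault\nsecure-pool\tgke-node-sa@example-project.iam.gserviceaccount.com\n')

# Offline demonstration; exit status is kept at 0 so the script can be sourced.
printf '%s\n' "$SAMPLE_POOLS" | report_node_pools || echo "remediation still required: migrate workloads and delete the failing pools"
```

Run `audit_cluster {{cluster-name}} {{compute-zone}}` once before and once after the migration: the first run should list the old pool as FAIL and the new pool as PASS, and the second run should return 0 only once the old pool has been deleted.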