Google Compute Network should not use default firewall rule

ID

gcp_compute_network_using_default_firewall_rule

Severity

low

Vendor

GCP

Resource

AIM

Tags

reachable

Description

The ip_allocation_policy.use_ip_aliases setting should be enabled on google.cloud.gcp_container_cluster resources so that the cluster is created as a VPC-native cluster. A VPC-native cluster assigns Pod IP addresses from an alias IP range of the cluster's subnetwork, which means Pod addresses are routable inside the VPC without per-node custom static routes (routes-based clusters consume route quota and scale worse), and VPC firewall rules and flow logs can be applied to Pod traffic directly. VPC-native networking is also a prerequisite for features such as private clusters and Shared VPC.

To fix it, set ip_allocation_policy.use_ip_aliases to true. With create_subnetwork set to no, the cluster is placed in an existing subnetwork, so the Pod and Service ranges must be supplied either as existing secondary ranges on that subnet (cluster_secondary_range_name, services_secondary_range_name) or as CIDR blocks for GKE to create (cluster_ipv4_cidr_block, services_ipv4_cidr_block).

Learn more about this topic at Create a VPC-native cluster: https://cloud.google.com/kubernetes-engine/docs/how-to/alias-ips
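The check above can be applied to playbooks before they run. The following is an added example written for this page, not the policy engine's own implementation: it walks the tasks of a play (including block/rescue/always sections), finds google.cloud.gcp_container_cluster tasks under either the fully qualified or the short module name, and reports any whose ip_allocation_policy.use_ip_aliases is missing or not truthy. The helper names (find_noncompliant, check_cluster_task, is_truthy, load_plays) and the SAMPLE_TASKS data are this example's own; the module and parameter names are those of the google.cloud collection. A missing ip_allocation_policy is treated conservatively as a finding, since the resulting network mode is then left to the API default rather than pinned in the playbook.

```python
"""Flag Ansible gcp_container_cluster tasks that do not enable IP aliases.

Added example for this page (not the rule's own code). Module and parameter
names are those of the google.cloud collection; helper names are this
example's own. PyYAML is only needed by load_plays(), imported lazily.
"""
from __future__ import annotations

from typing import Any, Iterable

# Both the fully qualified and the legacy short module name resolve to the
# same module, so a checker must recognise both spellings.
CLUSTER_MODULES = ("google.cloud.gcp_container_cluster", "gcp_container_cluster")

# Ansible bool parameters accept YAML 1.1 booleans; a loader may hand us a
# real bool or, when the author quoted the value, one of these strings.
TRUE_STRINGS = {"true", "yes", "on", "1"}


def is_truthy(value: Any) -> bool:
    """Interpret a parameter value the way Ansible's bool type would."""
    if isinstance(value, bool):
        return value
    if isinstance(value, (int, float)):
        return value == 1
    if isinstance(value, str):
        return value.strip().lower() in TRUE_STRINGS
    return False


def iter_tasks(tasks: Iterable[Any]) -> Iterable[dict]:
    """Yield leaf tasks, descending into block/rescue/always sections."""
    for task in tasks:
        if not isinstance(task, dict):
            continue
        nested = False
        for section in ("block", "rescue", "always"):
            if isinstance(task.get(section), list):
                nested = True
                yield from iter_tasks(task[section])
        if not nested:
            yield task


def check_cluster_task(task: dict) -> str | None:
    """Return a reason string if the task creates a non-VPC-native cluster.

    Tasks that only delete a cluster (state: absent) are skipped, since no
    cluster is being created with the weak setting.
    """
    module = next((m for m in CLUSTER_MODULES if m in task), None)
    if module is None:
        return None
    params = task[module]
    if not isinstance(params, dict):
        return None
    if params.get("state", "present") == "absent":
        return None
    policy = params.get("ip_allocation_policy")
    if not isinstance(policy, dict) or "use_ip_aliases" not in policy:
        # Network mode left to the API default: conservatively a finding.
        return "ip_allocation_policy.use_ip_aliases is not set"
    if not is_truthy(policy["use_ip_aliases"]):
        return f"ip_allocation_policy.use_ip_aliases is {policy['use_ip_aliases']!r}"
    return None


def find_noncompliant(tasks: list) -> list[tuple[str, str]]:
    """Return (task name, reason) pairs for every failing task in a task list."""
    findings = []
    for task in iter_tasks(tasks):
        reason = check_cluster_task(task)
        if reason is not None:
            findings.append((task.get("name", "<unnamed>"), reason))
    return findings


def load_plays(path: str) -> list:
    """Load a playbook with PyYAML (external dependency, imported lazily)."""
    import yaml  # PyYAML; YAML 1.1 'yes'/'no' become True/False

    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh) or []


# Constructed sample: the page's two tasks as PyYAML would load them
# (unquoted no/yes become booleans), plus a quoted "yes" and an unrelated task.
SAMPLE_TASKS = [
    {"name": "create a cluster",
     "google.cloud.gcp_container_cluster": {
         "name": "cluster", "state": "present",
         "ip_allocation_policy": {"create_subnetwork": False, "use_ip_aliases": False}}},
    {"name": "create a vpc-native cluster",
     "gcp_container_cluster": {
         "name": "cluster", "state": "present",
         "ip_allocation_policy": {"create_subnetwork": False, "use_ip_aliases": "yes"}}},
    {"name": "unrelated task", "debug": {"msg": "hello"}},
]

if __name__ == "__main__":
    for name, reason in find_noncompliant(SAMPLE_TASKS):
        print(f"FAIL {name}: {reason}")
```

For a real playbook, call find_noncompliant on the tasks of each play returned by load_plays (each play's "tasks", "pre_tasks" and "post_tasks" lists); the script above runs against the embedded sample and reports only the first task, because the second enables IP aliases with a quoted "yes" and the third is not a cluster task.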

Examples

---
- name: create a cluster
  google.cloud.gcp_container_cluster:
    name: cluster
    initial_node_count: 1
    # Unrelated to this check: basic auth via master_auth username/password
    # is deprecated on GKE and should not be used in real playbooks.
    master_auth:
      username: cluster_root
      password: secret-password
    node_config:
      machine_type: n1-standard-4
      disk_size_gb: 500
    location: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: /tmp/auth.pem
    state: present
    ip_allocation_policy:
      create_subnetwork: no
      # Routes-based cluster: Pod IPs are not alias IPs of the subnetwork,
      # so this task is flagged by the rule.
      use_ip_aliases: no

Mitigation / Fix

---
- name: create a cluster
  google.cloud.gcp_container_cluster:
    name: cluster
    initial_node_count: 1
    # Unrelated to this check: basic auth via master_auth username/password
    # is deprecated on GKE and should not be used in real playbooks.
    master_auth:
      username: cluster_root
      password: secret-password
    node_config:
      machine_type: n1-standard-4
      disk_size_gb: 500
    location: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: /tmp/auth.pem
    state: present
    ip_allocation_policy:
      # The cluster uses an existing subnetwork; its Pod and Service ranges
      # must come from that subnet's secondary ranges or from explicit
      # cluster_ipv4_cidr_block / services_ipv4_cidr_block values.
      create_subnetwork: no
      # VPC-native cluster: Pod IPs are alias IPs routable within the VPC.
      use_ip_aliases: yes