Kubernetes Engine Clusters must have Network Policy enabled
ID | gcp_network_policy_disabled
Severity | high
Vendor | GCP
Resource | NETWORK
Tags | reachable
Description
Google Cloud network policies let you control communication between Pods and Services in a cluster. They improve the security and isolation of your applications.
To enable network policy enforcement on an existing cluster, you need to run two commands: one to enable the network policy add-on and another to enable network policy enforcement on the cluster.
The network_policy_config under the addons_config parameter should never be disabled, because that turns off the add-on and removes any existing network policies from your cluster. This can expose your applications to unwanted traffic or vulnerabilities.
To fix it, you must configure at least the following parameters:
- network_policy:
  - enabled: true
- addons_config:
  - network_policy_config:
    - disabled: false
Learn more about this topic at Configure network policies for applications.
Examples
---
- name: create a cluster
  google.cloud.gcp_container_cluster:
    name: cluster
    initial_node_count: 2
    master_auth:
      username: cluster_root
      password: secret-password
    node_config:
      machine_type: n1-standard-4
      disk_size_gb: 500
    location: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    network_policy:
      enabled: false
    addons_config:
      network_policy_config:
        disabled: true
Mitigation / Fix
---
- name: create a cluster
  google.cloud.gcp_container_cluster:
    name: cluster
    initial_node_count: 2
    master_auth:
      username: cluster_root
      password: secret-password
    node_config:
      machine_type: n1-standard-4
      disk_size_gb: 500
    location: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: /tmp/auth.pem
    state: present
    network_policy:
      enabled: true
    addons_config:
      network_policy_config:
        disabled: false
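As an added example (not part of this rule page or of the google.cloud collection), the check below walks already-parsed Ansible tasks and reports any gcp_container_cluster task whose settings would trigger this rule, using constructed task dicts that mirror the Examples and Mitigation playbooks above. It assumes that a setting which is simply omitted is treated as GKE's default of network policy disabled, so it is reported as well.

```python
MODULE_NAMES = ("google.cloud.gcp_container_cluster", "gcp_container_cluster")


def _dig(mapping, *path, default=None):
    """Walk nested dicts along `path`; return `default` on any missing key."""
    cur = mapping
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def check_cluster_task(task):
    """Return findings for one Ansible task; an empty list means compliant.

    Assumption (not stated on the page): an absent setting is treated as
    GKE's default of network policy disabled, so it is reported as well.
    """
    params = next((task[m] for m in MODULE_NAMES if m in task), None)
    if params is None or params.get("state", "present") == "absent":
        return []  # not a GKE cluster task, or a deletion
    findings = []
    if _dig(params, "network_policy", "enabled") is not True:
        findings.append("network_policy.enabled is not true")
    if _dig(params, "addons_config", "network_policy_config", "disabled") is not False:
        findings.append("addons_config.network_policy_config.disabled is not false")
    return findings


def check_playbook(tasks):
    """Map task name -> findings for every non-compliant task in a task list."""
    results = {}
    for task in tasks:
        findings = check_cluster_task(task)
        if findings:
            results[task.get("name", "<unnamed>")] = findings
    return results


# Constructed sample tasks mirroring the page's Examples and Mitigation blocks,
# plus one that omits both settings entirely.
SAMPLE_TASKS = [
    {"name": "bad cluster", "google.cloud.gcp_container_cluster": {
        "network_policy": {"enabled": False},
        "addons_config": {"network_policy_config": {"disabled": True}}}},
    {"name": "fixed cluster", "google.cloud.gcp_container_cluster": {
        "network_policy": {"enabled": True},
        "addons_config": {"network_policy_config": {"disabled": False}}}},
    {"name": "omitted settings", "google.cloud.gcp_container_cluster": {}},
]
```

Run `check_playbook(SAMPLE_TASKS)` to get the findings keyed by task name; only the two non-compliant tasks appear in the result.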