Google Cloud Platform Security Checklist : Part 5/7 — Google Kubernetes Engine (GKE)

Hassene BELGACEM
Google Cloud - Community
3 min read · May 21, 2023
GKE/Kubernetes Security

Welcome to the fifth article of our Google Cloud Platform (GCP) security best practices journey! So far, we’ve covered Identity and Access Management (IAM), Key Management System (KMS), Network Security, and Compute Engine, each providing insights into securing a different aspect of GCP. Today, we’ll delve into the world of containerization with Google Kubernetes Engine (GKE).

Definition

Google Kubernetes Engine (GKE) is a managed service provided by Google Cloud that lets you run applications shipped as containers within managed Kubernetes clusters. Kubernetes is an open-source platform designed to automate deploying, scaling, and operating application containers.

Best Practices

1. Leverage VPC-native clusters

By using Alias IPs, GKE clusters benefit from natively routable pod IP addresses within the Google Cloud network, separate firewall controls for pods and nodes, and stronger anti-spoofing protection. This reduces the risk of IP address conflicts and enhances overall network security.

2. Limit Control Plane exposure

In GKE, ensure the control plane is configured for private access only. This configuration means that the Kubernetes API server has only internal IP addresses, limiting access to internal network sources and reducing potential points of ingress for attacks.

3. Limit Access to Kubernetes API

Restrict access to the Kubernetes API server by using Master Authorized Networks. This configuration lets you specify the IP ranges that are permitted to reach the API server and, combined with the private cluster configuration, further hardens the cluster. This is especially important when using a Shared VPC in production: many projects share the same network, and only the software factory (your CI/CD tooling) should be granted access to the Kubernetes API.

4. Adopt VPC flow logging

Enable intranode visibility to capture pod-to-pod network traffic on the same host using standard VPC flow logging mechanisms. This improves network security monitoring and troubleshooting capabilities.

5. Disable Legacy Authentication Methods

Use Google Cloud IAM for authentication and disable basic authentication and client certificate authentication. These older authentication methods, including x509 certificates and static passwords, present a larger attack surface for cluster compromise and cannot be rotated or revoked easily.

6. Use Custom Service Account

Every Google Cloud project comes with a default service account that has broad access to Cloud APIs. It’s best practice to avoid using this service account for cluster instances, and instead create and use specific service accounts with the least privileges necessary for the operation of the instance. This follows the principle of least privilege, reducing the potential impact if a service account gets compromised.

7. Upgrade Your Cluster

Keep your node pools updated with the latest security patches and Kubernetes features by enabling automatic upgrades. This not only reduces manual overhead but also ensures that your clusters are secure and up to date.

8. Don’t use Kubernetes Secrets

Kubernetes stores Secrets in etcd as base64-encoded data, which is an encoding rather than encryption and offers no real protection. It is therefore recommended to store sensitive data in Secret Manager and to use Workload Identity to authorize pod access to those secrets. This protects sensitive data both in transit and at rest.

9. Implement Private Google Access

Enable Private Google Access on the subnets where GKE is deployed so that your pods can reach Google Cloud APIs and services from their internal IP addresses. This removes the need for external IP addresses on nodes and enhances the security of your data in transit.

10. Use Container Optimized OS

Opt for the Container-Optimized OS with containerd as the node image for GKE clusters. This OS is designed to enhance node security and provides automatic updates, reducing potential attack surfaces and improving overall cluster security.

11. Send Logs to Cloud Logging

Ensure your GKE clusters send logs to Cloud Logging for better observability, troubleshooting, and security monitoring.

Conclusion

Securing Google Kubernetes Engine (GKE) is essential to safeguarding your cloud environment. This article has highlighted key GKE security measures that strengthen your GCP environment’s overall security posture. As we progress through this series, we will continue to explore further crucial security aspects. The upcoming article will focus on data security, including services like Cloud SQL, Cloud Storage, and BigQuery.

Cloud Architect | Trainer. Here, I share my thoughts and experience on topics like cloud computing and cybersecurity. https://www.linkedin.com/in/hassene-belgacem