GCP Kubernetes Engine Clusters Have Alias IP Disabled

This policy identifies Kubernetes Engine clusters that have Alias IP disabled. Alias IP allows the networking layer to perform anti-spoofing checks, ensuring that egress traffic is not sent with arbitrary source IPs. With Alias IPs enabled (a VPC-native cluster), Kubernetes Engine allocates Pod and Service IP addresses from secondary CIDR ranges known to Google Cloud Platform. This makes the cluster more scalable and lets it interact more cleanly with other GCP products and services.

Policy Details

Policy Subtype
Run, Build
Severity
Low
Template Type
Terraform

Build Rules

GCP Kubernetes Engine Clusters have Alias IP disabled.
JSON Query:
$.resource[*].google_container_cluster exists and $.resource[*].google_container_cluster[*].*.*.ip_allocation_policy does not exist
Recommendation:
Recommended solution: enable Alias IP for Kubernetes Engine clusters.
Ensure that GCP Kubernetes Engine clusters have Alias IP enabled. Make sure the template has "ip_allocation_policy" defined on every google_container_cluster resource.
For example:
"ip_allocation_policy": [ { "cluster_secondary_range_name": "foo", "services_secondary_range_name": "foobar" } ]

Run Rule Recommendation

Alias IP can be enabled on a GCP Kubernetes Engine cluster only at creation time. To fix this alert, create a new cluster with Alias IP enabled and then migrate all required workloads and data from the reported cluster to the new one.
To create a cluster with Alias IP enabled, perform the following steps:
  1. Log in to the GCP console.
  2. Go to Kubernetes Engine (left panel).
  3. Select Kubernetes clusters.
  4. Click the 'CREATE CLUSTER' button.
  5. Configure your cluster and click 'More'.
  6. From the 'VPC-native (using alias IP)' drop-down menu, select 'Enabled'. New menu items appear.
  7. From the 'Automatically create secondary ranges' drop-down menu, select 'Enabled'.
  8. Configure the 'Network', 'Node subnet', 'Node address range', 'Container address range', and 'Service address range' as needed.
  9. Click Create.
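The following is an added example, not part of this policy page or of any vendor tooling. It evaluates the policy on both sides described above: the build rule, by walking a Terraform JSON document along the same path as the page's JSON query, and the run rule, by inspecting the ipAllocationPolicy.useIpAliases field of a cluster description such as gcloud container clusters describe returns. The Terraform documents and the describe output are constructed inline; the nested list layout of the Terraform JSON is an assumption that follows the query path shown on the page, and the resource labels "legacy" and "vpc_native" are illustrative.

```python
"""Added example: check the GKE Alias IP policy at build time (Terraform JSON)
and at run time (cluster describe output). All inputs below are constructed."""


def tf_json(*clusters):
    """Build a Terraform JSON document in the shape the page's query walks:
    resource[*].google_container_cluster[*].<label>[*].<attributes>.
    (Assumed layout; clusters are (label, attributes) pairs.)"""
    return {"resource": [{"google_container_cluster": [
        {label: [attrs]} for label, attrs in clusters]}]}


# Constructed cluster definitions. The legacy one omits ip_allocation_policy,
# the VPC-native one carries the block recommended on the page.
LEGACY = ("legacy", {
    "name": "legacy-cluster", "location": "us-central1", "initial_node_count": 1})
VPC_NATIVE = ("vpc_native", {
    "name": "vpc-native-cluster", "location": "us-central1", "initial_node_count": 1,
    "ip_allocation_policy": [{
        "cluster_secondary_range_name": "pods",
        "services_secondary_range_name": "services"}]})

NON_COMPLIANT = tf_json(LEGACY)
COMPLIANT = tf_json(VPC_NATIVE)
MIXED = tf_json(LEGACY, VPC_NATIVE)


def gke_clusters(config):
    """Yield (label, attrs) for every google_container_cluster in the document."""
    for res in config.get("resource", []):
        for block in res.get("google_container_cluster", []):
            for label, instances in block.items():
                for attrs in instances:
                    yield label, attrs


def has_alias_ip(attrs):
    """True when the resource defines a non-empty ip_allocation_policy block."""
    return bool(attrs.get("ip_allocation_policy"))


def build_rule_fires(config):
    """Literal reading of the page's query: at least one google_container_cluster
    exists and no ip_allocation_policy path exists anywhere in the document."""
    clusters = list(gke_clusters(config))
    return bool(clusters) and not any(has_alias_ip(a) for _, a in clusters)


def clusters_without_alias_ip(config):
    """Per-resource view: labels of every cluster missing ip_allocation_policy,
    so a template with one fixed cluster does not hide a second legacy one."""
    return [label for label, attrs in gke_clusters(config) if not has_alias_ip(attrs)]


# Constructed samples of `gcloud container clusters describe NAME --format=json`,
# trimmed to the field this policy needs.
DESCRIBE_LEGACY = {"name": "legacy-cluster", "ipAllocationPolicy": {}}
DESCRIBE_VPC_NATIVE = {"name": "vpc-native-cluster", "ipAllocationPolicy": {
    "useIpAliases": True,
    "clusterSecondaryRangeName": "pods",
    "servicesSecondaryRangeName": "services"}}


def alias_ip_enabled(cluster):
    """Run-rule check: VPC-native clusters report ipAllocationPolicy.useIpAliases=true."""
    return bool(cluster.get("ipAllocationPolicy", {}).get("useIpAliases", False))


if __name__ == "__main__":
    for name, cfg in (("non-compliant", NON_COMPLIANT), ("compliant", COMPLIANT), ("mixed", MIXED)):
        print(f"{name}: build rule fires={build_rule_fires(cfg)} "
              f"flagged={clusters_without_alias_ip(cfg)}")
    for desc in (DESCRIBE_LEGACY, DESCRIBE_VPC_NATIVE):
        print(f"{desc['name']}: alias IP enabled={alias_ip_enabled(desc)}")
```

The MIXED document shows why the per-resource function is worth keeping beside the query-faithful one: read literally, the page's query is satisfied as soon as any cluster in the template defines ip_allocation_policy, so the legacy cluster next to it would not be reported, whereas clusters_without_alias_ip still lists it. For the run rule, a cluster that was created without Alias IP cannot be converted in place, so a false result from alias_ip_enabled means planning a replacement cluster as described in the steps above.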

Compliance

There are 11 standards that are applicable to this policy:
  • PCI DSS v3.2
  • NIST CSF
  • GDPR
  • CSA CCM v3.0.1
  • SOC 2
  • CIS v1.0.0 (GCP)
  • PIPEDA
  • ISO 27001:2013
  • HITRUST CSF v9.3
  • CCPA 2018
  • NIST 800-53 Rev4
