GCP Kubernetes Cluster IstioConfig Not Enabled

Istio is an open service mesh that provides a uniform way to connect, manage, and secure microservices. It supports managing traffic flows between services, enforcing access policies, and aggregating telemetry data, all without requiring changes to the microservice code. This policy checks your cluster for the Istio add-on feature and alerts if it is not enabled.

Policy Details

Policy Subtype: Run, Build
Severity: Medium
Template Type: Terraform

Build Rules

GCP Kubernetes cluster istioConfig not enabled.
JSON Query:
$.resource[*].google_container_cluster exists and ($.resource[*].google_container_cluster.*[*].*.addons_config anyNull or $.resource[*].google_container_cluster.*[*].*.addons_config[*].istio_config anyNull or $.resource[*].google_container_cluster.*[*].*.addons_config[*].istio_config[*] anyNull or $.resource[*].google_container_cluster.*[*].*.addons_config[*].istio_config[*].disabled anyNull or $.resource[*].google_container_cluster.*[*].*.addons_config[*].istio_config[*].disabled anyTrue)
Recommendation:
Recommended solution to enable istioConfig in a GCP Kubernetes cluster.
Ensure that GCP Kubernetes clusters have istioConfig enabled. Make sure that the template has "addons_config" defined and that the "istio_config" block under it is not disabled.
For example:
"google_container_cluster": [
  {
    "<container_cluster_name>": [
      {
        "addons_config": [
          {
            "istio_config": [
              {
                "auth": "AUTH_MUTUAL_TLS",
                "disabled": false
              }
            ]
          }
        ]
      }
    ]
  }
]

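The build rule's null/true checks can be reproduced locally before a template reaches the scanner. The following is an added example, not part of the original policy page or the scanner's own code; it assumes the template shape shown in the example above wrapped in a top-level "resource" list, and the function names and sample cluster names are hypothetical.

```python
import json

# Constructed sample template, shaped like the page's example and wrapped in the
# top-level "resource" list that the query's $.resource[*] path implies (assumption).
SAMPLE = json.loads("""
{"resource": [{"google_container_cluster": [
  {"mesh-ok":   [{"addons_config": [{"istio_config": [{"auth": "AUTH_MUTUAL_TLS", "disabled": false}]}]}]},
  {"no-addons": [{"name": "no-addons"}]},
  {"no-flag":   [{"addons_config": [{"istio_config": [{"auth": "AUTH_MUTUAL_TLS"}]}]}]},
  {"mesh-off":  [{"addons_config": [{"istio_config": [{"disabled": "true"}]}]}]}
]}]}
""")

def _items(value):
    """Terraform JSON nests blocks in lists; treat a bare dict as a one-item list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _check_body(body):
    """Mirror the query: any missing level, or disabled == true, is a finding."""
    addons = _items(body.get("addons_config"))
    if not addons:
        return "addons_config missing"
    for addon in addons:
        istio = _items((addon or {}).get("istio_config"))
        if not istio:
            return "istio_config missing"
        for cfg in istio:
            flag = (cfg or {}).get("disabled")
            if flag is None:
                return "istio_config.disabled not set"
            if str(flag).lower() == "true":  # accepts JSON true and the string "true"
                return "istio_config.disabled is true"
    return None

def istio_findings(template):
    """Return {cluster_name: reason} for every cluster that would trip the rule."""
    findings = {}
    for res in _items(template.get("resource")):
        for group in _items(res.get("google_container_cluster")):
            for name, bodies in group.items():
                for body in _items(bodies):
                    reason = _check_body(body)
                    if reason:
                        findings[name] = reason
    return findings

if __name__ == "__main__":
    print(json.dumps(istio_findings(SAMPLE), indent=2))
```

Note that a cluster which defines "istio_config" but omits "disabled" is still reported, matching the query's anyNull clause on that key.
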
Run Rule Recommendation

Add Istio to your existing cluster.
If you want to update a cluster with the add-on, you may first need to resize the cluster to ensure that it has enough resources for Istio. As with creating a new cluster, we suggest at least a 4-node cluster with the 2 vCPU machine type.
Your cluster must also be running a supported cluster master version to use the add-on.
  1. Go to the Kubernetes clusters page in the GCP Console and select the cluster you want to update.
  2. Select Edit.
  3. Select Add-ons to display possible add-ons, including Istio on GKE.
  4. Select Enabled under Istio.
  5. Select the mTLS security mode you want to use for your cluster from the drop-down.
  6. Click Save to update your cluster.
