5.10.1 Ensure Kubernetes Web UI is Disabled

Information

The Kubernetes Web UI (Dashboard) has been a historical source of vulnerability and should only be deployed when necessary.

Rationale:

You should disable the Kubernetes Web UI (Dashboard) when running on Kubernetes Engine. The Kubernetes Web UI is backed by a highly privileged Kubernetes Service Account.

The Google Cloud Console provides all the required functionality of the Kubernetes Web UI and leverages Cloud IAM to restrict user access to sensitive cluster controls and settings.

Solution

Using Google Cloud Console

Go to Kubernetes GCP Engine by visiting https://console.cloud.google.com/kubernetes/list

Select the Kubernetes cluster for which the web UI is enabled

Click EDIT

Click on the 'Add-ons' heading to expand, and set 'Kubernetes dashboard' to 'Disabled'

Click SAVE.

Using Command Line

To disable the Kubernetes Dashboard on an existing cluster, run the following command:

gcloud container clusters update [CLUSTER_NAME] \
--zone [ZONE] \
--update-addons=KubernetesDashboard=DISABLED

Impact:

Users will be required to manage cluster resources using the Google Cloud Console or the command line. These require appropriate permissions. To use the command line, this requires the installation of the command line client, kubectl, on the user's device (this is already included in Cloud Shell) and knowledge of command line operations.

Default Value:

The Kubernetes web UI (Dashboard) does not have admin access by default in GKE 1.7 and higher. The Kubernetes web UI is disabled by default in GKE 1.10 and higher. In GKE 1.15 and higher, the Kubernetes web UI add-on KubernetesDashboard is no longer supported as a managed add-on.

See Also

https://workbench.cisecurity.org/files/2764