5.6.6 Consider firewalling GKE worker nodes

Information

Reduce the network attack surface of GKE nodes by using Firewalls to restrict ingress and egress traffic.

Rationale:

Utilizing stringent ingress and egress firewall rules minimizes the ports and services exposed to a network-based attacker, whilst also restricting egress routes within or out of the cluster in the event that a compromised component attempts to form an outbound connection.

Impact:

All instances targeted by a firewall rule, whether selected by a tag or by a service account, will be affected. Ensure there are no adverse effects on other instances using the target tag or service account before implementing the firewall rule.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Using Google Cloud Console

Go to Firewall Rules by visiting https://console.cloud.google.com/networking/firewalls/list

Click CREATE FIREWALL RULE

Configure the firewall rule as required. Ensure the firewall rule targets your nodes correctly, either by selecting the nodes using tags (under 'Targets', select 'Specified target tags', and set 'Target tags' to [TAG]) or by using the service account associated with the node (under 'Targets', select 'Specified service account', set 'Service account scope' as appropriate, and set 'Target service account' to [SERVICE_ACCOUNT]).

Click CREATE.

Using Command Line
Use the following command to generate firewall rules, setting the variables as appropriate. You may want to use the target [TAG] and [SERVICE_ACCOUNT] previously identified.

gcloud compute firewall-rules create [FIREWALL_RULE_NAME] \
--network [NETWORK] \
--priority [PRIORITY] \
--direction [DIRECTION] \
--action [ACTION] \
--target-tags [TAG] \
--target-service-accounts [SERVICE_ACCOUNT] \
--source-ranges [SOURCE_CIDR_RANGE] \
--source-tags [SOURCE_TAGS] \
--source-service-accounts [SOURCE_SERVICE_ACCOUNT] \
--destination-ranges [DESTINATION_CIDR_RANGE] \
--rules [RULES]

Default Value:

Every VPC network has two implied firewall rules. These rules exist, but are not shown in the Cloud Console:

The implied allow egress rule: An egress rule whose action is allow, destination is 0.0.0.0/0, and priority is the lowest possible (65535) lets any instance send traffic to any destination, except for traffic blocked by GCP. Outbound access may be restricted by a higher priority firewall rule. Internet access is allowed if no other firewall rules deny outbound traffic and if the instance has an external IP address or uses a NAT instance.

The implied deny ingress rule: An ingress rule whose action is deny, source is 0.0.0.0/0, and priority is the lowest possible (65535) protects all instances by blocking incoming traffic to them. Incoming access may be allowed by a higher priority rule. Note that the default network includes some additional rules that override this one, allowing certain types of incoming traffic.

The implied rules cannot be removed, but they have the lowest possible priorities.
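Since this check is not performed automatically, the following script is an added example (not part of the benchmark or of the Nessus plugin text) of how to review the rules that actually reach the worker nodes. It reads JSON in the shape of `gcloud compute firewall-rules list --format=json` (only the fields it needs: direction, priority, source/destination ranges, target tags and service accounts, allowed/denied, disabled), applies the precedence described above (numerically lower priority wins, deny beats allow at equal priority, and the implied ingress-deny / egress-allow rules at 65535 apply when nothing else matches), and reports the effective action for an ingress probe from the Internet and for egress probes to the Internet and to an internal range. The rule names, the node tag `gke-example-node` and the service account `gke-nodes@example-project.iam.gserviceaccount.com` are constructed sample values; when creating rules with the command above, note that a single rule targets either tags or service accounts, not both, and that `--source-ranges` applies to ingress rules while `--destination-ranges` applies to egress rules.

```python
import ipaddress
import json

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`
# (only the fields this audit reads). Rule names, the node tag and the service
# account are made up for the example.
SAMPLE_RULES_JSON = """[
  {"name": "default-allow-ssh", "direction": "INGRESS", "priority": 65534,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}],
   "disabled": false},
  {"name": "gke-nodes-allow-internal", "direction": "INGRESS", "priority": 1000,
   "sourceRanges": ["10.0.0.0/8"], "targetTags": ["gke-example-node"],
   "allowed": [{"IPProtocol": "all"}], "disabled": false},
  {"name": "gke-nodes-allow-egress-internal", "direction": "EGRESS", "priority": 900,
   "destinationRanges": ["10.0.0.0/8"],
   "targetServiceAccounts": ["gke-nodes@example-project.iam.gserviceaccount.com"],
   "allowed": [{"IPProtocol": "all"}], "disabled": false},
  {"name": "gke-nodes-deny-egress", "direction": "EGRESS", "priority": 1000,
   "destinationRanges": ["0.0.0.0/0"],
   "targetServiceAccounts": ["gke-nodes@example-project.iam.gserviceaccount.com"],
   "denied": [{"IPProtocol": "all"}], "disabled": false},
  {"name": "old-allow-all-disabled", "direction": "INGRESS", "priority": 500,
   "sourceRanges": ["0.0.0.0/0"], "targetTags": ["gke-example-node"],
   "allowed": [{"IPProtocol": "all"}], "disabled": true}
]"""

# Implied rules present in every VPC network (priority 65535, not listed by gcloud).
IMPLIED = {"INGRESS": "deny", "EGRESS": "allow"}

NODE_TAGS = ["gke-example-node"]                                        # constructed
NODE_SAS = ["gke-nodes@example-project.iam.gserviceaccount.com"]        # constructed


def applies_to_nodes(rule, node_tags, node_sas):
    """A rule with neither target tags nor target service accounts applies to every
    instance in the network; otherwise it must name one of the node tags or SAs."""
    tags = set(rule.get("targetTags", []))
    sas = set(rule.get("targetServiceAccounts", []))
    if not tags and not sas:
        return True
    return bool(tags & set(node_tags)) or bool(sas & set(node_sas))


def rule_covers(rule, direction, ip):
    """Ingress rules match on sourceRanges, egress rules on destinationRanges.
    Rules that match only by source tag/service account carry no range and are
    treated as not matching an IP probe."""
    key = "sourceRanges" if direction == "INGRESS" else "destinationRanges"
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr, strict=False)
               for cidr in rule.get(key, []))


def effective_action(rules, direction, ip, node_tags, node_sas):
    """Return (action, rule_name) for traffic from/to `ip` on the nodes.
    Lowest priority number wins; at equal priority deny beats allow; if no
    rule matches, the implied rule for that direction applies. Protocol and
    port are deliberately ignored: any reachable allow counts as exposure."""
    candidates = [
        r for r in rules
        if r.get("direction") == direction
        and not r.get("disabled", False)
        and applies_to_nodes(r, node_tags, node_sas)
        and rule_covers(r, direction, ip)
    ]
    if not candidates:
        return IMPLIED[direction], "implied"
    # deny sorts before allow at the same priority
    best = min(candidates, key=lambda r: (r["priority"], 0 if "denied" in r else 1))
    return ("deny" if "denied" in best else "allow"), best["name"]


def audit(rules_json, node_tags, node_sas,
          internet_probe="203.0.113.5", internal_probe="10.1.2.3"):
    """Evaluate three probes against the rule set and return the winning rule for each."""
    rules = json.loads(rules_json)
    return {
        "ingress_from_internet": effective_action(rules, "INGRESS", internet_probe, node_tags, node_sas),
        "egress_to_internet": effective_action(rules, "EGRESS", internet_probe, node_tags, node_sas),
        "egress_internal": effective_action(rules, "EGRESS", internal_probe, node_tags, node_sas),
    }


if __name__ == "__main__":
    for check, (action, rule) in audit(SAMPLE_RULES_JSON, NODE_TAGS, NODE_SAS).items():
        print(f"{check:24s} {action:5s} (decided by {rule})")
```

On the sample data the nodes are still reachable from the Internet on the rule `default-allow-ssh`, which has no target and therefore applies to every instance in the network; the egress deny rule, by contrast, overrides the implied allow, with the narrower internal allow rule winning because its priority number is lower. Replace the embedded JSON with real `gcloud compute firewall-rules list --format=json` output and the tag or service account of your node pool to run it against a project.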

See Also

https://workbench.cisecurity.org/files/4135