5.6.6 Consider firewalling GKE worker nodes

Information

Reduce the network attack surface of GKE nodes by using Firewalls to restrict ingress and egress traffic.

Utilizing stringent ingress and egress firewall rules minimizes the ports and services exposed to a network-based attacker, whilst also restricting egress routes within or out of the cluster in the event that a compromised component attempts to form an outbound connection.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Using Google Cloud Console:

- Go to Firewall Rules by visiting:

https://console.cloud.google.com/networking/firewalls/list

- Click CREATE FIREWALL RULE.
- Configure the firewall rule as required. Ensure the firewall targets the nodes correctly, either by selecting the nodes using tags (under Targets, select Specified target tags, and set Target tags to <tag>), or by using the service account associated with the node (under Targets, select Specified service account, set Service account scope as appropriate, and Target service account to <service_account>).
- Click CREATE.

Using Command Line:

Use the following command to generate firewall rules, setting the variables as appropriate and omitting the flags that do not apply. Note that a single rule selects its targets either by tag (--target-tags) or by service account (--target-service-accounts), not both, and the same applies to the --source-tags and --source-service-accounts selectors:

gcloud compute firewall-rules create <firewall_rule_name> --network <network> --priority <priority> --direction <direction> --action <action> --target-tags <tag> --target-service-accounts <service_account> --source-ranges <source_cidr_range> --source-tags <source_tags> --source-service-accounts <source_service_account> --destination-ranges <destination_cidr_range> --rules <rules>
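As an added example (not part of the benchmark or the Tenable plugin), the POSIX shell wrapper below builds the command above for a set of GKE nodes selected by network tag or by node service account, refuses the combinations gcloud rejects, and applies a minimal allow-list plus low-priority deny-all rules for ingress and egress. The VPC name, node tag, control-plane range and cluster ranges are constructed placeholders, and the egress allow-list assumes the cluster reaches Google APIs through Private Google Access (private.googleapis.com); DRY_RUN=1 prints each command instead of running it.

```shell
# Added example, not the benchmark's or Tenable's own code. All values are
# constructed placeholders; override them via the environment before running.
NETWORK="${NETWORK:-example-vpc}"                          # assumed VPC name
NODE_TAG="${NODE_TAG:-gke-example-node}"                   # assumed node network tag
NODE_SA="${NODE_SA:-}"                                     # or the node service account
CONTROL_PLANE_CIDR="${CONTROL_PLANE_CIDR:-172.16.0.0/28}"  # assumed control-plane range
CLUSTER_CIDRS="${CLUSTER_CIDRS:-10.0.0.0/8}"               # assumed node/pod/service ranges
GOOGLE_APIS_CIDR="199.36.153.8/30"   # private.googleapis.com (Private Google Access)
DRY_RUN="${DRY_RUN:-1}"              # 1 = print the gcloud command instead of running it

# node_rule NAME DIRECTION ACTION PRIORITY REMOTE_CIDRS RULES
# INGRESS uses REMOTE_CIDRS as --source-ranges, EGRESS as --destination-ranges.
node_rule() {
  name=$1; direction=$2; action=$3; priority=$4; remote=$5; rules=$6
  case "$direction" in
    INGRESS) range_flag=--source-ranges ;;
    EGRESS)  range_flag=--destination-ranges ;;
    *) echo "node_rule: direction must be INGRESS or EGRESS" >&2; return 2 ;;
  esac
  case "$action" in ALLOW|DENY) ;; *) echo "node_rule: action must be ALLOW or DENY" >&2; return 2 ;; esac
  # Exactly one target selector: gcloud rejects a tag and a service account in one rule.
  if [ -n "$NODE_TAG" ] && [ -n "$NODE_SA" ]; then
    echo "node_rule: set NODE_TAG or NODE_SA, not both" >&2; return 2
  elif [ -n "$NODE_SA" ]; then target="--target-service-accounts $NODE_SA"
  elif [ -n "$NODE_TAG" ]; then target="--target-tags $NODE_TAG"
  else echo "node_rule: NODE_TAG or NODE_SA is required" >&2; return 2
  fi
  cmd="gcloud compute firewall-rules create $name --network $NETWORK --priority $priority --direction $direction --action $action $target $range_flag $remote --rules $rules"
  if [ "$DRY_RUN" = 1 ]; then echo "$cmd"; else $cmd; fi
}

apply_node_rules() {
  # Control plane -> nodes: kubelet (10250) and admission webhooks/metrics (443).
  node_rule gke-nodes-allow-control-plane INGRESS ALLOW 1000 "$CONTROL_PLANE_CIDR" tcp:443,tcp:10250 || return $?
  # Nodes -> control plane, Google APIs (image pulls, logging) and cluster ranges only.
  node_rule gke-nodes-allow-egress-control-plane EGRESS ALLOW 1000 "$CONTROL_PLANE_CIDR" tcp:443 || return $?
  node_rule gke-nodes-allow-egress-google-apis EGRESS ALLOW 1000 "$GOOGLE_APIS_CIDR" tcp:443 || return $?
  node_rule gke-nodes-allow-egress-cluster EGRESS ALLOW 1000 "$CLUSTER_CIDRS" all || return $?
  # Low-priority catch-alls; GKE's auto-created allow rules (priority 1000, assumed) still win.
  node_rule gke-nodes-deny-ingress INGRESS DENY 65000 0.0.0.0/0 all || return $?
  node_rule gke-nodes-deny-egress EGRESS DENY 65000 0.0.0.0/0 all
}

apply_node_rules
```

Review the printed commands against the Impact note below before setting DRY_RUN=0, since every instance carrying the tag or service account is affected.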

Impact:

All instances targeted by a firewall rule, whether selected by tag or by service account, will be affected. Ensure there are no adverse effects on other instances using the target tag or service account before implementing the firewall rule.

See Also

https://workbench.cisecurity.org/benchmarks/19166

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|SC-7, 800-53|SC-7(5), CSCv7|9.5

Plugin: GCP

Control ID: 98eb1b9aeb819be3229d035321b5a80bd5eaee86dab17630b28a19bb7a690d6d