Information
Cluster Administrators should leverage G Suite Groups and Cloud IAM to assign Kubernetes user roles to a collection of users, instead of to individual emails using only Cloud IAM.
On- and off-boarding users is often difficult to automate and prone to error. Using a single source of truth for user permissions via G Suite Groups reduces the number of locations that an individual must be off-boarded from, and prevents users gaining unique permissions sets that increase the cost of audit.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Follow the G Suite Groups instructions at:
https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control#google-groups-for-gke
Then, create a cluster with:
gcloud container clusters create <cluster_name> --security-group <security_group_name>
Finally, create Roles, ClusterRoles, RoleBindings and ClusterRoleBindings that reference the G Suite Groups.
Impact:
When migrating to using security groups, an audit of RoleBindings and ClusterRoleBindings is required to ensure all users of the cluster are managed using the new groups and not individually.
When managing RoleBindings and ClusterRoleBindings be wary of inadvertently removing bindings required by service accounts.
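An added example (not from the benchmark or from Google's documentation) of the audit described above: it walks the binding objects returned by `kubectl get rolebindings,clusterrolebindings -A -o json` and reports human users still bound individually, while keeping Group, ServiceAccount and Google service-account subjects so they are not removed by mistake. The sample bindings are constructed; the group address, user and namespaces are assumptions.

```python
"""Audit RBAC bindings for individually-bound users after moving to Google Groups for GKE.

Input is the "items" array of `kubectl get rolebindings,clusterrolebindings -A -o json`.
"""
import json

# Constructed sample: a ClusterRoleBinding that references a Google Group (the target
# state), a RoleBinding that still binds an individual email, and a binding for a
# Kubernetes service account that must be left in place.
SAMPLE_ITEMS = json.loads("""
[
  {"kind": "ClusterRoleBinding",
   "metadata": {"name": "gke-readers"},
   "roleRef": {"kind": "ClusterRole", "name": "view"},
   "subjects": [{"kind": "Group", "name": "gke-readers@example.com",
                 "apiGroup": "rbac.authorization.k8s.io"}]},
  {"kind": "RoleBinding",
   "metadata": {"name": "alice-admin", "namespace": "payments"},
   "roleRef": {"kind": "ClusterRole", "name": "admin"},
   "subjects": [{"kind": "User", "name": "alice@example.com",
                 "apiGroup": "rbac.authorization.k8s.io"}]},
  {"kind": "RoleBinding",
   "metadata": {"name": "ci-deployer", "namespace": "payments"},
   "roleRef": {"kind": "Role", "name": "deployer"},
   "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "payments"}]}
]
""")


def binding_id(item):
    """Human-readable identifier, e.g. RoleBinding/payments/alice-admin."""
    ns = item["metadata"].get("namespace")
    return f"{item['kind']}/{ns + '/' if ns else ''}{item['metadata']['name']}"


def is_human_user(subj):
    """True for an individual Google account bound directly (the case to migrate).
    Google service accounts (*.gserviceaccount.com) also appear as kind User but
    belong to workloads, so they are kept."""
    name = subj.get("name", "")
    return (subj.get("kind") == "User" and "@" in name
            and not name.endswith(".gserviceaccount.com"))


def audit_bindings(items):
    """Return (findings, keep): users to move into a group, and subjects to keep."""
    findings, keep = [], []
    for item in items:
        for subj in item.get("subjects") or []:
            if is_human_user(subj):
                findings.append((binding_id(item), subj["name"], item["roleRef"]["name"]))
            else:
                keep.append((binding_id(item), subj.get("kind"), subj.get("name")))
    return findings, keep
```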