Disable Kubernetes Dashboard for GKE Clusters

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the Kubernetes Dashboard (Web UI) is disabled for your Google Kubernetes Engine (GKE) clusters in order to remove an exposed management interface and the attack surface that comes with it. The Kubernetes Dashboard is a web-based user interface that provides a visual representation of, and management capabilities for, a Kubernetes cluster. It allows users to monitor and interact with the resources running within the cluster, such as pods, deployments, and services, through a graphical interface rather than through command-line tools.

Security

It is generally recommended to disable the Kubernetes Dashboard on GKE clusters because the add-on has had security vulnerabilities and offers a path to privilege escalation if it is compromised. The Kubernetes Dashboard runs under a highly privileged Kubernetes service account, so an attacker who reaches the web UI (for example through an exposed or misconfigured proxy) inherits that account's access to sensitive cluster resources, which makes it a prime target for anyone seeking unauthorized control over the cluster. Additionally, the Google Cloud Platform (GCP) Console provides the same functionality as the Kubernetes Dashboard and leverages Cloud IAM to restrict user access to sensitive cluster settings and controls. Therefore, the best practice is to disable the Kubernetes Dashboard (Web UI) at the cluster level and use the GCP Console instead. Note that recent GKE versions ship with the add-on disabled by default and no longer offer it on newer control-plane versions, so clusters that still have it enabled are typically older, long-lived ones; they still need to be found and remediated.


Audit

To determine the Kubernetes Dashboard status for your Google Kubernetes Engine (GKE) clusters, perform the following operations:

Getting the Kubernetes Dashboard operational status for your GKE clusters using Google Cloud Platform (GCP) Console is not currently supported.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each GCP project available in your Google Cloud account:

gcloud projects list \
	--format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-web-project-123123
cc-dev-project-112233

03 Run container clusters list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to list the name and the location (zone or region) of each GKE cluster provisioned for the selected project:

gcloud container clusters list \
	--project cc-web-project-123123 \
	--format="table(name,location)"

04 The command output should return the requested cluster names and their locations:

NAME                     LOCATION
cc-gke-backend-cluster   us-central1
cc-gke-frontend-cluster  us-central1

05 Run container clusters describe command (Windows/macOS/Linux) with the name of the GKE cluster that you want to examine as the identifier parameter, its location (use --zone for zonal clusters), and custom output filters to determine whether the Kubernetes Dashboard (Web UI) is enabled for the selected cluster:

gcloud container clusters describe cc-gke-backend-cluster \
	--project cc-web-project-123123 \
	--region=us-central1 \
	--format=json | jq '.addonsConfig.kubernetesDashboard'

06 The command output should return the configuration status of the KubernetesDashboard cluster add-on. The KubernetesDashboard add-on is what deploys the Kubernetes Dashboard at the GKE cluster level:

{
	"disabled": false
}

If the container clusters describe command output returns "disabled": false, as shown in the example above, the Kubernetes Dashboard is enabled for the selected Google Kubernetes Engine (GKE) cluster. An output of "disabled": true means the add-on is disabled. If the command prints null, the kubernetesDashboard key is absent from the cluster's add-on configuration (typical for clusters created on GKE versions that no longer ship the add-on) and the cluster is also compliant.

07 Repeat steps no. 5 and 6 for each GKE cluster provisioned for the selected GCP project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To disable the Kubernetes Dashboard (Web UI) for your Google Kubernetes Engine (GKE) clusters, perform the following operations:

Disabling Kubernetes Dashboard for your GKE clusters using Google Cloud Platform (GCP) Console is not currently supported.

Using GCP CLI

01 Run container clusters update command (Windows/macOS/Linux) with the name of the Google Kubernetes Engine (GKE) cluster that you want to configure as the identifier parameter and its location (use --zone for zonal clusters), to disable the Kubernetes Dashboard (Web UI) for the selected cluster by disabling the KubernetesDashboard add-on:

gcloud container clusters update cc-gke-backend-cluster \
	--project cc-web-project-123123 \
	--region=us-central1 \
	--update-addons=KubernetesDashboard=DISABLED

02 Once the update operation completes, the command output should return the full URL of the modified GKE cluster:

Updating cc-gke-backend-cluster... done.
Updated [https://container.googleapis.com/v1/projects/cc-web-project-123123/locations/us-central1/clusters/cc-gke-backend-cluster].

To confirm the change, re-run the container clusters describe command from the Audit section; the output should now return "disabled": true for the KubernetesDashboard add-on.

03 Repeat steps no. 1 and 2 for each GKE cluster that you want to configure, available within the selected GCP project.

04 Repeat steps no. 1 – 3 for each GCP project deployed in your Google Cloud account.
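The Audit and Remediation procedures above repeat the same three gcloud commands per project and per cluster. The script below automates both, as an added example that is not part of this Conformity article or of the gcloud tooling. It assumes the gcloud CLI is installed and authenticated with an account that can list projects and describe (and, for remediation, update) GKE clusters; it uses gcloud's value() formatter instead of jq, which prints the boolean disabled field as True or False and an absent field as an empty string. The REMEDIATE and RUN_AUDIT environment variables are names chosen for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): audit the Kubernetes Dashboard
# add-on across every GKE cluster in every project visible to the active gcloud
# account, and optionally disable it where it is still enabled.
# Assumes: gcloud installed and authenticated. REMEDIATE=1 enables remediation.
set -eu

# Map the raw value of addonsConfig.kubernetesDashboard.disabled to a verdict.
# gcloud's value() formatter prints booleans as "True"/"False"; an empty string
# means the kubernetesDashboard key is absent from the cluster configuration
# (clusters created on GKE versions that no longer ship the add-on).
dashboard_verdict() {
  case "$1" in
    True)  echo "COMPLIANT" ;;      # add-on present and disabled
    False) echo "NON_COMPLIANT" ;;  # add-on present and enabled
    "")    echo "NOT_PRESENT" ;;    # add-on not in the cluster config
    *)     echo "UNKNOWN" ;;        # unexpected output, inspect manually
  esac
}

# Audit (and with REMEDIATE=1 fix) one cluster; prints a tab-separated report line.
check_cluster() {
  project="$1"; name="$2"; location="$3"
  raw=$(gcloud container clusters describe "$name" \
          --project "$project" --location "$location" \
          --format="value(addonsConfig.kubernetesDashboard.disabled)")
  verdict=$(dashboard_verdict "$raw")
  printf '%s\t%s\t%s\t%s\n' "$project" "$location" "$name" "$verdict"
  if [ "$verdict" = "NON_COMPLIANT" ] && [ "${REMEDIATE:-0}" = "1" ]; then
    # Same change as the manual remediation step; --quiet skips the prompt.
    gcloud container clusters update "$name" \
      --project "$project" --location "$location" \
      --update-addons=KubernetesDashboard=DISABLED --quiet
  fi
}

# Walk every project, then every cluster (name<TAB>location) in that project.
audit_gke_dashboard() {
  tab=$(printf '\t')
  gcloud projects list --format="value(projectId)" |
  while read -r project; do
    [ -n "$project" ] || continue
    gcloud container clusters list --project "$project" \
        --format="value(name,location)" |
    while IFS="$tab" read -r name location; do
      [ -n "$name" ] || continue
      check_cluster "$project" "$name" "$location"
    done
  done
}

# Run the audit only when explicitly requested, e.g.:
#   RUN_AUDIT=1 sh gke-dashboard-audit.sh
#   RUN_AUDIT=1 REMEDIATE=1 sh gke-dashboard-audit.sh
if [ "${RUN_AUDIT:-0}" = "1" ]; then
  audit_gke_dashboard
fi
```

The report is one line per cluster, so it can be filtered with `grep NON_COMPLIANT` before deciding to run a second pass with REMEDIATE=1. NOT_PRESENT is reported separately from COMPLIANT so that the two cases stay distinguishable in the evidence you keep for the check.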

Publication date Feb 17, 2025