Enable Intranode Visibility

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: GKE-018

Ensure that intranode visibility is enabled for your Google Kubernetes Engine (GKE) clusters. This allows you to monitor and troubleshoot network traffic between pods running on the same node, enhancing both visibility and security. With this feature, you can use VPC flow logs or other VPC features for intra-node traffic.

This rule resolution is part of the Conformity solution.

Security

Intranode visibility ensures that packets exchanged between Pods are always processed by the VPC network, so firewall rules, routes, VPC flow logs, and Packet Mirroring configurations are applied consistently to all Pod-to-Pod traffic. When a Pod communicates with another Pod on the same node, the packet leaves the node, is processed by the Google Cloud network, and is returned to the same node before being delivered to the destination Pod. Without the feature, same-node Pod traffic is switched locally and never reaches the VPC, so it is invisible to flow logs and Packet Mirroring and is not subject to VPC firewall rules. Because enabling the feature brings that traffic under your VPC firewall rules, confirm that those rules allow the Pod-to-Pod traffic your workloads rely on before enabling it, and expect additional VPC flow log volume (and cost) if flow logging is turned on for the cluster subnet.


Audit

To determine if intranode visibility is enabled for your Google Kubernetes Engine (GKE) clusters, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Kubernetes Engine console available at https://console.cloud.google.com/kubernetes.

04 In the left navigation panel, under Resource Management, choose Clusters and select the OVERVIEW tab to access the list of GKE clusters provisioned for the selected GCP project.

05 Click on the name (link) of the GKE cluster that you want to examine.

06 Select the DETAILS tab to view the configuration information available for the selected cluster.

07 In the Cluster Networking section, check the Intranode visibility attribute value to determine the feature status. If Intranode visibility is set to Disabled, intranode visibility is not enabled for the selected Google Kubernetes Engine (GKE) cluster.

08 Repeat steps no. 5 – 7 for each GKE cluster provisioned within the selected GCP project.

09 Repeat steps no. 2 – 8 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each GCP project available in your Google Cloud account:

gcloud projects list \
	--format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-web-project-123123
cc-dev-project-112233

03 Run container clusters list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to list the name and the location (region for a regional cluster, zone for a zonal cluster) of each GKE cluster provisioned for the selected project:

gcloud container clusters list \
	--project cc-web-project-123123 \
	--format="table(name,location)"

04 The command output should return the requested cluster names and their locations:

NAME                     LOCATION
cc-gke-backend-cluster   us-central1
cc-gke-frontend-cluster  us-central1

05 Run container clusters describe command (Windows/macOS/Linux) with the name of the GKE cluster that you want to examine as the identifier parameter and custom output filters to describe the Intranode Visibility feature status available for the selected cluster (use --zone instead of --region for a zonal cluster):

gcloud container clusters describe cc-gke-backend-cluster \
	--region=us-central1 \
	--format="json(networkConfig.enableIntraNodeVisibility)"

06 The command output should return the feature status. The networkConfig.enableIntraNodeVisibility attribute is present with the value true when the feature is enabled and is omitted from the cluster resource when it is disabled, so the projection prints null for a disabled cluster:

null

If the container clusters describe command output returns null, as shown in the example above, intranode visibility is not enabled for the selected Google Kubernetes Engine (GKE) cluster.

07 Repeat steps no. 5 and 6 for each GKE cluster provisioned for the selected GCP project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To enable intranode visibility for your Google Kubernetes Engine (GKE) clusters, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Kubernetes Engine console available at https://console.cloud.google.com/kubernetes.

04 In the left navigation panel, under Resource Management, choose Clusters and select the OVERVIEW tab to access the list of GKE clusters deployed for the selected GCP project.

05 Click on the name (link) of the GKE cluster that you want to configure.

06 Select the DETAILS tab to view the configuration information available for the selected cluster.

07 In the Cluster Networking section, click on the Edit intranode visibility button (i.e., pencil icon) available next to Intranode visibility to modify the feature settings.

08 Inside the Edit intranode visibility configuration box, check the Enable Intranode visibility setting checkbox to enable the Intranode Visibility feature, and choose SAVE CHANGES to apply the changes. Once you enable intranode visibility, Google Kubernetes Engine (GKE) restarts components in both the control plane and the worker nodes. The duration of this process can vary based on the cluster size, usage, and maintenance window.

09 Repeat steps no. 5 – 8 for each GKE cluster that you want to configure, created for the selected GCP project.

10 Repeat steps no. 2 – 9 for each GCP project available in your Google Cloud account.

Using GCP CLI

01 Run container clusters update command (Windows/macOS/Linux) with the name of the Google Kubernetes Engine (GKE) cluster that you want to configure as the identifier parameter, to enable intranode visibility for your GKE cluster (use --zone instead of --region for a zonal cluster). After you enable intranode visibility, Google Kubernetes Engine (GKE) restarts components in both the control plane and the worker nodes. The duration of the cluster update process can vary based on the cluster size, usage, and the configured maintenance window:

gcloud container clusters update cc-gke-backend-cluster \
	--region=us-central1 \
	--enable-intra-node-visibility

02 The command output should return the full URL of the modified GKE cluster:

Updating cc-gke-backend-cluster... done.
Updated [https://container.googleapis.com/v1/projects/cc-web-project-123123/zones/us-central1/clusters/cc-gke-backend-cluster].

03 Repeat steps no. 1 and 2 for each GKE cluster that you want to configure, available within the selected GCP project.

04 Repeat steps no. 1 – 3 for each GCP project deployed in your Google Cloud account.
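The CLI audit above (steps 3 to 8) and the CLI remediation (steps 1 to 4) are both per-cluster, per-project loops. The following script, an added example that is not part of this Conformity page or of Google's tooling, folds them into one pass: it reads the JSON that `gcloud container clusters list --format=json` emits, flags every cluster whose networkConfig.enableIntraNodeVisibility attribute is not true (absent or false), and prints the matching `gcloud container clusters update ... --enable-intra-node-visibility` command. The embedded cluster JSON is constructed sample data modelled on the page's example names; the `--location` flag (accepted by gcloud for both regional and zonal clusters) is used instead of the page's `--region` so the generated command works for either kind of cluster.

```python
"""
Audit intranode visibility (Conformity rule GKE-018) across GKE clusters
and emit the remediation command for each non-compliant cluster.

Added example for this page, not Conformity's or Google's code. It assumes
the JSON shape produced by `gcloud container clusters list --format=json`:
each cluster carries `name`, `location` and, when the feature is enabled,
`networkConfig.enableIntraNodeVisibility: true` (absent when disabled).
"""
import json
import subprocess
import sys

# Constructed sample, mimicking `gcloud container clusters list --format=json`
# for the page's example project. Cluster names follow the page; the JSON
# bodies are invented to cover the three shapes an auditor will meet.
SAMPLE_CLUSTERS_JSON = json.dumps([
    {   # attribute omitted: the usual 'disabled' shape
        "name": "cc-gke-backend-cluster",
        "location": "us-central1",
        "networkConfig": {"network": "projects/cc-web-project-123123/global/networks/default"},
    },
    {   # explicitly enabled
        "name": "cc-gke-frontend-cluster",
        "location": "us-central1",
        "networkConfig": {"enableIntraNodeVisibility": True},
    },
    {   # explicitly false, zonal cluster (hypothetical third cluster)
        "name": "cc-gke-legacy-cluster",
        "location": "us-central1-a",
        "networkConfig": {"enableIntraNodeVisibility": False},
    },
])


def intranode_visibility_enabled(cluster: dict) -> bool:
    """Only an explicit `true` counts as enabled; an absent key (the common
    disabled shape) and an explicit `false` are both non-compliant."""
    return cluster.get("networkConfig", {}).get("enableIntraNodeVisibility") is True


def audit(project_id: str, clusters_json: str) -> list:
    """Return one finding per non-compliant cluster, each carrying the
    remediation command from the page's CLI procedure, ready to run."""
    findings = []
    for cluster in json.loads(clusters_json):
        if intranode_visibility_enabled(cluster):
            continue
        findings.append({
            "rule": "GKE-018",
            "project": project_id,
            "cluster": cluster["name"],
            "location": cluster["location"],
            "remediation": (
                f"gcloud container clusters update {cluster['name']} "
                f"--project={project_id} --location={cluster['location']} "
                "--enable-intra-node-visibility"
            ),
        })
    return findings


def list_clusters(project_id: str) -> str:
    """Live path: shell out to an authenticated gcloud install."""
    return subprocess.check_output(
        ["gcloud", "container", "clusters", "list",
         f"--project={project_id}", "--format=json"],
        text=True,
    )


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live audit: one or more project IDs on the command line.
        results = [f for p in sys.argv[1:] for f in audit(p, list_clusters(p))]
    else:
        # Offline demo against the constructed sample.
        results = audit("cc-web-project-123123", SAMPLE_CLUSTERS_JSON)
    for f in results:
        print(f"{f['rule']} {f['project']}/{f['cluster']} ({f['location']}): "
              f"intranode visibility disabled\n  fix: {f['remediation']}")
    sys.exit(1 if results else 0)
```

Run it with no arguments to see the two findings from the sample, or with one or more project IDs (`python audit_gke018.py cc-web-project-123123 cc-dev-project-112233`) to audit real projects; the non-zero exit status makes it usable as a CI or cron gate. Review the printed update commands before running them, since each one restarts control-plane and node components as described in the remediation section.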

Publication date Dec 2, 2024