Enable Workload Identity Federation

Risk Level: Medium (should be achieved)

Ensure that Workload Identity Federation is enabled for your Google Kubernetes Engine (GKE) clusters to securely connect to Google Cloud APIs from Kubernetes workloads. Workload Identity Federation enhances security, simplify access management, and eliminate the need for less secure methods like service account keys.

Security

Workload Identity Federation for GKE clusters simplifies and secures access to Google Cloud APIs for your Kubernetes workloads. By leveraging IAM policies, you can grant specific permissions to each application within your cluster without the need for manual configuration or less secure methods like service account keys. This approach provides several advantages:

Enhanced security: By assigning distinct identities to each application, you strengthen security and reduce the risk of unauthorized access.
Fine-grained access control: IAM policies allow you to implement granular access controls, ensuring that each application has only the necessary permissions.
Simplified management: Workload Identity Federation eliminates the need for metadata concealment, simplifying your cluster configuration and reducing potential security risks.

By adopting Workload Identity Federation, you can streamline your Google Kubernetes Engine (GKE) environment and maintain a robust security posture.

Audit

To determine if Workload Identity Federation is enabled for your Google Kubernetes Engine (GKE) clusters, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Kubernetes Engine console available at https://console.cloud.google.com/kubernetes.

04 In the left navigation panel, under Resource Management, choose Clusters and select the OVERVIEW tab to access the list of GKE clusters provisioned for the selected GCP project.

05 Click on the name (link) of the GKE cluster that you want to examine.

06 Select the DETAILS tab to view the configuration information available for the selected cluster.

07 In the Security section, check the Workload Identity attribute value to determine the Workload Identity Federation feature status. If Workload Identity Federation is set to Disabled, Workload Identity Federation is not enabled for the selected Google Kubernetes Engine (GKE) cluster.

08 Repeat steps no. 5 – 7 for each GKE cluster provisioned within the selected GCP project.

09 Repeat steps no. 2 – 8 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each GCP project available in your Google Cloud account:

gcloud projects list
	--format="table(projectId)"

02 The command output should return the requested GCP project IDS:

PROJECT_ID
cc-web-project-123123
cc-dev-project-112233

03 Run container clusters list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to describe the name and the region of each GKE cluster provisioned for the selected project:

gcloud container clusters list
	--project cc-web-project-123123
	--format="table(NAME,ZONE)"

04 The command output should return the requested cluster names and their regions:

NAME: cc-gke-backend-cluster
ZONE: us-central1

NAME: cc-gke-frontend-cluster
ZONE: us-central1

05 Run container clusters describe command (Windows/macOS/Linux) with the name of the GKE cluster that you want to examine as the identifier parameter and custom output filters to describe the Workload Identity Federation feature configuration, available for the selected cluster:

gcloud container clusters describe cc-gke-backend-cluster
	--region=us-central1
	--format="json(workloadIdentityConfig)"

06 The command output should return the Workload Identity Federation configuration information available for your GKE cluster:

null

If the container clusters describe command output returns null, the requested configuration information is not available. Therefore, the Workload Identity Federation feature is not enabled for the selected Google Kubernetes Engine (GKE) cluster.

07 Repeat steps no. 5 and 6 for each GKE cluster provisioned for the selected GCP project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To enable Workload Identity Federation for your Google Kubernetes Engine (GKE) clusters, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Kubernetes Engine console available at https://console.cloud.google.com/kubernetes.

04 In the left navigation panel, under Resource Management, choose Clusters and select the OVERVIEW tab to access the list of GKE clusters deployed for the selected GCP project.

05 Click on the name (link) of the GKE cluster that you want to configure.

06 Select the DETAILS tab to view the configuration information available for the selected cluster.

07 In the Security section, click on the Edit workload identity button (i.e., pencil icon) available next to Workload Identity to modify the feature settings.

08 Inside the Edit Workload Identity configuration box, check the Enable Workload Identity setting checkbox to enable the Workload Identity Federation feature for the selected GKE cluster. Choose SAVE CHANGES to apply the changes. Once the feature is enabled, GKE will use the project's default workload pool. Workload Identity Federation requires a workload pool to aggregate identity across multiple GKE clusters. In a workload pool, Cloud IAM treats Kubernetes service accounts that share the same name and Kubernetes namespace as the same principal.

09 Repeat steps no. 5 – 8 for each GKE cluster that you want to configure, created for the selected GCP project.

10 Repeat steps no. 2 – 9 for each GCP project available in your Google Cloud account.

Using GCP CLI

01 Run container clusters update command (Windows/macOS/Linux) with the name of the Google Kubernetes Engine (GKE) cluster that you want to configure as the identifier parameter, to enable Workload Identity Federation for your GKE cluster. For --workload-pool, specify the project's default workload pool. Workload Identity Federation requires a workload pool to aggregate identity across multiple GKE clusters. In a workload pool, Cloud IAM treats Kubernetes service accounts that share the same name and Kubernetes namespace as the same principal. Replace \<project-id\> with the ID of the GCP project that runs your GKE cluster:

gcloud container clusters update cc-gke-backend-cluster
	--region=us-central1
	--workload-pool=<project-id>.svc.id.goog

02 The command output should return the full URL of the modified GKE cluster:

Updating cc-gke-backend-cluster... done.
Updated [https://container.googleapis.com/v1/projects/cc-web-project-123123/zones/us-central1/clusters/cc-gke-backend-cluster].

03 Repeat steps no. 1 and 2 for each GKE cluster that you want to configure, available within the selected GCP project.

04 Repeat steps no. 1 – 3 for each GCP project deployed in your Google Cloud account.

References

Google Cloud Platform (GCP) Documentation
GKE cluster architecture
About Workload Identity Federation for GKE
Authenticate to Google Cloud APIs from GKE workloads

GCP Command Line Interface (CLI) Documentation
gcloud projects list
gcloud container clusters list
gcloud container clusters describe
gcloud container clusters update

Publication date Dec 3, 2024

Audit

Using GCP Console

Using GCP CLI

Remediation / Resolution

Using GCP Console

Using GCP CLI

References

Related GKE rules