
Prevent Default Service Account Usage

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Google Kubernetes Engine (GKE) clusters are configured to use user-managed service accounts instead of the default service account managed by Google Cloud in order to follow the Principle of Least Privilege (POLP) and enhance the security posture of your Kubernetes workloads.

Security

Applications running on GKE clusters use a service account to access Google Cloud APIs. The default service account in GKE (i.e., the Compute Engine default service account) has broad permissions across your GCP project, which increases the risk of unauthorized access and potential data breaches if compromised. To minimize this risk, it is strongly recommended to create and use custom, user-managed service accounts with only the permissions necessary for your applications, adhering to the Principle of Least Privilege. This approach enhances security and reduces the likelihood of attackers escalating privileges or accessing sensitive project resources.


Audit

To determine if your GKE cluster node pools are not using the default service account, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Kubernetes Engine console available at https://console.cloud.google.com/kubernetes.

04 In the left navigation panel, under Resource Management, choose Clusters and select the OVERVIEW tab to access the list of GKE clusters provisioned for the selected GCP project.

05 Click on the name (link) of the GKE cluster that you want to examine.

06 Select the NODES tab to access the node pools created for the selected cluster.

07 Click on the name (link) of the GKE cluster node pool that you want to examine.

08 In the Security section, check the Service account attribute value. If the Service account value is set to default, the selected Google Kubernetes Engine (GKE) cluster node pool is using the default service account provided by Google Cloud.

09 Repeat steps no. 7 and 8 for each node pool provisioned for the selected GKE cluster.

10 Repeat steps no. 5 – 9 for each GKE cluster provisioned within the selected GCP project.

11 Repeat steps no. 2 – 10 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each GCP project available in your Google Cloud account:

gcloud projects list \
	--format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-web-project-123123
cc-dev-project-112233

03 Run container clusters list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to describe the name and the location (region or zone) of each GKE cluster provisioned for the selected project (projection keys are lowercase resource field names):

gcloud container clusters list \
	--project cc-web-project-123123 \
	--format="table(name,location)"

04 The command output should return the requested cluster names and their locations:

NAME                     LOCATION
cc-gke-backend-cluster   us-central1
cc-gke-frontend-cluster  us-central1

05 Run container node-pools list command (Windows/macOS/Linux) with the name of the GKE cluster that you want to examine as the identifier parameter, to describe the name of each node pool provisioned for the selected cluster:

gcloud container node-pools list \
	--cluster=cc-gke-backend-cluster \
	--region=us-central1 \
	--format="table(name)"

06 The command output should return the requested GKE node pool names:

NAME
cc-gke-backend-pool-001
cc-gke-backend-pool-002
cc-gke-backend-pool-003

07 Run container node-pools describe command (Windows/macOS/Linux) with the name of the cluster node pool that you want to examine as the identifier parameter and custom output filters to determine if the selected node pool is configured to use the default service account:

gcloud container node-pools describe cc-gke-backend-pool-001 \
	--cluster=cc-gke-backend-cluster \
	--region=us-central1 \
	--format="value(config.serviceAccount)"

08 The command output should return the name of the service account configured for the selected node pool:

default

If the container node-pools describe command output returns default, the selected Google Kubernetes Engine (GKE) cluster node pool is using the default service account provided by Google Cloud.

09 Repeat steps no. 7 and 8 for each node pool provisioned for the selected GKE cluster.

10 Repeat steps no. 5 - 9 for each GKE cluster provisioned for the selected GCP project.

11 Repeat steps no. 3 – 10 for each GCP project deployed in your Google Cloud account.
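The repeat-for-every-project loop in steps 9 to 11 is easy to automate. The script below is an added example, not Conformity's own tooling; it assumes an installed and authenticated gcloud CLI and walks every visible project, cluster and node pool, reporting pools whose `config.serviceAccount` denotes the default service account. It also treats an explicitly pinned Compute Engine default account (the `<project-number>-compute@developer.gserviceaccount.com` form seen in the IAM policy later on this page) as non-compliant, which the literal-"default" check in step 8 would miss.

```python
"""Added example (not part of the Conformity page or its tooling): report GKE
node pools running on the default service account across all visible projects.
Assumes the gcloud CLI is installed and authenticated."""
import json
import subprocess
from typing import Iterator, List

# Suffix of the Compute Engine default service account email.
DEFAULT_SA_SUFFIX = "-compute@developer.gserviceaccount.com"


def is_default_service_account(value: str) -> bool:
    """True when a node pool's config.serviceAccount denotes the default SA.

    gcloud reports the literal "default" (or nothing) for the implicit default,
    but the Compute Engine default account may also have been pinned explicitly
    by email, so that form is flagged as well.
    """
    value = (value or "").strip()
    return value in ("", "default") or value.endswith(DEFAULT_SA_SUFFIX)


def _gcloud(*args: str) -> list:
    """Run a gcloud command and parse its JSON output (assumes gcloud on PATH)."""
    out = subprocess.run(["gcloud", *args, "--format=json"], check=True,
                         capture_output=True, text=True).stdout
    return json.loads(out or "[]")


def find_noncompliant_pools(projects: List[str]) -> Iterator[dict]:
    """Yield one record per node pool that fails the check, across all projects."""
    for project in projects:
        for cluster in _gcloud("container", "clusters", "list", "--project", project):
            location = cluster["location"]  # region or zone; both work with --location
            # node-pools list returns full NodePool objects, so no per-pool describe is needed
            pools = _gcloud("container", "node-pools", "list", "--project", project,
                            "--cluster", cluster["name"], "--location", location)
            for pool in pools:
                sa = pool.get("config", {}).get("serviceAccount", "default")
                if is_default_service_account(sa):
                    yield {"project": project, "cluster": cluster["name"],
                           "location": location, "pool": pool["name"], "serviceAccount": sa}


if __name__ == "__main__":
    project_ids = [p["projectId"] for p in _gcloud("projects", "list")]
    findings = list(find_noncompliant_pools(project_ids))
    for f in findings:
        print("NON-COMPLIANT {project}/{cluster}/{pool} ({location}): {serviceAccount}".format(**f))
    print(f"{len(findings)} node pool(s) using the default service account")
```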

Remediation / Resolution

To ensure that your Google Kubernetes Engine (GKE) clusters are configured to use user-managed service accounts instead of the default service account, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to IAM & Admin console available at https://console.cloud.google.com/iam-admin/iam.

04 In the left navigation panel, select Service Accounts.

05 Choose CREATE SERVICE ACCOUNT and perform the following actions to create the compliant user-managed service account that will replace the default one within the GKE cluster configuration:

  1. For Service account details, provide a unique name and short description for the new service account. Choose CREATE AND CONTINUE to continue the setup process.
  2. For Grant this service account access to project, grant the appropriate access by selecting an IAM role from the Select a role dropdown list. For example, you can use the Kubernetes Engine Default Node Service Account role as a secure, least privilege alternative to the default service account, for your GKE cluster nodes. (Optional) To add conditions, choose ADD IAM CONDITION to define your IAM conditions. Choose CONTINUE to continue the setup.
  3. (Optional) For Grant users access to this service account, grant access to users and/or groups that need to perform actions as this service account.
  4. Choose DONE to deploy your new user-managed service account.

06 Navigate to Kubernetes Engine console available at https://console.cloud.google.com/kubernetes.

07 In the left navigation panel, under Resource Management, choose Clusters and select the OVERVIEW tab to access the list of GKE clusters deployed for the selected GCP project.

08 Click on the name (link) of the GKE cluster that you want to configure.

09 Select the NODES tab to access the node pools created for the selected cluster.

10 Click on the name (link) of the cluster node pool that you want to re-create and collect all the configuration information available for the selected resource.

11 Go back to the NODES panel and choose ADD NODE POOL to create a new node pool for your GKE cluster:

  1. For Node pool details, provide the following information:
    1. Provide a unique name for the new node pool in the Name box.
    2. Enter the number of nodes for the new pool in the Number of nodes (per zone) box.
    3. Choose whether or not to enable cluster auto-scaler. Must match the node pool configuration collected at step no. 10.
    4. (Optional) Choose whether or not to enable private nodes. Must match the node pool configuration collected at step no. 10.
    5. (Optional) If required, select the Specify node locations checkbox and choose additional zone nodes.
    6. (Optional) If required, configure the node pool upgrade strategy for the new node pool. Must match the node pool configuration collected at step no. 10.
  2. For Nodes, perform the following operations:
    1. Select the type of the node image from the Image type dropdown list.
    2. Choose the machine family, type, and series for the new node pool. Select the appropriate boot disk type and size. Must match the node pool configuration collected at step no. 10.
    3. For Boot disk encryption, select Cloud KMS key, and choose your own Customer-Managed Encryption Key (CMEK) for boot disk encryption.
  3. For Networking, perform the following actions:
    1. Enter the maximum number of Kubernetes Pods per node in the Maximum Pods per node box.
    2. (Optional) Use Network tags to configure any required network tags.
    3. (Optional) Choose whether or not to create secondary address ranges. Must match the node pool configuration collected at step no. 10.
  4. For Security, provide the following information:
    1. Choose the new, compliant service account created at step no. 5 from the Service account dropdown list.
    2. Select the appropriate access scope(s). Must match the node pool configuration collected at step no. 10.
    3. (Optional) Under Shielded options, enable integrity monitoring, secure boot, and confidential GKE nodes to enhance security at the cluster node level.
  5. For Metadata, add any required resource labels (tags), and configure the metadata settings such as GCE instance metadata based on the configuration information taken from the source node pool at step no. 10.
  6. Choose CREATE to create your new GKE cluster node pool.

12 (Optional) Once the new cluster node pool is operating successfully, you can remove the source node pool in order to stop adding charges to your Google Cloud bill. Go back to the NODES panel and perform the following actions:

  1. Click on the name (link) of the node pool (i.e., source node pool) that you want to delete.
  2. Choose DELETE to initiate the deletion process.
  3. In the confirmation box, confirm deletion by typing the node pool name, and choose DELETE to remove the node pool from your GKE cluster.

13 Repeat steps no. 10 - 12 to replace the default service account for other node pools provisioned within the selected GKE cluster.

14 Repeat steps no. 8 – 13 for each GKE cluster that you want to configure, created for the selected GCP project.

15 Repeat steps no. 2 – 14 for each GCP project available in your Google Cloud account.

Using GCP CLI

01 Run iam service-accounts create command (Windows/macOS/Linux) to create the compliant user-managed service account that will replace the default service account within your GKE cluster configuration:

gcloud iam service-accounts create cc-kubernetes-service-account \
	--display-name="GKE Service Account" \
	--project cc-web-project-123123 \
	--format="table(email)"

02 The command output should return the email of the new service account:

Created service account [cc-kubernetes-service-account].
EMAIL: cc-kubernetes-service-account@cc-web-project-123123.iam.gserviceaccount.com

03 Run add-iam-policy-binding command (Windows/macOS/Linux) to grant the appropriate IAM role to the newly created service account in order to allow that service account access to relevant resources. The following example assigns the Kubernetes Engine Default Node Service Account role (i.e., roles/container.defaultNodeServiceAccount) to the new service account:

gcloud projects add-iam-policy-binding cc-web-project-123123 \
	--member serviceAccount:cc-kubernetes-service-account@cc-web-project-123123.iam.gserviceaccount.com \
	--role roles/container.defaultNodeServiceAccount

04 The command output should return the updated project IAM policy:

Updated IAM policy for project [cc-web-project-123123].
bindings:
- members:
	- serviceAccount:cc-kubernetes-service-account@cc-web-project-123123.iam.gserviceaccount.com
	role: roles/container.defaultNodeServiceAccount
- members:
	- serviceAccount:123456789012-compute@developer.gserviceaccount.com
	role: roles/editor
- members:
	- user:user@domain.com
	role: roles/owner
etag: ABCDABCDABCD
version: 1

05 Run container node-pools describe command (Windows/macOS/Linux) with the name of the GKE cluster node pool that you want to re-create as the identifier parameter and custom output filtering to describe the configuration information available for the selected node pool:

gcloud container node-pools describe cc-gke-backend-pool-001 \
	--cluster=cc-gke-backend-cluster \
	--region=us-central1 \
	--format=json

06 The command output should return the requested configuration information:

{
	"config": {
		"diskSizeGb": 150,
		"diskType": "pd-standard",
		"imageType": "COS",
		"metadata": {
			"disable-legacy-endpoints": "true"
		},
		"serviceAccount": "default",
		"shieldedInstanceConfig": {
			"enableIntegrityMonitoring": true
		}
	},
	"locations": [
		"us-central1-a",
		"us-central1-b"
	],

	...

	"management": {
		"autoRepair": true,
		"autoUpgrade": true
	},
	"maxPodsConstraint": {
		"maxPodsPerNode": "110"
	},
	"name": "cc-gke-backend-pool-001",
	"podIpv4CidrSize": 24,
	"status": "RUNNING",
	"upgradeSettings": {
		"maxSurge": 1
	}
}

07 Run container node-pools create command (Windows/macOS/Linux) with the information returned at the previous step as the configuration data, to create a new GKE cluster node pool with the user-managed service account created at step no. 1. Use the --service-account parameter to specify your new service account:

gcloud beta container node-pools create cc-new-backend-pool-001 \
	--cluster=cc-gke-backend-cluster \
	--region=us-central1 \
	--disk-type=pd-standard \
	--disk-size=150 \
	--service-account=cc-kubernetes-service-account@cc-web-project-123123.iam.gserviceaccount.com

08 The command output should return the full URL of the new cluster node pool:

Created [https://container.googleapis.com/v1/projects/cc-web-project-123123/zones/us-central1/clusters/cc-gke-backend-cluster/nodePools/cc-new-backend-pool-001]

09 (Optional) Once the new node pool is operating successfully, you can remove the source node pool in order to stop adding charges to your GCP bill. Run container node-pools delete command (Windows/macOS/Linux) with the name of the resource that you want to remove as the identifier parameter, to remove the specified node pool from your GKE cluster:

gcloud beta container node-pools delete cc-gke-backend-pool-001 \
	--cluster=cc-gke-backend-cluster \
	--region=us-central1

10 Type Y to confirm the cluster node pool removal:

The following node pool will be deleted.
[cc-gke-backend-pool-001] in cluster [cc-gke-backend-cluster] in [us-central1]
Do you want to continue (Y/n)?  Y

11 The output should return the container node-pools delete command request status:

Deleting node pool cc-gke-backend-pool-001... done.
Deleted [https://container.googleapis.com/v1/projects/cc-web-project-123123/zones/us-central1/clusters/cc-gke-backend-cluster/nodePools/cc-gke-backend-pool-001].

12 Repeat steps no. 5 - 11 to replace the default service account for other node pools provisioned for the selected GKE cluster.

13 Repeat steps no. 5 - 12 for each GKE cluster that you want to configure, available within the selected GCP project.

14 Repeat steps no. 1 – 13 for each GCP project deployed in your Google Cloud account.
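Step 7 above leaves it to the operator to carry the settings from the describe output into the create command by hand. The following added example (not Conformity's own code) does that translation: it reads a constructed sample shaped like the describe JSON shown at step 6, copies the settings the console procedure says must match (disk, image type, node locations, max pods, auto-repair/upgrade, surge, shielded options, metadata) and swaps in the user-managed service account, refusing to emit a command that would still point at the default account. The pool, cluster, location and service-account email passed in are assumptions.

```python
"""Added example (not part of the Conformity page): turn the JSON returned by
`gcloud container node-pools describe` into the matching `node-pools create`
argument list for a replacement pool bound to a user-managed service account."""
import json
from typing import List

# Constructed sample, shaped like the abbreviated describe output at step 6.
SAMPLE_DESCRIBE = json.loads("""{
  "config": {"diskSizeGb": 150, "diskType": "pd-standard", "imageType": "COS",
             "metadata": {"disable-legacy-endpoints": "true"},
             "serviceAccount": "default",
             "shieldedInstanceConfig": {"enableIntegrityMonitoring": true}},
  "locations": ["us-central1-a", "us-central1-b"],
  "management": {"autoRepair": true, "autoUpgrade": true},
  "maxPodsConstraint": {"maxPodsPerNode": "110"},
  "upgradeSettings": {"maxSurge": 1}
}""")


def build_create_command(describe: dict, new_pool: str, cluster: str,
                         location: str, service_account: str) -> List[str]:
    """Copy the settings that must match the source pool and replace the SA."""
    # Only a user-managed account is acceptable; "default" and the Compute
    # Engine default (*-compute@developer.gserviceaccount.com) are rejected.
    if not service_account.endswith(".iam.gserviceaccount.com"):
        raise ValueError("expected a user-managed service account email")
    cfg = describe["config"]
    argv = ["gcloud", "container", "node-pools", "create", new_pool,
            f"--cluster={cluster}", f"--location={location}",
            f"--service-account={service_account}",
            f"--disk-type={cfg['diskType']}", f"--disk-size={cfg['diskSizeGb']}GB",
            f"--image-type={cfg['imageType']}",
            "--node-locations=" + ",".join(describe.get("locations", [])),
            f"--max-pods-per-node={describe['maxPodsConstraint']['maxPodsPerNode']}"]
    mgmt = describe.get("management", {})
    argv.append("--enable-autorepair" if mgmt.get("autoRepair") else "--no-enable-autorepair")
    argv.append("--enable-autoupgrade" if mgmt.get("autoUpgrade") else "--no-enable-autoupgrade")
    argv.append(f"--max-surge-upgrade={describe.get('upgradeSettings', {}).get('maxSurge', 1)}")
    shielded = cfg.get("shieldedInstanceConfig", {})
    if shielded.get("enableIntegrityMonitoring"):
        argv.append("--shielded-integrity-monitoring")
    if shielded.get("enableSecureBoot"):
        argv.append("--shielded-secure-boot")
    if cfg.get("metadata"):  # single --metadata flag with comma-separated KEY=VALUE pairs
        argv.append("--metadata=" + ",".join(f"{k}={v}" for k, v in cfg["metadata"].items()))
    return argv


if __name__ == "__main__":
    cmd = build_create_command(SAMPLE_DESCRIBE, "cc-new-backend-pool-001", "cc-gke-backend-cluster",
                               "us-central1", "cc-kubernetes-service-account@cc-web-project-123123.iam.gserviceaccount.com")
    print(" \\\n  ".join(cmd))
```

Review the printed command against the source pool before running it; anything not carried over (node count, access scopes, labels, network tags) must still be added by hand.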


Publication date Dec 3, 2024