Ensure that Workload Identity Federation is enabled for your Google Kubernetes Engine (GKE) clusters to securely connect to Google Cloud APIs from Kubernetes workloads. Workload Identity Federation enhances security, simplifies access management, and eliminates the need for less secure methods like service account keys.
PoC代码[已公开]
id: gcloud-gke-workload-identity-disabled
info:
name: GKE Clusters Without Workload Identity Federation
author: princechaddha
severity: medium
description: |
Ensure that Workload Identity Federation is enabled for your Google Kubernetes Engine (GKE) clusters to securely connect to Google Cloud APIs from Kubernetes workloads. Workload Identity Federation enhances security, simplifies access management, and eliminates the need for less secure methods like service account keys.
impact: |
Without Workload Identity Federation enabled, applications may rely on less secure authentication methods like service account keys, increasing the risk of credential exposure and unauthorized access to Google Cloud resources.
remediation: |
Enable Workload Identity Federation for your GKE clusters using:
gcloud container clusters update CLUSTER_NAME --region=REGION --workload-pool=PROJECT_ID.svc.id.goog
reference:
- https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
- https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/GKE/enable-workload-identity.html
tags: cloud,devops,gcp,gcloud,gke,kubernetes,security,iam,gcp-cloud-config
flow: |
code(1)
for(let projectId of iterate(template.projectIds)){
set("projectId", projectId)
code(2)
for(let cluster of iterate(template.clusters)){
cluster = JSON.parse(cluster)
set("clusterName", cluster.name)
set("location", cluster.location)
code(3)
}
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
gcloud projects list --format="json(projectId)"
extractors:
- type: json
name: projectIds
internal: true
json:
- '.[].projectId'
- engine:
- sh
- bash
source: |
gcloud container clusters list --project $projectId --format="json(name,location)"
extractors:
- type: json
name: clusters
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
gcloud container clusters describe $clusterName --location $location --project $projectId --format="json(workloadIdentityConfig)"
matchers:
- type: word
words:
- "null"
extractors:
- type: dsl
dsl:
- '"GKE cluster " + clusterName + " in " + location + " of project " + projectId + " does not have Workload Identity Federation enabled"'
# digest: 4a0a0047304502202829d6a8a4046b6d34675689196cb8e942959f81f10b2cca31cd3e368a48544a022100e8fef52c590ae1a6898b26120bdda5a54ba565664339f096a34c6d6079579b60:922c64590222798bb761d5b6d8e72950