Disable Workload Identity at Cluster Creation

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)

Ensure that the "Disable Workload Identity Cluster Creation" policy is enforced at the GCP organization level in order to require that any new Google Kubernetes Engine (GKE) clusters are created with the Workload Identity feature disabled. This constraint policy is useful when you want to tightly control service account access in your organization by disabling Workload Identity in addition to disabling service account creation and service account key creation.

Security

The applications running on GKE clusters must authenticate in order to use Google Cloud APIs such as the Compute, Storage, Database, or Machine Learning APIs. With the Workload Identity feature, you can configure a Kubernetes service account to act as a Google service account in order to access Google Cloud APIs. This enables you to assign fine-grained identity and authorization to applications in your GKE cluster. From a security perspective, Workload Identity allows the Google Kubernetes Engine (GKE) service to assert Kubernetes service account identities that can be authorized to access Google Cloud resources. Administrators who have already isolated GKE workloads from other Google Cloud resources, for example by disabling service account creation or service account key creation, might also want to disable Workload Identity for GKE clusters.

Audit

To determine if the "Disable Workload Identity Cluster Creation" policy is enforced at the GCP organization level, perform the following actions:

Using GCP Console

01 Sign in to the Google Cloud Management Console with the organizational unit credentials.

02 Click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the Google Cloud organization that you want to examine.

03 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

04 In the navigation panel, select Organization Policies to access the list with the cloud organization policies available for your GCP organization.

05 Click inside the Filter by policy name or ID filter box, select Disable Workload Identity Cluster Creation to return the "Disable Workload Identity Cluster Creation" policy.

06 Click on the name of the GCP organization policy returned at the previous step.

07 On the Policy details page, under Effective policy, check the Enforcement configuration attribute status. If the Enforcement attribute status is set to Not enforced, the "Disable Workload Identity Cluster Creation" constraint policy is not currently enforced at the GCP organization level.

08 Repeat steps no. 2 – 7 for each organization available in your Google Cloud account.

Using GCP CLI

01 Run the organizations list command (Windows/macOS/Linux) using custom query filters to list the ID of each GCP organization created within your Google Cloud account:

gcloud organizations list \
    --format="table(name)"

02 The command output should return the requested organization identifiers (IDs):

ID
112233441122
123412341234

03 Run the resource-manager org-policies describe command (Windows/macOS/Linux) using the ID of the GCP organization that you want to examine as the identifier parameter, to describe the enforcement configuration of the "Disable Workload Identity Cluster Creation" policy available for the selected organization:

gcloud alpha resource-manager org-policies describe \
    "iam.disableWorkloadIdentityClusterCreation" \
    --effective \
    --organization=112233441122 \
    --format="table(booleanPolicy)"

04 The command request should return the requested configuration information:

BOOLEAN_POLICY
{}

If the resource-manager org-policies describe command output returns an empty object ({}) for the BOOLEAN_POLICY configuration attribute, the "Disable Workload Identity Cluster Creation" constraint policy is not enforced at the GCP organization level, and therefore the Workload Identity feature can be enabled on any GKE cluster deployed within your organization.

05 Repeat steps no. 3 and 4 for each organization available in your Google Cloud account.
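The per-organization loop that steps 3 to 5 ask you to repeat, as an added example that is not part of the Conformity page: a POSIX shell script that classifies the describe output (taken with --format=json instead of the table format above) and exits non-zero when any organization leaves the constraint unenforced, so it can serve as a CI gate. It assumes an installed and authenticated gcloud with organization-level read access, and that the value(name.basename()) projection yields the numeric organization ID.

```shell
#!/bin/sh
# Added audit helper, not part of the Conformity page. It walks every
# organization visible to the caller and reports whether the effective
# "iam.disableWorkloadIdentityClusterCreation" policy is enforced.
set -eu

CONSTRAINT="iam.disableWorkloadIdentityClusterCreation"

# classify_policy RAW_JSON
# RAW_JSON is the output of the describe command run with --format=json.
# Prints "enforced" only when booleanPolicy.enforced is true; an empty
# booleanPolicy ({}) or a missing field prints "not-enforced", which is
# the same reading the page gives to "BOOLEAN_POLICY {}" in step 04.
classify_policy() {
  # Drop all whitespace so the match does not depend on gcloud's indentation.
  compact=$(printf '%s' "$1" | tr -d ' \n\t\r')
  case "$compact" in
    *'"booleanPolicy":{"enforced":true'*) echo "enforced" ;;
    *) echo "not-enforced" ;;
  esac
}

# audit_all_orgs
# Runs steps 01, 03 and 04 for every organization and returns non-zero if
# any organization leaves the constraint unenforced. A describe call that
# fails (for example, missing permission) aborts the run under set -e
# rather than being silently counted as a pass.
# Assumption: name.basename() returns the numeric ID from "organizations/ID".
audit_all_orgs() {
  rc=0
  for org_id in $(gcloud organizations list --format="value(name.basename())"); do
    raw=$(gcloud alpha resource-manager org-policies describe "$CONSTRAINT" \
            --effective --organization="$org_id" --format=json)
    verdict=$(classify_policy "$raw")
    printf '%s\t%s\n' "$org_id" "$verdict"
    [ "$verdict" = "enforced" ] || rc=1
  done
  return "$rc"
}

# Run the live audit only where gcloud exists, so the classifier can still
# be exercised on a machine without the SDK.
if command -v gcloud >/dev/null 2>&1; then
  audit_all_orgs
fi
```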

Remediation / Resolution

To enforce the "Disable Workload Identity Cluster Creation" policy at the Google Cloud Platform (GCP) organization level, perform the following actions:

Using GCP Console

01 Sign in to the Google Cloud Management Console with the organizational unit credentials.

02 Click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the Google Cloud organization that you want to reconfigure.

03 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

04 In the navigation panel, select Organization Policies to access the list with the cloud organization policies available for your GCP organization.

05 Click inside the Filter by policy name or ID box, select Disable Workload Identity Cluster Creation to list only the "Disable Workload Identity Cluster Creation" policy.

06 Click on the name of the GCP organization policy listed at the previous step.

07 On the Policy details page, click on the EDIT button from the dashboard top menu to edit the selected policy.

08 On the Edit policy configuration page, perform the following:

  1. Under Applies to, select Customize to choose the type of the policy to apply (i.e. customized policy).
  2. Under Enforcement, select On to enable the "Disable Workload Identity Cluster Creation" policy for the selected Google Cloud organization.
  3. Click SAVE to apply the changes and enforce the policy at the organization level.

09 If required, repeat steps no. 2 – 8 to enable the constraint policy for other organizations available in your Google Cloud account.

Using GCP CLI

01 Run the resource-manager org-policies enable-enforce command (Windows/macOS/Linux) using the ID of the Google Cloud Platform (GCP) organization that you want to reconfigure as the identifier parameter, to enforce the "Disable Workload Identity Cluster Creation" policy (i.e. the "iam.disableWorkloadIdentityClusterCreation" constraint) for the selected GCP organization:

gcloud alpha resource-manager org-policies enable-enforce \
    "iam.disableWorkloadIdentityClusterCreation" \
    --organization=112233441122

02 The command request should return the reconfigured organization policy metadata:

booleanPolicy:
  enforced: true
constraint: constraints/iam.disableWorkloadIdentityClusterCreation
etag: abcdabcdabcd
updateTime: '2020-09-15T10:00:00.000Z'

03 If required, repeat steps no. 1 and 2 to enforce the required policy for other GCP organizations created within your Google Cloud account.

Publication date May 10, 2021
