Kubernetes Cluster is not VPC-Native. Affecting Kubernetes (Container) Engine service in Google
Severity framework: Snyk CCSS
Rule category: Network / Network
- Snyk ID: SNYK-CC-00744
- Credit: Snyk Research Team
Description
Kubernetes clusters that are not VPC-native rely on custom static routes for pod traffic, so pod IP addresses are not natively routable within the VPC. This can degrade networking performance and weakens network security controls, because pods are not addressable as first-class entities in the VPC. VPC-native clusters use alias IP ranges for pods and services, which makes pod addresses natively routable and lets VPC features (such as firewall rules scoped to the pod range) apply to them directly.
How to fix?
Set the networking_mode attribute to VPC_NATIVE for the google_container_cluster resource, and supply an ip_allocation_policy block that names the subnetwork's secondary ranges for pods and services.
Example Configuration
# Compliant cluster: alias IP ranges are used for pods and services.
# The referenced network and subnetwork resources are defined elsewhere
# in the configuration; the subnetwork must carry the two secondary ranges.
resource "google_container_cluster" "allow" {
  name                = "vpc-native-cluster"
  location            = "us-central1"
  initial_node_count  = 1
  deletion_protection = false
  networking_mode     = "VPC_NATIVE"
  network             = google_compute_network.allow-network.id
  subnetwork          = google_compute_subnetwork.allow-subnetwork.id

  # Required when networking_mode is VPC_NATIVE: pods and services draw
  # their addresses from the subnetwork's secondary (alias) ranges.
  ip_allocation_policy {
    cluster_secondary_range_name  = "pod-ranges"
    services_secondary_range_name = google_compute_subnetwork.allow-subnetwork.secondary_ip_range[0].range_name
  }
}
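The rule's example references a network and subnetwork without showing them. The following is an added illustration, not part of the Snyk rule page, that defines those supporting resources and places the setting this rule flags (networking_mode = "ROUTES") beside the corrected VPC-native form. Resource names, the region and the CIDR ranges are assumptions chosen for the example; the attribute names are those of the google_compute_network, google_compute_subnetwork and google_container_cluster resources in the Terraform Google provider.

```hcl
# Added example (not from the Snyk rule page). Names, region and CIDRs
# are assumptions for illustration only.

resource "google_compute_network" "example" {
  name                    = "example-network"
  auto_create_subnetworks = false
}

# A VPC-native cluster needs a subnetwork with two secondary (alias) ranges:
# one for pod IPs and one for Kubernetes service IPs.
resource "google_compute_subnetwork" "example" {
  name          = "example-subnetwork"
  region        = "us-central1"
  network       = google_compute_network.example.id
  ip_cidr_range = "10.0.0.0/20"

  secondary_ip_range {
    range_name    = "pods"
    ip_cidr_range = "10.4.0.0/14"
  }

  secondary_ip_range {
    range_name    = "services"
    ip_cidr_range = "10.8.0.0/20"
  }
}

# Non-compliant form that SNYK-CC-00744 flags: routes-based networking.
# Pod addresses are reached through per-node custom static routes and are
# not natively routable within the VPC, so VPC-level controls cannot be
# scoped to the pod range.
resource "google_container_cluster" "routes_based" {
  name                = "routes-based-cluster"
  location            = "us-central1"
  initial_node_count  = 1
  deletion_protection = false
  networking_mode     = "ROUTES"
  network             = google_compute_network.example.id
  subnetwork          = google_compute_subnetwork.example.id
}

# Compliant form: VPC-native networking with an explicit ip_allocation_policy
# that points at the subnetwork's secondary ranges by name. Setting
# networking_mode explicitly avoids depending on the provider's default.
resource "google_container_cluster" "vpc_native" {
  name                = "vpc-native-cluster"
  location            = "us-central1"
  initial_node_count  = 1
  deletion_protection = false
  networking_mode     = "VPC_NATIVE"
  network             = google_compute_network.example.id
  subnetwork          = google_compute_subnetwork.example.id

  ip_allocation_policy {
    cluster_secondary_range_name  = google_compute_subnetwork.example.secondary_ip_range[0].range_name
    services_secondary_range_name = google_compute_subnetwork.example.secondary_ip_range[1].range_name
  }
}
```

Only one of the two google_container_cluster resources would be kept in a real configuration; they are shown together so the difference is a single attribute plus the ip_allocation_policy block. Because a cluster's networking mode cannot be changed in place, remediating an existing routes-based cluster means creating a VPC-native replacement and migrating workloads rather than editing the attribute on the running cluster.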