Severity: medium
Severity framework: Snyk CCSS
Rule category: Network

Frameworks
  • Snyk ID: SNYK-CC-00744
  • Credit: Snyk Research Team

Description

Non-VPC-Native Kubernetes clusters may lead to suboptimal networking performance and security issues due to the lack of pod-to-VM native routing. VPC-Native clusters enable the use of alias IP ranges, improving network security and efficiency by ensuring that pods are treated as first-class citizens on the network with direct access to VPC features.

How to fix?

Set the networking_mode attribute to VPC_NATIVE for the resource google_container_cluster.

Example Configuration

```hcl
resource "google_container_cluster" "allow" {
  name                = "vpc-native-cluster"
  location            = "us-central1"
  initial_node_count  = 1
  deletion_protection = false
  networking_mode     = "VPC_NATIVE"
  network             = google_compute_network.allow-network.id
  subnetwork          = google_compute_subnetwork.allow-subnetwork.id

  ip_allocation_policy {
    cluster_secondary_range_name  = "pod-ranges"
    services_secondary_range_name = google_compute_subnetwork.allow-subnetwork.secondary_ip_range.0.range_name
  }
}
```
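The rule above can be evaluated before apply by reading the JSON form of a Terraform plan (`terraform show -json tfplan`), which lists every planned `google_container_cluster` with its resolved attributes. The check below is an added example, not Snyk's own rule engine or code from this page: it walks the root module and nested child modules of a plan, and reports any cluster whose `networking_mode` is not `VPC_NATIVE`. A cluster that leaves `networking_mode` unset is reported as well; that is a deliberately conservative assumption here, so the result does not depend on which provider version's default is in effect. The plan fragment embedded in the block is constructed for the example and only mirrors the shape of real plan output.

```python
import json
import sys

# Constructed sample in the shape of `terraform show -json` output.
# Not taken from the page; three clusters cover the cases the check handles:
# an explicit routes-based cluster, a compliant VPC-native cluster, and a
# cluster inside a child module that never sets networking_mode.
SAMPLE_PLAN = {
    "planned_values": {
        "root_module": {
            "resources": [
                {
                    "address": "google_container_cluster.routes_based",
                    "type": "google_container_cluster",
                    "values": {
                        "name": "legacy-cluster",
                        "networking_mode": "ROUTES",
                        "ip_allocation_policy": [],
                    },
                },
                {
                    "address": "google_container_cluster.allow",
                    "type": "google_container_cluster",
                    "values": {
                        "name": "vpc-native-cluster",
                        "networking_mode": "VPC_NATIVE",
                        "ip_allocation_policy": [
                            {
                                "cluster_secondary_range_name": "pod-ranges",
                                "services_secondary_range_name": "services-ranges",
                            }
                        ],
                    },
                },
            ],
            "child_modules": [
                {
                    "address": "module.gke",
                    "resources": [
                        {
                            "address": "module.gke.google_container_cluster.unset",
                            "type": "google_container_cluster",
                            "values": {"name": "no-mode-set"},
                        }
                    ],
                }
            ],
        }
    }
}

REQUIRED_MODE = "VPC_NATIVE"


def iter_resources(module):
    """Yield every resource in a plan module and, recursively, its child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_vpc_native(plan):
    """Return one finding per google_container_cluster that is not VPC_NATIVE.

    An unset networking_mode is reported too (conservative assumption: the
    check does not trust a provider default to satisfy the rule).
    """
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != "google_container_cluster":
            continue
        values = res.get("values") or {}
        mode = values.get("networking_mode")
        if mode == REQUIRED_MODE:
            continue
        findings.append({
            "address": res["address"],
            "networking_mode": mode,
            "reason": (
                f"networking_mode is {mode!r}, expected {REQUIRED_MODE!r}"
                if mode is not None
                else "networking_mode not set explicitly; treated as non-compliant"
            ),
        })
    return findings


if __name__ == "__main__":
    # Usage: python check_vpc_native.py plan.json  (falls back to the sample)
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for f in check_vpc_native(plan):
        print(f"{f['address']}: {f['reason']}")
    sys.exit(1 if check_vpc_native(plan) else 0)
```

Run against the sample, the script reports the routes-based cluster and the child-module cluster with no mode set, and exits non-zero so it can gate a CI pipeline; the compliant `google_container_cluster.allow` produces no finding.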