CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Each rule is associated with a high-level category, for example IAM, Container, Monitoring, Logging, or Network.
Non-VPC-Native Kubernetes clusters may lead to suboptimal networking performance and security issues due to the lack of pod-to-VM native routing. VPC-Native clusters enable the use of alias IP ranges, improving network security and efficiency by ensuring that pods are treated as first-class citizens on the network with direct access to VPC features.
Set the networking_mode attribute to VPC_NATIVE for the resource google_container_cluster.
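# The referenced network and subnetwork (google_compute_network.allow-network,
# google_compute_subnetwork.allow-subnetwork) are defined elsewhere in the configuration.
resource "google_container_cluster" "allow" {
  name                = "vpc-native-cluster"
  location            = "us-central1"
  initial_node_count  = 1
  deletion_protection = false

  # Compliant setting: pods get alias IPs from the VPC subnetwork.
  networking_mode = "VPC_NATIVE"
  network         = google_compute_network.allow-network.id
  subnetwork      = google_compute_subnetwork.allow-subnetwork.id

  # Secondary ranges of the subnetwork used for pod and service IPs.
  ip_allocation_policy {
    cluster_secondary_range_name  = "pod-ranges"
    services_secondary_range_name = google_compute_subnetwork.allow-subnetwork.secondary_ip_range.0.range_name
  }
}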
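One way to enforce this rule before apply, as an added example that is not part of the original page: a Python check over the JSON form of a plan (`terraform show -json <planfile>`) that reports every google_container_cluster, including those in child modules, whose networking_mode is not VPC_NATIVE. The sample plan and its resource addresses are constructed, and reporting a missing value as a finding is an assumption of this example.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>` output.
# Resource addresses and the module name are invented for this example.
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {
  "resources": [
    {"address": "google_container_cluster.allow", "type": "google_container_cluster",
     "values": {"networking_mode": "VPC_NATIVE"}},
    {"address": "google_container_cluster.legacy", "type": "google_container_cluster",
     "values": {"networking_mode": "ROUTES"}}],
  "child_modules": [{"address": "module.team_a", "resources": [
    {"address": "module.team_a.google_container_cluster.unset",
     "type": "google_container_cluster", "values": {"name": "no-mode-cluster"}},
    {"address": "module.team_a.google_compute_network.net",
     "type": "google_compute_network", "values": {"name": "net"}}]}]
}}}
""")


def iter_resources(module):
    """Yield every resource in a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def non_vpc_native_clusters(plan):
    """Return (address, observed mode) for clusters not planned as VPC_NATIVE."""
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        if res.get("type") != "google_container_cluster":
            continue
        # A missing value (unset, or only known after apply) is reported as
        # "<unset>": this check assumes the rule wants the attribute explicit.
        mode = (res.get("values") or {}).get("networking_mode") or "<unset>"
        if mode != "VPC_NATIVE":
            findings.append((res["address"], mode))
    return findings


if __name__ == "__main__":
    for address, mode in non_vpc_native_clusters(SAMPLE_PLAN):
        print(f"FAIL {address}: networking_mode={mode}")
```

In a pipeline, a non-empty result from `non_vpc_native_clusters` would fail the job before `terraform apply` runs.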