Google Cloud Kubernetes Engine

Alias IP Ranges Disabled

Ensures that Kubernetes clusters have alias IP ranges enabled.

Risk Level: Low

Description

This plugin checks that every Google Kubernetes Engine (GKE) cluster in the project is VPC-native, that is, has alias IP ranges enabled. Alias IP ranges let a VM's network interface own a range of internal IP addresses in addition to its primary address. In GKE, a VPC-native cluster assigns Pod IP addresses from such a range (a secondary range of the cluster's subnet), so Pod addresses are real VPC addresses that the VPC routes, firewalls and logs natively. A cluster without alias IP ranges is a routes-based cluster, which relies on per-node custom static routes instead.

About the Service

Google Kubernetes Engine (GKE):

Google Kubernetes Engine is Google Cloud's managed Kubernetes service. It consists of a managed control plane, worker nodes that run your Pods, and integration with other Google Cloud services (VPC networking, IAM, Cloud Logging and so on). It provides a platform for deploying, managing and scaling containerized applications. You interact with GKE through the Google Cloud Console, the gcloud CLI or kubectl. See the GKE documentation for details.

Impact

In a routes-based cluster, GKE must install one custom static route per node to make Pod IP addresses reachable. Those routes count against the project's route quota, and Pod addresses are not part of the VPC's own address plan, so VPC firewall rules cannot target them directly. With alias IP ranges enabled, Pod IPs are allocated from a secondary range of the subnet and routed natively by the VPC without any per-node routes. This has three security-relevant consequences: VPC firewall rules can reference Pod IP ranges directly, the VPC's anti-spoofing checks apply to Pod traffic, and the Pod range is reserved before nodes are created, which avoids address conflicts with other resources in the network. The result is less routing to manage and Pod traffic that can be firewalled and audited like any other VPC traffic.

Steps to Reproduce

Using GCP Console-

  1. Log in to the Google Cloud Console.
  2. From the project selector in the top navigation bar, select the GCP project you want to investigate.
  3. From the navigation menu on the left side of the console, go to Kubernetes Engine and select Clusters.
  4. Select the cluster you want to investigate from the list of clusters displayed.
  5. On the cluster details page, under the Networking section, check the status of VPC-native traffic routing. If it shows Disabled, alias IP ranges are disabled for the selected cluster (it is a routes-based cluster).
  6. Repeat steps 4 and 5 for all the clusters you want to investigate in the selected project.
  7. If you have multiple projects to investigate, repeat steps 2 to 6 for each project.

Steps for Remediation

Decide whether a routes-based cluster is genuinely required (for example, a legacy workload that depends on it). If not, enable alias IP ranges using the steps below.

NOTE: VPC-native traffic routing is fixed at cluster creation time and cannot be enabled on an existing cluster. Remediation therefore means creating a new VPC-native cluster, migrating the workloads to it, and deleting the old cluster.

Using GCP Console-

  1. Log in to the Google Cloud Console.
  2. From the project selector in the top navigation bar, select the GCP project you want to reconfigure.
  3. From the navigation menu on the left side of the console, go to Kubernetes Engine and select Clusters.
  4. Select the cluster you want to reconfigure from the list of clusters displayed and note down its configuration (node pools, versions, network, subnet, labels, add-ons) so the replacement can match it. (If you are not sure which cluster needs reconfiguring, follow the Steps to Reproduce above to determine which to choose.)
  5. Click the Duplicate button in the top navigation bar.
  6. Review and fill in the required configuration for the new cluster, then go to the Networking section in the side navigation bar.
  7. Under Advanced networking options, check the Enable VPC-native traffic routing (uses alias IP) checkbox and select existing secondary ranges for Pods and Services, or let GKE create them.
  8. Click CREATE to create the new cluster.
  9. Migrate the workloads to the new cluster and confirm that its VPC-native traffic routing shows Enabled. Then delete the original cluster to avoid unwanted expenses: select it, click DELETE in the top navigation bar, and confirm with DELETE in the pop-up box.
  10. Repeat steps 4 to 9 for all the clusters you want to reconfigure in the selected project.
  11. If you have multiple projects, repeat steps 2 to 10 for each project.
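The same audit (Steps to Reproduce) and remediation (Steps for Remediation) can be scripted with the gcloud CLI, which is more practical than clicking through every cluster in every project. The script below is an added example and is not part of the original page or of the plugin. It assumes gcloud is authenticated for the project, that the cluster is regional (use --zone instead of --region for a zonal cluster), and that the project, network, subnet and secondary range names passed in are placeholders; the cluster lines fed to audit_clusters in the usage comment are constructed sample data.

```shell
#!/bin/sh
# Added example (not the page's or plugin's own code): audit GKE clusters for
# alias IP (VPC-native) support and create a compliant replacement with gcloud.
# All project, network, subnet and range names are placeholders (assumptions).

# Step 1, audit. Produce one tab-separated line per cluster with the real command
#   gcloud container clusters list --project "$PROJECT" \
#       --format="value(name,location,ipAllocationPolicy.useIpAliases)"
# and pipe it into audit_clusters. A routes-based cluster has no
# ipAllocationPolicy.useIpAliases field, so its third column is empty;
# a VPC-native cluster prints True. Non-compliant clusters are printed as
# "name<TAB>location" and the function returns non-zero if any were found.
audit_clusters() {
    noncompliant=0
    while IFS="$(printf '\t')" read -r name location use_alias; do
        [ -n "$name" ] || continue                      # skip blank lines
        case "$use_alias" in
            True|true) ;;                               # alias IP ranges enabled
            *) printf '%s\t%s\n' "$name" "$location"    # disabled: report it
               noncompliant=$((noncompliant + 1)) ;;
        esac
    done
    [ "$noncompliant" -eq 0 ]   # exit status 0 only if every cluster is VPC-native
}

# Step 2, remediation. The setting is immutable, so a VPC-native replacement is
# created with --enable-ip-alias. Pod and Service IPs come from two secondary
# ranges that must already exist on the subnet (create them first if needed).
create_vpc_native_cluster() {
    name=$1; project=$2; region=$3; network=$4; subnet=$5; pod_range=$6; svc_range=$7
    gcloud container clusters create "$name" \
        --project "$project" --region "$region" \
        --network "$network" --subnetwork "$subnet" \
        --enable-ip-alias \
        --cluster-secondary-range-name "$pod_range" \
        --services-secondary-range-name "$svc_range"
}

# Step 3, verify before deleting the old cluster: this must print True.
verify_vpc_native() {
    gcloud container clusters describe "$1" --project "$2" --region "$3" \
        --format="value(ipAllocationPolicy.useIpAliases)"
}

# Usage (real gcloud calls; run only where gcloud is installed and authenticated):
#   gcloud container clusters list --project my-proj \
#       --format="value(name,location,ipAllocationPolicy.useIpAliases)" | audit_clusters
#   create_vpc_native_cluster legacy-b-v2 my-proj us-east1 prod-vpc prod-subnet pods svcs
#   verify_vpc_native legacy-b-v2 my-proj us-east1
# Constructed sample input for audit_clusters (one compliant, two routes-based):
#   printf 'prod-a\tus-central1\tTrue\nlegacy-b\tus-east1-b\t\nlegacy-c\teurope-west1\n'
```

Because audit_clusters reads gcloud's value() output from stdin, you can loop it over every project returned by `gcloud projects list --format="value(projectId)"` to cover the multi-project case in steps 7 and 11 without re-authenticating or clicking through the Console.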