
Web Dashboard Enabled

Ensures that the web dashboard is disabled on all clusters.

Risk Level: High

Description

This plugin ensures that the web dashboard is disabled on all GKE clusters. The Kubernetes web dashboard uses a highly privileged Kubernetes service account, so SentinelOne CNS strongly recommends that all Kubernetes clusters have the web dashboard disabled.

Note: The web dashboard feature has been deprecated and is no longer supported in GKE 1.15 and later versions.

About the Service

Google Cloud Kubernetes Engine:

The Google Cloud Kubernetes Engine is a Kubernetes-based service that includes a control plane, nodes that house pods, and Google Cloud services. It aids in the modernization of your programs by offering a platform for deploying, managing, and scaling containerized applications. You can interact with Google Cloud Kubernetes Engine through the Google Cloud Console or kubectl.

Impact

If a Kubernetes cluster has the web dashboard enabled, it could lead to privilege escalation. As a result, various permissions could be granted, eventually failing to follow the principle of least privilege.

Steps to Reproduce

Note: Basic authentication can only be accessed through the GCP Command Line Interface (CLI). 

Using GCP CLI:

  1. Using your account credentials, configure the GCP CLI if you haven’t already.
  2. To check if your GKE cluster has the web dashboard enabled, run the following command:

         gcloud container clusters describe <clustername> --format yaml

  3. If it is enabled, an output similar to the one below will be displayed:

         addonsConfig:
           kubernetesDashboard: {enabled}

  4. Repeat steps for all the clusters you want to investigate in the selected project.
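
The per-cluster check above, run across every cluster in a project in one pass. This is an added example, not part of the original article or SentinelOne's own tooling. It assumes the add-on state is exposed as the GKE API field `addonsConfig.kubernetesDashboard.disabled` and flags any cluster that does not report it as `True`; the function names and sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag GKE clusters whose Kubernetes Dashboard add-on is not
# reported as disabled. Function names are illustrative, not from the article.

TAB="$(printf '\t')"

# Classify "name<TAB>location<TAB>disabled" rows read from stdin.
# Prints "OK" or "FLAG" with the cluster name and location, and returns
# non-zero when at least one cluster was flagged.
classify_clusters() {
    flagged=0
    while IFS="$TAB" read -r name location disabled; do
        [ -n "$name" ] || continue
        case "$disabled" in
            True|true) echo "OK   $name $location" ;;
            # Empty or False: the add-on is enabled or its state is not
            # reported, so the cluster needs a manual look.
            *) echo "FLAG $name $location"; flagged=$((flagged + 1)) ;;
        esac
    done
    [ "$flagged" -eq 0 ]
}

# List every cluster in the given project and classify it.
# Needs an authenticated gcloud and network access.
audit_project() {
    gcloud container clusters list --project "$1" \
        --format='value(name,location,addonsConfig.kubernetesDashboard.disabled)' |
        classify_clusters
}

# Constructed sample rows in the tab-separated shape the list command prints.
sample_rows() {
    printf 'prod-api\tus-central1\tTrue\n'
    printf 'legacy-batch\teurope-west1-b\t\n'
    printf 'dev-sandbox\tus-east1-c\tFalse\n'
}

# Run as: sh audit.sh PROJECT_ID   (exit status is non-zero if anything is flagged)
if [ "$#" -gt 0 ]; then
    audit_project "$1"
fi
```

Piping `sample_rows` into `classify_clusters` exercises the logic offline before pointing it at a real project.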

Steps for Remediation

Determine whether or not you truly require the web dashboard feature to be enabled for your GKE clusters. If not, make the necessary changes to disable it.

Using GCP CLI:

  1. Using your account credentials, configure the GCP CLI if you haven’t already.
  2. Run the following command to disable the web dashboard for the desired cluster:

         gcloud container clusters update CLUSTER_NAME \
             --update-addons=KubernetesDashboard=DISABLED

  3. Repeat steps for all the clusters you want to reconfigure in your GCP project.