Error: Default network exists in a project

Bridgecrew Policy ID: BC_GCP_NETWORKING_7
Checkov Check ID: CKV_GCP_27
Severity: MEDIUM

Every new project receives a pre-configured "default" network, and with it a set of automatically created, permissive firewall rules. Those rules are not audit logged and cannot be configured to enable firewall rule logging. In addition, the default network is an auto mode network: every auto mode network uses the same predefined range of IP addresses for its subnets, so the ranges of two auto mode networks always overlap and they can never be connected with Cloud VPN or VPC Network Peering (in particular, the default networks of two projects cannot be peered).

We recommend that a project should not have a default network, so that nothing can be deployed onto it by accident. Based on the organization's security and networking requirements, create a purpose-built network and delete the default network.

To remediate at runtime with the gcloud CLI, for each Google Cloud Platform project create the replacement network and then delete the default network. The delete is refused while firewall rules or instances still reference the network, so remove the automatically created firewall rules (and migrate any instances) first:

gcloud compute networks create <network name>
gcloud compute networks delete default

To remediate at build time in Terraform, set auto_create_network = false on the google_project resource; the provider then deletes the default network right after the project is created. This requires the Compute Engine API to be enabled on the new project and the compute.networks.delete permission for the identity running Terraform.

resource "google_project" "my_project" {
  name       = "My Project"
  project_id = "your-project-id"
  org_id     = "1234567"
  # Delete the auto-created default network as soon as the project exists
  auto_create_network = false
}
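The following script is an added example and not part of the Bridgecrew/Checkov policy text: it audits one project for the auto-created default network that CKV_GCP_27 flags, lists the firewall rules still attached to it, and, when asked, removes the rules and then the network in the order gcloud requires. The parsing is kept in functions that take plain text so the logic can be exercised without gcloud; only audit_project and remove_default_network call gcloud. Project IDs passed in are assumed placeholders.

```shell
#!/bin/sh
# Added example; it is not part of the Bridgecrew/Checkov policy text.
# Audits one GCP project for the auto-created "default" VPC (CKV_GCP_27) and,
# when invoked with --remove, deletes its firewall rules and then the network.

# Input: lines shaped "name<TAB>autoCreateSubnetworks", i.e. the output of
#   gcloud compute networks list --format='value(name,autoCreateSubnetworks)'
# Output: the name of every auto-mode network called "default" (0 or 1 lines).
default_networks() {
  printf '%s\n' "$1" | awk -F'\t' '$1 == "default" && $2 == "True" { print $1 }'
}

# Input: lines shaped "rule-name<TAB>network-url", i.e. the output of
#   gcloud compute firewall-rules list --format='value(name,network)'
# Output: the rules attached to the default network. They must be deleted
# before the network can be, and listing them first shows whether anything
# beyond the auto-created default-allow-* rules was added by mistake.
default_firewall_rules() {
  printf '%s\n' "$1" | awk -F'\t' '$2 ~ /\/networks\/default$/ { print $1 }'
}

# Returns 1 (finding) when the default network exists, 0 otherwise.
audit_project() {
  project=$1
  nets=$(gcloud compute networks list --project "$project" \
           --format='value(name,autoCreateSubnetworks)')
  rules=$(gcloud compute firewall-rules list --project "$project" \
            --format='value(name,network)')
  if [ -n "$(default_networks "$nets")" ]; then
    echo "FINDING $project: default network present; attached firewall rules:"
    default_firewall_rules "$rules" | sed 's/^/  /'
    return 1
  fi
  echo "OK $project: no default network"
}

# Remediation in the order gcloud requires: firewall rules first, then the
# network. Instances still attached to the network have to be migrated
# separately; the delete is refused while anything references the network.
remove_default_network() {
  project=$1
  rules=$(gcloud compute firewall-rules list --project "$project" \
            --format='value(name,network)')
  for rule in $(default_firewall_rules "$rules"); do
    gcloud compute firewall-rules delete "$rule" --project "$project" --quiet
  done
  gcloud compute networks delete default --project "$project" --quiet
}

# Usage: sh audit_default_network.sh PROJECT_ID [--remove]
if [ -n "${1:-}" ]; then
  if ! audit_project "$1" && [ "${2:-}" = "--remove" ]; then
    remove_default_network "$1"
  fi
fi
```

Run it without --remove first against every project in the organization (for example by looping over `gcloud projects list --format='value(projectId)'`) and review the listed firewall rules before deleting anything; a rule on the default network that is not one of the auto-created default-allow-* rules means someone has built on top of it.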
Configuring authorization for Google Cloud Platform
Roles
Configuring GCP for OpenShift Container Platform requires the following GCP role:

roles/owner: needed for creating service accounts, cloud storage, instances, images, templates, and Cloud DNS entries, and for deploying load balancers and health checks.

Delete permissions might also be required if the user is expected to redeploy the environment during testing phases.
You can also create a service account to avoid using personal users when deploying GCP objects.
Scopes and service accounts
GCP uses scopes to determine whether an authenticated identity is authorized to perform operations within a resource. For example, an application holding an access token with a read-only scope can only read, while an application holding a token with a read-write scope can read and modify data. Scopes only narrow what a token may do; the effective permission is the intersection of the instance's scopes and the IAM roles granted to its service account.
You can specify scopes using the --scopes=[SCOPE,…] option when creating instances, or you can use the --no-scopes option to create the instance without scopes if you don’t want the instance accessing the GCP API.
By default, a newly created instance is automatically enabled to run as the default service account with the following access scopes:
https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write
https://www.googleapis.com/auth/pubsub
https://www.googleapis.com/auth/service.management.readonly
https://www.googleapis.com/auth/servicecontrol
https://www.googleapis.com/auth/trace.append
Other scopes that can be requested explicitly with --scopes include:
https://www.googleapis.com/auth/bigquery
https://www.googleapis.com/auth/cloud-platform
https://www.googleapis.com/auth/compute.readonly
https://www.googleapis.com/auth/compute
https://www.googleapis.com/auth/datastore
https://www.googleapis.com/auth/monitoring
https://www.googleapis.com/auth/sqlservice.admin
https://www.googleapis.com/auth/devstorage.full_control
https://www.googleapis.com/auth/devstorage.read_write
https://www.googleapis.com/auth/taskqueue
https://www.googleapis.com/auth/userinfo.email
Note that cloud-platform grants the token access to every GCP API, leaving IAM as the only boundary, so an instance with that scope and the default service account (which is granted Editor on the project by default) can reach almost everything in the project.
You can specify another service account with the --service-account=SERVICE_ACCOUNT option when creating the instance, or explicitly disable service accounts for the instance with the --no-service-account option of the gcloud CLI.
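The script below is an added example and not from the OpenShift documentation. It shows the two halves of the scope and service-account advice in practice: a detection pass over existing instances that flags any running as the project's default compute service account or carrying the cloud-platform scope, and a hardened create command that provisions a dedicated service account, binds only the IAM roles a node needs (assumed here to be log and metric writing), and starts the instance with matching narrow scopes. The gcloud output shape it parses (value() joining list elements with ';'), the ocp-node service-account name and the role set are assumptions.

```shell
#!/bin/sh
# Added example, not part of the OpenShift documentation.
# Detect instances with the default compute service account or the
# cloud-platform scope, and create an instance on a least-privilege SA.

# Pure function over lines shaped "instance<TAB>sa-email<TAB>scope1;scope2",
# the shape produced (assumed) by
#   gcloud compute instances list \
#     --format='value(name,serviceAccounts[].email,serviceAccounts[].scopes)'
# since value() joins list elements with ';'.
# Prints "instance<TAB>reason[,reason]" for each instance needing review.
flag_instances() {
  printf '%s\n' "$1" | awk -F'\t' '
    NF < 3 { next }
    {
      reason = ""
      # PROJECT_NUMBER-compute@developer.gserviceaccount.com is the default SA
      if ($2 ~ /-compute@developer\.gserviceaccount\.com$/)
        reason = "default-compute-sa"
      # cloud-platform lets the token call every API the SA has IAM rights to
      if ($3 ~ /auth\/cloud-platform/) {
        if (reason != "") reason = reason ","
        reason = reason "cloud-platform-scope"
      }
      if (reason != "") print $1 "\t" reason
    }'
}

# Email of a user-managed service account in a project.
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com' "$1" "$2"
}

# Create an instance that runs as a dedicated SA whose IAM roles (the real
# permission boundary) and token scopes both cover only log and metric
# writing plus read-only image access. Roles and scopes are an assumed
# minimal set for a node; extend them for what the workload actually calls.
create_hardened_instance() {
  project=$1; name=$2; zone=$3
  email=$(sa_email ocp-node "$project")
  gcloud iam service-accounts create ocp-node --project "$project" \
    --display-name "OpenShift node" 2>/dev/null || true   # already exists is fine
  gcloud projects add-iam-policy-binding "$project" \
    --member "serviceAccount:${email}" --role roles/logging.logWriter
  gcloud projects add-iam-policy-binding "$project" \
    --member "serviceAccount:${email}" --role roles/monitoring.metricWriter
  gcloud compute instances create "$name" --project "$project" --zone "$zone" \
    --service-account "$email" \
    --scopes logging-write,monitoring-write,storage-ro
}

# Usage: sh audit_instance_identity.sh PROJECT_ID
if [ -n "${1:-}" ]; then
  flag_instances "$(gcloud compute instances list --project "$1" \
    --format='value(name,serviceAccounts[].email,serviceAccounts[].scopes)')"
fi
```

The detection deliberately treats the default compute service account as a finding on its own, regardless of scopes: its project-level Editor grant is what turns a modest scope list into broad access, and replacing it with a per-workload account is the fix that survives scope changes.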
Google Compute Engine objects
Integrating OpenShift Container Platform with Google Compute Engine (GCE) requires the following components or services.
A GCP project
A GCP project is the base level organizing entity that forms the basis for creating, enabling, and using all GCP services. This includes managing APIs, enabling billing, adding and removing collaborators, and managing permissions.
Project IDs are unique identifiers, and they must be unique across all of Google Cloud. This means you cannot use myproject as a project ID if someone else has already created a project with that ID.
Billing
You cannot create new resources unless billing is attached to the project. The new project can be linked to an existing billing account, or new billing information can be entered.
Cloud identity and access management
Deploying OpenShift Container Platform requires the proper permissions. A user must be able to create service accounts, cloud storage, instances, images, templates, Cloud DNS entries, and deploy load balancers and health checks. Delete permissions are also helpful in order to be able to redeploy the environment while testing.
You can create service accounts with specific permissions, then use them to deploy infrastructure components instead of regular users. You can also create roles to limit access to different users or service accounts.
GCP instances use service accounts to allow applications to call GCP APIs. For example, OpenShift Container Platform node hosts can call the GCP disk API to provide a persistent volume to an application.
SSH keys
GCP injects SSH public keys as authorized keys so you can log in using SSH in the created instances. You can configure the SSH keys per instance or per project.
You can use existing SSH keys. GCP metadata can help with storing the SSH keys that are injected at boot time in the instances to allow SSH access.
GCP regions and zones
GCP has a global infrastructure divided into regions and zones. While deploying OpenShift Container Platform across different zones helps avoid single points of failure, there are some caveats regarding storage.
GCP disks are created within a zone. Therefore, if an OpenShift Container Platform node host goes down in zone "A" and the pods move to zone "B", the persistent storage cannot be attached to those pods because the disks are in a different zone.
Deploying a single-zone or multizone OpenShift Container Platform environment is an important decision to make before installing OpenShift Container Platform. If deploying a multizone environment, the recommended setup is to use three different zones in a single region.
External IP address
For a GCP instance to communicate with the Internet directly, you must attach an external IP address to it (instances without one can still reach the Internet through a Cloud NAT gateway). An external IP address is also required to reach instances deployed in GCP from outside the Virtual Private Cloud (VPC) network.
Cloud DNS
Cloud DNS is a GCP DNS service used to publish domain names to the global DNS using Google's DNS servers.
A public Cloud DNS zone requires a domain name that you purchased either through Google Domains or through a third-party provider. When you create the zone, you must add the name servers provided by Google to the registrar.
GCP VPC networks have an internal DNS service that automatically resolves internal host names. The internal fully qualified domain name (FQDN) for an instance follows the [HOST_NAME].c.[PROJECT_ID].internal format.
Load balancing
The GCP load balancing service enables the distribution of traffic across multiple instances in the GCP cloud.
There are five types of load balancing:
Internal load balancing
Network load balancing
HTTP(S) load balancing
SSL Proxy load balancing
TCP Proxy load balancing
HTTPS and TCP Proxy load balancing are the only options that support HTTPS health checks for master nodes, which check the status of /healthz. Because HTTPS load balancing requires a custom certificate, this implementation uses TCP Proxy load balancing to simplify the process.
Instance sizes
A successful OpenShift Container Platform environment requires some minimum hardware:
Table 1. Instance sizes
Master: n1-standard-8
Node: n1-standard-4
Storage Options
By default, each GCP instance has a small root persistent disk that contains the operating system. When applications running on the instance require more storage space, you can add additional storage options to the instance:
Standard persistent disks
SSD persistent disks
Local SSDs
Cloud storage buckets