Overview

If you create a GKE service that allows external access, you may be surprised to see a few firewall rules (at the VPC level) created automatically for you. Some of these rules will be flagged automatically by CSPM tools such as Wiz and Prisma.

This assumes that you set the cluster to use the VPC network (and not some other network).

The external access creates a firewall rule allowing traffic from 0.0.0.0/0 to the load balancer IP, which is a public IP. Because this is a pass-through load balancer, the public IP only forwards packets: traffic goes straight to the backend cluster nodes/pods. The load balancer frontend that owns that public IP is called a forwarding rule.

Moral of the Story

  1. Finding a 0.0.0.0/0 rule by itself isn't a bad thing; in fact, externally exposed load balancers rely on such rules.
  2. GKE clusters create a bunch of different firewall rules, and many of them will be flagged by CSPM tools like Wiz and Prisma.

gcloud

To see the forwarding rules behind your load balancer, try these commands:

# Get all load balancers in your project
gcloud compute forwarding-rules list

# Describe a specific forwarding rule (replace [FORWARDING_RULE_NAME])
gcloud compute forwarding-rules describe [FORWARDING_RULE_NAME]

To find the target tags or service accounts that a firewall rule applies to:

gcloud compute firewall-rules describe NAME [GCLOUD_WIDE_FLAG …]
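The two command outputs above are enough to triage a CSPM finding: a 0.0.0.0/0 ingress rule whose allowed protocol/ports are all fronted by an external forwarding rule is the load balancer's expected frontend; one that is not (say, SSH open to the world with no load balancer behind it) deserves a real review. The script below is an added example, not code from the original page or from Google; it reads the JSON that `gcloud compute firewall-rules list --format=json` and `gcloud compute forwarding-rules list --format=json` produce, but here both inputs are constructed sample records embedded inline (the rule names, the node tag and the 203.0.113.10 address are made up; the health-check source ranges 130.211.0.0/22 and 35.191.0.0/16 are Google's published ranges).

```python
"""Triage 0.0.0.0/0 firewall rules against a project's external forwarding rules."""
import json

# Constructed sample data shaped like `gcloud ... list --format=json` output.
FIREWALL_RULES_JSON = """
[
  {"name": "k8s-fw-sample-svc", "direction": "INGRESS", "network": "default",
   "sourceRanges": ["0.0.0.0/0"], "targetTags": ["gke-sample-node"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
  {"name": "k8s-sample-node-http-hc", "direction": "INGRESS", "network": "default",
   "sourceRanges": ["130.211.0.0/22", "35.191.0.0/16"], "targetTags": ["gke-sample-node"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["10256"]}]},
  {"name": "allow-ssh-anywhere", "direction": "INGRESS", "network": "default",
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}
]
"""

FORWARDING_RULES_JSON = """
[
  {"name": "a0123456789abcdef", "IPAddress": "203.0.113.10", "IPProtocol": "TCP",
   "loadBalancingScheme": "EXTERNAL", "ports": ["80", "443"],
   "target": "projects/example-project/regions/us-central1/targetPools/a0123456789abcdef"}
]
"""


def parse_port_spec(spec):
    """'80' -> (80, 80); '8000-9000' -> (8000, 9000)."""
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi) if hi else int(lo))


def firewall_allows(rule):
    """Yield (protocol, (lo, hi)) for each allowed entry; no ports means all ports."""
    for entry in rule.get("allowed", []):
        proto = entry["IPProtocol"].lower()
        for spec in entry.get("ports") or ["0-65535"]:
            yield proto, parse_port_spec(spec)


def forwarding_ports(fr):
    """Ports a forwarding rule accepts, from `ports`, `portRange`, or all ports."""
    proto = fr["IPProtocol"].lower()
    if fr.get("ports"):
        return [(proto, parse_port_spec(p)) for p in fr["ports"]]
    if fr.get("portRange"):
        return [(proto, parse_port_spec(fr["portRange"]))]
    return [(proto, (0, 65535))]


def covered(proto, prange, lb_ports):
    """True if some external forwarding rule accepts this whole protocol/port range."""
    lo, hi = prange
    return any(p == proto and flo <= lo and hi <= fhi for p, (flo, fhi) in lb_ports)


def is_world_open(rule):
    return rule.get("direction", "INGRESS") == "INGRESS" and "0.0.0.0/0" in rule.get("sourceRanges", [])


def triage(firewall_rules, forwarding_rules):
    """Map each firewall rule name to a verdict: not-world-open, deny-or-empty, lb-frontend, review."""
    lb_ports = [pp for fr in forwarding_rules
                if fr.get("loadBalancingScheme") == "EXTERNAL"
                for pp in forwarding_ports(fr)]
    verdicts = {}
    for rule in firewall_rules:
        if not is_world_open(rule):
            verdicts[rule["name"]] = "not-world-open"
            continue
        allows = list(firewall_allows(rule))
        if not allows:
            verdicts[rule["name"]] = "deny-or-empty"
        elif all(covered(proto, prange, lb_ports) for proto, prange in allows):
            # Expected for a pass-through LB; still confirm targetTags scope it to the nodes.
            verdicts[rule["name"]] = "lb-frontend"
        else:
            verdicts[rule["name"]] = "review"
    return verdicts


def triage_json(fw_json=FIREWALL_RULES_JSON, fr_json=FORWARDING_RULES_JSON):
    return triage(json.loads(fw_json), json.loads(fr_json))


if __name__ == "__main__":
    for name, verdict in sorted(triage_json().items()):
        print(f"{verdict:15} {name}")
```

The "lb-frontend" verdict only says that the exposed ports match a load balancer frontend; you still want `gcloud compute firewall-rules describe` to confirm the rule's `targetTags` or `targetServiceAccounts` limit it to the cluster nodes rather than every instance in the VPC.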