
Ensure Kubernetes Engine uses HTTP load balancing

The `HttpLoadBalancing` add-on enables GKE to manage HTTP and HTTPS load balancers for Ingress and related features. Disabling it can break supported ingress patterns and remove platform protections that depend on Google Cloud Load Balancing.

Category: Controls

Medium

Applies to: Google Cloud

Coverage: 1 query

Asset types: 1 covered


Rationale

This is more of a platform capability control than a direct hardening control. If your environment uses GKE Ingress, container-native load balancing, or related load-balancer features, the add-on should remain enabled. If you do not use those features, document that decision explicitly instead of disabling the add-on by accident.

Remediation guidance

Using Google Cloud Console

  1. Open Kubernetes Engine in Google Cloud Console.
  2. Select the affected cluster.
  3. Under Networking, edit HTTP Load Balancing.
  4. Enable the add-on and save the change.

Using Command Line

Enable the add-on:

```
gcloud container clusters update [CLUSTER_NAME] \
  --location [LOCATION] \
  --update-addons=HttpLoadBalancing=ENABLED
```

Validate the add-on state:

```
gcloud container clusters describe [CLUSTER_NAME] \
  --location [LOCATION] \
  --format='yaml(addonsConfig.httpLoadBalancing)'
```

Important note

In Autopilot clusters, this add-on cannot be disabled. If a finding appears there, verify the inventory data path before treating it as a real drift issue.
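The validation step and the Autopilot caveat above can be combined into one fleet-wide triage pass. The following is an added example, not Cyscale's or Google's code: it classifies cluster records shaped like the output of `gcloud container clusters list --format=json`. The cluster names and the sample records are constructed, and the `classify` and `audit` helpers are hypothetical. It assumes that a missing `disabled` field means the add-on is enabled, because the API omits boolean fields that are false.

```python
import json

# Constructed sample records, shaped like `gcloud container clusters list --format=json`.
SAMPLE = json.loads("""
[
  {"name": "prod-web", "location": "europe-west1",
   "addonsConfig": {"httpLoadBalancing": {}}},
  {"name": "batch", "location": "us-central1-a",
   "addonsConfig": {"httpLoadBalancing": {"disabled": true}}},
  {"name": "auto-1", "location": "us-east1",
   "autopilot": {"enabled": true},
   "addonsConfig": {"httpLoadBalancing": {"disabled": true}}},
  {"name": "legacy", "location": "us-west1-b"}
]
""")


def classify(cluster):
    """Return 'ok', 'disabled' or 'verify-inventory' for one cluster record."""
    addon = (cluster.get("addonsConfig") or {}).get("httpLoadBalancing") or {}
    # Assumption: an enabled add-on appears as {} or is absent, so only an
    # explicit disabled=true counts as a finding.
    if addon.get("disabled") is not True:
        return "ok"
    # Autopilot does not allow disabling this add-on, so a "disabled" record
    # there points at stale or broken inventory data rather than real drift.
    if (cluster.get("autopilot") or {}).get("enabled") is True:
        return "verify-inventory"
    return "disabled"


def audit(clusters):
    """Map 'location/name' to its classification for every cluster record."""
    return {f'{c["location"]}/{c["name"]}': classify(c) for c in clusters}


if __name__ == "__main__":
    for cluster_id, state in sorted(audit(SAMPLE).items()):
        print(f"{state:17} {cluster_id}")
```

Clusters reported as `disabled` are the candidates for the `--update-addons` command above or for a documented exception.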

References

  1. https://cloud.google.com/kubernetes-engine/docs/how-to/load-balance-ingress
  2. https://cloud.google.com/kubernetes-engine/docs/concepts/container-native-load-balancing

Service-wide remediation

Recommended when many resources are affected: define whether GKE Ingress and related Google load-balancing features are part of your supported platform baseline, then keep this add-on aligned with that standard.

Operational rollout

  1. Confirm whether the cluster uses or is expected to support GKE Ingress features.
  2. Enable the add-on on supported clusters.
  3. Re-scan and document exceptions for clusters intentionally built without this capability.

Query logic

These are the stored checks tied to this control.

Kubernetes Engine uses HTTP load balancing

Connectors

Google Cloud

Covered asset types

Cluster

Expected check: eq []

{gkeClusters(where:{httpLoadBalancingEnabled:false}){...AssetFragment}}