Google CloudOverview
Dashboard is a web-based Kubernetes user interface. You can use Dashboard to deploy containerized applications to a Kubernetes cluster, troubleshoot your containerized application, and manage the cluster itself along with its attendant resources. You can use Dashboard to get an overview of applications running on your cluster, as well as for creating or modifying individual Kubernetes resources (such as Deployments, Jobs, DaemonSets, etc). For example, you can scale a Deployment, initiate a rolling update, restart a pod or deploy new applications using a deploy wizard.
Rationale
You should disable the Kubernetes Web UI (Dashboard) when running on Kubernetes Engine. The Kubernetes Web UI (Dashboard) is backed by a highly privileged Kubernetes Service Account.
Remediation guidance
From Console
- Go to
Kubernetes Engine. - Go to
Kubernetes clusters. - For every
Kubernetes clusterclick on edit. - Click on
Add-ons. - Select Disabled from dropdown of
Kubernetes dashboard.
Using Command line
To disable the Kubernetes Web UI:
gcloud container clusters update \[CLUSTER_NAME\] --update-addons=KubernetesDashboard=DISABLED --zone \[ZONE\]
Default Value
The Kubernetes web UI (Dashboard) does not have admin access by default in Kubernetes Engine 1.7 and higher. The Kubernetes web UI is disabled by default in Kubernetes Engine 1.10 and higher.
References
- https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster
Multiple Remediation Paths
Google Cloud
SERVICE-WIDE (RECOMMENDED when many resources are affected): Enforce Organization Policies at org/folder level so new resources inherit secure defaults.
gcloud org-policies set-policy policy.yaml
ASSET-LEVEL: Use the product-specific remediation steps above for only the impacted project/resources.
PREVENTIVE: Use org policy constraints/custom constraints and enforce checks in deployment pipelines.
References for Service-Wide Patterns
- GCP Organization Policy overview: https://cloud.google.com/resource-manager/docs/organization-policy/overview
- GCP Organization policy constraints catalog: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints
- gcloud org-policies: https://cloud.google.com/sdk/gcloud/reference/org-policies
Operational Rollout Workflow
Use this sequence to reduce risk and avoid repeated drift.
1. Contain at Service-Wide Scope First (Recommended)
- Google Cloud: apply organization policy constraints at org/folder scope.
gcloud org-policies set-policy policy.yaml
2. Remediate Existing Affected Assets
- Execute the control-specific Console/CLI steps documented above for each flagged resource.
- Prioritize internet-exposed and production assets first.
3. Validate and Prevent Recurrence
- Re-scan after each remediation batch.
- Track exceptions with owner and expiry date.
- Add preventive checks in IaC/CI pipelines.
Query logic
These are the stored checks tied to this control.
Kubernetes web UI / Dashboard is disabled
Connectors
Covered asset types
Expected check: eq []
gkeClusters(where:{kubernetesDashboardDisabled:false}){...AssetFragment}
