Ensure Private Google Access is set on Kubernetes Engine Cluster Subnets

Private Google Access enables your cluster hosts, which have only private IP addresses, to communicate with Google APIs and services using an internal IP address rather than an external IP address. External IP addresses are routable and reachable over the Internet. Internal (private) IP addresses are internal to Google Cloud Platform and are not routable or reachable over the Internet. You can use Private Google Access to allow VMs without Internet access to reach Google APIs, services, and properties that are accessible over HTTP/HTTPS.

Risk Level: High
Cloud Entity: Kubernetes Cluster
CloudGuard Rule ID: D9.GCP.NET.19
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

GkeCluster should have subnetwork.privateIpGoogleAccess

REMEDIATION

From Portal

  1. Go to the Kubernetes Engine page in the GCP Console: https://console.cloud.google.com/kubernetes/list
  2. From the list of clusters, note the subnet name of each cluster
  3. Go to the VPC network page in the GCP Console: https://console.cloud.google.com/networking/networks/list
  4. Click the noted subnet; the Subnet details page is displayed
  5. Click the Edit button
  6. Set Private Google Access to On
  7. Click Save

From TF

resource "google_compute_subnetwork" "vpc_subnetwork" {
	name    = "NAME"
	region  = "REGION"
	project = "PROJECT"
	...
	# Lets hosts with only internal IPs in this subnet reach Google APIs
	private_ip_google_access = true
}

From Command Line

  1. Determine the name and region of the subnet. To list the subnets for a particular network, use the following command (NETWORK_NAME is the name of the cluster's VPC network):
gcloud compute networks subnets list --filter=NETWORK_NAME
  2. Run the following command to enable Private Google Access on the subnet (SUBNET_NAME and REGION come from the previous step):
gcloud compute networks subnets update SUBNET_NAME --region=REGION --enable-private-ip-google-access
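The following script is an added example, not CloudGuard's or Google's code, that ties the GSL logic above to the command-line remediation: it evaluates "GkeCluster should have subnetwork.privateIpGoogleAccess" over the JSON that `gcloud container clusters list --format=json` and `gcloud compute networks subnets list --format=json` emit, and prints the matching `gcloud compute networks subnets update` command for every failing cluster without executing it. The cluster and subnet records embedded below are constructed sample data (names, project and URLs are made up), and the field names `location`, `subnetwork`, `region` and `privateIpGoogleAccess` are assumed to match the gcloud JSON output shape; a subnet that cannot be resolved in the listing is reported as non-compliant rather than silently passed.

```python
"""Audit GKE clusters for subnets lacking Private Google Access (added example)."""
import json

# Constructed sample data: one compliant cluster, one on a subnet with the
# setting off, and one whose subnet does not appear in the listing at all.
CLUSTERS_JSON = """
[
  {"name": "prod-gke", "location": "us-central1-a",
   "network": "prod-vpc", "subnetwork": "prod-subnet"},
  {"name": "dev-gke", "location": "europe-west1",
   "network": "dev-vpc",
   "subnetwork": "projects/example-project/regions/europe-west1/subnetworks/dev-subnet"},
  {"name": "lab-gke", "location": "us-east1-b",
   "network": "lab-vpc", "subnetwork": "missing-subnet"}
]
"""

SUBNETS_JSON = """
[
  {"name": "prod-subnet",
   "region": "https://www.googleapis.com/compute/v1/projects/example-project/regions/us-central1",
   "network": "https://www.googleapis.com/compute/v1/projects/example-project/global/networks/prod-vpc",
   "privateIpGoogleAccess": true},
  {"name": "dev-subnet",
   "region": "https://www.googleapis.com/compute/v1/projects/example-project/regions/europe-west1",
   "network": "https://www.googleapis.com/compute/v1/projects/example-project/global/networks/dev-vpc",
   "privateIpGoogleAccess": false}
]
"""


def last_segment(ref):
    """Final path component of a resource name or self-link URL."""
    return ref.rstrip("/").split("/")[-1]


def region_of_location(location):
    """Map a GKE location to its region: a zone such as 'us-central1-a'
    becomes 'us-central1'; a regional location is returned unchanged."""
    parts = location.split("-")
    if len(parts) == 3 and len(parts[2]) == 1:
        return "-".join(parts[:2])
    return location


def cluster_subnet_key(cluster):
    """Resolve (region, subnet name) for a cluster. The subnetwork field may
    be a bare name or a full resource path; a region in the path wins."""
    ref = cluster["subnetwork"]
    parts = ref.split("/")
    if "regions" in parts:
        region = parts[parts.index("regions") + 1]
    else:
        region = region_of_location(cluster["location"])
    return region, last_segment(ref)


def index_subnets(subnets):
    """Index subnet records by (region, name); assumes a single project."""
    return {(last_segment(s["region"]), s["name"]): s for s in subnets}


def audit(clusters, subnets):
    """One finding per cluster. private_google_access is None when the subnet
    could not be resolved, and such a cluster is treated as non-compliant."""
    by_key = index_subnets(subnets)
    findings = []
    for cluster in clusters:
        region, name = cluster_subnet_key(cluster)
        subnet = by_key.get((region, name))
        pga = None if subnet is None else bool(subnet.get("privateIpGoogleAccess", False))
        findings.append({
            "cluster": cluster["name"],
            "region": region,
            "subnet": name,
            "private_google_access": pga,
            "compliant": pga is True,
        })
    return findings


def remediation_command(finding):
    """The remediation command from this page, filled in for one finding.
    Returned as text for review; never executed here."""
    return ("gcloud compute networks subnets update {subnet} --region={region} "
            "--enable-private-ip-google-access").format(**finding)


def run(clusters_json=CLUSTERS_JSON, subnets_json=SUBNETS_JSON):
    """Evaluate the rule over the two JSON documents and print a report."""
    findings = audit(json.loads(clusters_json), json.loads(subnets_json))
    for f in findings:
        status = "PASS" if f["compliant"] else "FAIL"
        print(f"{status} cluster={f['cluster']} subnet={f['region']}/{f['subnet']} "
              f"privateIpGoogleAccess={f['private_google_access']}")
        if not f["compliant"] and f["private_google_access"] is not None:
            print("  remediate: " + remediation_command(f))
        elif f["private_google_access"] is None:
            print("  subnet not found in listing; check Shared VPC host project or permissions")
    return findings


if __name__ == "__main__":
    run()
```

To run it against a live project, replace the two embedded strings with the output of the two `gcloud ... --format=json` commands named in the lead-in. Clusters attached to a Shared VPC subnet live in the host project, so the subnet listing has to be taken from that project or the cluster will surface as "subnet not found".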

References

  1. https://cloud.google.com/vpc/docs/configure-private-google-access
  2. https://cloud.google.com/vpc/docs/private-google-access

Kubernetes Cluster

Kubernetes Engine is a managed, production-ready environment for deploying containerized applications. It brings our latest innovations in developer productivity, resource efficiency, automated operations, and open source flexibility to accelerate your time to market.

Launched in 2015, Kubernetes Engine builds on Google's experience of running services like Gmail and YouTube in containers for over 12 years. Kubernetes Engine allows you to get up and running with Kubernetes in no time, by completely eliminating the need to install, manage, and operate your own Kubernetes clusters.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Foundations v. 1.0.0
  • GCP CloudGuard Best Practices
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5