Ensure Private Google Access is set on Kubernetes Engine Cluster Subnets
Private Google Access enables your cluster hosts, which have only private IP addresses, to communicate with Google APIs and services using an internal IP address rather than an external IP address. External IP addresses are routable and reachable over the Internet. Internal (private) IP addresses are internal to Google Cloud Platform and are not routable or reachable over the Internet. You can use Private Google Access to allow VMs without Internet access to reach Google APIs, services, and properties that are accessible over HTTP/HTTPS.
Risk Level: High
Cloud Entity: Kubernetes Cluster
CloudGuard Rule ID: D9.GCP.NET.19
Covered by Spectral: Yes
Category: Compute
GSL LOGIC
GkeCluster should have subnetwork.privateIpGoogleAccess
REMEDIATION
From Portal
- Go to Kubernetes GCP Console visiting https://console.cloud.google.com/kubernetes/list
- From the list of clusters, for each clusters note the Subnet name
- Go to VPC network GCP Console visiting https://console.cloud.google.com/networking/networks/list
- Click noted subnet, The Subnet details page is displayed
- Click on Edit button
- Set Private Google access to On
- Click on Save
From TF
resource "google_compute_subnetwork" "vpc_subnetwork" {
name = NAME
region = REGION
project = PROJECT
...
private_ip_google_access = true
}
From Command Line
- Determine the name and region of the subnet. To list the subnets for a particular network, use the following command:
gcloud compute networks subnets list --filter=NETWORK_NAME
- Run the following command to enable Private Google Access:
gcloud compute networks subnets update SUBNET_NAME --region=REGION --enable-private-ip-google-access
References
- https://cloud.google.com/vpc/docs/configure-private-google-access
- https://cloud.google.com/vpc/docs/private-google-access
Kubernetes Cluster
Kubernetes Engine is a managed, production-ready environment for deploying containerized applications. It brings our latest innovations in developer productivity, resource efficiency, automated operations, and open source flexibility to accelerate your time to market.
Launched in 2015, Kubernetes Engine builds on Google's experience of running services like Gmail and YouTube in containers for over 12 years. Kubernetes Engine allows you to get up and running with Kubernetes in no time, by completely eliminating the need to install, manage, and operate your own Kubernetes clusters.
Compliance Frameworks
- CloudGuard GCP All Rules Ruleset
- GCP CIS Foundations v. 1.0.0
- GCP CloudGuard Best Practices
- GCP MITRE ATT&CK Framework v12.1
- GCP NIST 800-53 Rev 5
Updated over 1 year ago