Ensure Kubernetes Cluster is created with Private cluster enabled
A private cluster is a cluster whose control plane (master) is not reachable from the public internet. In a private cluster, nodes do not have public IP addresses, so your workloads run in an environment that is isolated from the internet. Nodes have addresses only in the private RFC 1918 address space. Nodes and the control plane communicate with each other privately using VPC peering.
Risk Level: High
Cloud Entity: Kubernetes Cluster
CloudGuard Rule ID: D9.GCP.NET.22
Covered by Spectral: Yes
Category: Compute
GSL LOGIC
GkeCluster should have privateClusterConfig.enablePrivateNodes=true
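The GSL rule above can be reproduced outside CloudGuard as a check over cluster descriptions. The script below is an added example, not CloudGuard's or Google's code; it assumes the input has the JSON shape emitted by `gcloud container clusters describe CLUSTER --format=json` (a `privateClusterConfig` object with `enablePrivateNodes`, `enablePrivateEndpoint` and `masterIpv4CidrBlock`), and the three sample clusters are constructed for the example. It treats a missing `privateClusterConfig`, which the API omits on public clusters, as non-compliant rather than as an error, and reports the private-endpoint setting alongside because a cluster can satisfy this rule while still exposing its control plane endpoint.

```python
"""Evaluate CloudGuard rule D9.GCP.NET.22 against GKE cluster descriptions.

Added example (not CloudGuard's or Google's code). The input shape follows
`gcloud container clusters describe CLUSTER --format=json`; the sample
clusters at the bottom are constructed for this example.
"""
import json

RULE_ID = "D9.GCP.NET.22"


def private_nodes_enabled(cluster: dict) -> bool:
    """GSL: GkeCluster should have privateClusterConfig.enablePrivateNodes=true.

    Public clusters usually have no privateClusterConfig at all, so a missing
    object or field is a failed check, not a KeyError. Only a JSON boolean
    true counts; the string "true" does not.
    """
    cfg = cluster.get("privateClusterConfig") or {}
    return cfg.get("enablePrivateNodes") is True


def evaluate(cluster: dict) -> dict:
    """Return one finding record with the evidence a reviewer would want."""
    cfg = cluster.get("privateClusterConfig") or {}
    return {
        "rule": RULE_ID,
        "cluster": cluster.get("name", "<unnamed>"),
        "compliant": private_nodes_enabled(cluster),
        "enablePrivateNodes": cfg.get("enablePrivateNodes", False),
        # Separate setting: private nodes do not imply a private control
        # plane endpoint (the remediation on this page leaves it false).
        "enablePrivateEndpoint": cfg.get("enablePrivateEndpoint", False),
        "masterIpv4CidrBlock": cfg.get("masterIpv4CidrBlock"),
    }


def non_compliant(clusters: list) -> list:
    """Names of clusters that fail the rule, in input order."""
    return [c.get("name", "<unnamed>") for c in clusters
            if not private_nodes_enabled(c)]


# Constructed sample describe output for three clusters (not real data).
SAMPLE_CLUSTERS = json.loads("""
[
  {"name": "prod-private",
   "privateClusterConfig": {"enablePrivateNodes": true,
                            "enablePrivateEndpoint": false,
                            "masterIpv4CidrBlock": "172.16.0.0/28"}},
  {"name": "legacy-public"},
  {"name": "half-configured",
   "privateClusterConfig": {"enablePrivateNodes": false}}
]
""")

if __name__ == "__main__":
    for cluster in SAMPLE_CLUSTERS:
        print(json.dumps(evaluate(cluster)))
    print("non-compliant:", non_compliant(SAMPLE_CLUSTERS))
```

To run it against a real project, pipe the output of `gcloud container clusters list --format=json` (a JSON array of the same cluster objects) into `json.load` in place of `SAMPLE_CLUSTERS`.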
REMEDIATION
Note: Remediation is only possible by creation of a new cluster with Private cluster enabled.
From Portal
1. Go to the Kubernetes GCP Console by visiting https://console.cloud.google.com/kubernetes/list?
2. Click on CREATE CLUSTER
3. Choose the required name/value for the cluster fields
4. Under CLUSTER, click on Networking
5. Set Private cluster to Enabled
6. Set the Control plane IP range
7. Click on Create
From TF
In the resource "google_container_cluster" "cluster", set 'networking_mode' to 'VPC_NATIVE' and add the blocks 'ip_allocation_policy' and 'private_cluster_config':

```hcl
resource "google_container_cluster" "cluster" {
  # ... other cluster arguments ...

  # Private nodes require a VPC-native (alias IP) cluster
  networking_mode = "VPC_NATIVE"
  ip_allocation_policy {}

  private_cluster_config {
    enable_private_nodes    = true
    enable_private_endpoint = false
    # Placeholder: replace with the /28 range reserved for the control plane
    master_ipv4_cidr_block  = "master_ipv4_cidr_block"

    master_global_access_config {
      enabled = true
    }
  }

  # ...
}
```
From Command Line
To create a new cluster with Private cluster enabled:

**References**
1. https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters
## Kubernetes Cluster
Kubernetes Engine is a managed, production-ready environment for deploying containerized applications. It brings our latest innovations in developer productivity, resource efficiency, automated operations, and open source flexibility to accelerate your time to market.
Launched in 2015, Kubernetes Engine builds on Google's experience of running services like Gmail and YouTube in containers for over 12 years. Kubernetes Engine allows you to get up and running with Kubernetes in no time, by completely eliminating the need to install, manage, and operate your own Kubernetes clusters.
## Compliance Frameworks
- CloudGuard GCP All Rules Ruleset
- GCP CIS Foundations v. 1.0.0
- GCP CloudGuard Best Practices
- GCP MITRE ATT&CK Framework v12.1
- GCP NIST 800-53 Rev 5
Updated over 1 year ago