Ensure private cluster is enabled for Google Container Cluster

HIGH

Description

Google Kubernetes Engine (GKE) can run a private cluster, in which the nodes have only internal (RFC 1918) IP addresses and no external IP addresses, so they are reachable only through the VPC network. Private clusters are VPC-native: Pods and Services are also addressed from the VPC's alias IP ranges rather than from routes. A private cluster can additionally disable the control plane's public endpoint, so that the Kubernetes API is reachable only from authorized internal address ranges. For more information on private clusters, see the GCP documentation.
References:
https://cloud.google.com/kubernetes-engine/docs/concepts/private-cluster-concept

Remediation

A cluster's private cluster configuration cannot be changed after the cluster is created, so an existing public cluster has to be replaced with a new private cluster. To create one, follow the steps below.

In GCP Console -

  1. Open the GCP Console and go to Google Kubernetes Engine (GKE).
  2. Click Create.
  3. Select Standard or Autopilot, then click Configure.
  4. From the Network list, select a VPC
  5. In the Node Subnet list, select a subnet.
  6. Select the private cluster radio button.
  7. Clear the Access control plane using its external IP address checkbox.
  8. (Only Applicable if not Autopilot): Set the Control plane IP range.
  9. Click Create.

In Terraform -

  1. In the google_container_cluster resource, add a private_cluster_config block with enable_private_nodes set to true. For a Standard cluster also set master_ipv4_cidr_block (the /28 range for the control plane), and set enable_private_endpoint to true to remove the control plane's public address. The cluster must also be VPC-native, i.e. carry an ip_allocation_policy block.
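The following Terraform configuration is an added example for this rule, not code from the original policy page or from Google. It shows a non-compliant cluster beside a compliant private cluster; the resource names, project region, network and CIDR values are placeholders chosen for illustration.

```hcl
# Added example, not part of the original policy page. All names and CIDRs are placeholders.

resource "google_compute_network" "vpc" {
  name                    = "gke-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "nodes" {
  name          = "gke-nodes"
  region        = "us-central1"
  network       = google_compute_network.vpc.id
  ip_cidr_range = "10.0.0.0/24"

  # Private nodes have no external IP; this lets them reach Google APIs
  # (for example Artifact Registry) over internal paths.
  private_ip_google_access = true

  # Alias IP ranges for a VPC-native cluster.
  secondary_ip_range {
    range_name    = "pods"
    ip_cidr_range = "10.1.0.0/16"
  }
  secondary_ip_range {
    range_name    = "services"
    ip_cidr_range = "10.2.0.0/20"
  }
}

# NON-COMPLIANT (fails AC_GCP_0020): no private_cluster_config, so nodes get
# external IPs and the control plane keeps a public endpoint.
resource "google_container_cluster" "public_example" {
  name       = "public-cluster"
  location   = "us-central1"
  network    = google_compute_network.vpc.id
  subnetwork = google_compute_subnetwork.nodes.id

  remove_default_node_pool = true
  initial_node_count       = 1
}

# COMPLIANT: VPC-native cluster with private nodes and a private control-plane endpoint.
resource "google_container_cluster" "private_example" {
  name       = "private-cluster"
  location   = "us-central1"
  network    = google_compute_network.vpc.id
  subnetwork = google_compute_subnetwork.nodes.id

  remove_default_node_pool = true
  initial_node_count       = 1

  # Required for a private cluster: makes the cluster VPC-native.
  ip_allocation_policy {
    cluster_secondary_range_name  = "pods"
    services_secondary_range_name = "services"
  }

  private_cluster_config {
    enable_private_nodes    = true            # nodes receive internal IPs only
    enable_private_endpoint = true            # no public control-plane address
    master_ipv4_cidr_block  = "172.16.0.0/28" # Standard clusters only; must not overlap the VPC
  }

  # With the public endpoint disabled, only internal ranges can be authorized,
  # e.g. the subnet that holds a bastion or CI runner (placeholder range).
  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = "10.0.1.0/24"
      display_name = "bastion-subnet"
    }
  }
}

resource "google_container_node_pool" "private_nodes" {
  name       = "private-pool"
  location   = "us-central1"
  cluster    = google_container_cluster.private_example.name
  node_count = 1

  node_config {
    machine_type = "e2-standard-2"
  }
}
```

Because nodes in the compliant cluster have no external IP addresses, any traffic they need to send to the public internet (package mirrors, third-party registries) must go through Cloud NAT on the VPC router; Private Google Access on the subnet covers Google APIs only. Since the page notes that the private cluster configuration cannot be changed in place, applying this to an existing public cluster resource means a replacement, so review `terraform plan` before applying.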

References:
https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#enable_private_nodes

Policy Details

Rule Reference ID: AC_GCP_0020
CSP: GCP
Remediation Available: No
Resource Category: Compute

Frameworks