Ensure control plane is not public for Google Container Cluster

HIGH

Description

Allowing unrestricted, public access to cloud services could open an application up to external attack. Disallowing this access is typically considered best practice.

Remediation

Private Cluster Configuration cannot be altered once created. To create a new cluster with private endpoint enabled, follow the steps below.

In GCP Console -

  1. Open the GCP Portal and Go to the Google Kubernetes Engine (GKE).
  2. Select a Cluster to edit.
  3. Click on Details.
  4. In the Node Subnet list, select a subnet.
  5. Select the private cluster radio button.
  6. Clear the Access control plane using its external IP address checkbox.
  7. (Only Applicable if not Autopilot): Set the Control plane IP range.
  8. Click Create.

In Terraform -

  1. In the google_container_cluster resource, add a private_cluster_config block with the enable_private_endpoint attribute set to true (together with enable_private_nodes set to true and a master_ipv4_cidr_block for the control plane).
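The following Terraform shows a cluster definition that fails this rule next to one that passes it. It is an added example written for this page, not code from the rule's own documentation; the resource names, region, network and subnet names, and all CIDR ranges are constructed placeholders, and the master_authorized_networks_config block is an optional extra restriction on who may reach the private endpoint, not something the rule itself requires.

```hcl
# Constructed network for the example; a private cluster must be VPC-native,
# so the subnet carries secondary ranges for pods and services.
resource "google_compute_network" "vpc" {
  name                    = "example-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "subnet" {
  name          = "example-subnet"
  region        = "us-central1"
  network       = google_compute_network.vpc.id
  ip_cidr_range = "10.10.0.0/24"

  secondary_ip_range {
    range_name    = "pods"
    ip_cidr_range = "10.20.0.0/16"
  }

  secondary_ip_range {
    range_name    = "services"
    ip_cidr_range = "10.30.0.0/20"
  }
}

# NON-COMPLIANT (fails AC_GCP_0023): no private_cluster_config block, so the
# control plane keeps a public endpoint reachable from the internet.
resource "google_container_cluster" "public_control_plane" {
  name       = "example-public"
  location   = "us-central1"
  network    = google_compute_network.vpc.id
  subnetwork = google_compute_subnetwork.subnet.id

  remove_default_node_pool = true
  initial_node_count       = 1

  ip_allocation_policy {
    cluster_secondary_range_name  = "pods"
    services_secondary_range_name = "services"
  }
}

# COMPLIANT: private nodes and a private control-plane endpoint. Once the
# cluster exists this block cannot be changed, so it has to be set at creation.
resource "google_container_cluster" "private_control_plane" {
  name       = "example-private"
  location   = "us-central1"
  network    = google_compute_network.vpc.id
  subnetwork = google_compute_subnetwork.subnet.id

  remove_default_node_pool = true
  initial_node_count       = 1

  ip_allocation_policy {
    cluster_secondary_range_name  = "pods"
    services_secondary_range_name = "services"
  }

  private_cluster_config {
    enable_private_nodes    = true  # nodes get internal IPs only
    enable_private_endpoint = true  # no public IP for the control plane
    master_ipv4_cidr_block  = "172.16.0.0/28"  # placeholder control-plane range
  }

  # Optional: with a private endpoint, only internal ranges can be authorized.
  # Placeholder CIDR for an assumed bastion or admin subnet.
  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = "10.10.0.0/24"
      display_name = "admin-subnet"
    }
  }
}
```

Because private_cluster_config is immutable, applying this change to an existing cluster forces Terraform to destroy and recreate it; plan the migration of workloads before running `terraform apply`, and make sure the operators who need kubectl access have a path into the VPC (bastion, VPN or Interconnect), since the API server will no longer answer on a public address.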

References:
https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#enable_private_nodes
https://cloud.google.com/kubernetes-engine/docs/concepts/types-of-clusters?&_ga=2.204662101.-430909071.1651029933&_gac=1.254162554.1674874051.Cj0KCQiAic6eBhCoARIsANlox87Ulk4q8xgfXRABIzIp_CPBzBV0oqJFtgM6QFPjoDc67jyWuW_p-HoaAgrHEALw_wcB#isolation-choices

Policy Details

Rule Reference ID: AC_GCP_0023
CSP: GCP
Remediation Available: Yes
Resource Category: Compute

Frameworks