To minimize internet exposure, ensure that your Google Kubernetes Engine (GKE) clusters are configured with control plane authorized networks. Once configured, authorized networks can allow specific IP addresses and/or IP address ranges to access your cluster control plane endpoint using HTTPS.
This rule resolution is part of the Conformity solution.
Adding control plane authorized networks to your GKE clusters enhances network-level security by restricting access to the control plane endpoint to a specific set of trusted IP addresses. These authorized networks, for example ranges belonging to a secure and well-known corporate network, provide an additional layer of protection for your Kubernetes workloads. This helps mitigate the risk of unauthorized access that could exploit vulnerabilities in the cluster's authentication or authorization mechanisms.
Audit
To determine if your GKE cluster control plane is exposed to the Internet, perform the following operations:
Remediation / Resolution
To ensure that your Google Kubernetes Engine (GKE) cluster control plane is not exposed to the Internet, perform the following operations:
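The audit check and the remediation command, as an added shell example that is not part of this Conformity page: the cluster names, location and the 203.0.113.0/24 range are constructed, and the JSON documents are assumed to follow the two-space layout that gcloud prints with --format=json.

```shell
#!/bin/sh
# Added example, not the Conformity page's own procedure: decide from the JSON that
#   gcloud container clusters describe CLUSTER --location LOCATION --format=json
# prints whether a cluster's control plane endpoint is reachable from any address,
# and build the gcloud command that restricts it. The two JSON documents below are
# constructed samples, not output from real clusters.

# Constructed sample: authorized networks never enabled (networkPolicy.enabled is
# present to show why a naive grep for "enabled": true is not good enough).
SAMPLE_EXPOSED='{
  "name": "dev-cluster",
  "networkPolicy": {
    "enabled": true
  }
}'

# Constructed sample: authorized networks enabled for one corporate range.
SAMPLE_RESTRICTED='{
  "name": "prod-cluster",
  "masterAuthorizedNetworksConfig": {
    "cidrBlocks": [
      {
        "cidrBlock": "203.0.113.0/24",
        "displayName": "corp-office"
      }
    ],
    "enabled": true
  }
}'

# Reads describe JSON on stdin; prints "restricted" when control plane authorized
# networks are enabled, otherwise "exposed". An enabled config with no CIDR blocks
# admits no address from outside Google Cloud at all, so only the flag matters.
# Relies on gcloud's two-space pretty-printing to isolate the config object.
classify_control_plane() {
  cfg=$(sed -n '/"masterAuthorizedNetworksConfig"/,/^  }/p')
  if printf '%s\n' "$cfg" | grep -q '"enabled": *true'; then
    echo restricted
  else
    echo exposed
  fi
}

# Prints the remediation command for CLUSTER ($1) in LOCATION ($2), allowing only
# the comma-separated CIDR list given as $3.
remediation_command() {
  printf 'gcloud container clusters update %s --location %s --enable-master-authorized-networks --master-authorized-networks %s\n' "$1" "$2" "$3"
}

printf '%s\n' "$SAMPLE_EXPOSED" | classify_control_plane
printf '%s\n' "$SAMPLE_RESTRICTED" | classify_control_plane
remediation_command dev-cluster us-central1 203.0.113.0/24
```

Run the real audit by piping `gcloud container clusters describe ... --format=json` into `classify_control_plane` for each cluster returned by `gcloud container clusters list`.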
Note: Authorized networks block untrusted IP addresses from outside Google Cloud Platform (GCP). IPs from inside Google Cloud (such as traffic from Compute Engine virtual machines) can reach the cluster provided that they have the necessary Kubernetes access credentials.
References
- Google Cloud Platform (GCP) Documentation
- Harden your cluster's security
- About network isolation in GKE
- How authorized networks work
- GCP Command Line Interface (CLI) Documentation
- gcloud projects list
- gcloud container clusters list
- gcloud container clusters describe
- gcloud container clusters update