GCP Kubernetes Engine Clusters Not Configured With Private Cluster

This policy identifies Kubernetes Engine clusters that are not configured as private clusters. A private cluster keeps the master inaccessible from the public internet and gives the nodes no public IP addresses, so your workloads run in an environment isolated from the internet.

Policy Details

Policy Subtype
Run, Build
Severity
Low
Template Type
Terraform

Build Rules

GCP Kubernetes Engine clusters are not configured as private clusters.
JSON Query:
$.resource[*].google_container_cluster exists and ($.resource[*].google_container_cluster.*[*].*.private_cluster_config anyNull or $.resource[*].google_container_cluster.*[*].*.private_cluster_config[*].enable_private_nodes anyNull or $.resource[*].google_container_cluster.*[*].*.private_cluster_config[*].enable_private_nodes anyFalse)
Recommendation:
Recommended solution: configure the Kubernetes Engine cluster as a private cluster.
Ensure that GCP Kubernetes Engine clusters are configured as private clusters. Make sure that your template has a "private_cluster_config" block with "enable_private_nodes" set to true.
For example:
"google_container_cluster": [
  {
    "<container_cluster_name>": [
      {
        "location": "us-central1",
        "name": "my-gke-cluster",
        "private_cluster_config": [
          {
            "enable_private_nodes": true
          }
        ]
      }
    ]
  }
]
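The following Python script is an added example, not part of this policy page and not Prisma Cloud's own rule engine: it re-implements the three arms of the JSON query above (private_cluster_config anyNull, enable_private_nodes anyNull, enable_private_nodes anyFalse) over the normalized Terraform-JSON layout the example uses, and reports which clusters fail rather than a single template-level verdict. The sample templates, resource labels and attribute values (including the /28 master range and enable_private_endpoint) are constructed for the demonstration.

```python
"""Evaluate the 'private cluster' build rule over normalized Terraform JSON.

Hypothetical re-implementation of the policy's JSON query; it is not the
Prisma Cloud engine.  The path walked is
$.resource[*].google_container_cluster.*[*].* as in the policy example.
"""
import json

# Constructed sample templates (resource -> list -> type -> list -> label -> list -> body).
COMPLIANT = json.dumps({"resource": [{"google_container_cluster": [{"prod": [{
    "location": "us-central1",
    "name": "my-gke-cluster",
    "ip_allocation_policy": [{}],                    # VPC-native (alias IP) cluster
    "private_cluster_config": [{
        "enable_private_nodes": True,                # nodes receive no public IP
        "enable_private_endpoint": True,             # master not reachable from the internet
        "master_ipv4_cidr_block": "172.16.0.0/28",   # the /28 the master components need
    }],
}]}]}]})

MISSING_BLOCK = json.dumps({"resource": [{"google_container_cluster": [{"legacy": [{
    "location": "us-central1", "name": "legacy-cluster"}]}]}]})

NODES_PUBLIC = json.dumps({"resource": [{"google_container_cluster": [{"dev": [{
    "name": "dev-cluster",
    "private_cluster_config": [{"enable_private_nodes": False}]}]}]}]})

NO_GKE = json.dumps({"resource": [{"google_storage_bucket": [{"logs": [{"name": "logs"}]}]}]})


def iter_clusters(template):
    """Yield (label, body) for every google_container_cluster resource body."""
    for res in template.get("resource", []):
        for by_label in res.get("google_container_cluster", []):
            for label, bodies in by_label.items():
                for body in bodies:
                    yield label, body


def cluster_is_private(body):
    """True only when every private_cluster_config block sets enable_private_nodes = true.

    A missing block, a missing attribute, or a false value each match one
    arm of the policy query (anyNull / anyNull / anyFalse).
    """
    configs = body.get("private_cluster_config")
    if not configs:
        return False
    return all(cfg.get("enable_private_nodes") is True for cfg in configs)


def evaluate(template_json):
    """Return (rule_applies, labels_of_non_private_clusters).

    rule_applies mirrors the leading 'google_container_cluster exists' test:
    a template with no GKE cluster is out of scope rather than compliant.
    """
    template = json.loads(template_json)
    clusters = list(iter_clusters(template))
    if not clusters:
        return False, []
    return True, [label for label, body in clusters if not cluster_is_private(body)]


if __name__ == "__main__":
    samples = [("COMPLIANT", COMPLIANT), ("MISSING_BLOCK", MISSING_BLOCK),
               ("NODES_PUBLIC", NODES_PUBLIC), ("NO_GKE", NO_GKE)]
    for name, tpl in samples:
        applies, failing = evaluate(tpl)
        print(f"{name:14} applies={applies} failing={failing}")
```

Running the script prints one line per sample; only COMPLIANT applies with an empty failing list, and NO_GKE is reported as out of scope because the template contains no google_container_cluster resource.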

Run Rule Recommendation

The GCP Kubernetes private cluster option can only be enabled at the time of cluster creation. To fix this alert, create a new cluster with a private cluster configuration and migrate all required data from the reported cluster to the newly created cluster.
  1. Login to GCP Portal.
  2. Click on 'CREATE CLUSTER'.
  3. Choose the required name/value for other cluster fields.
  4. Click on 'Advanced options'.
  5. Under the Networking section, check the 'Enable VPC-native (using alias IP)' option.
  6. Choose the required Network, Node subnet parameters.
  7. In the Network security section, check the 'Private cluster' option.
  8. Set 'Master IP range' to your required IP range.
  9. Click on 'Create'.
    NOTE: When you create a private cluster, you must specify a /28 CIDR range for the VMs that run the Kubernetes master components. You also need to enable IP aliases.

Compliance

There are 4 standards that are applicable to this policy:
  • ISO 27001:2013
  • CIS v1.0.0 (GCP)
  • PIPEDA
  • CCPA 2018
