Ensure that all Kubernetes clusters have private clusters enabled.
Risk Level: High
Description
This plugin checks that private cluster mode is enabled on every GKE cluster. A GKE private cluster is a VPC-native cluster in which all of the nodes have only internal IP addresses, so the nodes and their pods are isolated from the public internet.
About the Service
Google Cloud Kubernetes Engine:
Google Kubernetes Engine (GKE) is a managed Kubernetes service that provides a control plane, the nodes that run your pods, and integration with other Google Cloud services. It helps you modernize your applications by offering a platform for deploying, managing, and scaling containerized workloads. You can interact with GKE through the Google Cloud Console or with kubectl. To know more, read the official GKE documentation.
Impact
When a private cluster is used, the cluster nodes are assigned only internal IP addresses, which isolates their workloads from the public internet. A private cluster is required to ensure that network communication between the API server (control plane) and your node pools stays on the private network only.
Steps to Reproduce
Using GCP Console:
1. Log in to your GCP Console.
2. From the top navigation bar, select the GCP project you want to investigate.
3. From the navigation panel on the left side of the console, go to Kubernetes Engine and select Clusters.
4. Select the cluster you want to investigate from the list of clusters displayed and open the Details tab of the selected cluster.
5. Under the Networking section, check the status of Private cluster. If it is disabled, the selected cluster does not have private cluster mode enabled.
6. Repeat steps 4 and 5 for all the clusters you want to investigate in the selected project.
7. If you have multiple projects to investigate, repeat steps 2 to 6 for each project in your GCP console.
Steps for Remediation
Determine whether you truly require the private cluster setting to be disabled. If not, enable it using the steps given below.
NOTE: This setting cannot be changed after the cluster has been created. To enable it, the cluster must be re-created.
Using GCP Console:
1. Log in to your GCP Console.
2. From the top navigation bar, select the GCP project you want to reconfigure.
3. From the navigation panel on the left side of the console, go to Kubernetes Engine and select Clusters.
4. Select the cluster you want to reconfigure from the list of clusters displayed and note down all of its configuration details. (If you are not sure which cluster needs to be reconfigured, follow the steps to reproduce listed above to determine which one to choose.)
5. Click the Duplicate button on the top navigation bar.
6. In the Networking section, choose the Private cluster option.
7. If you want no client access to the public endpoint, ensure that the "Access control plane using its external IP address" checkbox remains unchecked.
8. If you want limited client access to the public endpoint, ensure that both the "Access control plane using its external IP address" and "Enable control plane authorized networks" checkboxes are checked.
9. If you want unrestricted client access to the public endpoint, ensure that the "Access control plane using its external IP address" checkbox is checked and the "Enable control plane authorized networks" checkbox is unchecked.
10. If you want an Autopilot cluster, set the Control plane IP range to 172.16.0.32/28.
11. Click CREATE to create the new cluster.
12. You can now delete the original cluster to avoid unwanted expenses. Click on the cluster, select the DELETE button from the top navigation bar, and press DELETE in the pop-up box to confirm the deletion.
13. Repeat steps 4 to 12 for all the clusters you want to reconfigure in the selected project.
14. If you have multiple projects, repeat steps 2 to 13 for each project in your GCP console.
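The console check above (Steps to Reproduce) and the three public-endpoint access modes from the remediation steps can also be evaluated programmatically. The following is an added example, not part of the original page or of the plugin itself: it audits cluster records in the JSON shape returned by `gcloud container clusters list --format=json` (the `privateClusterConfig` and `masterAuthorizedNetworksConfig` fields of the GKE API), flags any cluster without private nodes, and reports which endpoint mode each private cluster uses. The cluster names, locations and CIDR values in the sample are constructed for illustration.

```python
import json

# Constructed sample data in the shape of `gcloud container clusters list --format=json`,
# trimmed to the fields this check needs. Names and CIDRs are made up for the example.
SAMPLE_CLUSTERS_JSON = """
[
  {"name": "prod-private", "location": "us-central1",
   "privateClusterConfig": {"enablePrivateNodes": true, "enablePrivateEndpoint": true,
                            "masterIpv4CidrBlock": "172.16.0.32/28"}},
  {"name": "staging-authz", "location": "us-east1",
   "privateClusterConfig": {"enablePrivateNodes": true, "enablePrivateEndpoint": false},
   "masterAuthorizedNetworksConfig": {"enabled": true,
                                      "cidrBlocks": [{"cidrBlock": "203.0.113.0/24"}]}},
  {"name": "dev-open-endpoint", "location": "europe-west1",
   "privateClusterConfig": {"enablePrivateNodes": true, "enablePrivateEndpoint": false}},
  {"name": "legacy-public", "location": "us-west1"}
]
"""

def load_clusters(text):
    """Parse the JSON cluster list (as produced by gcloud) into Python objects."""
    return json.loads(text)

def classify_cluster(cluster):
    """Return (private_nodes_enabled, endpoint_mode) for one cluster record.

    The endpoint modes mirror remediation steps 7-9: no public endpoint,
    public endpoint limited by authorized networks, or unrestricted public endpoint.
    """
    pcc = cluster.get("privateClusterConfig") or {}
    if not pcc.get("enablePrivateNodes"):
        return False, "public-nodes"            # private cluster mode is disabled
    if pcc.get("enablePrivateEndpoint"):
        return True, "no-public-endpoint"       # step 7: external access unchecked
    authz = cluster.get("masterAuthorizedNetworksConfig") or {}
    if authz.get("enabled"):
        return True, "public-endpoint-authorized-networks"  # step 8
    return True, "public-endpoint-unrestricted"             # step 9

def audit_clusters(clusters):
    """One finding per cluster; the plugin's FAIL condition is private nodes disabled."""
    findings = []
    for c in clusters:
        private_nodes, mode = classify_cluster(c)
        findings.append({"cluster": c.get("name"), "location": c.get("location"),
                         "status": "PASS" if private_nodes else "FAIL", "endpoint_mode": mode})
    return findings

def failing_clusters(clusters):
    """Names of clusters that would be reported by this plugin."""
    return [f["cluster"] for f in audit_clusters(clusters) if f["status"] == "FAIL"]

if __name__ == "__main__":
    for f in audit_clusters(load_clusters(SAMPLE_CLUSTERS_JSON)):
        print(f"{f['status']}  {f['cluster']:<20} {f['location']:<14} {f['endpoint_mode']}")
```

To run it against a real project, replace the sample string with the output of `gcloud container clusters list --format=json`; the endpoint mode is informational, since the page treats all three modes as valid choices once private nodes are enabled.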