Profile applicability: Level 2
Disable access to the Kubernetes API from outside the node network if it is not required.
In a private cluster, the master node has two endpoints, a private endpoint and a public endpoint.
The private endpoint is the internal IP address of the master, behind an internal
load balancer in the master's VPC network. Nodes communicate with the master using
the private endpoint. The public endpoint enables the Kubernetes API to be accessed
from outside the master's VPC network.
Although the Kubernetes API requires an authorized token to perform sensitive actions,
a vulnerability could potentially expose the Kubernetes API publicly with unrestricted
access. Additionally, an attacker may be able to identify the current cluster and
Kubernetes API version and determine whether it is vulnerable to an attack. Unless
required, disabling the public endpoint will help prevent such threats and require the
attacker to be on the master's VPC network to perform any attack on the Kubernetes
API.
Note: By default, the Private Endpoint is disabled.
Impact
To enable a Private Endpoint, the cluster must also be configured with private nodes,
a private master IP range, and IP aliasing enabled.
If the Private Endpoint flag --enable-private-endpoint is passed to the gcloud CLI, or
access to the control plane via its external IP address is disabled in the Google Cloud
Console during cluster creation, then all access from a public IP address is prohibited.
Audit
Using Google Cloud Console:
- Go to Kubernetes Engine website.
- Select the required cluster, and within the Details pane, make sure the Endpoint does not have a public IP address.
Using Command Line:
Run this command:
gcloud container clusters describe <cluster_name> --format json | jq '.privateClusterConfig.enablePrivateEndpoint'
The output of the above command returns true if a Private Endpoint is enabled with
Public Access disabled. For an additional check, the endpoint parameter can be queried
with the following command:
gcloud container clusters describe <cluster_name> --format json | jq '.endpoint'
The output of the above command returns a private IP address if Private Endpoint is
enabled with Public Access disabled.
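The two command-line checks above can be combined into one script that fails closed when either the flag or the endpoint address is wrong. The following is an added example and is not part of the benchmark text: it assumes gcloud is installed and authenticated (the describe_cluster helper and its --location flag are the author's own wrapper), and the three sample cluster documents are constructed by hand, trimmed to the fields the audit reads, rather than captured from real clusters.

```python
import ipaddress
import json
import subprocess


def describe_cluster(name: str, location: str) -> dict:
    """Run the same describe call the audit uses and return its parsed JSON.

    Assumes gcloud is installed and authenticated; this is an added helper,
    not something the benchmark itself provides, and is not exercised offline.
    """
    out = subprocess.run(
        ["gcloud", "container", "clusters", "describe", name,
         "--location", location, "--format", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


def audit_private_endpoint(cluster: dict) -> list[str]:
    """Return findings for one cluster; an empty list means it passes.

    Mirrors the two audit queries: privateClusterConfig.enablePrivateEndpoint
    must be true, and the 'endpoint' field (the address the API is served on)
    must be a private address, not a public one.
    """
    findings = []

    # Absent privateClusterConfig means a public cluster: both checks fail.
    pcc = cluster.get("privateClusterConfig") or {}
    if not pcc.get("enablePrivateEndpoint", False):
        findings.append(
            "privateClusterConfig.enablePrivateEndpoint is not true "
            "(control plane reachable via its public IP)")

    endpoint = cluster.get("endpoint", "")
    try:
        addr = ipaddress.ip_address(endpoint)
    except ValueError:
        # Fail closed: an unparsable endpoint is a finding, not a pass.
        findings.append(f"endpoint {endpoint!r} is not an IP address")
    else:
        # is_private covers RFC 1918 space (plus loopback/link-local etc.).
        if not addr.is_private:
            findings.append(f"endpoint {endpoint} is a public address")
    return findings


# Constructed samples (not real gcloud output), trimmed to the fields used above.
COMPLIANT = {
    "name": "prod-private",
    "endpoint": "172.16.0.2",
    "privateClusterConfig": {
        "enablePrivateNodes": True,
        "enablePrivateEndpoint": True,
        "masterIpv4CidrBlock": "172.16.0.0/28",
        "privateEndpoint": "172.16.0.2",
    },
}

# Private nodes, but the control plane is still reached on its public IP.
PRIVATE_NODES_PUBLIC_ENDPOINT = {
    "name": "staging",
    "endpoint": "34.123.45.67",
    "privateClusterConfig": {
        "enablePrivateNodes": True,
        "enablePrivateEndpoint": False,
        "masterIpv4CidrBlock": "172.16.0.16/28",
    },
}

# Fully public cluster: no privateClusterConfig block at all.
PUBLIC_CLUSTER = {
    "name": "dev",
    "endpoint": "34.123.45.68",
}


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        clusters = [describe_cluster(sys.argv[1], sys.argv[2])]
    else:
        clusters = [COMPLIANT, PRIVATE_NODES_PUBLIC_ENDPOINT, PUBLIC_CLUSTER]
    for c in clusters:
        result = audit_private_endpoint(c)
        status = "PASS" if not result else "FAIL"
        print(f"{c['name']}: {status}")
        for f in result:
            print(f"  - {f}")
```

Run it with no arguments to see the three constructed samples scored, or with a cluster name and location to audit a real cluster through gcloud. Note that the endpoint check is a consistency check on the flag: a cluster with enablePrivateEndpoint true but a public 'endpoint' value would be reported on both counts rather than silently trusted.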
Remediation
Once a cluster has been created without Private Endpoint enabled and Public Access
disabled, it cannot be remediated in place; rather, the cluster must be recreated.
Using Google Cloud Console:
- Go to Kubernetes Engine website.
- Click CREATE CLUSTER, and choose CONFIGURE for the Standard mode cluster.
- Configure the cluster as required, then click Networking under CLUSTER in the navigation pane.
- Under IPv4 network access, click the Private cluster radio button.
- Uncheck the Access control plane using its external IP address checkbox.
- In the Control plane IP range textbox, provide an IP range for the control plane.
- Configure the other settings as required, and click CREATE.
Using Command Line:
Create a cluster with a Private Endpoint enabled and Public Access disabled by including
the --enable-private-endpoint flag in the cluster create command. Setting this flag also
requires --enable-private-nodes, --enable-ip-alias, and
--master-ipv4-cidr=<master_cidr_range>, so the complete command is:
gcloud container clusters create <cluster_name> --enable-private-endpoint --enable-private-nodes --enable-ip-alias --master-ipv4-cidr=<master_cidr_range>