Profile applicability: Level 2
Disable access to the Kubernetes API from outside the node network if it is not required.
In a private cluster, the master node has two endpoints, a private and public endpoint.
The private endpoint is the internal IP address of the master, behind an internal
load balancer in the master's VPC network. Nodes communicate with the master using
the private endpoint.
The public endpoint enables the Kubernetes API to be accessed from outside the master's
VPC network. Although Kubernetes API requires an authorized token to perform sensitive
actions, a vulnerability could potentially expose the Kubernetes API publicly with unrestricted
access.
Additionally, an attacker may be able to identify the current cluster and Kubernetes
API version and determine whether it is vulnerable to an attack. Unless required,
disabling public endpoint will help prevent such threats, and require the attacker
to be on the master's VPC network to perform any attack on the Kubernetes API.
Note: By default, the Private Endpoint is disabled.
Impact
To enable a Private Endpoint, the cluster has to also be configured with private nodes,
a private master IP range and IP aliasing enabled. If the Private Endpoint flag
--enable-private-endpoint is passed to the gcloud CLI, or the external IP address undefined in the Google Cloud
Console during cluster creation, then all access from a public IP address is prohibited.
Audit
Using Google Cloud Console:
- Go to Kubernetes Engine by visiting: Google Cloud Console Kubernetes Engine page.
- Select the required cluster, and within the Details pane, make sure the 'Endpoint' does not have a public IP address.
Using Command Line:
To check Private Endpoint status for an existing cluster, first define 3 variables
Cluster Name, Location and Project and then run the following command:
gcloud container clusters describe $CLUSTER_NAME --location $LOCATION --project $PROJECT_ID --format json | jq '.privateClusterConfig.enablePrivateEndpoint'
The output of the above command returns
{ "enablePrivateEndpoint": true } if a Private Endpoint is enabled with Public Access disabled.For an additional check, the endpoint parameter can be queried with the following
command:
gcloud container clusters describe <cluster_name> --format json | jq '.endpoint'
The output of the above command returns a private IP address if Private Endpoint is
enabled with Public Access disabled.
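As an added example (not part of the benchmark text), the following Python check evaluates the JSON that the describe command above prints, offline, against constructed sample output: it tests the enablePrivateEndpoint flag from the jq query, the prerequisites named in the Impact section, and whether the reported endpoint is an internal (RFC 1918) address.

```python
import ipaddress
import json

# Constructed fixtures standing in for the JSON that
# `gcloud container clusters describe <cluster_name> --format json` prints.
# Only the fields this check reads are included; the public address uses an
# RFC 5737 documentation range rather than any real cluster.
COMPLIANT = json.dumps({
    "name": "private-only",
    "endpoint": "172.16.0.2",
    "privateClusterConfig": {
        "enablePrivateNodes": True,
        "enablePrivateEndpoint": True,
        "masterIpv4CidrBlock": "172.16.0.0/28",
    },
})
NON_COMPLIANT = json.dumps({
    "name": "public-endpoint",
    "endpoint": "198.51.100.7",
    "privateClusterConfig": {
        "enablePrivateNodes": True,
        "enablePrivateEndpoint": False,
        "masterIpv4CidrBlock": "172.16.0.0/28",
    },
})

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_private_endpoint(describe_json: str) -> list:
    """Return benchmark findings; an empty list means the cluster passes."""
    cluster = json.loads(describe_json)
    cfg = cluster.get("privateClusterConfig") or {}
    findings = []
    # Primary check: the flag the benchmark's jq query reads.
    if cfg.get("enablePrivateEndpoint") is not True:
        findings.append("privateClusterConfig.enablePrivateEndpoint is not true")
    # Prerequisites listed in the Impact section.
    if cfg.get("enablePrivateNodes") is not True:
        findings.append("privateClusterConfig.enablePrivateNodes is not true")
    if not cfg.get("masterIpv4CidrBlock"):
        findings.append("privateClusterConfig.masterIpv4CidrBlock is not set")
    # Secondary check: the reported endpoint must be an internal address.
    try:
        addr = ipaddress.ip_address(cluster.get("endpoint", ""))
    except ValueError:
        findings.append("endpoint is missing or not an IP address")
        return findings
    if not any(addr in net for net in RFC1918):
        findings.append("endpoint %s is a public IP address" % addr)
    return findings
```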
Remediation
Once a cluster has been created without Private Endpoint enabled, this setting cannot be
remediated in place; the cluster must be recreated.
Using Google Cloud Console:
- Go to Kubernetes Engine by visiting: Google Cloud Console Kubernetes Engine page.
- Click CREATE CLUSTER, and choose CONFIGURE for the Standard mode cluster.
- Configure the cluster as required then click Networking under CLUSTER in the navigation pane.
- Under IPv4 network access, click the Private cluster radio button.
- Uncheck the Access control plane using its external IP address checkbox.
- In the Control plane IP range textbox, provide an IP range for the control plane.
- Configure the other settings as required, and click CREATE.
Using Command Line:
Create a cluster with a Private Endpoint enabled and Public Access disabled by including
the --enable-private-endpoint flag within the cluster create command:
gcloud container clusters create <cluster_name> --enable-private-endpoint
Setting this flag also requires the setting of
--enable-private-nodes, --enable-ip-alias and --master-ipv4-cidr=<master_cidr_range>.
