Ensure GKE control plane is not public

Error: GKE control plane is public

Bridgecrew Policy ID: BC_GCP_KUBERNETES_10
Checkov Check ID: CKV_GCP_18
Severity: LOW

GKE control plane is public


The GKE cluster control plane and nodes have internet routable addresses that can be accessed from any IP address by default. Direct internet access to nodes can be disabled by specifying the gcloud tool option enable-private-nodes at cluster creation.

We recommend you disable direct internet access to nodes at cluster creation and ensure clusters use master authorized networks and private nodes to reach the control plane by whitelisted CIDRs, nodes within the cluster VPC and Google management jobs.

We also recommend you limit the exposure of the cluster control plane and nodes to the internet. These settings can only be set at cluster creation time and help ensure sensitive controllers are not exposed to external access.

Fix - Buildtime


resource "google_container_cluster" "primary" {
  name               = "marcellus-wallace"
  location           = "us-central1-a"
  initial_node_count = 3
  private_cluster_config {
    	enable_private_nodes = true