The GKE cluster control plane and nodes have internet routable addresses that can be accessed from any IP address by default. Direct internet access to nodes can be disabled by specifying the gcloud tool option enable-private-nodes at cluster creation.
We recommend you disable direct internet access to nodes at cluster creation and ensure clusters use master authorized networks and private nodes to reach the control plane by whitelisted CIDRs, nodes within the cluster VPC and Google management jobs.
We also recommend you limit the exposure of the cluster control plane and nodes to the internet. These settings can only be set at cluster creation time and help ensure sensitive controllers are not exposed to external access.
Updated 2 months ago