Ensure GCP Kubernetes Engine Clusters are configured with private nodes feature

Error: GCP Kubernetes Engine Clusters not configured with private nodes feature

Bridgecrew Policy ID: BC_GCP_KUBERNETES_19
Checkov Check ID: CKV_GCP_64
Severity: MEDIUM

Description

Disable public IP addresses for cluster nodes so that they have only private IP addresses. Private nodes are GKE nodes with no public IP address.
Disabling public IP addresses on cluster nodes restricts access to internal networks only, so an attacker must first obtain access to the local network before attempting to compromise the underlying Kubernetes hosts.

Fix - Buildtime

Terraform

  • Resource: google_container_cluster
  • Argument: private_cluster_config
resource "google_container_cluster" "example" {
  name               = var.name
  location           = var.location
  project            = data.google_project.project.name

+ # Private nodes: node VMs get only internal IPs; the control plane is reached via master_ipv4_cidr_block
+ private_cluster_config {
+   enable_private_nodes    = var.private_cluster_config["enable_private_nodes"]
+   enable_private_endpoint = var.private_cluster_config["enable_private_endpoint"]
+   master_ipv4_cidr_block  = var.private_cluster_config["master_ipv4_cidr_block"]
+ }
}
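To show what the check actually evaluates, here is an added example (not Checkov's own implementation) that applies the CKV_GCP_64 rule to parsed google_container_cluster resources: it reads private_cluster_config.enable_private_nodes from the list-wrapped attribute shape Checkov's Terraform parser produces (plain dict values are accepted too) and reports FAILED for a cluster that omits the block or leaves the flag false. The sample resources are constructed for the example.

```python
"""Evaluate google_container_cluster resources for the private-nodes setting.

Added example, not Checkov's own code: applies the rule behind CKV_GCP_64
(private_cluster_config.enable_private_nodes must be true) to resource
attribute dicts in the list-wrapped form Checkov's HCL parser produces.
"""

PASSED = "PASSED"
FAILED = "FAILED"


def _first(value):
    """Nested blocks and attributes arrive wrapped in one-element lists; unwrap."""
    if isinstance(value, list):
        return value[0] if value else None
    return value


def check_private_nodes(conf):
    """Return PASSED when enable_private_nodes is true, otherwise FAILED.

    `conf` is the attribute dict of one google_container_cluster resource.
    A missing private_cluster_config block, a missing flag, a false flag, or
    an unresolved variable reference (a string, not a bool) all fail, because
    GKE assigns public node IPs unless the flag is explicitly true.
    """
    block = _first(conf.get("private_cluster_config"))
    if not isinstance(block, dict):
        return FAILED
    flag = _first(block.get("enable_private_nodes"))
    return PASSED if flag is True else FAILED


def scan(resources):
    """Run the check over {resource_name: conf} and return {name: result}."""
    return {name: check_private_nodes(conf) for name, conf in resources.items()}


# Constructed sample resources (not from any real project): one public, one private.
SAMPLE = {
    "public": {"name": ["public"], "location": ["us-central1"]},
    "private": {
        "name": ["private"],
        "location": ["us-central1"],
        "private_cluster_config": [{
            "enable_private_nodes": [True],
            "enable_private_endpoint": [False],
            "master_ipv4_cidr_block": ["10.0.0.0/28"],
        }],
    },
}

if __name__ == "__main__":
    for name, result in scan(SAMPLE).items():
        print(f"google_container_cluster.{name}: {result}")
```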