Disable access to the Kubernetes API from outside the node network if it is not required.

Rationale: In a private cluster, the master node has two endpoints, a private and a public endpoint. The private endpoint is the internal IP address of the master, behind an internal load balancer in the master's VPC network. Nodes communicate with the master using the private endpoint. The public endpoint enables the Kubernetes API to be accessed from outside the master's VPC network. Although the Kubernetes API requires an authorized token to perform sensitive actions, a vulnerability could potentially expose the Kubernetes API publicly with unrestricted access. Additionally, an attacker may be able to identify the current cluster and Kubernetes API version and determine whether it is vulnerable to an attack. Unless required, disabling the public endpoint will help prevent such threats, and require the attacker to be on the master's VPC network to perform any attack on the Kubernetes API.
Solution
Once a cluster is created without the Private Endpoint enabled, it cannot be remediated; the cluster must be recreated.

Using Google Cloud Console
1. Go to Kubernetes Engine by visiting https://console.cloud.google.com/kubernetes/list
2. Click CREATE CLUSTER.
3. Configure the cluster as desired, then click 'Availability, networking, security, and additional features'.
4. Under 'Network Security', ensure the 'Private cluster' checkbox is checked.
5. Clear the 'Access master using its external IP address' checkbox.
6. Configure other settings as required.
7. Click CREATE.

Using Command Line
Create a cluster with the Private Endpoint enabled and public access disabled by including the --enable-private-endpoint flag in the cluster create command:

gcloud container clusters create [CLUSTER_NAME] \
    --enable-private-endpoint

Setting this flag also requires --enable-private-nodes, --enable-ip-alias and --master-ipv4-cidr=[MASTER_CIDR_RANGE].

Impact: To enable a Private Endpoint, the cluster must also be configured with private nodes, a private master IP range and IP aliasing enabled. If the --enable-private-endpoint flag is passed to the gcloud CLI, or the external IP address is left undefined in the Google Cloud Console during cluster creation, then all access from a public IP address is prohibited.

Default Value: By default, the Private Endpoint is disabled.
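Because a non-compliant cluster can only be fixed by recreating it, the practical check is an audit of existing clusters. The following is an added example (not part of this recommendation or of Google's tooling) that evaluates the JSON printed by `gcloud container clusters describe [CLUSTER_NAME] --format=json` against the Private Endpoint setting and its three prerequisites; the field names (privateClusterConfig.enablePrivateEndpoint, enablePrivateNodes, masterIpv4CidrBlock, ipAllocationPolicy.useIpAliases) are the GKE API's, and the sample documents are constructed.

```python
import json

# Constructed sample: trimmed `gcloud container clusters describe --format=json`
# output for three clusters (field names are the GKE API's, values invented).
SAMPLE_CLUSTERS = [
    json.dumps({"name": "private-only",
                "privateClusterConfig": {"enablePrivateNodes": True,
                                         "enablePrivateEndpoint": True,
                                         "masterIpv4CidrBlock": "172.16.0.32/28"},
                "ipAllocationPolicy": {"useIpAliases": True}}),
    json.dumps({"name": "public-master",
                "privateClusterConfig": {"enablePrivateNodes": True,
                                         "enablePrivateEndpoint": False,
                                         "masterIpv4CidrBlock": "172.16.0.0/28"},
                "ipAllocationPolicy": {"useIpAliases": True}}),
    json.dumps({"name": "legacy-public"}),  # no privateClusterConfig at all
]


def audit_cluster(describe_json: str) -> dict:
    """Check one describe() document against this recommendation: it passes only
    when enablePrivateEndpoint is true and its prerequisites (private nodes,
    a master IPv4 CIDR block, IP aliasing) are all present."""
    cluster = json.loads(describe_json)
    pcc = cluster.get("privateClusterConfig") or {}
    ip_policy = cluster.get("ipAllocationPolicy") or {}
    findings = []
    if not pcc.get("enablePrivateEndpoint"):
        findings.append("public endpoint enabled (enablePrivateEndpoint not true)")
    if not pcc.get("enablePrivateNodes"):
        findings.append("private nodes not enabled")
    if not pcc.get("masterIpv4CidrBlock"):
        findings.append("no master IPv4 CIDR block")
    if not ip_policy.get("useIpAliases"):
        findings.append("IP aliasing not enabled")
    return {"name": cluster.get("name", "?"),
            "compliant": not findings, "findings": findings}


def non_compliant(describe_outputs) -> list:
    """Return the names of clusters that fail, i.e. that must be recreated."""
    return [r["name"] for r in map(audit_cluster, describe_outputs)
            if not r["compliant"]]


if __name__ == "__main__":
    for doc in SAMPLE_CLUSTERS:
        r = audit_cluster(doc)
        print(r["name"], "PASS" if r["compliant"] else "FAIL: " + "; ".join(r["findings"]))
```

To run it against a real project, feed each cluster's describe output into `audit_cluster` instead of the constructed sample.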