5.6.5 Ensure clusters are created with Private Nodes

Information

Private Nodes are nodes with no public IP addresses. Disable public IP addresses for cluster nodes, so that they only have private IP addresses.

Disabling public IP addresses on cluster nodes restricts access to only internal networks, forcing attackers to obtain local network access before attempting to compromise the underlying Kubernetes hosts.

Solution

Once a cluster is created without enabling Private Nodes, it cannot be remediated in place. Rather, the cluster must be recreated.

Using Google Cloud Console:

- Go to Kubernetes Engine by visiting: https://console.cloud.google.com/kubernetes/list
- Click CREATE CLUSTER.
- Configure the cluster as required then click Networking under CLUSTER in the navigation pane.
- Under IPv4 network access, click the Private cluster radio button.
- Configure the other settings as required, and click CREATE.

Using Command Line:

To create a cluster with Private Nodes enabled, include the --enable-private-nodes flag within the cluster create command:

gcloud container clusters create <cluster_name> --enable-private-nodes

Setting this flag also requires --enable-ip-alias and --master-ipv4-cidr=<master_cidr_range> to be set on the same command.
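As an added example (not part of the benchmark text or a CIS-supplied script), the following Python check reads a cluster listing in the shape of `gcloud container clusters list --format=json` and reports which clusters lack the three settings the Solution ties together: private nodes, a private master IP range, and IP aliasing. The field names follow the GKE Cluster API resource; the embedded listing is a constructed sample, not real cluster data.

```python
import json

# Constructed sample in the shape of `gcloud container clusters list --format=json`,
# reduced to the fields this check reads. Not real cluster data.
SAMPLE_CLUSTERS_JSON = """
[
  {"name": "prod-private",
   "privateClusterConfig": {"enablePrivateNodes": true,
                            "masterIpv4CidrBlock": "172.16.0.0/28"},
   "ipAllocationPolicy": {"useIpAliases": true}},
  {"name": "legacy-public",
   "ipAllocationPolicy": {"useIpAliases": false}},
  {"name": "aliases-only",
   "privateClusterConfig": {"enablePrivateNodes": false},
   "ipAllocationPolicy": {"useIpAliases": true}}
]
"""


def private_nodes_findings(cluster):
    """Return the reasons a cluster fails 5.6.5; an empty list means compliant."""
    findings = []
    private_cfg = cluster.get("privateClusterConfig") or {}
    # Nodes get public IPs unless enablePrivateNodes is explicitly true.
    if not private_cfg.get("enablePrivateNodes", False):
        findings.append("private nodes not enabled (--enable-private-nodes)")
    # Private nodes require a dedicated control-plane (master) CIDR.
    if not private_cfg.get("masterIpv4CidrBlock"):
        findings.append("no private master IP range (--master-ipv4-cidr)")
    # Private nodes are only supported on VPC-native (IP alias) clusters.
    if not (cluster.get("ipAllocationPolicy") or {}).get("useIpAliases", False):
        findings.append("IP aliasing not enabled (--enable-ip-alias)")
    return findings


def audit_clusters(clusters_json):
    """Map each cluster name to its findings for every cluster in the listing."""
    return {c["name"]: private_nodes_findings(c) for c in json.loads(clusters_json)}


if __name__ == "__main__":
    for name, findings in audit_clusters(SAMPLE_CLUSTERS_JSON).items():
        status = "PASS" if not findings else "FAIL: " + "; ".join(findings)
        print(f"{name}: {status}")
```

Because existing clusters cannot be switched to private nodes, a FAIL here means the cluster must be scheduled for recreation rather than patched.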

Impact:

To enable Private Nodes, the cluster has to also be configured with a private master IP range and IP Aliasing enabled.

Private Nodes do not have outbound access to the public internet. If you want to provide outbound internet access for your private nodes, you can use Cloud NAT or you can manage your own NAT gateway.

To access Google Cloud APIs and services from private nodes, Private Google Access needs to be set on Kubernetes Engine Cluster Subnets.

See Also

https://workbench.cisecurity.org/benchmarks/19166

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|SC-7, 800-53|SC-7(5)

Plugin: GCP

Control ID: 8e03754011426f171fe214e550755a655722ebf12224dbfffdaf3723fcaf4266