5.6.4 Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled

Information

Disable access to the Kubernetes API from outside the node network if it is not required.

In a private cluster, the master node has two endpoints, a private and public endpoint. The private endpoint is the internal IP address of the master, behind an internal load balancer in the master's VPC network. Nodes communicate with the master using the private endpoint. The public endpoint enables the Kubernetes API to be accessed from outside the master's VPC network.

Although the Kubernetes API requires an authorized token to perform sensitive actions, a vulnerability could potentially expose the Kubernetes API publicly with unrestricted access. Additionally, an attacker may be able to identify the current cluster and Kubernetes API version and determine whether it is vulnerable to an attack. Unless required, disabling the public endpoint will help prevent such threats, and require the attacker to be on the master's VPC network to perform any attack on the Kubernetes API.

Solution

Once a cluster is created without the Private Endpoint enabled, it cannot be remediated in place. Rather, the cluster must be recreated.

Using Google Cloud Console:

- Go to Kubernetes Engine by visiting https://console.cloud.google.com/kubernetes/list

- Click CREATE CLUSTER, and choose CONFIGURE for the Standard mode cluster.
- Configure the cluster as required then click Networking under CLUSTER in the navigation pane.
- Under IPv4 network access, click the Private cluster radio button.
- Uncheck the Access control plane using its external IP address checkbox.
- In the Control plane IP range textbox, provide an IP range for the control plane.
- Configure the other settings as required, and click CREATE.

Using Command Line:

Create a cluster with a Private Endpoint enabled and Public Access disabled by including the --enable-private-endpoint flag within the cluster create command:

gcloud container clusters create <cluster_name> --enable-private-endpoint

Setting this flag also requires the --enable-private-nodes and --enable-ip-alias flags, together with --master-ipv4-cidr=<master_cidr_range>.
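The following POSIX shell script is an added example, not part of the benchmark text or of the gcloud tooling. It assembles the complete create command (all four flags the text says must be set together), validates that the control plane range has the /28 netmask that --master-ipv4-cidr expects, and evaluates the value that gcloud prints for privateClusterConfig.enablePrivateEndpoint so an existing cluster can be audited against this control. The cluster name, region and CIDR values are placeholders; the assumption that gcloud's value() format prints "True" for an enabled boolean and an empty string when the field is absent is marked in the comments.

```shell
#!/bin/sh
# Added example (not from the benchmark): build and audit the private-endpoint
# configuration for a GKE Standard cluster.

# validate_master_cidr CIDR
# --master-ipv4-cidr must be a /28 range; anything else is rejected here
# before gcloud is ever invoked.
validate_master_cidr() {
  case "$1" in
    */28) return 0 ;;
    *)    printf 'master CIDR must be a /28, got: %s\n' "$1" >&2; return 1 ;;
  esac
}

# build_create_cmd NAME MASTER_CIDR [REGION]
# Prints the full create command: private endpoint, private nodes, IP aliasing
# and the control plane range are set together, as the control requires.
build_create_cmd() {
  name="$1"; master_cidr="$2"; region="${3:-us-central1}"   # placeholders
  validate_master_cidr "$master_cidr" || return 1
  printf 'gcloud container clusters create %s --region %s' "$name" "$region"
  printf ' --enable-private-endpoint --enable-private-nodes --enable-ip-alias'
  printf ' --master-ipv4-cidr=%s\n' "$master_cidr"
}

# check_private_endpoint VALUE
# VALUE is the output of:
#   gcloud container clusters describe NAME --region REGION \
#     --format='value(privateClusterConfig.enablePrivateEndpoint)'
# Assumption: gcloud prints "True" when the private endpoint is enabled and an
# empty string (or "False") when it is not, i.e. the public endpoint is live.
check_private_endpoint() {
  case "$1" in
    True|true)
      printf 'PASS: private endpoint enabled, public access disabled\n'
      return 0 ;;
    *)
      printf 'FAIL: public endpoint reachable (enablePrivateEndpoint=%s)\n' "${1:-unset}"
      return 1 ;;
  esac
}

# audit_cluster NAME REGION
# Live audit of an existing cluster; needs an authenticated gcloud and is not
# exercised by the offline checks below.
audit_cluster() {
  val=$(gcloud container clusters describe "$1" --region "$2" \
          --format='value(privateClusterConfig.enablePrivateEndpoint)')
  check_private_endpoint "$val"
}

# Offline demonstration with constructed inputs.
build_create_cmd example-cluster 172.16.0.32/28 us-central1
check_private_endpoint "True"   # constructed describe output: compliant
check_private_endpoint ""       # constructed describe output: public endpoint still on
```

A cluster created with --enable-private-nodes but without --enable-private-endpoint still passes the second check's FAIL branch: node-level privacy alone leaves the control plane reachable from public IP addresses, which is exactly the state this control flags.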

Impact:

To enable a Private Endpoint, the cluster has to also be configured with private nodes, a private master IP range and IP aliasing enabled.

If the Private Endpoint flag --enable-private-endpoint is passed to the gcloud CLI, or the Access control plane using its external IP address checkbox is left unchecked in the Google Cloud Console during cluster creation, then all access from a public IP address is prohibited.

See Also

https://workbench.cisecurity.org/benchmarks/19166

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|SC-7, 800-53|SC-7(5)

Plugin: GCP

Control ID: cebb60bebeda8246957616cf300150c7ad98875e240a16d3d37bcd3a0424889f