GKE cluster might be publicly exposed Affecting Kubernetes (Container) Engine service in Google
Severity Framework
Snyk CCSS
Rule category
Containers / Best Practices
Frameworks
CIS-Controls
- Snyk ID SNYK-CC-00413
- credit Snyk Research Team
Description
The cluster's control plane (master) endpoint or its nodes may be configured with public IP addresses, leaving them reachable from the internet.
How to fix?
Configure the private_cluster_config block by setting both the enable_private_nodes and enable_private_endpoint attributes to true.
Example Configuration
resource "google_container_cluster" "allowed" {
  name               = "marcellus-wallace"
  location           = "us-central1-a"
  initial_node_count = 1

  private_cluster_config {
    enable_private_endpoint = true
    enable_private_nodes    = true
    master_ipv4_cidr_block  = "192.168.0.0/28"
  }

  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = "10.0.0.0/18"
      display_name = "master_auth"
    }
  }

  ip_allocation_policy {
    cluster_ipv4_cidr_block  = "10.32.0.0/14"
    services_ipv4_cidr_block = "10.0.0.0/20"
  }
}
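The following is an added example of how the check described on this page can be run as a policy gate in a pipeline; it is not Snyk's rule implementation. It assumes the JSON shape produced by `terraform show -json plan.out`, where planned resources live under `planned_values.root_module.resources` (and nested `child_modules`) and a nested block such as `private_cluster_config` is rendered as a list of attribute maps. The sample plan embedded below is constructed by hand: one cluster with no private_cluster_config at all, one with private nodes but a still-public endpoint, and one matching the "allowed" configuration above.

```python
"""Flag google_container_cluster resources whose private_cluster_config does
not set both enable_private_nodes and enable_private_endpoint to true.

Added example, not Snyk's own rule code. Assumes the `terraform show -json`
plan layout; the sample plan below is constructed for the demo.
"""
import json
import sys

# Constructed sample plan (hypothetical addresses and names).
SAMPLE_PLAN = json.dumps({
    "planned_values": {"root_module": {"resources": [
        {"address": "google_container_cluster.public",
         "type": "google_container_cluster",
         "values": {"name": "public", "private_cluster_config": []}},
        {"address": "google_container_cluster.half",
         "type": "google_container_cluster",
         "values": {"name": "half", "private_cluster_config": [
             {"enable_private_nodes": True, "enable_private_endpoint": False}]}},
        {"address": "google_container_cluster.allowed",
         "type": "google_container_cluster",
         "values": {"name": "marcellus-wallace", "private_cluster_config": [
             {"enable_private_nodes": True, "enable_private_endpoint": True,
              "master_ipv4_cidr_block": "192.168.0.0/28"}]}},
    ]}}
})

# Attributes the page's fix requires to be literally true.
REQUIRED = ("enable_private_nodes", "enable_private_endpoint")


def iter_resources(module):
    """Yield every resource in a plan module, descending into child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def private_cluster_findings(plan_json):
    """Return {resource address: [attributes that are missing or not true]}.

    An absent block or an unknown-until-apply value is treated as a failure,
    so the check errs on the side of reporting rather than silently passing.
    """
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = {}
    for res in iter_resources(root):
        if res.get("type") != "google_container_cluster":
            continue
        blocks = res.get("values", {}).get("private_cluster_config") or []
        cfg = blocks[0] if blocks else {}
        problems = [attr for attr in REQUIRED if cfg.get(attr) is not True]
        if problems:
            findings[res["address"]] = problems
    return findings


if __name__ == "__main__":
    # Read a real plan from stdin if given, otherwise use the constructed sample.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PLAN
    for address, problems in private_cluster_findings(source).items():
        print(f"{address}: private_cluster_config needs {', '.join(problems)} = true")
```

Run it as `terraform show -json plan.out | python check_gke_private.py` and fail the pipeline on any output. Note that once enable_private_endpoint is true, the control plane is reachable only over internal addresses, so the master_authorized_networks_config ranges must be private ones (as in the example's 10.0.0.0/18) and operators need a path into the VPC, such as a bastion or VPN, to reach the API.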