GKE cluster might be publicly exposed Affecting Kubernetes (Container) Engine service in Google
Severity Framework
CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Snyk CCSS
Rule category
Each rule is associated with a high-level category. For example IAM, Container, Monitoring, Logging, Network, etc.
Containers/ Best Practices
Is your environment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsFrameworks
CIS-Controls
- Snyk IDSNYK-CC-00413
- creditSnyk Research Team
Description
Master endpoints or nodes may be configured with public addresses.
How to fix?
Configure private_cluster_config block by setting enable_private_nodes and enable_private_endpoint attributes to true.
Example Configuration
resource "google_container_cluster" "allowed" {
name = "marcellus-wallace"
location = "us-central1-a"
initial_node_count = 1
private_cluster_config {
enable_private_endpoint = true
enable_private_nodes = true
master_ipv4_cidr_block = "192.168.0.0/28"
}
master_authorized_networks_config {
cidr_blocks {
cidr_block = "10.0.0.0/18"
display_name = "master_auth"
}
}
ip_allocation_policy {
cluster_ipv4_cidr_block = "10.32.0.0/14"
services_ipv4_cidr_block = "10.0.0.0/20"
}
}