More Info:

Ensures private cluster is enabled for all Kubernetes clusters. Kubernetes private clusters only have internal ip ranges, which ensures that their workloads are isolated from the public internet.

Risk Level

Medium

Address

Security

Compliance Standards

HITRUST, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

To remediate the “Private Cluster Should Be Enabled” misconfiguration in GCP using the GCP console, follow these steps:
  1. Open the GCP Console and navigate to the Kubernetes Engine page.
  2. Select the cluster that you want to remediate and click on the “Edit” button.
  3. Scroll down to the “Networking” section and click on “Show advanced options”.
  4. Under “Private cluster”, select the checkbox for “Enable private endpoint”.
  5. Optionally, you can also enable “Private nodes” and “Private endpoint with DNS zone”.
  6. Click on “Save” to apply the changes.
By enabling private endpoint in GCP Kubernetes Engine, you are ensuring that your cluster is only accessible from a private IP address range and not from the public internet. This will help to protect your cluster from unauthorized access and potential security threats.

To remediate the misconfiguration “Private Cluster Should Be Enabled” for GCP using GCP CLI, follow the below steps:
  1. Open the GCP Console and navigate to the Google Kubernetes Engine (GKE) cluster that needs to be remediated.
  2. Open the Cloud Shell by clicking on the icon on the top right corner of the console.
  3. In the Cloud Shell, run the following command to enable private cluster: 
gcloud container clusters update [CLUSTER_NAME] --enable-private-nodes --master-ipv4-cidr [MASTER_CIDR] --enable-private-endpoint
Replace [CLUSTER_NAME] with the name of the GKE cluster that needs to be remediated and [MASTER_CIDR] with the IP range for the master node.
  1. If you want to enable private nodes for an existing cluster, run the following command:
gcloud container clusters update [CLUSTER_NAME] --enable-private-nodes
  1. If you want to enable private endpoint for an existing cluster, run the following command:
gcloud container clusters update [CLUSTER_NAME] --enable-private-endpoint
  1. Verify that the private endpoint is enabled by running the following command:
gcloud container clusters describe [CLUSTER_NAME] --format='get(privateClusterConfig.enablePrivateEndpoint)'
The output should be true.
  1. Verify that private nodes are enabled by running the following command:
gcloud container clusters describe [CLUSTER_NAME] --format='get(privateClusterConfig.enablePrivateNodes)'
The output should be true.By following the above steps, you can remediate the misconfiguration “Private Cluster Should Be Enabled” for GCP using GCP CLI.
To remediate the misconfiguration of “Private Cluster Should Be Enabled” in GCP using Python, you can follow the below steps:
  1. Import the necessary libraries:
from google.cloud import container_v1
from google.oauth2 import service_account
  1. Set up the credentials for authentication:
credentials = service_account.Credentials.from_service_account_file('path/to/service_account.json')
  1. Initialize the client for GCP Container API:
client = container_v1.ClusterManagerClient(credentials=credentials)
  1. Get the current state of the cluster:
cluster = client.get_cluster('projects/{project_id}/locations/{zone}/clusters/{cluster_name}')
  1. Check if the cluster is private:
if cluster.private_cluster_config.enable_private_nodes:
    print('Cluster is already private')
else:
    print('Cluster is not private')
  1. If the cluster is not private, enable private cluster:
cluster.private_cluster_config.enable_private_nodes = True
update_request = container_v1.UpdateClusterRequest(cluster=cluster, update_mask={'paths': ['private_cluster_config.enable_private_nodes']})
operation = client.update_cluster(update_request)
  1. Wait for the operation to complete:
operation.result()
By following these steps, you can remediate the misconfiguration of “Private Cluster Should Be Enabled” in GCP using Python.

Additional Reading: