lacework-global-797

Create clusters with Private Endpoint Enabled and Public Access Disabled (Automated)

Description

Disable access to the Kubernetes API from outside the node network if it is not required.

Remediation

Note: Lacework does not support Autopilot mode clusters, so the remediation only considers the standard mode cluster option.

A cluster that was created without the private endpoint enabled cannot be remediated in place. Rather, you must recreate the cluster.

Using Google Cloud Console:

  1. Go to Kubernetes Engine by visiting: https://console.cloud.google.com/kubernetes/list.
  2. Click CREATE CLUSTER, and choose CONFIGURE for the Standard mode cluster.
  3. Configure the cluster as required then click Networking under CLUSTER in the navigation pane.
  4. Under IPv4 network access, click the Private cluster radio button.
  5. Uncheck the Access control plane using its external IP address checkbox.
  6. In the Control plane IP range textbox, provide an IP range for the control plane.
  7. Configure the other settings as required, and click CREATE.

Using Command Line:

Create a cluster with a Private Endpoint enabled and Public Access disabled by including the --enable-private-endpoint flag within the cluster create command:

gcloud container clusters create <cluster_name> --enable-private-endpoint

Setting this flag also requires --enable-private-nodes, --enable-ip-alias and --master-ipv4-cidr=<master_cidr_range> on the same command.
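As an added example (not Lacework's code), a Python check that reads the JSON emitted by gcloud container clusters describe --format=json, reports which of the flags above a cluster is missing, and, since a non-compliant cluster cannot be fixed in place, prints the create command to recreate it. The cluster records are constructed, and --zone is a standard gcloud flag not mentioned on this page.

```python
import json
# Constructed sample in the shape `gcloud container clusters describe --format=json`
# emits (only the fields this check reads); names, zones and CIDRs are made up.
SAMPLE_CLUSTERS = json.loads("""[
 {"name": "prod-private", "zone": "us-central1-a",
  "ipAllocationPolicy": {"useIpAliases": true},
  "privateClusterConfig": {"enablePrivateNodes": true, "enablePrivateEndpoint": true,
                           "masterIpv4CidrBlock": "172.16.0.32/28"}},
 {"name": "dev-public-cp", "zone": "us-central1-a",
  "ipAllocationPolicy": {"useIpAliases": true},
  "privateClusterConfig": {"enablePrivateNodes": true, "enablePrivateEndpoint": false,
                           "masterIpv4CidrBlock": "172.16.0.0/28",
                           "publicEndpoint": "203.0.113.10"}},
 {"name": "legacy-routes", "zone": "us-central1-a"}
]""")

def check_private_endpoint(cluster):
    """Findings for this control (empty list = compliant); each names the create flag that prevents it."""
    pcc = cluster.get("privateClusterConfig") or {}
    vpc_native = (cluster.get("ipAllocationPolicy") or {}).get("useIpAliases", False)
    findings = []
    if not pcc.get("enablePrivateEndpoint"):
        findings.append("control plane has a public endpoint (--enable-private-endpoint)")
    if not pcc.get("enablePrivateNodes"):
        findings.append("nodes get external IPs (--enable-private-nodes)")
    if not vpc_native:
        findings.append("cluster is not VPC-native (--enable-ip-alias)")
    if not pcc.get("masterIpv4CidrBlock"):
        findings.append("no control plane IP range (--master-ipv4-cidr)")
    return findings

def recreate_command(name, zone, master_cidr):
    """The create command from the remediation: a non-compliant cluster is recreated, not edited."""
    return ("gcloud container clusters create {} --zone {} --enable-private-endpoint "
            "--enable-private-nodes --enable-ip-alias --master-ipv4-cidr={}"
            ).format(name, zone, master_cidr)

def audit(clusters):
    """Map cluster name -> findings, printing a recreate command for each failing cluster."""
    report = {}
    for c in clusters:
        report[c["name"]] = findings = check_private_endpoint(c)
        if findings:
            cidr = (c.get("privateClusterConfig") or {}).get("masterIpv4CidrBlock", "<master_cidr_range>")
            print("{}: {}\n  recreate: {}".format(c["name"], "; ".join(findings),
                  recreate_command(c["name"], c.get("zone", "<zone>"), cidr)))
    return report

audit(SAMPLE_CLUSTERS)
```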

References

https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters