lacework-global-797
Create clusters with Private Endpoint Enabled and Public Access Disabled (Automated)
Description
Disable access to the Kubernetes API from outside the node network if it is not required.
Remediation
Note: Lacework does not support Autopilot mode clusters, so the remediation only considers the standard mode cluster option.
A cluster that was created without Private Endpoint enabled cannot be remediated in place. Rather, you must recreate the cluster.
Using Google Cloud Console:
- Go to Kubernetes Engine by visiting: https://console.cloud.google.com/kubernetes/list.
- Click CREATE CLUSTER, and choose CONFIGURE for the Standard mode cluster.
- Configure the cluster as required, then click Networking under CLUSTER in the navigation pane.
- Under IPv4 network access, click the Private cluster radio button.
- Uncheck the Access control plane using its external IP address checkbox.
- In the Control plane IP range textbox, provide an IP range for the control plane.
- Configure the other settings as required, and click CREATE.
Using Command Line:
Create a cluster with a Private Endpoint enabled and Public Access disabled by including the --enable-private-endpoint flag within the cluster create command:
gcloud container clusters create <cluster_name> --enable-private-endpoint --enable-private-nodes --enable-ip-alias --master-ipv4-cidr=<master_cidr_range>
Setting --enable-private-endpoint also requires --enable-private-nodes, --enable-ip-alias and --master-ipv4-cidr=<master_cidr_range>, so the command above includes all four flags.
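As an added example (not part of this Lacework policy page), the following Python check evaluates the JSON output of gcloud container clusters describe <cluster_name> --format=json against this control and reports which of the prerequisite flags the cluster is missing. The privateClusterConfig and ipAllocationPolicy field names are assumed from the GKE v1 API, and the two cluster descriptions are constructed samples.

```python
"""Audit GKE cluster descriptions for the private-endpoint control."""
import json

# Constructed sample of `gcloud container clusters describe <name> --format=json`
# output, reduced to the fields this check reads (assumed GKE v1 API field names).
SAMPLE_COMPLIANT = json.dumps({
    "name": "prod-private",
    "privateClusterConfig": {
        "enablePrivateNodes": True,
        "enablePrivateEndpoint": True,
        "masterIpv4CidrBlock": "172.16.0.0/28",
    },
    "ipAllocationPolicy": {"useIpAliases": True},
})

# Constructed sample: private nodes, but the control plane endpoint is still public
# and no control plane CIDR was set.
SAMPLE_NONCOMPLIANT = json.dumps({
    "name": "dev-public",
    "privateClusterConfig": {"enablePrivateNodes": True},
    "ipAllocationPolicy": {"useIpAliases": True},
})


def audit_private_endpoint(describe_json: str) -> dict:
    """Return a finding: compliant flag plus the reasons the cluster failed, if any.

    The control passes only when privateClusterConfig.enablePrivateEndpoint is
    true (private endpoint on, public access off). The prerequisites the page
    lists (private nodes, IP aliases, a control plane CIDR) are reported as well,
    mapped back to the gcloud flag that would have set them at creation time.
    """
    cluster = json.loads(describe_json)
    pcc = cluster.get("privateClusterConfig") or {}
    reasons = []
    if not pcc.get("enablePrivateEndpoint", False):
        reasons.append("control plane reachable over public endpoint")
    if not pcc.get("enablePrivateNodes", False):
        reasons.append("nodes have public IPs (--enable-private-nodes missing)")
    if not pcc.get("masterIpv4CidrBlock"):
        reasons.append("no control plane IPv4 range (--master-ipv4-cidr missing)")
    if not (cluster.get("ipAllocationPolicy") or {}).get("useIpAliases", False):
        reasons.append("VPC-native networking disabled (--enable-ip-alias missing)")
    return {"cluster": cluster.get("name"), "compliant": not reasons, "reasons": reasons}


if __name__ == "__main__":
    for sample in (SAMPLE_COMPLIANT, SAMPLE_NONCOMPLIANT):
        print(json.dumps(audit_private_endpoint(sample)))
```

Because a public endpoint cannot be switched off after creation, a non-compliant finding here means the cluster has to be rebuilt with the full flag set shown above.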
References
https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters