GCP Kubernetes Engine Clusters not configured with private nodes feature
Description
Disable public IP addresses for cluster nodes, so that they only have private IP addresses. Private Nodes are nodes with no public IP addresses. Disabling public IP addresses on cluster nodes restricts access to only internal networks, forcing attackers to obtain local network access before attempting to compromise the underlying Kubernetes hosts.
Code Example
go
resource "google_container_cluster" "example" {
name = var.name
location = var.location
project = data.google_project.project.name
+ private_cluster_config {
+ enable_private_nodes = var.private_cluster_config["enable_private_nodes"]
+ enable_private_endpoint = var.private_cluster_config["enable_private_endpoint"]
+ master_ipv4_cidr_block = var.private_cluster_config["master_ipv4_cidr_block"]
+ }Remediation
Terraform
- Resource: google_container_cluster
- Arguments: private_cluster_config
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0923 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_GCP_64 |