Private cluster disabled

이 제품은 선택한 Datadog 사이트에서 지원되지 않습니다. ().
이 페이지는 아직 한국어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Metadata

Id: 3b30e3d6-c99b-4318-b38f-b99db74578b5

Cloud Provider: GCP

Platform: Ansible

Severity: Medium

Category: Insecure Configurations

Learn More

Description

GKE clusters must be configured as private to avoid exposing the control plane endpoint and worker nodes to the public internet. Public exposure increases the risk of unauthorized access and lateral movement.

For Ansible resources using google.cloud.gcp_container_cluster or gcp_container_cluster, the private_cluster_config property must be defined with enable_private_endpoint and enable_private_nodes set to true. Resources missing private_cluster_config, missing either attribute, or with either attribute set to false are flagged.

Secure Ansible configuration example:

- name: Create private GKE cluster
  google.cloud.gcp_container_cluster:
    name: my-cluster
    location: us-central1
    private_cluster_config:
      enable_private_nodes: true
      enable_private_endpoint: true

Compliant Code Examples

- name: create a cluster
  google.cloud.gcp_container_cluster:
    name: my-cluster
    initial_node_count: 2
    master_auth:
      username: cluster_admin
      password: my-secret-password
    node_config:
      machine_type: n1-standard-4
      disk_size_gb: 500
    location: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: /tmp/auth.pem
    state: present
    private_cluster_config:
      enable_private_endpoint: yes
      enable_private_nodes: yes

Non-Compliant Code Examples

- name: create a cluster1
  google.cloud.gcp_container_cluster:
    name: my-cluster1
    initial_node_count: 2
    master_auth:
      username: cluster_admin
      password: my-secret-password
    node_config:
      machine_type: n1-standard-4
      disk_size_gb: 500
    location: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
- name: create a cluster2
  google.cloud.gcp_container_cluster:
    name: my-cluster2
    initial_node_count: 2
    master_auth:
      username: cluster_admin
      password: my-secret-password
    node_config:
      machine_type: n1-standard-4
      disk_size_gb: 500
    location: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    private_cluster_config:
      enable_private_endpoint: yes
- name: create a cluster3
  google.cloud.gcp_container_cluster:
    name: my-cluster3
    initial_node_count: 2
    master_auth:
      username: cluster_admin
      password: my-secret-password
    node_config:
      machine_type: n1-standard-4
      disk_size_gb: 500
    location: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    private_cluster_config:
      enable_private_nodes: yes
- name: create a cluster4
  google.cloud.gcp_container_cluster:
    name: my-cluster4
    initial_node_count: 2
    master_auth:
      username: cluster_admin
      password: my-secret-password
    node_config:
      machine_type: n1-standard-4
      disk_size_gb: 500
    location: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    private_cluster_config:
      enable_private_endpoint: no
      enable_private_nodes: yes
- name: create a cluster5
  google.cloud.gcp_container_cluster:
    name: my-cluster5
    initial_node_count: 2
    master_auth:
      username: cluster_admin
      password: my-secret-password
    node_config:
      machine_type: n1-standard-4
      disk_size_gb: 500
    location: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    private_cluster_config:
      enable_private_endpoint: yes
      enable_private_nodes: no