
I've just started using Google Kubernetes Engine (GKE) and I love it.

I spent some time getting an Internal Load Balancer working so my app has a 10.128.0.0/16 IP.

Now I am wondering, can I remove the external IP from my cluster?

All I am finding is that Google requires the external IP on the cluster and that it can't be removed. Does anyone have any experience with this?

I'm working with health data and I'm hesitant to deploy a production application into a cluster with an external IP. I think that the firewall on my project provides enough protection, but I just feel wrong having a system with an external IP if I intend to put individual health data into it. If you don't know the answer to the "can I remove the external IP from my cluster?" question, I would love to get some comments on that. I see GKE is a Covered Product in Google's HIPAA Compliance documentation.

Mike

2 Answers


Google Kubernetes Engine has a beta feature called Master Authorized Networks that allows you to restrict traffic to the IP of your hosted Kubernetes control plane by CIDR blocks. Note that GCE public IPs will still be able to access your cluster endpoint, so it isn't as good as fully private clusters but it is much better than having the IP available to the entire internet.

Robert Bailey
  • Thank you, Robert. Is there any hope of achieving "fully private clusters" or is this the best I can do? What risk am I taking by letting Google Compute Engine public IPs and Google prod IPs access the cluster? Can someone else using GCE access my cluster's endpoint? – Mike Dec 04 '17 at 13:29
  • You can't create fully private GKE clusters (if you want to run a different installer on Google Cloud then you can), which means you are unfortunately waiting for Google to release fully private clusters as a feature of GKE. – Robert Bailey Dec 04 '17 at 23:55
  • Restricting access to your cluster endpoint is defense in depth. Even exposed, it is restricted by access controls and credentials that are unique to your cluster. But if there were to be a zero-day vulnerability, having restricted access is much better than wide open access. I'd also recommend disabling basic auth, because I think it is easier to crack a basic auth password via brute force guessing than to spoof a Google identity or spoof a client certificate that appears signed by the cluster certificate authority. – Robert Bailey Dec 04 '17 at 23:58
  • The caveat means that requests coming from Google prod IPs and GCE IPs won't be rejected *before* they reach the cluster's apiserver (e.g. dropped by the network itself). They will still be rejected by the apiserver unless proper client credentials are passed. So any packets coming from GCE will reach your apiserver, but unless those packets contain valid credentials the apiserver will reject them. – Robert Bailey Dec 04 '17 at 23:59
  • Ok, thanks for this answer Robert! Can't do "fully private clusters" today but there are some security measures I can take. I ended up finding this post which I think touches on what you're suggesting: https://cloudplatform.googleblog.com/2017/11/precious-cargo-securing-containers-with-Kubernetes-Engine-18.html – Mike Dec 06 '17 at 15:41
  • Yes, that post is excellent. – Robert Bailey Dec 07 '17 at 05:15
  • Still, was hoping there was a way to keep it private, having the same issue with Cloud SQL. I had a server with a very specific version of MySQL and it totally blew up when I tried to install the cloud sql proxy... :( – Mike Dec 07 '17 at 15:15

It is now possible to create a private Kubernetes cluster on GKE.

The master is inaccessible from the public internet by default and your nodes do not have any public IP addresses.

You still need to access the master, otherwise your cluster will be useless :) For that reason you need to add master authorized networks, where you assign one or more public IP addresses that are allowed to connect to the master instance.

  • Great! Thanks @erik-z. Hopefully Terraform supports this soon :) – Mike Apr 06 '18 at 12:19
  • Actually, looks like it has: https://github.com/terraform-providers/terraform-provider-google/pull/1250 – Mike Apr 06 '18 at 12:19
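Putting both answers together (private nodes from the second answer, master authorized networks from the first), here is an added Terraform example of what such a cluster looks like in the Google provider; it is not code from either answer or from the linked pull request, it assumes a recent provider version, and the project, region, network, subnet, cluster name and CIDR values are placeholders.

```hcl
# Added example (not from the question or answers above): a GKE cluster whose
# nodes have no public IPs and whose control-plane endpoint only accepts
# connections from the listed CIDR blocks. All names and ranges are placeholders.

resource "google_container_cluster" "private" {
  name       = "health-data-cluster"   # placeholder name
  location   = "us-central1"           # placeholder region
  network    = "my-vpc"                # placeholder VPC name
  subnetwork = "my-subnet"             # placeholder subnet name

  # Node pools are managed separately below; drop the default pool.
  remove_default_node_pool = true
  initial_node_count       = 1

  # Private clusters must be VPC-native (alias IP ranges).
  ip_allocation_policy {}

  private_cluster_config {
    # Nodes receive only internal addresses.
    enable_private_nodes = true
    # false keeps a public control-plane endpoint that the authorized
    # networks below filter. Setting it to true removes the public endpoint
    # entirely, in which case the authorized networks must be internal
    # (RFC 1918) ranges reachable from inside the VPC.
    enable_private_endpoint = false
    # /28 reserved for the control plane's peered range.
    master_ipv4_cidr_block = "172.16.0.0/28"
  }

  master_authorized_networks_config {
    # Only these sources may reach the endpoint. A cidr_block of 0.0.0.0/0
    # here would silently recreate the wide-open exposure the question
    # is worried about.
    cidr_blocks {
      cidr_block   = "203.0.113.0/24"   # placeholder: office egress range
      display_name = "office"
    }
  }
}

resource "google_container_node_pool" "primary" {
  name       = "primary"
  location   = google_container_cluster.private.location
  cluster    = google_container_cluster.private.name
  node_count = 3

  node_config {
    machine_type = "n1-standard-2"
  }
}
```

After `terraform apply`, `gcloud container clusters describe` on the cluster should show no external node addresses and only the listed block under master authorized networks; the caveat from the first answer still applies to a public endpoint, so credentials and disabled basic auth remain the real gate.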