🛡️ Google GKE Cluster Private Google Access is not enabled.🟢

Contextual name: 🛡️ Cluster Private Google Access is not enabled.🟢
ID: /ce/ca/google/gke/cluster-private-access
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 Google GKE Cluster
- 🔌 Google GKE Cluster - object.extracts.yaml
- 🔌 Google GCE Subnetwork - object.extracts.yaml
- 🧪 test-data.json

Description

Description

This policy identifies Google GKE clusters whose associated subnetwork is not configured with Private Google Access.

Private Google Access enables cluster nodes within a subnet to reach Google APIs and services using only internal IP addresses. This removes the requirement for nodes to have external IP addresses when performing tasks such as pulling container images from Artifact Registry or Container Registry (gcr.io), or interacting with other Google Cloud services.

Rationale

Enabling Private Google Access enhances the security posture of a GKE cluster by allowing nodes to operate without exposure to the public internet. Keeping traffic within Google’s network reduces the risk of unauthorized access and data exfiltration.

Audit

This policy marks a Google GKE Cluster as INCOMPLIANT if its associated GCE Subnetwork does not have Private Google Access Enabled.

Remediation

Open File

Remediation

To allow GKE cluster nodes to securely access Google APIs and services without exposure to the public internet, Private Google Access must be enabled on the cluster's subnetwork.

Enable Private Google Access

From gcloud CLI
```shell
gcloud compute networks subnets update {{subnet-name}} \
    --region={{region}}\
    --enable-private-ip-google-access
```

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 Cloudaware Framework → 💼 Secure Access			57	no data
💼 PCI DSS v3.2.1 → 💼 1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.	7	8	30	no data
💼 PCI DSS v4.0.1 → 💼 1.4.1 NSCs are implemented between trusted and untrusted networks.			19	no data
💼 PCI DSS v4.0 → 💼 1.4.1 NSCs are implemented between trusted and untrusted networks.		7	19	no data

Logic​

Description​

Description​

Rationale​

Audit​

Remediation​

Remediation​

Enable Private Google Access​

From gcloud CLI​

policy.yaml​

Linked Framework Sections​

Logic

Description

Description

Rationale

Audit

Remediation

Remediation

Enable Private Google Access

From gcloud CLI

policy.yaml

Linked Framework Sections