Google Kubernetes Engine (GKE) has launched a new DNS-based endpoint that gives more flexibility in how the cluster control plane is reached, and how that access is secured, for Kubernetes API requests. The endpoint is available on every cluster regardless of version or cluster configuration. GKE has historically provided two primary methods for securing its control plane: authorized networks and disabling the public endpoint. IP address-based authorized network lists are prone to human configuration error, and any static allowlist based on IP ranges has to be edited every time the network layout changes. The new DNS-based endpoint instead resolves to a frontend that is reachable from any network that can reach Google Cloud APIs.
Using the DNS-based endpoint eliminates the need for a bastion host or proxy nodes. Authorised users can reach the control plane from any network location without prior network configuration, and there are no restrictions on traffic transiting multiple VPCs. Access is gated by IAM policy, so only authorised principals can use the control plane regardless of where they connect from.
The DNS-based endpoint provides two security layers: IAM policies and VPC Service Controls. The IAM layer follows the same model used for all Google Cloud API access, so only principals that have been granted the required permission can reach the cluster control plane at all. This check governs who may reach the endpoint; what an authenticated caller may then do inside the cluster is still decided by Kubernetes RBAC.
VPC Service Controls work in conjunction with the IAM policies to provide context-aware access control based on request attributes such as network origin, preventing unauthorised access to Google Cloud resources inside the service perimeter. VPC Service Controls also integrate with Cloud Audit Logs, so access to the control plane can be monitored.
Configuring DNS-based access for the GKE cluster control plane is straightforward. A new cluster can be created with the `--enable-dns-access` flag on `gcloud container clusters create`, and an existing cluster can be switched on with the same flag on `gcloud container clusters update`. The remaining step is to grant the principals that need access the appropriate IAM permission via IAM policy bindings.
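The procedure above, as an added example script that is not part of the original announcement or Google's own documentation: it enables DNS-based access on an existing cluster, grants a principal the IAM role assumed to carry the permission the endpoint checks, points `kubectl` at the DNS endpoint, and then verifies that the kubeconfig really targets a `*.gke.goog` hostname rather than the old IP-based endpoint. The project, cluster, location and principal values are placeholders; `roles/container.clusterViewer` is assumed here to be the narrowest predefined role that lets a caller connect (verify against current GKE documentation), and `DRY_RUN=1` prints the `gcloud` commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example: enable the GKE DNS-based control plane endpoint and verify kubectl uses it.
# Assumes gcloud and kubectl are installed and authenticated. All values below are placeholders.
set -eu

PROJECT="${PROJECT:-my-project}"                 # placeholder project ID
CLUSTER="${CLUSTER:-my-cluster}"                 # placeholder cluster name
LOCATION="${LOCATION:-us-central1}"              # placeholder region or zone
MEMBER="${MEMBER:-user:alice@example.com}"       # placeholder IAM principal
DRY_RUN="${DRY_RUN:-0}"                          # 1 = print commands instead of running them

# Run a command, or print it when DRY_RUN=1 so the plan can be reviewed first.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s ' "$@"
    printf '\n'
  else
    "$@"
  fi
}

# Step 1: turn on the DNS-based endpoint for an existing cluster.
# (The same flag works on `gcloud container clusters create` for a new cluster.)
enable_dns_access() {
  run gcloud container clusters update "$CLUSTER" \
    --location "$LOCATION" --project "$PROJECT" --enable-dns-access
}

# Step 2: IAM gates who may reach the endpoint at all. Kubernetes RBAC still
# decides what the caller can do once authenticated. The role here is an
# assumption about the minimal predefined role; a custom role scoped to the
# connect permission is the least-privilege alternative.
grant_connect_role() {
  run gcloud projects add-iam-policy-binding "$PROJECT" \
    --member "$MEMBER" --role roles/container.clusterViewer
}

# Step 3: read back the DNS endpoint GKE assigned to the cluster.
show_dns_endpoint() {
  run gcloud container clusters describe "$CLUSTER" \
    --location "$LOCATION" --project "$PROJECT" \
    --format='value(controlPlaneEndpointsConfig.dnsEndpointConfig.endpoint)'
}

# Step 4: write a kubeconfig entry that uses the DNS endpoint, not the IP one.
fetch_credentials() {
  run gcloud container clusters get-credentials "$CLUSTER" \
    --location "$LOCATION" --project "$PROJECT" --dns-endpoint
}

# Returns 0 when a kubeconfig server URL is a GKE DNS-based endpoint
# (hostnames of the form gke-<id>.<location>.gke.goog), 1 otherwise.
is_dns_endpoint() {
  case "$1" in
    https://gke-*.gke.goog) return 0 ;;
    *) return 1 ;;
  esac
}

# Step 5: fail loudly if the active context still points at an IP address,
# which would mean the old IP-based endpoint is what kubectl actually talks to.
verify_kubeconfig() {
  server=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
  if is_dns_endpoint "$server"; then
    echo "ok: kubectl targets DNS-based endpoint $server"
  else
    echo "error: kubectl targets $server, not a DNS-based endpoint" >&2
    return 1
  fi
}

main() {
  enable_dns_access
  grant_connect_role
  show_dns_endpoint
  fetch_credentials
  verify_kubeconfig
}

# Only apply changes when explicitly asked: `./gke-dns-endpoint.sh apply`
if [ "${1:-}" = "apply" ]; then
  main
fi
```

Run with `DRY_RUN=1 ./gke-dns-endpoint.sh apply` first to review the exact `gcloud` invocations, then without `DRY_RUN` to apply them. The final check matters because `get-credentials` without `--dns-endpoint` silently writes the IP-based server URL, and a kubeconfig that still carries that URL is not protected by the IAM and VPC Service Controls layers described above.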
The DNS-based endpoint offers more flexibility in managing the security of cluster control planes. A bastion host and proxies are no longer necessary, which simplifies control plane access for authorised users.
The IP-based endpoint remains available, so existing clients can keep their current access path while new clients adopt the DNS-based endpoint. Support for the IP-based endpoint is set to be phased out over time, whereas the DNS-based endpoint will remain available regardless of cluster version or configuration.