GCP GKE control plane exposed to internet
Description
AlphaSOC detected that a Google Kubernetes Engine (GKE) cluster's control plane
was configured for public internet access. This occurs when the public endpoint
is enabled without proper authorized network restrictions, or when the
authorized networks include 0.0.0.0/0 (allowing access from any IP address).
Impact
Exposing the GKE control plane to the internet significantly increases the attack surface. Anyone on the internet can attempt to authenticate to the Kubernetes API server, making the cluster vulnerable to brute force attacks, credential stuffing, and exploitation of any API server vulnerabilities. Successful compromise of the control plane grants full control over all workloads and data in the cluster.
Severity
| Severity | Condition |
|---|---|
| Medium | GKE control plane exposed publicly |
Investigation and Remediation
Review GCP audit logs for the
google.container.v1beta1.ClusterManager.UpdateCluster action to identify who
modified the cluster configuration. Examine the authorizedNetworksConfig to
determine the extent of exposure.
Immediately restrict access to the control plane by configuring authorized networks with specific CIDR ranges for your organization. Consider using private clusters with Private Google Access to eliminate public endpoint exposure entirely. Review cluster audit logs for any unauthorized access attempts during the exposure period.
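The two investigation steps above (inspect the authorized-network configuration, then find who ran UpdateCluster) as an added Python example, not AlphaSOC's own tooling: it flags a cluster description as exposed when the public endpoint is enabled with authorized networks disabled or containing 0.0.0.0/0, and pulls the principal out of audit-log entries. The field names (masterAuthorizedNetworksConfig, privateClusterConfig, protoPayload.methodName) are assumed from the GKE v1 API and Cloud Audit Logs, and the sample cluster and log entries are constructed.

```python
# Added example (not AlphaSOC code). Field names are assumed from the GKE v1 API
# and Cloud Audit Logs; all sample data below is constructed.
import ipaddress
import json


def exposed_control_plane(cluster: dict) -> list:
    """Return reasons the control plane is internet-reachable (empty list = no finding)."""
    # A private endpoint means there is no public IP to reach at all.
    if cluster.get("privateClusterConfig", {}).get("enablePrivateEndpoint", False):
        return []
    authz = cluster.get("masterAuthorizedNetworksConfig", {})
    if not authz.get("enabled", False):
        return ["public endpoint enabled with authorized networks disabled"]
    reasons = []
    for block in authz.get("cidrBlocks", []):
        # 0.0.0.0/0 (or ::/0) has prefix length 0 and admits every address.
        if ipaddress.ip_network(block["cidrBlock"], strict=False).prefixlen == 0:
            reasons.append(f"authorized network {block['cidrBlock']} allows any address")
    return reasons


def update_cluster_actors(entries: list) -> list:
    """List (timestamp, principal) for every UpdateCluster call in an audit-log export."""
    hits = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        # Suffix match covers both the v1 and v1beta1 method names.
        if payload.get("methodName", "").endswith("ClusterManager.UpdateCluster"):
            who = payload.get("authenticationInfo", {}).get("principalEmail")
            hits.append((entry.get("timestamp"), who))
    return hits


# Constructed: shaped like `gcloud container clusters describe NAME --format=json`.
SAMPLE_CLUSTER = json.loads("""{
  "name": "example-cluster",
  "privateClusterConfig": {"enablePrivateNodes": true, "enablePrivateEndpoint": false},
  "masterAuthorizedNetworksConfig": {"enabled": true, "cidrBlocks": [
    {"displayName": "office", "cidrBlock": "203.0.113.0/24"},
    {"displayName": "temporary", "cidrBlock": "0.0.0.0/0"}]}
}""")
# Constructed: shaped like `gcloud logging read ... --format=json` output.
SAMPLE_AUDIT_LOG = [
    {"timestamp": "2024-01-01T10:00:00Z", "protoPayload": {
        "methodName": "google.container.v1beta1.ClusterManager.UpdateCluster",
        "authenticationInfo": {"principalEmail": "admin@example.com"}}},
    {"timestamp": "2024-01-01T10:05:00Z", "protoPayload": {
        "methodName": "google.container.v1.ClusterManager.GetCluster",
        "authenticationInfo": {"principalEmail": "viewer@example.com"}}},
]
```

Run `exposed_control_plane` over the describe output of each cluster and `update_cluster_actors` over the exported log entries for the exposure window; a cluster with `enablePrivateEndpoint: true` produces no finding because it has no public endpoint to restrict.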