We recently received helpful information through the Vulnerability Rewards Program for Authorized Networks and Cloud Run/Functions on Google Kubernetes Engine (GKE). Based on that information, we updated our product documentation and prioritized a plan to make engineering changes to GKE to restrict access to only GKE-related services. Those changes will roll out automatically to over 99% of our GKE customers by late August, and we will proactively reach out to the remaining customers to work on migration issues together.

Our existing firewall rules allow the Kubernetes API server’s IP address to be reachable from the Cloud Run and Cloud Functions services. However, even with this access, calls to the API still need to be authenticated and authorized using either Google Identity and Access Management or GKE role-based access control. To further improve security, we will soon limit that access to GKE-related services and block access from Cloud Run and Cloud Functions.

We plan to take the following steps:

  • Migrate core GKE services that communicate with the API server onto a dedicated set of IP addresses.
  • Notify customers that currently rely on being able to communicate from other cloud services to the Kubernetes API server that the access will be removed (approximately 1% of clusters). We will provide instructions to migrate to a new solution and allowlist existing customer usage to give them time to migrate.
  • Remove the existing firewall rule and introduce a targeted rule allowing only the dedicated set of IP addresses belonging to the core GKE services.

Once these steps are complete, 99% of private clusters won’t be accessible from Cloud Run or Cloud Functions, with no action required from those customers. The remaining 1% will migrate on their own timeline as those customers need time to move their access to new solutions. Public clusters (where nodes have public IPs) will continue to be accessible from Google Cloud IPs as this is necessary for those nodes to communicate with the API server.

To access the GKE API server from serverless environments such as Cloud Run and Cloud Functions, customers can use Serverless VPC Access and connect through its private IP address. For customers who already access their GKE API server using this method, no further action is required.*

We look forward to continuing to work with all our partners and customers, and the research community, to advance security for everyone.

*This blog was edited on June 17, 2022 to provide additional customer guidance on their use of Serverless VPC Access



By: Mahesh Narayanan (Product Manager, GKE) and Greg Castle (Security Engineer, GKE Security)
Source: Google Cloud Blog

Previous Security Insights From Chrome Browser Delivered With Splunk
Next Package Management For Debian/Ubuntu Operating Systems On Google Cloud