Ensure GKE clusters use private nodes / network isolation

GKE network isolation reduces exposure by keeping cluster nodes private and by controlling how administrators reach the control plane. Older guidance described this as a private cluster. Current GKE guidance frames this as network isolation, including private nodes, optional private control-plane access, and restricted public access where needed.

Category: Controls

Medium

Applies to: Google Cloud

Coverage: 1 query

Asset types: 1 covered

Rationale

Private nodes reduce the attack surface because nodes do not need public IP addresses. For sensitive environments, you should also review whether the control plane needs a public endpoint at all, whether authorized networks are enabled, and whether Cloud NAT or other egress paths are configured correctly.

Remediation guidance

Using Google Cloud Console

  1. Open Kubernetes Engine in Google Cloud Console.
  2. Select the affected cluster.
  3. Open Networking.
  4. Enable private nodes for the cluster.
  5. If your security standard requires it, also disable public control-plane access or restrict it with authorized networks.
  6. Ensure outbound access is handled through Cloud NAT or another approved egress path.

Using Command Line

For current GKE network isolation, enable private nodes:

gcloud container clusters update [CLUSTER_NAME] \
  --location [LOCATION] \
  --enable-private-nodes \
  --enable-ip-alias

If your standard requires the control plane to be internal only, create or update the cluster to use a private endpoint as well. Validate the resulting network isolation settings:

gcloud container clusters describe [CLUSTER_NAME] \
  --location [LOCATION] \
  --format='yaml(controlPlaneEndpointsConfig,privateClusterConfig,networkConfig)'

Important rollout note

In current GKE, cluster-level updates to private-node settings might only apply to new node pools. Existing node pools can require migration or recreation. Review the exact cluster mode and version before assuming this is an in-place fix.
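The describe command above prints the raw configuration, but whether a cluster actually meets the baseline depends on several fields together: the cluster-level private-node default, the private-node setting of every existing node pool (the rollout note is exactly why the cluster flag alone is not enough), and how the control-plane endpoint is exposed. The following script is an added example, not Cyscale's or Google's code. It parses the JSON form of the same describe call and reports findings; the field names assume the GKE v1 Cluster resource (privateClusterConfig, networkConfig, controlPlaneEndpointsConfig, masterAuthorizedNetworksConfig, nodePools[].networkConfig), and the sample cluster is constructed for illustration.

```python
"""Evaluate GKE network-isolation settings from `gcloud container clusters describe`.

Added example (not Cyscale's or Google's code). It reads the JSON that the
describe command in the remediation guidance emits and applies a stricter test
than "is privateClusterConfig present": private nodes per node pool, control-plane
endpoint exposure, and authorized networks. Field names are assumed to follow
the GKE v1 Cluster resource; the sample cluster below is constructed.
"""
import json
import subprocess


def describe_cluster(name: str, location: str) -> dict:
    """Fetch a cluster as JSON with the same describe call as the remediation step."""
    result = subprocess.run(
        ["gcloud", "container", "clusters", "describe", name,
         "--location", location, "--format=json"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(result.stdout)


def assess_isolation(cluster: dict) -> list:
    """Return findings against the baseline; an empty list means compliant."""
    findings = []
    pcc = cluster.get("privateClusterConfig") or {}
    net = cluster.get("networkConfig") or {}
    ip_ep = (cluster.get("controlPlaneEndpointsConfig") or {}).get("ipEndpointsConfig") or {}

    # 1. Private nodes. The cluster-level flag (legacy privateClusterConfig or the
    #    newer networkConfig default) is only a default: an update may leave
    #    existing node pools with public IPs, so every pool is checked as well.
    cluster_private = bool(pcc.get("enablePrivateNodes")) or bool(net.get("defaultEnablePrivateNodes"))
    if not cluster_private:
        findings.append("private nodes not enabled at cluster level")
    for pool in cluster.get("nodePools") or []:
        pool_private = (pool.get("networkConfig") or {}).get("enablePrivateNodes", cluster_private)
        if not pool_private:
            findings.append(f"node pool {pool.get('name')!r} still has public node IPs")

    # 2. Control-plane exposure. Prefer the current controlPlaneEndpointsConfig
    #    field; fall back to the legacy enablePrivateEndpoint flag when absent.
    public_endpoint = ip_ep.get("enablePublicEndpoint")
    if public_endpoint is None:
        public_endpoint = not pcc.get("enablePrivateEndpoint", False)
    if public_endpoint:
        authz = (ip_ep.get("authorizedNetworksConfig")
                 or cluster.get("masterAuthorizedNetworksConfig") or {})
        cidrs = [b.get("cidrBlock") for b in authz.get("cidrBlocks") or []]
        if not authz.get("enabled"):
            findings.append("public control-plane endpoint without authorized networks")
        elif "0.0.0.0/0" in cidrs:
            findings.append("authorized networks allow 0.0.0.0/0, which is no restriction")
    return findings


# Constructed sample: private nodes were enabled at cluster level, but one pool
# predates the change and was never recreated.
SAMPLE_CLUSTER = {
    "name": "example-cluster",
    "privateClusterConfig": {"enablePrivateNodes": True, "enablePrivateEndpoint": False},
    "masterAuthorizedNetworksConfig": {
        "enabled": True, "cidrBlocks": [{"cidrBlock": "10.0.0.0/8", "displayName": "corp"}]},
    "nodePools": [
        {"name": "default-pool", "networkConfig": {"enablePrivateNodes": True}},
        {"name": "legacy-pool", "networkConfig": {"enablePrivateNodes": False}},
    ],
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: python gke_isolation_check.py CLUSTER_NAME LOCATION
        cluster = describe_cluster(sys.argv[1], sys.argv[2])
    else:
        cluster = SAMPLE_CLUSTER
    for finding in assess_isolation(cluster) or ["compliant with the network-isolation baseline"]:
        print(f"{cluster.get('name')}: {finding}")
```

Run it with a cluster name and location to evaluate a live cluster, or with no arguments to see the constructed sample flagged for its stale node pool. Treat an empty findings list as "meets this baseline", not as proof that egress is correct: Cloud NAT and other egress paths are not visible in the cluster resource and still need a separate check.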

Better platform fix

For regulated or internet-exposed environments, define a standard network-isolation baseline: private nodes by default, explicit control-plane access rules, Cloud NAT for egress, and authorized networks if IP-based endpoints remain enabled.

References

  1. https://cloud.google.com/kubernetes-engine/docs/concepts/network-isolation
  2. https://cloud.google.com/kubernetes-engine/docs/how-to/latest/network-isolation
  3. https://cloud.google.com/kubernetes-engine/docs/how-to/legacy/network-isolation

Service-wide remediation

Recommended when many resources are affected: remediate the cluster networking baseline once, not cluster by cluster.

Update landing-zone templates and GKE modules so new clusters use the approved network-isolation model by default.

Operational rollout

  1. Confirm Shared VPC, Private Google Access, and Cloud NAT prerequisites first.
  2. Migrate non-production clusters before production clusters.
  3. Re-scan after the node-pool changes have completed.

Query logic

These are the stored checks tied to this control.

Kubernetes Cluster is created with Private cluster enabled

Connectors

Google Cloud

Covered asset types

Cluster

Expected check: eq []

gkeClusters(where:{privateClusterConfig:null}){...AssetFragment}
© 2026 Cyscale Limited