Ensure Private Google Access is set on Kubernetes Engine Cluster Subnets

Using Console

1. Go to Kubernetes GCP Console visiting https://console.cloud.google.com/kubernetes/list
2. From the list of clusters, for each clusters note the Subnet name
3. Go to VPC network GCP Console visiting https://console.cloud.google.com/networking/networks/list
4. Click noted subnet, The Subnet details page is displayed
5. Click on Edit button
6. Set Private Google access to On
7. Click on Save

Using Command Line

To set Private Google access for a network subnet, run the following command:

gcloud compute networks subnets update \[SUBNET_NAME\] --region \[REGION\] --enable-private-ip-google-access

Impact

Instances with external IP addresses are not affected when you enable the ability to access Google services from internal IP addresses. These instances can still connect to Google APIs and managed services.

Default Value

By default, Private Google access is set to Off when you create a new cluster/cluster subnetwork.

References

1. https://cloud.google.com/vpc/docs/configure-private-google-access
2. https://cloud.google.com/vpc/docs/private-google-access

Service-wide remediation

Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.

Google Cloud

Use organization or folder policies where available, shared project templates, logs and alerting baselines, and IaC modules so new resources inherit the secure setting.

Operational rollout

1. Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
2. Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
3. Re-scan and track approved exceptions with an owner and expiry date.