Do GKE clusters need a bastion host?
I'm hosting my frontend & backend servers with GKE (Google Kubernetes Engine) with private nodes in a default VPC network like this:
```bash
# Autopilot cluster whose nodes get only internal IPs, placed in the default VPC
gcloud beta container clusters create-auto my-production-cluster \
  --enable-private-nodes \
  --network "projects/$PROJECT_ID/global/networks/default" \
  --subnetwork "projects/$PROJECT_ID/regions/$_GKE_LOCATION/subnetworks/default" \
  --cluster-ipv4-cidr "/17" \
  --services-ipv4-cidr "/22"
```
I ssh into pods using kubectl like this:
```bash
# fetch kubeconfig credentials for the cluster, then open a shell in a pod
gcloud container clusters get-credentials my-production-cluster
kubectl exec --stdin --tty my-pod-abcd-xyz -- bash
```
So my questions are:
- Is that safe? Can hackers access our cluster & pods somehow?
- If it's not safe, what should I do to improve it?
- Does a bastion host provide any benefit in my case? AFAIK it doesn't, because the cluster exposes only the ports that I specify (ingress & load balancer). I only specify port 80 for Cloudflare HTTPS mapping.
Solution 1:[1]
It's a best practice to deploy a private cluster. That means the control plane and the workers are private and have no public IP, so there is no public access and hackers from the internet can't reach them.
If you want to access that internal resource, you must be in the internal network. A common way is to have a bastion with one leg in the public network and another in the internal network.
Another solution, if you want to interact with the control plane, is to use authorized networks to whitelist some IPs allowed to access the control plane. I don't like that solution, but it exists!
In terms of security, yes, it's safer to keep your internal resources internal, but even in case of public exposure you must have authorized credentials to access your control plane. It's an additional layer of security!
Then, for your services, you can expose them externally through the Load Balancer and Ingress config in K8S. No bastion is required for the services.
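Solution 1 names two pieces: an authorized-network allow-list on the control plane and a bastion as the only way into the internal network. The shell script below is an added example, not code from the question or from either answer, that ties both together for the private Autopilot cluster in the question: the control plane endpoint accepts only the bastion's internal address, the bastion itself has no external IP and is reachable only through Identity-Aware Proxy TCP forwarding, and kubectl traffic is carried over an IAP SSH tunnel. Project, region, zone, bastion name and every IP address are placeholders; the CIDR validator and the `DRY_RUN` switch are this example's own additions. With `DRY_RUN=1` (the default) it prints the gcloud commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original question or answers): lock down the
# control plane of the private cluster from the question and reach it only
# through a bastion with no external IP, over an IAP SSH tunnel.
# All names, regions and addresses below are placeholders/assumptions.

PROJECT_ID="${PROJECT_ID:-my-project}"          # placeholder
REGION="${REGION:-us-central1}"                 # placeholder
ZONE="${ZONE:-us-central1-a}"                   # placeholder
CLUSTER="${CLUSTER:-my-production-cluster}"     # cluster name used in the question
BASTION="${BASTION:-gke-bastion}"               # hypothetical instance name
BASTION_CIDR="${BASTION_CIDR:-10.128.0.5/32}"   # assumed internal IP of the bastion
IAP_RANGE="35.235.240.0/20"                     # Google's published IAP TCP-forwarding source range
DRY_RUN="${DRY_RUN:-1}"                         # 1 = print commands, 0 = execute them

# Execute a command, or just print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Return 0 only for a well-formed IPv4 CIDR (a.b.c.d/n, octets 0-255, n 0-32).
# Fails closed before an allow-list entry is handed to gcloud.
validate_cidr() {
  cidr="$1"
  case "$cidr" in
    */*) ;;
    *) return 1 ;;
  esac
  ip="${cidr%/*}"
  prefix="${cidr#*/}"
  case "$prefix" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$prefix" -le 32 ] || return 1
  case "$ip" in
    ''|*..*|.*|*.) return 1 ;;
  esac
  old_ifs="$IFS"; IFS=.
  set -- $ip
  IFS="$old_ifs"
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in
      ''|*[!0-9]*) return 1 ;;
    esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# 1. Restrict the control plane endpoint to an allow-list holding only the
#    bastion's internal address; other sources are refused before authn/authz.
restrict_control_plane() {
  validate_cidr "$BASTION_CIDR" || { echo "invalid CIDR: $BASTION_CIDR" >&2; return 1; }
  run gcloud container clusters update "$CLUSTER" \
    --project "$PROJECT_ID" --region "$REGION" \
    --enable-master-authorized-networks \
    --master-authorized-networks "$BASTION_CIDR"
}

# 2. Create a bastion with no external IP (--no-address), reachable only via IAP.
create_bastion() {
  run gcloud compute instances create "$BASTION" \
    --project "$PROJECT_ID" --zone "$ZONE" \
    --machine-type e2-small --no-address \
    --shielded-secure-boot --tags bastion
  # Only IAP's source range may reach port 22 on the bastion; no 0.0.0.0/0 rule.
  run gcloud compute firewall-rules create allow-iap-to-bastion \
    --project "$PROJECT_ID" --network default --direction INGRESS \
    --source-ranges "$IAP_RANGE" --allow tcp:22 --target-tags bastion
}

# 3. Open an IAP tunnel through the bastion and forward the control plane's
#    private endpoint to localhost:8443 so kubectl can use it.
tunnel_to_control_plane() {
  cp_ip="$1"   # private endpoint IP (from `gcloud container clusters describe`)
  validate_cidr "$cp_ip/32" || { echo "invalid IP: $cp_ip" >&2; return 1; }
  run gcloud compute ssh "$BASTION" --project "$PROJECT_ID" --zone "$ZONE" \
    --tunnel-through-iap -- -N -L "8443:$cp_ip:443"
}

restrict_control_plane
create_bastion
tunnel_to_control_plane "10.10.0.2"   # placeholder private endpoint address
```

Run it with `DRY_RUN=0` once the placeholders are filled in. While the tunnel is up, point kubectl at the forwarded port (`--server=https://127.0.0.1:8443`, with `--tls-server-name` set to the endpoint the cluster certificate was issued for), or simply run kubectl on the bastion. The firewall rule is the line worth checking in review: it admits only 35.235.240.0/20, the range IAP forwards from, so port 22 on the bastion is never reachable from the internet at large.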
Solution 2:[2]
No, GKE (and most Kubernetes setups) use a private network for the cluster communication. You have to "poke holes" into cluster-space using things like LoadBalancer services. You can also use things like GCP IAP for internal service access.
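Solution 2's point, that exposure is a matter of the holes you poke, is easiest to see when those holes are written down. The shell script below is an added example, not code from the answers or from the question's cluster, that renders the manifests for the frontend/backend split described in the question: a LoadBalancer Service exposing port 80 only to the CIDRs in `ALLOWED_RANGES` (RFC 5737 documentation ranges stand in as placeholders; the real CDN or proxy ranges go there), plus NetworkPolicies that deny all other ingress in the namespace and let the backend be reached only from frontend pods. Namespace, labels and container ports are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original answers): declare the "holes" poked
# into the private cluster explicitly. The Service exposes only port 80, and only
# to the listed source ranges; the NetworkPolicies deny all other ingress in the
# namespace and let only frontend pods reach the backend. Namespace, labels and
# CIDR ranges are placeholders.

NAMESPACE="${NAMESPACE:-prod}"                                        # hypothetical namespace
ALLOWED_RANGES="${ALLOWED_RANGES:-203.0.113.0/24 198.51.100.0/24}"   # placeholder ranges, space-separated

# LoadBalancer Service: port 80 only. GKE enforces loadBalancerSourceRanges with
# VPC firewall rules, so any other source is dropped before it reaches a node.
render_frontend_service() {
  cat <<EOF
apiVersion: v1
kind: Service
metadata:
  name: frontend
  namespace: $NAMESPACE
spec:
  type: LoadBalancer
  selector:
    app: frontend
  ports:
    - port: 80
      targetPort: 8080
  loadBalancerSourceRanges:
EOF
  for range in $ALLOWED_RANGES; do
    printf '    - %s\n' "$range"
  done
}

# Three policies: deny all ingress by default, re-open only the frontend's web
# port, and let the backend accept connections from frontend pods alone.
render_network_policies() {
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: $NAMESPACE
spec:
  podSelector: {}
  policyTypes: [Ingress]
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend-web-port
  namespace: $NAMESPACE
spec:
  podSelector:
    matchLabels:
      app: frontend
  policyTypes: [Ingress]
  ingress:
    - ports:
        - port: 8080
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-from-frontend-only
  namespace: $NAMESPACE
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes: [Ingress]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - port: 8080
EOF
}

# Print the complete manifest set; pipe it into `kubectl apply -f -` to install.
render_frontend_service
echo '---'
render_network_policies
```

NetworkPolicy only takes effect where the cluster enforces it (Autopilot clusters such as the one in the question do so by default). Without the `loadBalancerSourceRanges` entry the Service would answer port 80 for any source on the internet, which is exactly the hole the question's Cloudflare-only setup is trying not to leave open.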
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Edward Shtern |
| Solution 2 | coderanger |
