
I would like to create a bastion host to manage a private GKE cluster on GCP.

  • The bastion host is a GCE VM named bastion.
  • The cluster is a GKE private cluster named cluster.

The flow should be:

User -> (SSH via IAP) -> bastion -> (gke control-plane) -> cluster

For both resources, I would like to create and configure two service accounts from scratch in order to ensure the principle of least privilege.

Do you have any suggestions for the optimal setup for scopes and roles?

SubZeno
  • 1) What are the two service accounts for? 2) The Bastion Host needs zero cloud permissions, just access to the public Internet and the GKE network. An exception would be permissions to log to Stackdriver. 3) Your design requires the user to log in to the Bastion host and then access the GKE cluster. As popular as Bastion Hosts (Jump Boxes) are, IMHO this is a weak security model. 4) If you plan to manage the GKE cluster from the Bastion, now you have two sets of credentials to manage on the Bastion for each user: SSH keys and service accounts. – John Hanley Jan 30 '21 at 21:38
  • Thanks John. Could you recommend a better approach to manage a private GKE cluster? – SubZeno Jan 31 '21 at 10:42
  • My recommendation is to edit your question with what needs to be managed, the permissions required and who should have those rights/permissions/roles. – John Hanley Jan 31 '21 at 10:52
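The setup the question describes, written out as a Terraform configuration. This is an added example, not code from the question or the comments: it assumes the Google provider (v4 or later attribute names), an existing VPC named by `var.network`/`var.subnet`, and a project id in `var.project`. It follows the least-privilege split the comments point at: the bastion account gets nothing but log writing, the node account gets only the roles GKE nodes need for logging and metrics, the bastion has no external IP and accepts SSH only from the IAP TCP-forwarding range, and the control plane admits only the bastion's internal address. Cluster administration is done with the human user's own identity (via `gcloud auth login` on the bastion), not with either service account.

```hcl
variable "project" {}
variable "region" { default = "us-central1" }
variable "network" { default = "default" }   # assumed existing VPC
variable "subnet" { default = "default" }    # assumed existing subnet

# Service account 1: the bastion VM. No project roles beyond shipping its own logs.
resource "google_service_account" "bastion" {
  account_id   = "bastion-sa"
  display_name = "Bastion host (least privilege)"
}

resource "google_project_iam_member" "bastion_logs" {
  project = var.project
  role    = "roles/logging.logWriter"
  member  = "serviceAccount:${google_service_account.bastion.email}"
}

# Service account 2: GKE nodes. Only what nodes need to report logs and metrics.
resource "google_service_account" "gke_nodes" {
  account_id   = "gke-nodes-sa"
  display_name = "GKE node pool (least privilege)"
}

resource "google_project_iam_member" "gke_nodes_roles" {
  for_each = toset([
    "roles/logging.logWriter",
    "roles/monitoring.metricWriter",
    "roles/monitoring.viewer",
    "roles/stackdriver.resourceMetadata.writer",
  ])
  project = var.project
  role    = each.value
  member  = "serviceAccount:${google_service_account.gke_nodes.email}"
}

# SSH reaches the bastion only from Google's IAP TCP-forwarding range, so the
# VM needs no public IP. Scoped to the bastion by its service account.
resource "google_compute_firewall" "iap_ssh" {
  name    = "allow-iap-ssh-to-bastion"
  network = var.network
  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
  source_ranges           = ["35.235.240.0/20"]
  target_service_accounts = [google_service_account.bastion.email]
}

resource "google_compute_instance" "bastion" {
  name         = "bastion"
  machine_type = "e2-small"
  zone         = "${var.region}-a"
  boot_disk {
    initialize_params { image = "debian-cloud/debian-11" }
  }
  network_interface {
    subnetwork = var.subnet
    # no access_config block => no external IP
  }
  service_account {
    email  = google_service_account.bastion.email
    scopes = ["https://www.googleapis.com/auth/logging.write"]
  }
  # OS Login: SSH access is granted through IAM, no per-user keys on the VM.
  metadata = { enable-oslogin = "TRUE" }
}

resource "google_container_cluster" "cluster" {
  name                     = "cluster"
  location                 = var.region
  network                  = var.network
  subnetwork               = var.subnet
  remove_default_node_pool = true
  initial_node_count       = 1

  private_cluster_config {
    enable_private_nodes    = true
    enable_private_endpoint = true        # control plane has no public address
    master_ipv4_cidr_block  = "172.16.0.0/28"
  }
  ip_allocation_policy {}                 # VPC-native, required for private clusters
  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = "${google_compute_instance.bastion.network_interface[0].network_ip}/32"
      display_name = "bastion"
    }
  }
  # Workload Identity so pods do not inherit the node service account's token.
  workload_identity_config { workload_pool = "${var.project}.svc.id.goog" }
}

resource "google_container_node_pool" "nodes" {
  name       = "nodes"
  location   = var.region
  cluster    = google_container_cluster.cluster.name
  node_count = 1
  node_config {
    service_account = google_service_account.gke_nodes.email
    oauth_scopes    = ["https://www.googleapis.com/auth/cloud-platform"]
    workload_metadata_config { mode = "GKE_METADATA" }
  }
}
```

Users who should reach the bastion need `roles/iap.tunnelResourceAccessor` plus `roles/compute.osLogin` (or `osAdminLogin`) on the project, and connect with `gcloud compute ssh bastion --tunnel-through-iap`. On the bastion they authenticate as themselves and run `gcloud container clusters get-credentials cluster --region REGION --internal-ip`; their Kubernetes rights then come from their own IAM roles (for example `roles/container.developer`), so nothing cluster-related is granted to the bastion's service account. The node account's `cloud-platform` scope is intentional: with that scope the effective permissions are exactly the IAM roles bound above, rather than a second, harder-to-audit limit set by legacy scopes.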

1 Answer


To have a better overview of how to handle GKE clusters for production purposes, I would suggest taking a look at this article, specifically at the section dedicated to Private Clusters, which mentions the alternative of using VPC Service Controls, which can help you mitigate the risk of data exfiltration.