Updates coming for Authorized Networks and Cloud Run/Functions on GKE

Google recently received helpful information through the Vulnerability Rewards Program for Authorized Networks and Cloud Run/Functions on Google Kubernetes Engine (GKE). Based on that information, Google updated their product documentation and prioritized a plan to make engineering changes to GKE to restrict access to only GKE-related services. Those changes will roll out automatically to over 99% of their GKE customers by late August, and will proactively reach out to the remaining customers to work on migration issues together.

Google’s existing firewall rules allow the Kubernetes API server’s IP address to be reachable from the Cloud Run and Cloud Functions services. However, even with this access, calls to the API still need to be authenticated and authorized using either Google Identity and Access Management or GKE role-based access control. To further improve security, they will soon limit that access to GKE-related services and block access from Cloud Run and Cloud Functions.

Google plan to take the following steps: 

Once these steps are complete, 99% of private clusters won’t be accessible from Cloud Run or Cloud Functions, with no action required from those customers. The remaining 1% will migrate on their own timeline as those customers need time to move their access to new solutions. Public clusters (where nodes have public IPs) will continue to be accessible from Google Cloud IPs as this is necessary for those nodes to communicate with the API server.

Google look forward to continuing to work with all their partners and customers, and the research community, to advance security for everyone.

Related posts

Tips on building a network security policy in Google Cloud

by Kartika Triyanti
1 year ago

Supercharge Your Event-driven Architecture with New Cloud Functions (2nd gen)

by Cloud Ace Indonesia
3 years ago

Build a Data Mesh on Google Cloud with Dataplex, Now Generally Available

by Kartika Triyanti
3 years ago