Blog
Securing GKE Control Plane Access with DNS-Based Endpoints
Discover the modern, Terraform-ready approach to securing your private GKE data and control planes using identity instead of network perimeters.
We all love private Google Kubernetes Engine (GKE) clusters. Locking down your control plane so it isn't exposed to the public internet is Kubernetes Security 101. However, the moment you try to hook up your CI/CD pipeline, like GitHub Actions running on hosted runners, you hit a classic architectural brick wall.
GitHub's hosted runners use a massive, dynamically changing pool of public IP addresses. Traditionally, you had to choose between two painful options:
- Expose the attack surface: Constantly update GKE's Master Authorized Networks with giant blocks of public IPs.
- Build a bridge: Deploy self-hosted runners inside your VPC, or manage an Identity-Aware Proxy (IAP) infrastructure to route and proxy your external traffic securely.
While proxy architectures work brilliantly for tools natively embedded in your Google Cloud environment, setting them up for external CI/CD platforms adds unnecessary operational overhead and maintenance debt.
Fortunately, in the modern day, there is a better and improved way! By leveraging GKE DNS-Based Endpoints alongside Workload Identity Federation (WIF), you can grant your external GitHub Actions workflows secure, direct access to your private cluster control plane without maintaining a single piece of proxy infrastructure.
Shifting from Network Security to IAM-Gated Security
GKE DNS-based endpoints fundamentally change how external traffic is handled by the GKE control plane. Instead of relying solely on network-level IP whitelisting via Master Authorized Networks, this feature introduces a DNS-only, IAM-gated endpoint (*.gke.goog).
When you allow external traffic through a DNS endpoint, the endpoint is technically resolvable over the internet, but network access alone gets you nowhere. Every single request hitting that endpoint must be explicitly authenticated and authorized via Google Cloud IAM.
This allows you to securely execute a "merge-before-apply" GitOps workflow directly from standard GitHub-hosted runners:
- No Static Keys: GitHub authenticates using keyless OpenID Connect (OIDC) tokens exchanged through a Workload Identity Federation (WIF) Pool.
- No Network Exceptions: The runner safely hits the GKE control plane over the internet because its identity, not its shifting public IP, is its passport through the gate.
Strict Least Privilege: The runner only possesses short-lived tokens with tightly scoped IAM permissions to manage the cluster.
Architectural Blueprint
In a highly hardened enterprise landing zone, the DNS-based endpoint serves as the secure, clean management line connecting your external control planes to your private workloads.
Here is how it integrates into a comprehensive security architecture:
- Identity Gate: GitHub Actions maps directly to a dedicated Terraform Runner Service Account using a secure impersonation trust chain.
- Isolated Networking: The worker nodes themselves remain entirely private inside a dedicated worker subnet, entirely insulated from public traffic.
- Recommended additional Data Plane Hardening & Storage Security: The cluster data plane is heavily reinforced at multiple layers:
- Application-Layer Secrets Encryption: All Kubernetes Secret objects are explicitly encrypted using a Cloud KMS key before being committed to the etcd database, securing the storage layer from snapshot-level compromises.
- eBPF-Based Routing: Utilizes GKE Dataplane V2 for optimized, secure, and purely internal network policy enforcement.
- Node Infrastructure Hardening: Employs Shielded GKE Nodes with Secure Boot enabled and blocks access to legacy Compute Engine metadata endpoints.
- Supply Chain Security: Integrates Binary Authorization to ensure only audited, CVE-scanned images from the Artifact Registry can ever run on your nodes.
Implementing DNS Endpoints with Terraform
Bringing this architecture to life is straightforward. To keep things focused, the production-ready snippet below showcases solely the configuration required to enable the DNS-based endpoint and application-layer secrets encryption.
We will leave out the rest of the standard GKE cluster and node pool boilerplate definitions for now.In your GKE Terraform module, you need to configure the control_plane_endpoints_config block inside the google_container_cluster resource, while keeping your cluster network-private.
resource "google_container_cluster" "primary" {
# ... other configurations/settings ...
# Isolate your node infrastructure strictly inside the private network
private_cluster_config {
enable_private_nodes = true
enable_private_endpoint = true
# Use your own custom private /28 CIDR range here
master_ipv4_cidr_block = var.master_ipv4_cidr_block
}
### WHERE THE MAGIC HAPPENS ###
# Leave out the network-level IP whitelisting entirely (MAN).
# No more maintaining brittle, shifting lists of public CI/CD runner IPs.
master_authorized_networks_config {}
# Expose a public, cryptographically IAM-gated DNS endpoint.
# This allows authenticated external platforms (like GitHub Actions) to safely reach the cluster API using identity verification instead of an IP address.
control_plane_endpoints_config {
dns_endpoint_config {
allow_external_traffic = true
}
}
# ... other configurations/settings ...
}Important Security Note
DNS-based endpoints remove the need for bastion hosts and large IP allowlists, but they also shift your security boundary from the network layer to the identity layer.
With Master Authorized Networks (MAN), only trusted IPs could reach the control plane. With DNS-based endpoints, access is protected through IAM and Workload Identity Federation (WIF) instead.
That means your WIF configuration becomes critical. A misconfigured WIF binding or overly broad IAM permissions could unintentionally expose cluster access.
To keep this setup secure:
- Strictly scope WIF attribute conditions (repo, branch, environment).
- Use least-privilege IAM permissions.
- Separate identities per environment.
- Keep credentials short-lived.
- Enable auditing and monitoring for federation activity.
When properly configured, this provides a strong zero-trust model without the operational overhead of proxy infrastructure.
Summary of Benefits
By modernizing your private GKE access strategy with DNS-based endpoints, additional hardening, you achieve a zero-trust architecture without operational headaches:
- Zero Infrastructure Overhead: Stop paying for, patching, and scaling bastion hosts or self-hosted CI/CD runner VMs just to act as network proxies.
- Streamlined Multi-Environment Pipelines: Easily scale your pipelines across separate staging and production GCP projects using dedicated, short-lived WIF bindings per environment.
True Zero-Trust Security: Perimeter security is fragile. Shifting your security posture to cryptographically validated identities (OIDC + IAM) guarantees that even if an attacker discovers your cluster's DNS name, they cannot access it without valid cloud credentials.
Useful Links
Interested in setting up Workload Identity Federation (WIF) with GitHub Actions?
- Check out Niels van Doorn's post: Setup keyless authentication to Google Cloud for GitHub Actions using Terraform
Interested in another secure approach using an IAP Proxy?
- Check out Mark van Holsteijn's post: How to access private GKE clusters from Google Cloud Build via the Identity-Aware Proxy
Written by
Lars Prosec
I am a Cloud Platform Engineer at Xebia Cloud, working with the GCP Cloud Control Team. This team focuses on providing tailored assessments, reviews, scans, and support for your Google Cloud environment, offering various services, including Managed Services.
Our Ideas
Explore More Blogs
Contact