How DNS-Based Endpoints Enhance Security in GKE Clusters
Google Cloud today introduced a new DNS-based endpoint for GKE clusters that offers tighter security controls and more flexibility in how the control plane is reached.
With the existing IP-based endpoint, access is gated by authorized-network IP allowlists, which brings several operational problems. The authorized-network firewall configuration has to be updated every time the network layout or IP ranges change.
Proxy/bastion hosts: reaching the GKE control plane from a different cloud location requires setting up a proxy or bastion host inside an allowed network.
Complex IP-based allowlists and firewall rules: ACLs and authorized-network configurations keyed on IP addresses are prone to human configuration error.
Crossing VPC boundaries needs no special setup with the DNS-based endpoint: a client only needs to be able to reach Google APIs.
Access to your control plane through the DNS-based endpoint is protected by the same IAM controls that guard every GCP API call.
On top of IAM policies you can add network-based controls with VPC Service Controls, giving the cluster control plane a multi-layer security architecture.
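The migration the paragraphs above describe, as an added example in POSIX shell (not code from the original article or from Google). It assumes the gcloud flags --enable-dns-access, --no-enable-ip-access and get-credentials --dns-endpoint, the describe field controlPlaneEndpointsConfig.dnsEndpointConfig.endpoint, the endpoint name shape gke-<id>.<location>.gke.goog, and that roles/container.developer carries the container.clusters.connect permission the DNS endpoint checks; cluster, project, location, perimeter and principal names are placeholders. The order matters: the IP-based endpoint stays on until the IAM grant is in place and kubectl has been verified over DNS, because disabling IP access before the grant lands would leave no working path to the control plane.

```shell
#!/bin/sh
# Added example (not from the original article): move a GKE cluster to the
# DNS-based control plane endpoint and layer IAM and VPC Service Controls on it.
# Assumptions (placeholders, adjust for your environment): cluster, location,
# project, perimeter/policy names and the IAM principal. gcloud flags used are
# --enable-dns-access, --no-enable-ip-access and get-credentials --dns-endpoint.
# Set DRY_RUN=1 to print each command instead of executing it.

run() {
  if [ -n "${DRY_RUN:-}" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Returns 0 when HOST has the assumed DNS endpoint shape gke-<id>.<location>.gke.goog.
# Use it to sanity-check what describe returns before pointing clients at it.
is_gke_dns_endpoint() {
  printf '%s' "$1" | grep -Eq '^gke-[a-z0-9]+\.[a-z0-9-]+\.gke\.goog$'
}

# Step 1: turn on the DNS-based endpoint. The IP-based endpoint keeps working,
# so existing kubectl sessions are not cut off mid-migration.
enable_dns_endpoint() {
  cluster=$1; location=$2
  run gcloud container clusters update "$cluster" --location "$location" --enable-dns-access
}

# Step 2: read back the DNS name GKE assigned to the control plane
# (field name assumed: controlPlaneEndpointsConfig.dnsEndpointConfig.endpoint).
dns_endpoint_of() {
  cluster=$1; location=$2
  run gcloud container clusters describe "$cluster" --location "$location" \
    --format='value(controlPlaneEndpointsConfig.dnsEndpointConfig.endpoint)'
}

# Step 3: IAM is the gate for the DNS endpoint. The principal needs a role that
# carries container.clusters.connect; roles/container.developer is assumed to.
grant_connect() {
  project=$1; member=$2
  run gcloud projects add-iam-policy-binding "$project" --member "$member" \
    --role roles/container.developer
}

# Step 4: point kubeconfig at the DNS endpoint, prove it works, and only then
# retire the IP-based endpoint so authorized-network allowlists no longer apply.
migrate_clients() {
  cluster=$1; location=$2
  run gcloud container clusters get-credentials "$cluster" --location "$location" --dns-endpoint
  run kubectl --request-timeout=30s get nodes
  run gcloud container clusters update "$cluster" --location "$location" --no-enable-ip-access
}

# Optional second layer: put container.googleapis.com inside a VPC Service
# Controls perimeter so API reachability alone is not enough to get in.
add_vpcsc_layer() {
  perimeter=$1; policy=$2
  run gcloud access-context-manager perimeters update "$perimeter" --policy "$policy" \
    --add-restricted-services container.googleapis.com
}

# Usage (dry run):
#   DRY_RUN=1 sh -c '. ./gke-dns.sh; enable_dns_endpoint demo us-central1; \
#     grant_connect my-project group:platform@example.com; migrate_clients demo us-central1'
```

Run each function once with DRY_RUN=1 to review the exact commands, then without it against a non-production cluster first; the grep check on the describe output guards against pointing clients at an empty value when DNS access has not actually been enabled yet.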