Private Cluster
Yuriy Lesyuk edited this page Apr 29, 2020 · 12 revisions
This is a must-have enterprise security requirement. There are a number of hardening options when setting up your private Kubernetes cluster:
- private cluster, private nodes
- master authorized networks
- cluster service account with minimal privileges
- private container repository
- explicit egress control
- no external access (via jumpbox) (overrides master authorized networks)
We will revisit them in turn, but let's start with the first two.
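As an added example (not part of this wiki's own material), the gcloud invocation for the first two options, private nodes plus master authorized networks, together with a small audit of the settings read back from the cluster; the cluster name, region and CIDR ranges are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the wiki. Creates a GKE cluster with the first two
# hardening options (private nodes, master authorized networks) and audits the
# result. CLUSTER, REGION, MASTER_CIDR and OFFICE_CIDR are placeholder values.
set -euo pipefail

CLUSTER="${CLUSTER:-private-demo}"
REGION="${REGION:-us-central1}"
MASTER_CIDR="${MASTER_CIDR:-172.16.0.32/28}"   # control-plane range, must be a /28
OFFICE_CIDR="${OFFICE_CIDR:-203.0.113.0/24}"   # assumed corporate egress range

# Returns the create command as a string so it can be reviewed before running.
# --enable-private-nodes: nodes get internal IPs only (image pulls then need
#   Cloud NAT or a private registry, see the later items on the list).
# --enable-master-authorized-networks: only the listed CIDRs may reach the
#   control-plane endpoint. --enable-private-endpoint (item 6 on the list)
#   would remove the public endpoint altogether and make this list moot.
gke_create_cmd() {
  printf '%s' "gcloud container clusters create $CLUSTER --region $REGION" \
    " --enable-ip-alias --enable-private-nodes --master-ipv4-cidr $MASTER_CIDR" \
    " --enable-master-authorized-networks --master-authorized-networks $OFFICE_CIDR"
}

# Reads back the three settings that matter as one comma-separated line.
gke_describe_cmd() {
  printf '%s' "gcloud container clusters describe $CLUSTER --region $REGION" \
    " --format='csv[no-heading](privateClusterConfig.enablePrivateNodes," \
    "masterAuthorizedNetworksConfig.enabled,privateClusterConfig.enablePrivateEndpoint)'"
}

# Audits that line. Assumes gcloud's csv format prints booleans as True/False
# and unset fields as empty. Exit status 1 means the cluster is not hardened.
audit_cluster() {
  local nodes authnets endpoint rc=0
  IFS=',' read -r nodes authnets endpoint <<< "$1"
  [ "$nodes" = "True" ]    || { echo "FAIL: nodes have public IP addresses"; rc=1; }
  [ "$authnets" = "True" ] || { echo "FAIL: master authorized networks not enforced"; rc=1; }
  if [ "$endpoint" != "True" ]; then
    echo "NOTE: control plane still has a public endpoint (restricted by authorized networks)"
  fi
  return $rc
}

# Usage: run the printed command, then feed the describe output to the audit:
#   eval "$(gke_create_cmd)" && audit_cluster "$(eval "$(gke_describe_cmd)")"
```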
Recommended reading: Completely Private GKE Clusters with No Internet Connectivity by Andrey Kumarov.
It is worth keeping his excellent diagram of private cluster networking in front of you: