// Project Walkthrough · 04
GKE Cluster Compliant Primitive

An ephemeral, FedRAMP-realistic GKE cluster with four NIST 800-53 controls hard-coded into the cluster definition. Private nodes, KMS-backed secrets encryption, Calico network policy, and full audit logging — all enforced at the infrastructure layer and evidenced in machine-readable artifacts.

terraform · gcp · gke · nist 800-53 · kubernetes · kms · fedramp · cmmc l2 · soc 2

01 · Problem Statement

Kubernetes clusters are one of the hardest environments to evidence for compliance. The configuration options are numerous, security-relevant settings change between GKE versions, and most are buried deep enough that a standard checklist review misses them. The typical approach is to deploy a cluster, then run a checklist after the fact.

This primitive takes the opposite position. The controls are baked into the Terraform definition before the cluster exists. SC-28, CM-6, AC-3, and AU-3 are not audit findings waiting to happen — they are resource attributes. The evidence is captured in artifacts/plan.json and artifacts/terraform-state.json without any console interaction.

02 · Architecture Decision

Every design choice was made to satisfy a specific compliance requirement. The cluster is intentionally minimal — two e2-small nodes, one zone, one lab session — so the compliance primitives are visible without being obscured by production complexity.

// private nodes
No Public Node IPs (AC-3)
Nodes have no external IP addresses. Egress goes through Cloud NAT. Control plane locked to a single operator /32 via master authorized networks.
// kms encryption
Application-Layer Secrets (SC-28)
A dedicated Cloud KMS key encrypts Kubernetes secrets at the application layer. 90-day rotation enforced. The key resource name and encryption state are captured in the evidence artifacts.
// shielded nodes
Verified Boot + Integrity (CM-6)
Secure boot and integrity monitoring enabled. STABLE release channel enforces tested GKE versions. GKE_METADATA mode prevents workloads from accessing the underlying VM metadata endpoint.
// audit logging
Five Log Components (AU-3)
logging_config enables SYSTEM_COMPONENTS, WORKLOADS, API_SERVER, SCHEDULER, CONTROLLER_MANAGER. A separate google_project_iam_audit_config captures ADMIN_READ, DATA_READ, DATA_WRITE for container.googleapis.com.
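The four decisions above, expressed as Terraform resource attributes in one place. This is an added example written for this walkthrough, not the project's own main.tf. It assumes the variables var.project_id, var.zone, var.region and var.authorized_cidr, the resource labels, the 172.16.0.0/28 control-plane range, and a VPC, subnet and Cloud NAT declared elsewhere in the module as google_compute_network.lab and google_compute_subnetwork.lab.

```hcl
# Added example, not the project's main.tf. Assumed: var.project_id, var.zone,
# var.region, var.authorized_cidr, and a VPC + subnet + Cloud NAT declared
# elsewhere as google_compute_network.lab / google_compute_subnetwork.lab.
data "google_project" "lab" {
  project_id = var.project_id
}

# SC-28: dedicated key with 90-day rotation (7776000s = 90 days).
resource "google_kms_key_ring" "gke" {
  name     = "gke-secrets"
  location = var.region
}

resource "google_kms_crypto_key" "gke_secrets" {
  name            = "gke-secrets"
  key_ring        = google_kms_key_ring.gke.id
  rotation_period = "7776000s"
}

# Without this grant the GKE service agent cannot use the key and apply fails.
resource "google_kms_crypto_key_iam_member" "gke_agent" {
  crypto_key_id = google_kms_crypto_key.gke_secrets.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.lab.number}@container-engine-robot.iam.gserviceaccount.com"
}

resource "google_container_cluster" "lab" {
  name                     = "lab-gke"
  location                 = var.zone
  network                  = google_compute_network.lab.id
  subnetwork               = google_compute_subnetwork.lab.id
  networking_mode          = "VPC_NATIVE"   # private nodes require a VPC-native cluster
  remove_default_node_pool = true
  initial_node_count       = 1
  deletion_protection      = false          # ephemeral lab: `make destroy` must succeed
  enable_shielded_nodes    = true           # CM-6

  ip_allocation_policy {}                   # secondary pod/service ranges chosen by GKE

  database_encryption {                     # SC-28
    state    = "ENCRYPTED"
    key_name = google_kms_crypto_key.gke_secrets.id
  }

  private_cluster_config {                  # AC-3: no public node IPs
    enable_private_nodes    = true
    enable_private_endpoint = false
    master_ipv4_cidr_block  = "172.16.0.0/28"
  }
  master_authorized_networks_config {       # AC-3: operator /32 only
    cidr_blocks {
      cidr_block   = var.authorized_cidr
      display_name = "operator"
    }
  }
  workload_identity_config {                # AC-3
    workload_pool = "${var.project_id}.svc.id.goog"
  }

  release_channel { channel = "STABLE" }    # CM-6: tested GKE versions
  network_policy {                          # CM-6: Calico
    enabled  = true
    provider = "CALICO"
  }
  addons_config {
    network_policy_config { disabled = false }
  }

  logging_config {                          # AU-3: all five components
    enable_components = ["SYSTEM_COMPONENTS", "WORKLOADS", "API_SERVER", "SCHEDULER", "CONTROLLER_MANAGER"]
  }

  # Turn the evidence fields into an apply-time gate, not only an audit query.
  lifecycle {
    postcondition {
      condition     = self.database_encryption[0].state == "ENCRYPTED" && self.private_cluster_config[0].enable_private_nodes
      error_message = "SC-28/AC-3: secrets encryption and private nodes must both be enabled."
    }
  }
  depends_on = [google_kms_crypto_key_iam_member.gke_agent]
}

resource "google_container_node_pool" "lab" {
  name       = "lab-pool"
  cluster    = google_container_cluster.lab.id
  node_count = 2
  node_config {
    machine_type = "e2-small"
    shielded_instance_config {              # CM-6: verified boot + integrity monitoring
      enable_secure_boot          = true
      enable_integrity_monitoring = true
    }
    workload_metadata_config { mode = "GKE_METADATA" }  # CM-6: pods cannot reach VM metadata
    oauth_scopes = ["https://www.googleapis.com/auth/cloud-platform"]  # scope narrowed by the node SA's IAM roles
  }
}

resource "google_project_iam_audit_config" "gke" {  # AU-3: API-level audit logs
  project = var.project_id
  service = "container.googleapis.com"
  audit_log_config { log_type = "ADMIN_READ" }
  audit_log_config { log_type = "DATA_READ" }
  audit_log_config { log_type = "DATA_WRITE" }
}
```

Two details matter for an ephemeral lab: the cryptoKeyEncrypterDecrypter grant to the GKE service agent has to exist before the cluster is created, otherwise the apply fails at cluster creation rather than with a clear KMS error, and deletion_protection must be false or `make destroy` will refuse to remove the cluster. The postcondition is the same check the auditor's jq query performs, moved earlier: if the state would not show ENCRYPTED and private nodes, the apply itself fails. After apply, these attributes appear under resources[].instances[].attributes in terraform-state.json, which is what section 04 reads.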
03 · Controls Enforced

Control ID | Mechanism | Evidence Field in State
---------- | --------- | -----------------------
SC-28 | KMS-backed application-layer secrets encryption, 90-day key rotation | database_encryption[].state + key_name
CM-6 | STABLE release channel, shielded nodes, secure boot, integrity monitoring, Calico, GKE_METADATA | cluster + node_pool config blocks
AC-3 | Private nodes, control plane locked to operator /32, workload identity, network policy, least-scope OAuth | private_cluster_config, master_authorized_networks_config, workload_identity_config
AU-3 | Five logging components + project audit log config for container.googleapis.com | logging_config.enable_components + google_project_iam_audit_config
04 · What the Auditor Sees

After apply, a single jq query against artifacts/terraform-state.json produces structured evidence for every enforced control. No console login, no manual evidence collection.

[Figure: jq output from artifacts/terraform-state.json showing private_nodes: true, encryption_state: ENCRYPTED, release_channel: STABLE and five logging components; all four controls confirmed in a single query]

Field in Output | Value | NIST 800-53 | NIST 800-171 | FedRAMP | CMMC L2 | SOC 2
--------------- | ----- | ----------- | ------------ | ------- | ------- | -----
private_nodes | true | AC-3 | 3.1.1 · 3.1.2 | AC-3 | AC.L2-3.1.1 | CC6.1
encryption_state | "ENCRYPTED" | SC-28 | 3.13.16 | SC-28 | SC.L2-3.13.16 | CC6.7
release_channel | "STABLE" | CM-6 | 3.4.2 | CM-6 | CM.L2-3.4.2 | CC7.1
workload_pool | *.svc.id.goog | AC-3 | 3.1.1 · 3.1.2 | AC-3 | AC.L2-3.1.2 | CC6.3
logging_components | [5 components] | AU-3 | 3.3.1 | AU-3 | AU.L2-3.3.1 | CC7.2
05 · Session Flow

The cluster is designed for a single lab session and torn down immediately after. The Makefile wraps every step so the session flow is consistent and reproducible.

// full session flow
export TF_VAR_project_id=your-lab-project-id
export TF_VAR_authorized_cidr=$(curl -s https://api.ipify.org)/32

make init
make plan # generates artifacts/plan.json
make apply # generates artifacts/terraform-state.json
make kubeconfig
kubectl get nodes # expect two Ready nodes

make destroy # ends billing immediately
// phase 2
Phase 1 stops at the cluster. Phase 2 installs Kyverno and adds pod-level compliance policies on top of this infrastructure.
06 · File Structure
labs/lab-05-gke-kyverno/
  versions.tf # terraform + provider version pins
  variables.tf # project, zone, authorized CIDR, cluster shape
  main.tf # provider, KMS, VPC + NAT, GKE cluster, node pool, audit log config
  outputs.tf # cluster identifiers, kubeconfig command, artifact paths
  Makefile # init / plan / apply / kubeconfig / destroy / clean
  artifacts/ # gitignored — generated evidence per session
    plan.json
    terraform-state.json
07 · Summary

4 controls enforced · 2 evidence artifacts · 5 log components · 5 frameworks mapped
Project Details
type: terraform module
cloud: GCP
resource: GKE + KMS + VPC
nodes: 2x e2-small
cost: ~$0.10/hr
evidence: plan.json + state
phase 2: kyverno

Controls: SC-28 Secrets Encryption · CM-6 Configuration Settings · AC-3 Access Enforcement · AU-3 Audit Records

Frameworks mapped: NIST 800-53 · NIST 800-171 · FedRAMP · CMMC L2 · SOC 2