A New Flexible DNS-Based Approach for Accessing the GKE Control Plane
Google Cloud

Google Cloud has announced a new DNS-based endpoint for GKE clusters. The endpoint is available now on every cluster, regardless of version or cluster configuration, and allows for greater flexibility in access methods and security controls. It addresses several long-standing challenges of Kubernetes control plane access: complex IP-based firewall and allowlist configurations, static configurations tied to IP addresses, and the need for proxy or bastion hosts.

With the DNS-based endpoint, authorized users can reach your control plane from other clouds, from on-prem deployments, or from home without jumping through proxies. Traffic can transit multiple VPCs without restriction, because the only requirement is reachability to Google APIs.

Access to your control plane over the DNS-based endpoint is protected by the same IAM policies that protect all GCP API access. With IAM policies you can ensure that only authorized users reach the control plane, irrespective of which IP or network they come from. In addition to IAM, you can configure network-based controls with VPC Service Controls, giving your cluster control plane a multi-layer security model.

Overall, DNS-based endpoints provide greater flexibility in managing the security of your cluster control planes while reducing the complexity of accessing clusters from private networks.
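As an added example (not from the announcement), the shell below enables the DNS-based endpoint on an existing cluster, fetches credentials that use it, and checks that the active kubeconfig context really points at a DNS endpoint rather than an IP address; it assumes the gcloud and kubectl CLIs are installed, that CLUSTER and LOCATION are placeholders for your own cluster, and that the gcloud flag and field names match the current GKE documentation.

```bash
#!/usr/bin/env bash
# Added example: enable and verify the GKE DNS-based control plane endpoint.
# CLUSTER and LOCATION are placeholders (assumption), override via the environment.
set -eu

CLUSTER="${CLUSTER:-my-cluster}"
LOCATION="${LOCATION:-us-central1}"

# Turn on the DNS-based endpoint for an existing cluster
# (flag name as documented for gcloud at time of writing; assumption).
enable_dns_endpoint() {
  gcloud container clusters update "$CLUSTER" --location "$LOCATION" --enable-dns-access
}

# Print the cluster's DNS endpoint, e.g. gke-<id>.<location>.gke.goog
# (field path as documented for gcloud; assumption).
dns_endpoint() {
  gcloud container clusters describe "$CLUSTER" --location "$LOCATION" \
    --format='value(controlPlaneEndpointsConfig.dnsEndpointConfig.endpoint)'
}

# Write a kubeconfig entry that targets the DNS endpoint instead of an IP.
fetch_credentials() {
  gcloud container clusters get-credentials "$CLUSTER" --location "$LOCATION" --dns-endpoint
}

# Pure check: does a kubeconfig server URL point at a GKE DNS endpoint?
# Requires https, strips path and port, and accepts only <id>.<location>.gke.goog
# as the host, so an IP or a foreign domain carrying ".gke.goog" in its path fails.
is_dns_endpoint_url() {
  url="$1"
  case "$url" in https://*) ;; *) return 1 ;; esac
  host="${url#https://}"
  host="${host%%/*}"
  host="${host%%:*}"
  case "$host" in
    *.*.gke.goog) return 0 ;;
    *) return 1 ;;
  esac
}

# Verify that the active kubeconfig context uses the DNS endpoint.
verify_current_context() {
  server="$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')"
  is_dns_endpoint_url "$server"
}
```

Run `enable_dns_endpoint`, then `fetch_credentials` and `verify_current_context`; a failing verify means kubectl is still talking to an IP-based endpoint, so the IAM-gated DNS path is not what is being used.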