Profile applicability: Level 2
Enable Control Plane Authorized Networks to restrict access to the cluster's control
plane to only an allowlist of authorized IPs.
Authorized networks are a way of specifying a restricted range of IP addresses that
are permitted to access your cluster's control plane. Kubernetes Engine uses both
Transport Layer Security (TLS) and authentication to provide secure access to your
cluster's control plane from the public internet. This provides you the flexibility
to administer your cluster from anywhere; however, you might want to further restrict
access to a set of IP addresses that you control. You can set this restriction by
specifying an authorized network.
Control Plane Authorized Networks blocks untrusted IP addresses. Google Cloud Platform
IPs (such as traffic from Compute Engine VMs) can reach your master through HTTPS
provided that they have the necessary Kubernetes credentials.
Restricting access to an authorized network can provide additional security benefits
for your container cluster, including:
- Better protection from outsider attacks: Authorized networks provide an additional layer of security by limiting external, non-GCP access to a specific set of addresses you designate, such as those that originate from your premises. This helps protect access to your cluster in the case of a vulnerability in the cluster's authentication or authorization mechanism.
- Better protection from insider attacks: Authorized networks help protect your cluster from accidental leaks of master certificates from your company's premises. Leaked certificates used from outside GCP and outside the authorized IP ranges (for example, from addresses outside your company) are still denied access.
 |
NoteBy default, Control Plane Authorized Networks is disabled.
|
Impact
When implementing Control Plane Authorized Networks, be careful to ensure all desired
networks are on the allow list to prevent inadvertently blocking external access to
your cluster's control plane.
Audit
Using Google Cloud Console:
- Go to Kubernetes Engine website.
- From the list of clusters, click on the cluster to open the Details page.
- Make sure Master authorized networks is set to Enabled.
Using Command Line:
To check Master Authorized Networks status for an existing cluster, run the following
command:
gcloud container clusters update $CLUSTER_NAME --zone $COMPUTE_ZONE --enable-master-authorized-networks
The output should return the following if Control Plane Authorized Networks is enabled:
{
"enabled": true
}
If Master Authorized Networks is disabled, the above command will return null (
{ }).Remediation
Using Google Cloud Console:
- Go to Kubernetes Engine website.
- Select Kubernetes clusters for which Control Plane Authorized Networks is disabled.
- Within the Details pane, under the Networking heading, click on the pencil icon named Edit control plane authorized networks.
- Check the box next to Enable control plane authorized networks.
- Click SAVE CHANGES.
Using Command Line:
To enable Control Plane Authorized Networks for an existing cluster, run the following
command:
gcloud container clusters update <cluster_name> --zone <compute_zone> --enable-master-authorized-networks
Along with this, you can list authorized networks using the
--master-authorized-networks flag which contains a list of up to 20 external networks that are allowed to connect
to your cluster's control plane through HTTPS. You provide these networks as a comma-separated
list of addresses in CIDR notation (such as 90.90.100.0/24).