Ensure that your Google Kubernetes Engine (GKE) clusters are configured with master authorized networks in order to limit the exposure of their control plane (Kubernetes API server) endpoint to the Internet. Master authorized networks let you allowlist specific IP addresses and/or CIDR ranges that are permitted to reach the cluster's control plane endpoint over HTTPS; connections from any other source address are rejected at the network level, before the request ever reaches Kubernetes authentication.
Adding master authorized networks provides network-level protection and defense in depth for your GKE cluster. Authorized networks grant access only to a specific set of trusted IP addresses, such as those of a corporate network or a bastion host. This limits the damage from leaked or stolen cluster credentials and from a vulnerability in the cluster's authentication or authorization mechanism, because an attacker who is not on an allowlisted network cannot reach the control plane endpoint to exploit either.
Audit
To determine if your Google Kubernetes Engine (GKE) clusters are exposed to the Internet, perform the following operations:
Remediation / Resolution
To restrict access to your Google Kubernetes Engine (GKE) clusters and limit their exposure to the Internet using authorized networks, perform the following operations:
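Both the audit and the remediation above operate on the output of the gcloud commands listed under References. As an added example that is not part of the original page, the Python below evaluates the JSON that `gcloud container clusters describe CLUSTER --zone ZONE --format=json` returns (each element of `gcloud container clusters list --format=json` has the same shape) and builds the `gcloud container clusters update --enable-master-authorized-networks --master-authorized-networks=...` command that restricts the endpoint. The field names (`masterAuthorizedNetworksConfig`, `cidrBlocks`, `privateClusterConfig.enablePrivateEndpoint`) are the ones the GKE API emits; the three sample clusters and the function names are constructed for this example.

```python
"""Evaluate GKE control-plane exposure from `gcloud container clusters describe`
JSON and build the matching `gcloud container clusters update` remediation.

Added example for this page; SAMPLE_CLUSTERS below is constructed test data,
not output captured from a real project.
"""
import ipaddress
import json
from typing import Dict, List, Tuple

# Constructed sample: the subset of the cluster resource that the audit reads.
SAMPLE_CLUSTERS: List[Dict] = json.loads("""
[
  {"name": "legacy-web", "location": "us-central1-a",
   "endpoint": "198.51.100.10"},
  {"name": "payments", "location": "europe-west1",
   "endpoint": "198.51.100.20",
   "masterAuthorizedNetworksConfig": {
     "enabled": true,
     "cidrBlocks": [{"displayName": "office", "cidrBlock": "203.0.113.0/24"},
                    {"displayName": "bastion", "cidrBlock": "192.0.2.7/32"}]}},
  {"name": "internal", "location": "us-east1",
   "privateClusterConfig": {"enablePrivateNodes": true,
                            "enablePrivateEndpoint": true},
   "masterAuthorizedNetworksConfig": {"enabled": true,
     "cidrBlocks": [{"displayName": "vpc", "cidrBlock": "10.0.0.0/8"}]}}
]
""")


def audit_cluster(cluster: Dict) -> Tuple[bool, str]:
    """Return (exposed, reason) for one cluster resource.

    The public endpoint counts as exposed when master authorized networks is
    disabled (the field is simply absent for such clusters) or when an allowed
    block is malformed or covers every address (0.0.0.0/0, ::/0).  Enabled with
    no blocks is the tightest public-endpoint setting: nothing outside Google
    Cloud can connect, so it is reported as restricted, not exposed.
    """
    private = cluster.get("privateClusterConfig") or {}
    if private.get("enablePrivateEndpoint"):
        return False, "private endpoint only; no public control plane endpoint"
    man = cluster.get("masterAuthorizedNetworksConfig") or {}
    if not man.get("enabled"):
        return True, "master authorized networks disabled; endpoint reachable from any IP"
    blocks = [b.get("cidrBlock", "") for b in man.get("cidrBlocks", [])]
    for cidr in blocks:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            return True, f"unparseable authorized block {cidr!r}"
        if net.prefixlen == 0:
            return True, f"authorized block {cidr} admits the whole Internet"
    if not blocks:
        return False, "enabled with no blocks; external access fully blocked"
    return False, "restricted to " + ", ".join(blocks)


def audit_clusters(clusters: List[Dict]) -> List[Dict]:
    """Run audit_cluster over a `clusters list --format=json` array."""
    report = []
    for c in clusters:
        exposed, reason = audit_cluster(c)
        report.append({"name": c.get("name"), "location": c.get("location"),
                       "exposed": exposed, "reason": reason})
    return report


def remediation_command(name: str, location: str, cidrs: List[str],
                        regional: bool = False) -> List[str]:
    """Build the argv that enables master authorized networks on `name` and
    allowlists `cidrs`.  Each CIDR must be a proper network (no host bits set)
    and must not be an open range, so a typo cannot re-expose the endpoint.
    """
    allowed = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)  # ValueError on bad input
        if net.prefixlen == 0:
            raise ValueError(f"refusing open range {cidr}")
        allowed.append(str(net))
    cmd = ["gcloud", "container", "clusters", "update", name,
           "--region" if regional else "--zone", location,
           "--enable-master-authorized-networks"]
    if allowed:
        cmd.append("--master-authorized-networks=" + ",".join(allowed))
    return cmd


if __name__ == "__main__":
    for row in audit_clusters(SAMPLE_CLUSTERS):
        flag = "EXPOSED " if row["exposed"] else "ok      "
        print(f"{flag}{row['name']:<12}{row['location']:<16}{row['reason']}")
        if row["exposed"]:
            print("   fix:", " ".join(remediation_command(
                row["name"], row["location"], ["203.0.113.0/24"])))
```

Run it against real data by piping `gcloud container clusters list --format=json` into `json.load` and passing the array to `audit_clusters`. Note that `--master-authorized-networks` replaces the whole list on every update, so always pass the complete set of ranges you still need, not only the new one.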
Note: Authorized networks only block untrusted IP addresses from outside Google Cloud Platform (GCP). Traffic that originates inside Google Cloud (for example, from Compute Engine virtual machines, including those in projects you do not control) can still reach the cluster's control plane endpoint, provided it presents valid Kubernetes credentials. Authorized networks therefore reduce the endpoint's exposure but do not replace strong authentication and RBAC; for clusters that need no Internet-facing endpoint at all, a private cluster with a private-only endpoint removes the public endpoint entirely.
References
- Google Cloud Platform (GCP) Documentation
  - Hardening your cluster's security
  - Adding authorized networks for control plane access
- GCP Command Line Interface (CLI) Documentation
  - gcloud projects list
  - gcloud container clusters list
  - gcloud container clusters describe
  - gcloud container clusters update
Restrict Network Access to GKE Clusters
Risk Level: High