Ensure Master authorized networks are set to Enabled on Kubernetes Engine Clusters

Authorized networks are a way of specifying a restricted range of IP addresses that are permitted to access your container cluster's Kubernetes master endpoint. Kubernetes Engine uses both Transport Layer Security (TLS) and authentication to provide secure access to your container cluster's Kubernetes master endpoint from the public internet. This provides you the flexibility to administer your cluster from anywhere; however, you might want to further restrict access to a set of IP addresses that you control. You can set this restriction by specifying an authorized network.

Risk Level: Medium
Cloud Entity: Kubernetes Cluster
CloudGuard Rule ID: D9.GCP.NET.10
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

GkeCluster should have masterAuthorizedNetworksConfig.enabled=true

REMEDIATION

From Portal

  1. Go to Kubernetes GCP Console by visiting https://console.cloud.google.com/kubernetes/list?
  2. Click the name of the cluster you want to modify.
  3. Under Networking, in the Control plane authorized networks field, click Edit control plane authorized networks.
  4. Select the Enable control plane authorized networks checkbox.
  5. Click Add authorized network.
  6. Enter a Name for the network.
  7. For Network, enter a CIDR range that you want to grant access to your cluster control plane.
  8. Click Done. Add additional authorized networks as needed.
  9. Click Save Changes.

From TF
Under 'master_authorized_networks_config' set the 'enabled' argument to 'true':

resource "google_container_cluster" "primary" {
	...
	"masterAuthorizedNetworksConfig": {
		"enabled": true,
		"cidrBlocks": [
		{
			...
		}
		]
	}
}

From Command Line
Run

gcloud container clusters update CLUSTER_NAME --enable-master-authorized-networks --master-authorized-networks CIDR1,CIDR2,...

References

  1. https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster
  2. https://cloud.google.com/kubernetes-engine/docs/how-to/authorized-networks#console
  3. https://cloud.google.com/kubernetes-engine/docs/how-to/authorized-networks#gcloud_1

Kubernetes Cluster

Kubernetes Engine is a managed, production-ready environment for deploying containerized applications. It brings our latest innovations in developer productivity, resource efficiency, automated operations, and open source flexibility to accelerate your time to market.

Launched in 2015, Kubernetes Engine builds on Google's experience of running services like Gmail and YouTube in containers for over 12 years. Kubernetes Engine allows you to get up and running with Kubernetes in no time, by completely eliminating the need to install, manage, and operate your own Kubernetes clusters.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Foundations v. 1.0.0
  • GCP CloudGuard Best Practices
  • GCP CloudGuard CheckUp
  • GCP NIST 800-53 Rev 5