PlatformResourcesSign inSign Up

Ensure master authorized networks are enabled in GKE clusters

Error: Master authorized networks are not enabled in GKE clusters

Bridgecrew Policy ID: BC_GCP_KUBERNETES_12
Checkov Check ID: CKV_GCP_20
Severity: MEDIUM

Suggest Edits

Master authorized networks are not enabled in GKE clusters

Description

Authorized networks allow whitelisting of specific CIDR ranges and permit IP addresses in those ranges to access the cluster master endpoint using HTTPS. GKE uses both TLS and authentication to secure access to the cluster master endpoint from the public Internet. This approach enables the flexibility to administer the cluster from anywhere.

We recommend you enable master authorized networks in GKE clusters. Using authorized networks you will be able further restrict access to specified sets of IP addresses.

Fix - Buildtime

Terraform

resource "google_container_cluster" "primary" {
  name               = "marcellus-wallace"
  location           = "us-central1-a"
  initial_node_count = 3
  master_auth {
    client_certificate_config {
      issue_client_certificate = false
    }
  }
  master_authorized_networks_config {
    cidr_blocks {
      cidr_block ="10.10.10.10/0"
      display_name = "foo"
    }
  }
}

Updated 8 months ago