Ensure master authorized networks are enabled in GKE clusters
Error: Master authorized networks are not enabled in GKE clusters
Bridgecrew Policy ID: BC_GCP_KUBERNETES_12
Checkov Check ID: CKV_GCP_20
Severity: MEDIUM
Master authorized networks are not enabled in GKE clusters
Description
Authorized networks allow you to whitelist specific CIDR ranges so that only IP addresses in those ranges can reach the cluster master endpoint over HTTPS. GKE uses both TLS and authentication to secure access to the cluster master endpoint from the public Internet, which gives you the flexibility to administer the cluster from anywhere.
We recommend that you enable master authorized networks in GKE clusters. With authorized networks, you can further restrict access to a specified set of IP address ranges.
Fix - Buildtime
Terraform
resource "google_container_cluster" "primary" {
  name               = "marcellus-wallace"
  location           = "us-central1-a"
  initial_node_count = 3

  master_auth {
    client_certificate_config {
      issue_client_certificate = false
    }
  }

  # Only the listed CIDR ranges may reach the control plane endpoint over HTTPS.
  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = "10.10.10.10/32" # a /0 prefix would authorize every address
      display_name = "foo"
    }
  }
}
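The following is an added example, not Checkov's own check code: a standalone function that evaluates a parsed google_container_cluster resource the way CKV_GCP_20 does (the block must exist and carry cidr_blocks) and additionally rejects a /0 range, which would authorize every address. The attribute-dictionary shape (every value wrapped in a list, nested blocks as lists of dicts) and the sample resources are assumptions constructed for the example.

```python
import ipaddress

# Assumed input shape, loosely modelled on how a parsed HCL resource is
# represented: scalar attributes are one-element lists, blocks are lists of dicts.


def check_master_authorized_networks(conf: dict) -> tuple:
    """Return ("PASSED"|"FAILED", reason) for one google_container_cluster."""
    configs = conf.get("master_authorized_networks_config")
    if not configs:
        return "FAILED", "master_authorized_networks_config block is missing"
    entries = (configs[0] or {}).get("cidr_blocks") or []
    if not entries:
        return "FAILED", "master_authorized_networks_config has no cidr_blocks"
    for entry in entries:
        raw = (entry.get("cidr_block") or [None])[0]
        try:
            # strict=False accepts host bits (10.10.10.10/0 -> 0.0.0.0/0) so the
            # prefix length can be judged instead of raising on host bits.
            net = ipaddress.ip_network(raw, strict=False)
        except (TypeError, ValueError):
            return "FAILED", f"cidr_block {raw!r} is not a valid CIDR"
        if net.prefixlen == 0:
            return "FAILED", f"cidr_block {raw!r} permits every address"
    return "PASSED", f"{len(entries)} authorized network(s) configured"


# Constructed sample resources (not taken from any real cluster).
NO_CONFIG = {"name": ["marcellus-wallace"], "initial_node_count": [3]}
OPEN_CONFIG = {
    "name": ["marcellus-wallace"],
    "master_authorized_networks_config": [
        {"cidr_blocks": [{"cidr_block": ["10.10.10.10/0"], "display_name": ["foo"]}]}
    ],
}
RESTRICTED_CONFIG = {
    "name": ["marcellus-wallace"],
    "master_authorized_networks_config": [
        {"cidr_blocks": [{"cidr_block": ["10.10.10.10/32"], "display_name": ["foo"]}]}
    ],
}

if __name__ == "__main__":
    for label, res in [("missing", NO_CONFIG), ("open", OPEN_CONFIG),
                       ("restricted", RESTRICTED_CONFIG)]:
        print(label, *check_master_authorized_networks(res))
```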