
Restrict Network Access

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: GKE-013

To minimize internet exposure, ensure that your Google Kubernetes Engine (GKE) clusters are configured with control plane authorized networks. Once configured, authorized networks can allow specific IP addresses and/or IP address ranges to access your cluster control plane endpoint using HTTPS.

This rule resolution is part of the Conformity solution.

Security

Adding control plane authorized networks to your GKE clusters can enhance network-level security by restricting access to a specific set of trusted IP addresses. These authorized networks, such as those originating from a secure and well-known network, provide an additional layer of protection for your Kubernetes workloads. This helps mitigate the risk of unauthorized access that could exploit vulnerabilities in the cluster's authentication or authorization mechanisms.
Audit

To determine if your GKE cluster control plane is exposed to the Internet, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Kubernetes Engine console available at https://console.cloud.google.com/kubernetes.

04 In the left navigation panel, under Resource Management, choose Clusters and select the OVERVIEW tab to access the list of GKE clusters provisioned for the selected GCP project.

05 Click on the name (link) of the GKE cluster that you want to examine.

06 Select the DETAILS tab to view the configuration information available for the selected cluster.

07 In the Control Plane Networking section, check the Authorized networks attribute value to determine if your cluster's control plane is configured with authorized networks. If Authorized networks is set to Disabled, anyone on the Internet can perform requests to the GKE cluster control plane. Therefore, the control plane access configuration available for the selected Google Kubernetes Engine (GKE) cluster is not compliant.

08 Repeat steps no. 5 – 7 for each GKE cluster provisioned within the selected GCP project.

09 Repeat steps no. 2 – 8 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each GCP project available in your Google Cloud account:

gcloud projects list \
	--format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-web-project-123123
cc-dev-project-112233

03 Run container clusters list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to describe the name and the region of each GKE cluster provisioned for the selected project:

gcloud container clusters list \
	--project cc-web-project-123123 \
	--format="table(NAME,ZONE)"

04 The command output should return the requested cluster names and their regions:

NAME: cc-gke-backend-cluster
ZONE: us-central1

NAME: cc-gke-frontend-cluster
ZONE: us-central1

05 Run container clusters describe command (Windows/macOS/Linux) with the name of the GKE cluster that you want to examine as the identifier parameter and custom output filters to determine if the cluster's control plane is configured with authorized networks:

gcloud container clusters describe cc-gke-backend-cluster \
	--region=us-central1 \
	--format="yaml(masterAuthorizedNetworksConfig.enabled)"

06 The command output should return the feature status (enabled: true for enabled, null for disabled):

null

If the container clusters describe command output returns null, as shown in the example above, there are no authorized networks configured to provide controlled access and anyone on the Internet can perform requests to the GKE cluster control plane. Therefore, the control plane access configuration available for the selected Google Kubernetes Engine (GKE) cluster is not compliant.

07 Repeat steps no. 5 and 6 for each GKE cluster provisioned for the selected GCP project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.
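A scripted version of the CLI audit above, added here as an example and not part of the Conformity rule page: it reads the same masterAuthorizedNetworksConfig field from `gcloud container clusters list --format=json`, additionally flags clusters whose allow-list is 0.0.0.0/0 (an extra check beyond the rule, since such a cluster is still reachable from any address), and prints the update command from the Remediation section for each failing cluster. The sample cluster records are constructed, and the gcloud `--location` flag is assumed to be available in the installed SDK.

```python
import json
import subprocess
import sys
from typing import Any

# Constructed sample of `gcloud container clusters list --format=json`, trimmed to the
# fields this check reads (not real cluster data).
SAMPLE_CLUSTERS: list[dict[str, Any]] = [
    {"name": "cc-gke-backend-cluster", "location": "us-central1"},  # config absent
    {"name": "cc-gke-frontend-cluster", "location": "us-central1",
     "masterAuthorizedNetworksConfig": {"enabled": True, "cidrBlocks": [
         {"displayName": "everyone", "cidrBlock": "0.0.0.0/0"}]}},
    {"name": "cc-gke-ops-cluster", "location": "us-central1",
     "masterAuthorizedNetworksConfig": {"enabled": True, "cidrBlocks": [
         {"displayName": "office", "cidrBlock": "198.51.105.0/24"}]}},
]

def evaluate_cluster(cluster: dict[str, Any]) -> tuple[bool, str]:
    """Return (compliant, reason). Same field the Audit section reads, plus one extra
    check: a cluster that is enabled but authorizes 0.0.0.0/0 is still Internet-exposed."""
    cfg = cluster.get("masterAuthorizedNetworksConfig") or {}
    if not cfg.get("enabled"):  # absent config is the `null` seen in the yaml output
        return False, "authorized networks disabled: control plane reachable from any IP"
    cidrs = [b.get("cidrBlock", "") for b in cfg.get("cidrBlocks", [])]
    wide_open = [c for c in cidrs if c in ("0.0.0.0/0", "::/0")]
    if wide_open:
        return False, "authorized network allows all addresses: " + ", ".join(wide_open)
    return True, "authorized networks: " + (", ".join(cidrs) or "(Google Cloud internal only)")

def remediation_command(cluster: dict[str, Any], trusted_cidrs: list[str]) -> str:
    """Build the Remediation section's update command for a failing cluster."""
    location = cluster.get("location") or cluster.get("zone", "")  # region or zone name
    return (f"gcloud container clusters update {cluster['name']} --location={location} "
            "--enable-master-authorized-networks "
            f"--master-authorized-networks={','.join(trusted_cidrs)}")

def list_clusters(project: str) -> list[dict[str, Any]]:
    """Live lookup through gcloud; only called when a project ID is given on the CLI."""
    out = subprocess.run(["gcloud", "container", "clusters", "list", "--project", project,
                          "--format=json"], check=True, capture_output=True, text=True)
    return json.loads(out.stdout)

if __name__ == "__main__":
    clusters = list_clusters(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CLUSTERS
    for cluster in clusters:
        ok, reason = evaluate_cluster(cluster)
        print("PASS" if ok else "FAIL", cluster["name"], reason)
        if not ok:  # trusted range taken from the Remediation section's example
            print("  fix:", remediation_command(cluster, ["198.51.105.0/24"]))
```

Run it without arguments to see the three constructed verdicts, or with a project ID to audit that project's clusters live.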

Remediation / Resolution

To ensure that your Google Kubernetes Engine (GKE) cluster control plane is not exposed to the Internet, perform the following operations:

Note: Authorized networks block untrusted IP addresses from outside Google Cloud Platform (GCP). IPs from inside Google Cloud (such as traffic from Compute Engine virtual machines) can reach the cluster provided that they have the necessary Kubernetes access credentials.

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Kubernetes Engine console available at https://console.cloud.google.com/kubernetes.

04 In the left navigation panel, under Resource Management, choose Clusters and select the OVERVIEW tab to access the list of GKE clusters deployed for the selected GCP project.

05 Click on the name (link) of the GKE cluster that you want to configure.

06 Select the DETAILS tab to view the configuration information available for the selected cluster.

07 In the Control Plane Networking section, click on the Edit Control plane networking button (i.e., pencil icon) available next to DNS endpoint, and perform the following actions to configure authorized networks:

  1. Check the Enable authorized networks setting checkbox available under Access using IPv4 addresses.
  2. Under Authorized networks, choose ADD AN AUTHORIZED NETWORK to configure a new authorized network.
  3. For Name, provide a unique name for your authorized network.
  4. For Network, enter the IPv4 address or IPv4 address range (using CIDR notation, e.g. 198.51.105.0/24) of the network that is authorized to access your GKE cluster control plane.
  5. Choose DONE to save the network configuration.
  6. (Optional) Choose ADD AN AUTHORIZED NETWORK and add as many authorized networks as needed in order to block untrusted IPv4 addresses from accessing your cluster control plane through HTTPS.
  7. Once all the authorized networks are configured, choose SAVE CHANGES to apply the changes.

08 Repeat steps no. 5 – 7 for each GKE cluster that you want to configure, created for the selected GCP project.

09 Repeat steps no. 2 – 8 for each GCP project available in your Google Cloud account.

Using GCP CLI

01 Run container clusters update command (Windows/macOS/Linux) with the name of the Google Kubernetes Engine (GKE) cluster that you want to configure as the identifier parameter, to define the networks that are authorized to access your GKE cluster control plane. Include the --enable-master-authorized-networks and --master-authorized-networks command parameters to specify the authorized networks with access to the cluster's control plane endpoint. With --master-authorized-networks, you can specify up to 50 comma-delimited CIDRs:

gcloud container clusters update cc-gke-backend-cluster \
	--region=us-central1 \
	--enable-master-authorized-networks \
	--master-authorized-networks 198.51.105.0/24

02 The command output should return the full URL of the modified GKE cluster:

Updating cc-gke-backend-cluster... done.
Updated [https://container.googleapis.com/v1/projects/cc-web-project-123123/zones/us-central1/clusters/cc-gke-backend-cluster].

03 Repeat steps no. 1 and 2 for each GKE cluster that you want to configure, available within the selected GCP project.

04 Repeat steps no. 1 – 3 for each GCP project deployed in your Google Cloud account.

Publication date May 10, 2021