Restrict Network Access to GKE Clusters

Risk Level: High (not acceptable risk)

Ensure that your Google Kubernetes Engine (GKE) clusters are configured with master authorized networks in order to limit their exposure to the Internet. Master authorized networks allow you to whitelist specific IP addresses and/or IP address ranges to access your cluster master endpoint using HTTPS.

Security

Adding master authorized networks can provide network level protection and additional security benefits for your GKE cluster. Authorized networks grant access to a specific set of trusted IP addresses, such as those that originate from a secure network. This can help protect access to your GKE cluster in the case of a vulnerability in the cluster's authentication or authorization mechanism.

Audit

To determine if your Google Kubernetes Engine (GKE) clusters are exposed to the Internet, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Google Kubernetes Engine (GKE) console at https://console.cloud.google.com/kubernetes.

04 In the navigation panel, select Clusters to access the list of the GKE clusters deployed within the selected project.

05 Click on the name of the GKE cluster that you want to examine.

06 Select the Details tab to access the cluster configuration information, and check the Master authorized networks attribute value. If the Master authorized networks value is set to Disabled, anyone on the Internet can perform network connections to the cluster control plane, therefore your Google Kubernetes Engine (GKE) cluster access configuration is not compliant.

07 Repeat step no. 5 and 6 for each GKE cluster created for the selected Google Cloud project.

08 Repeat steps no. 2 – 7 for each project deployed within your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your cloud account:

gcloud projects list
    --format="table(projectId)"

02 The command output should return the requested GCP project identifiers:

PROJECT_ID
cc-bigdata-project-123123
cc-sap-app-project-112233

03 Run container clusters list command (Windows/macOS/Linux) using custom query filters to describe the name and the zone of each GKE cluster provisioned for the selected Google Cloud project:

gcloud container clusters list
    --project cc-bigdata-project-123123
    --format="(NAME,LOCATION)"

04 The command output should return the requested GKE cluster names and their zones:

NAME                     LOCATION
cc-gke-frontend-cluster  us-central1-c
cc-gke-backend-cluster   us-central1-c

05 Run container clusters describe command (Windows/macOS/Linux) using the name of the Google Cloud GKE cluster that you want to examine as identifier parameter and custom query filters to describe the master authorized network(s) configured for the selected GKE cluster:

gcloud container clusters describe cc-gke-frontend-cluster
    --zone=us-central1-c
    --format="yaml(masterAuthorizedNetworksConfig)"

06 The command output should return the master authorized network(s) configuration:

masterAuthorizedNetworksConfig: {}

If the container clusters describe command output returns an empty object for the masterAuthorizedNetworksConfig configuration attribute, as shown in the example above, there are no master authorized networks configured to provide controlled access to the control plane, therefore anyone on the Internet can access the selected Google Kubernetes Engine (GKE) cluster.

07 Repeat step no. 5 and 6 for each GKE cluster available within the selected GCP project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To restrict access to your Google Kubernetes Engine (GKE) clusters and limit their exposure to the Internet using authorized networks, perform the following operations:

Note: Authorized networks block untrusted IP addresses from outside Google Cloud Platform (GCP). IPs from inside Google Cloud (such as traffic from Compute Engine virtual machines) can reach the cluster provided that they have the necessary Kubernetes access credentials.

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Google Kubernetes Engine (GKE) console at https://console.cloud.google.com/kubernetes.

04 In the navigation panel, select Clusters to access the list of the GKE clusters created for the selected project.

05 Click on the name of the GKE cluster that you want to reconfigure and click on the EDIT button from the console top menu to enter the cluster edit mode.

06 On the selected cluster configuration page, select Enabled from the Master authorized networks dropdown list and perform the following:

Click on Add authorized network to create a new authorized network.
Provide a unique name for your new authorized network in the Name box.
Fill Network with the trusted IPv4 address or IPv4 address range (using CIDR notation, e.g. 10.10.10.0/24) that you want to grant whitelisted access to your Google Kubernetes Engine (GKE) cluster master.
Click Done to return to the console. Use Add authorized network to add as many additional authorized networks as needed in order to block untrusted, external IP addresses from accessing your GKE cluster through HTTP(S).

07 Click Save to apply the configuration changes.

08 Repeat steps no. 5 – 7 to configure master authorized networks for other GKE clusters available within the selected project.

09 Repeat steps no. 2 – 8 for each GCP project available in your Google Cloud account.

Using GCP CLI

01 Run container clusters update command (Windows/macOS/Linux) using the name of the Google Cloud GKE cluster that you want to reconfigure as identifier parameter, to add authorized networks to the selected GKE cluster in order to grant access to the cluster master from the trusted IP addresses/IP ranges that you define. With --master-authorized-networks parameter you can specify up to 50 comma-delimited CIDRs (e.g. 10.10.10.5/32,10.10.10.6/32). Repeat this step to add as many additional authorized networks as needed in order to block untrusted non-GCP source IPs from accessing your GKE cluster:

gcloud container clusters update cc-gke-frontend-cluster
    --zone=us-central1-c
    --enable-master-authorized-networks
    --master-authorized-networks 10.10.10.0/24

02 The command output should return the URL of the reconfigured GKE cluster:

Updating cc-gke-frontend-cluster...done.
Updated [https://container.googleapis.com/v1/projects/cc-bigdata-project-123123/zones/us-central1-c/clusters/cc-gke-frontend-cluster].

03 Repeat step no. 1 and 2 to configure master authorized networks for other GKE clusters provisioned for the selected GCP project.

04 Repeat steps no. 1 – 3 for each GCP project deployed in your Google Cloud account.

References

Google Cloud Platform (GCP) Documentation
Hardening your cluster's security
Adding authorized networks for control plane access

GCP Command Line Interface (CLI) Documentation
gcloud projects list
gcloud container clusters list
gcloud container clusters describe
gcloud container clusters update

Publication date May 10, 2021

Audit

Using GCP Console

Using GCP CLI

Remediation / Resolution

Using GCP Console

Using GCP CLI

References

Related GKE rules