๐ก๏ธ Google GKE Cluster Control Plane Authorized Networks are disabled๐ข
- Contextual name: ๐ก๏ธ Cluster Control Plane Authorized Networks are disabled๐ข
- ID: /ce/ca/google/gke/cluster-authorized-networks
- Tags:
- ๐ข Policy with categories
- ๐ข Policy with type
- ๐ข Production policy
 
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: SECURITY
Logicโ
- ๐ง prod.logic.yaml๐ข
Descriptionโ
Descriptionโ
This policy identifies Google GKE Clusters where Control Plane Authorized Networks are not enabled. Enabling this feature restricts access to the clusterโs control plane to a defined allowlist of trusted IP addresses.
Rationaleโ
Control Plane Authorized Networks improve cluster security by limiting which IP addresses can access the Kubernetes API server.
Key benefits include:
- Restricts external, non-GCP access to a specified set of IP addresses (e.g., corporate office ranges), reducing exposure in the event of a vulnerability in authentication or authorization mechanisms.
- Helps mitigate risks from leaked master certificates by ensuring they cannot be used from unauthorized IP ranges.
- Allows administrators to enforce strict access policies while still permitting trusted GCP traffic (e.g., Compute Engine VMs).
Impactโ
When implementing Control Plane Authorized Networks, ensure all required networks are included in the allowlist, otherwise legitimate external access to the clusterโs control plane may be inadvertently blocked.
... see more
Remediationโ
Remediationโ
Enable Control Plane Authorized Networksโ
Using gcloud CLIโ
To enable Control Plane Authorized Networks for an existing cluster, run the following command:
```sh
gcloud container clusters update <cluster_name> \
--location {{location}} \
--enable-master-authorized-networks
```You can also specify the allowed IP ranges using the
--master-authorized-networksflag. This flag accepts a comma-separated list of CIDR blocks (up to 100 for private clusters, 50 for public clusters).These authorized networks define the IP addresses permitted to access your clusterโs control plane via HTTPS.