🛡️ Google GKE Cluster Control Plane Authorized Networks are disabled🟢

• Contextual name: 🛡️ Cluster Control Plane Authorized Networks are disabled🟢
• ID: /ce/ca/google/gke/cluster-authorized-networks
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 Google GKE Cluster
  • 🔌 Google GKE Cluster - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

This policy identifies Google GKE Clusters where Control Plane Authorized Networks are not enabled. Enabling this feature restricts access to the cluster’s control plane to a defined allowlist of trusted IP addresses.

Rationale

Control Plane Authorized Networks improve cluster security by limiting which IP addresses can access the Kubernetes API server.

Key benefits include:

• Restricts external, non-GCP access to a specified set of IP addresses (e.g., corporate office ranges), reducing exposure in the event of a vulnerability in authentication or authorization mechanisms.
• Helps mitigate risks from leaked master certificates by ensuring they cannot be used from unauthorized IP ranges.
• Allows administrators to enforce strict access policies while still permitting trusted GCP traffic (e.g., Compute Engine VMs).

Impact

When implementing Control Plane Authorized Networks, ensure all required networks are included in the allowlist, otherwise legitimate external access to the cluster’s control plane may be inadvertently blocked.

... see more

Remediation

Open File

Remediation

Enable Control Plane Authorized Networks

Using gcloud CLI

To enable Control Plane Authorized Networks for an existing cluster, run the following command:

```sh
gcloud container clusters update <cluster_name> \
    --location {{location}} \
    --enable-master-authorized-networks
```

You can also specify the allowed IP ranges using the --master-authorized-networks flag. This flag accepts a comma-separated list of CIDR blocks (up to 100 for private clusters, 50 for public clusters).

These authorized networks define the IP addresses permitted to access your cluster’s control plane via HTTPS.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS GKE v1.8.0 → 💼 5.6.3 Ensure Control Plane Authorized Networks is Enabled (Automated)			1		no data
💼 Cloudaware Framework → 💼 Secure Access			57		no data
💼 PCI DSS v3.2.1 → 💼 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.		10	56		no data
💼 PCI DSS v3.2.1 → 💼 1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.		6	20		no data
💼 PCI DSS v3.2.1 → 💼 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.			20		no data
💼 PCI DSS v3.2.1 → 💼 1.3.5 Permit only “established” connections into the network.			20		no data
💼 PCI DSS v4.0.1 → 💼 1.3.1 Inbound traffic to the CDE is restricted.			56		no data
💼 PCI DSS v4.0.1 → 💼 1.3.2 Outbound traffic from the CDE is restricted.			56		no data
💼 PCI DSS v4.0.1 → 💼 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted.			20		no data
💼 PCI DSS v4.0 → 💼 1.3.1 Inbound traffic to the CDE is restricted.		7	56		no data
💼 PCI DSS v4.0 → 💼 1.3.2 Outbound traffic from the CDE is restricted.			56		no data
💼 PCI DSS v4.0 → 💼 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted.		7	20		no data