Ensure master authorized networks config block is set for Google Container Cluster

LOW

Description

Adding authorized networks works similarly to a firewall in that it allows only the specified networks to reach the HTTPS endpoint of the cluster control plane. For more information, see the GCP documentation.
References:
https://cloud.google.com/kubernetes-engine/docs/how-to/authorized-networks

Remediation

Changing the Network configuration is not possible after provisioning the GKE Cluster. Follow the steps below to create a new cluster with the appropriate network configuration.

In GCP Console -

  1. Open the GCP Portal and Go to the Google Kubernetes Engine (GKE).
  2. Click Create and choose Standard or Autopilot Cluster.
  3. Go to Networking and choose appropriate Network and Node subnet.
  4. Click Create.

In Terraform -

  1. In the google_container_cluster resource, ensure that the master_authorized_networks_config block is present and contains one or more cidr_blocks blocks, each with the cidr_blocks.cidr_block and cidr_blocks.display_name attributes set to valid values.
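As an added illustration (not part of this rule page or of the Terraform provider documentation), the resource below shows the block that the step above requires. The cluster name, location, VPC and subnet names, and the CIDR ranges are placeholder values; in a real configuration the CIDR ranges would be the specific egress addresses that need to reach the control plane.

```hcl
# Added example: a GKE cluster whose control-plane HTTPS endpoint is reachable
# only from the listed CIDR ranges. All names and addresses are placeholders.
resource "google_container_cluster" "example" {
  name     = "example-cluster"
  location = "us-central1"        # placeholder region

  network    = "example-vpc"      # placeholder VPC name
  subnetwork = "example-subnet"   # placeholder subnet name

  # Manage node pools separately from the cluster resource.
  remove_default_node_pool = true
  initial_node_count       = 1

  # Without this block the control plane endpoint accepts connections from
  # any source address; with it, only the listed ranges are allowed.
  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = "203.0.113.0/24"    # placeholder (TEST-NET-3): office egress range
      display_name = "corporate-office"
    }
    cidr_blocks {
      cidr_block   = "198.51.100.10/32"  # placeholder (TEST-NET-2): CI runner address
      display_name = "ci-runner"
    }
  }
}
```

Each cidr_blocks block names one allowed range, so the block can be repeated for every source that legitimately needs control-plane access; keeping each entry as narrow as possible (a /32 for a single host) and giving it a meaningful display_name makes later review of the allow list straightforward. Running terraform plan against a cluster definition that lacks the block is an easy way to confirm this rule would flag it before the cluster is created.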

References:
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#nested_master_authorized_networks_config
https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-zonal-cluster

Policy Details

Rule Reference ID: AC_GCP_0290
CSP: GCP
Remediation Available: Yes
Resource Category: Compute

Frameworks