GCP Kubernetes Engine Clusters have Master authorized networks disabled
Description
Authorized networks allow allowlisting of specific CIDR ranges, permitting only IP addresses in those ranges to reach the cluster master endpoint over HTTPS. GKE already uses both TLS and authentication to secure access to the cluster master endpoint from the public Internet, which gives you the flexibility to administer the cluster from anywhere. We recommend that you enable master authorized networks in GKE clusters: with authorized networks you can further restrict control-plane access to a specified set of IP addresses, so a leaked credential alone is not enough to reach the API server.
Remediation
Terraform
Code Example
```hcl
resource "google_container_cluster" "primary" {
  name               = "marcellus-wallace"
  location           = "us-central1-a"
  initial_node_count = 3

  master_auth {
    client_certificate_config {
      issue_client_certificate = false
    }
  }

  # Enabling master authorized networks restricts access to the control-plane
  # endpoint to the CIDR ranges listed below.
  master_authorized_networks_config {
    cidr_blocks {
      # Note: a prefix length of /0 matches every IPv4 address, so this block
      # still admits the whole Internet; use the actual ranges your
      # administrators connect from (for example an office or VPN egress range).
      cidr_block   = "10.10.10.10/0"
      display_name = "foo"
    }
  }
}
```
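The following is an added example, not Checkov's or Prisma Cloud's own implementation of this rule. It mirrors the intent of the check over `google_container_cluster` resources as they appear in a Terraform plan's JSON output (`terraform show -json`), where nested blocks are rendered as lists under `planned_values.root_module.resources[*].values`. It goes one step beyond the presence check the rule describes: a cluster whose `master_authorized_networks_config` block is present but lists a `/0` range is reported as a warning, because such a range admits every address. The plan fragment embedded below is constructed for the example.

```python
"""Minimal checker for GKE master authorized networks in Terraform plan JSON.

Added example; not the project's own code. Assumes the plan JSON layout
produced by `terraform show -json` (nested blocks appear as lists).
"""
import ipaddress
import json

# Constructed plan fragment: one cluster with no authorized networks block,
# one restricted to a documentation range, and one using the /0 prefix.
SAMPLE_PLAN = json.dumps({
    "planned_values": {"root_module": {"resources": [
        {"address": "google_container_cluster.open",
         "type": "google_container_cluster",
         "values": {"name": "open",
                    "master_authorized_networks_config": []}},
        {"address": "google_container_cluster.restricted",
         "type": "google_container_cluster",
         "values": {"name": "restricted",
                    "master_authorized_networks_config": [
                        {"cidr_blocks": [
                            {"cidr_block": "203.0.113.0/24",
                             "display_name": "office"}]}]}},
        {"address": "google_container_cluster.any",
         "type": "google_container_cluster",
         "values": {"name": "any",
                    "master_authorized_networks_config": [
                        {"cidr_blocks": [
                            {"cidr_block": "10.10.10.10/0",
                             "display_name": "foo"}]}]}},
    ]}}
})


def iter_resources(plan):
    """Yield every resource in the root module and all nested modules."""
    def walk(module):
        for res in module.get("resources", []):
            yield res
        for child in module.get("child_modules", []):
            yield from walk(child)
    yield from walk(plan["planned_values"]["root_module"])


def check_cluster(values):
    """Return (status, reason) for one google_container_cluster's values.

    FAILED  : the master_authorized_networks_config block is absent or empty
    WARNING : the block exists but a listed range has prefix length 0
    PASSED  : the block restricts access to specific ranges
    """
    configs = values.get("master_authorized_networks_config") or []
    if not configs:
        return ("FAILED", "master_authorized_networks_config block is missing")
    blocks = []
    for cfg in configs:
        blocks.extend(cfg.get("cidr_blocks") or [])
    if not blocks:
        return ("FAILED", "master_authorized_networks_config has no cidr_blocks")
    for block in blocks:
        cidr = block.get("cidr_block", "")
        try:
            # strict=False tolerates host bits set, as in "10.10.10.10/0".
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            return ("FAILED", f"unparseable cidr_block {cidr!r}")
        if net.prefixlen == 0:
            return ("WARNING", f"{cidr} admits every address; narrow the range")
    listed = ", ".join(b["cidr_block"] for b in blocks)
    return ("PASSED", f"control plane restricted to {listed}")


def run_check(plan_json):
    """Evaluate every google_container_cluster in a plan; map address -> result."""
    results = {}
    for res in iter_resources(json.loads(plan_json)):
        if res.get("type") == "google_container_cluster":
            results[res["address"]] = check_cluster(res.get("values", {}))
    return results


if __name__ == "__main__":
    for address, (status, reason) in run_check(SAMPLE_PLAN).items():
        print(f"{status:8} {address}: {reason}")
```

Run it against a real plan with `python check.py < plan.json` after replacing `SAMPLE_PLAN` with the file contents; the `WARNING` status is the part that the presence-only rule does not give you, and it is what catches a configuration like the `10.10.10.10/0` block above.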
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0879 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_GCP_20 |