Google CloudOverview
Authorized networks are a way of specifying a restricted range of IP addresses that are permitted to access your container cluster's Kubernetes master endpoint. Kubernetes Engine uses both Transport Layer Security (TLS) and authentication to provide secure access to your container cluster's Kubernetes master endpoint from the public internet. This provides you the flexibility to administer your cluster from anywhere; however, you might want to further restrict access to a set of IP addresses that you control. You can set this restriction by specifying an authorized network.
Rationale
By Enabling, Master authorized networks blocks untrusted IP addresses from outside Google Cloud Platform and Addresses from inside GCP (such as traffic from Compute Engine VMs) can reach your master through HTTPS provided that they have the necessary Kubernetes credentials.
Restricting access to an authorized network can provide additional security benefits for your container cluster, including:
- Better Protection from Outsider Attacks: Authorized networks provide an additional layer of security by limiting external, non-GCP access to a specific set of addresses you designate, such as those that originate from your premises. This helps protect access to your cluster in the case of a vulnerability in the cluster's authentication or authorization mechanism.
- Better Protection from Insider Attacks: Authorized networks help protect your cluster from accidental leaks of master certificates from your company's premises. Leaked certificates used from outside GCP and outside the authorized IP ranges--for example, from addresses outside your company--are still denied access.
Remediation guidance
Using Console
- Go to Kubernetes GCP Console by visiting https://console.cloud.google.com/kubernetes/list?
- Select reported Kubernetes clusters for which Master authorized networks is disabled
- Click on EDIT button and Set 'Master authorized networks (beta)' to Enabled
Using Command line
To check Master authorized networks status for an existing cluster, run the following command
gcloud container clusters describe \[CLUSTER_NAME\] --zone \[COMPUTE_ZONE\] --enable-master-authorized-networks'
Along with this, you can list authorized networks using the --master-authorized- networks flag which contains a list of up to 20 external networks that are allowed to connect to your cluster's Kubernetes master through HTTPS. You provide these networks as a comma-separated list of addresses in CIDR notation (such as 192.168.100.0/24).
Default Value
By default, Master authorized networks is disabled when you create a new cluster using the gcloud command-line tool or Google Cloud Platform Console.
References
- https://cloud.google.com/kubernetes-engine/docs/how-to/authorized-networks?hl=en_US
Notes
This is a Beta release of Specifying master authorized networks. This feature is not covered by any GCP SLA or deprecation policy and might be subject to backward-incompatible changes.
Multiple Remediation Paths
Google Cloud
SERVICE-WIDE (RECOMMENDED when many resources are affected): Enforce Organization Policies at org/folder level so new resources inherit secure defaults.
gcloud org-policies set-policy policy.yaml
ASSET-LEVEL: Use the product-specific remediation steps above for only the impacted project/resources.
PREVENTIVE: Use org policy constraints/custom constraints and enforce checks in deployment pipelines.
References for Service-Wide Patterns
- GCP Organization Policy overview: https://cloud.google.com/resource-manager/docs/organization-policy/overview
- GCP Organization policy constraints catalog: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints
- gcloud org-policies: https://cloud.google.com/sdk/gcloud/reference/org-policies
Operational Rollout Workflow
Use this sequence to reduce risk and avoid repeated drift.
1. Contain at Service-Wide Scope First (Recommended)
- Google Cloud: apply organization policy constraints at org/folder scope.
gcloud org-policies set-policy policy.yaml
2. Remediate Existing Affected Assets
- Execute the control-specific Console/CLI steps documented above for each flagged resource.
- Prioritize internet-exposed and production assets first.
3. Validate and Prevent Recurrence
- Re-scan after each remediation batch.
- Track exceptions with owner and expiry date.
- Add preventive checks in IaC/CI pipelines.
Query logic
These are the stored checks tied to this control.
Master authorized networks is set to Enabled on Kubernetes Engine Clusters
Connectors
Covered asset types
Expected check: eq []
gkeClusters(where:{masterAuthorizedNetworksConfigEnabled_NOT:true}){...AssetFragment}
