lacework-global-771
Enable Control Plane Authorized Networks (Automated)
Description
Enable Control Plane Authorized Networks to restrict access to the cluster's control plane to only an allowlist of authorized IPs.
Remediation
Using Google Cloud Console:
- Go to Kubernetes Engine by visiting: https://console.cloud.google.com/kubernetes/list.
- Select a Kubernetes cluster with Control Plane Authorized Networks disabled.
- Within the Details pane, under the Networking heading, click the pencil icon named Edit control plane authorised networks.
- Check the box next to Enable control plane authorised networks.
- Click Save Changes.
Using Command Line:
To enable Control Plane Authorized Networks for an existing cluster, run the following command:
gcloud container clusters update <cluster_name> --zone <compute_zone> --enable-master-authorized-networks
Along with this, you can specify the authorized networks using the --master-authorized-networks flag, which takes a list of up to 20 external networks allowed to connect to the cluster's control plane over HTTPS.
Provide these networks as a comma-separated list of addresses in Classless Inter-Domain Routing (CIDR) notation (such as 90.90.100.0/24).
References
https://cloud.google.com/kubernetes-engine/docs/how-to/authorized-networks