GKE control plane is publicly accessible Affecting Container service in Google

Severity Framework Snyk CCSS

Rule category Containers / Best Practices

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-Controls NIST-800-53 SOC-2

Snyk ID SNYK-CC-00415
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

Potentially anyone can access the GKE administrative endpoint.

How to fix?

Set master_authorized_networks_config.cidr_blocks to specific ranges only .e.g 192.168.0.0/24.

Example Configuration

resource "google_container_cluster" "allowed" {
  name     = "my-gke-cluster"
  location = "us-central1"
}

resource "google_container_cluster" "allowed_2" {
  name     = "my-gke-cluster"
  location = "us-central1"
  master_authorized_networks_config {
  }
}

resource "google_container_cluster" "allowed_3" {
  name     = "my-gke-cluster"
  location = "us-central1"
  master_authorized_networks_config {
    cidr_blocks {
      cidr_block = "192.168.0.0/24"
    }
    cidr_blocks {
      cidr_block = "192.0.0.0/16"
    }
  }
}

Terraform

google_container_cluster