GKE control plane is publicly accessible Affecting Container service in Google


Severity

0.0
high
0
10
    Severity Framework
    Snyk CCSS
    Rule category
    Containers / Best Practices

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
    Frameworks
    CIS-Controls NIST-800-53 SOC-2
  • Snyk ID SNYK-CC-00415
  • credit Snyk Research Team

Description

Potentially anyone can access the GKE administrative endpoint.

How to fix?

Set master_authorized_networks_config.cidr_blocks to specific ranges only .e.g 192.168.0.0/24.

Example Configuration

resource "google_container_cluster" "allowed" {
  name     = "my-gke-cluster"
  location = "us-central1"
}

resource "google_container_cluster" "allowed_2" {
  name     = "my-gke-cluster"
  location = "us-central1"
  master_authorized_networks_config {
  }
}

resource "google_container_cluster" "allowed_3" {
  name     = "my-gke-cluster"
  location = "us-central1"
  master_authorized_networks_config {
    cidr_blocks {
      cidr_block = "192.168.0.0/24"
    }
    cidr_blocks {
      cidr_block = "192.0.0.0/16"
    }
  }
}