GCP Kubernetes Engine Clusters Have Master Authorized Networks Disabled

This policy identifies Kubernetes Engine clusters that do not have master authorized networks enabled. With master authorized networks enabled, GKE restricts HTTPS access to the Kubernetes control plane (the API server endpoint) to the CIDR ranges you list, so untrusted source IPs outside GCP cannot reach the master even if they hold valid credentials.

Policy Details

Policy Subtype
Run, Build
Severity
Medium
Template Type
Terraform

Build Rules

GCP Kubernetes Engine Clusters have Master authorized networks disabled.
JSON Query:
$.resource[*].google_container_cluster[*].*.*.master_authorized_networks_config anyNull
The query flags any google_container_cluster resource in which the master_authorized_networks_config block is absent (null).
Recommendation:
Ensure that GCP Kubernetes Engine clusters have master authorized networks enabled. Make sure every google_container_cluster resource in your template defines a "master_authorized_networks_config" block. Populate cidr_blocks with the source ranges that legitimately need to reach the API server (operator workstations, bastion hosts, CI runners); a block with an empty cidr_blocks list satisfies this check but grants no explicit external source access, so kubectl from outside those GKE defaults will be refused. Avoid 0.0.0.0/0, which satisfies the check while restricting nothing.
For example:
"google_container_cluster": [
  {
    "<container_cluster_name>": [
      {
        "initial_node_count": 3,
        "location": "us-central1-a",
        "master_auth": [
          {
            "client_certificate_config": [
              { "issue_client_certificate": false }
            ],
            "password": "",
            "username": ""
          }
        ],
        "master_authorized_networks_config": [
          { "cidr_blocks": [ ] }
        ],
        "name": "marcellus-wallace"
      }
    ]
  }
]
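The query above is easy to reproduce offline before a template ever reaches the scanner. The following Python script is an added example, not code from this policy page or from Prisma Cloud's own engine: it walks a Terraform JSON template, reports google_container_cluster resources with no master_authorized_networks_config (the anyNull condition), and additionally warns when the block exists but lists 0.0.0.0/0, a case the build rule itself does not catch. The cluster labels, CIDR ranges and template are constructed for the demo, and the checker accepts both the list-of-objects shape used in the example above and the plain-object shape Terraform also permits.

```python
"""Offline check for the build rule: flag google_container_cluster resources in a
Terraform JSON template whose master_authorized_networks_config is missing, and
warn when it is present but allows 0.0.0.0/0.

Added example, not part of the original policy page or of Prisma Cloud.
The Terraform JSON below is constructed for the demo.
"""
import json

# Constructed sample in Terraform JSON syntax: one cluster that restricts the
# control plane to an office range, one with no block at all (non-compliant),
# and one that passes the policy query but whitelists the whole Internet.
SAMPLE_TEMPLATE = json.dumps({
    "resource": {
        "google_container_cluster": {
            "restricted": {
                "name": "restricted",
                "location": "us-central1-a",
                "initial_node_count": 1,
                "master_authorized_networks_config": {
                    "cidr_blocks": [
                        {"cidr_block": "203.0.113.0/24", "display_name": "office"}
                    ]
                },
            },
            "open": {
                "name": "open",
                "location": "us-central1-a",
                "initial_node_count": 1,
            },
            "world": {
                "name": "world",
                "location": "us-central1-a",
                "initial_node_count": 1,
                "master_authorized_networks_config": [
                    {"cidr_blocks": [{"cidr_block": "0.0.0.0/0", "display_name": "any"}]}
                ],
            },
        }
    }
})


def _as_list(block):
    """Terraform JSON lets a nested block be a single object or a list of objects."""
    if block is None:
        return []
    return block if isinstance(block, list) else [block]


def audit_clusters(template_text):
    """Return (missing, permissive): labels of clusters with no
    master_authorized_networks_config, and labels whose config allows 0.0.0.0/0."""
    doc = json.loads(template_text)
    missing, permissive = [], []
    for res in _as_list(doc.get("resource")):
        for entry in _as_list(res.get("google_container_cluster")):
            for label, body in entry.items():
                for cluster in _as_list(body):
                    config = cluster.get("master_authorized_networks_config")
                    if config is None:  # the 'anyNull' condition of the policy query
                        missing.append(label)
                        continue
                    for cfg in _as_list(config):
                        for cb in _as_list(cfg.get("cidr_blocks")):
                            if cb.get("cidr_block") == "0.0.0.0/0":
                                permissive.append(label)
    return missing, permissive


if __name__ == "__main__":
    bad, wide = audit_clusters(SAMPLE_TEMPLATE)
    print("missing master_authorized_networks_config:", bad)
    print("authorized networks include 0.0.0.0/0:", wide)
```

Run it against `terraform show -json` output or a hand-written `.tf.json` file; a non-empty first list is the condition this policy reports, and a non-empty second list is the configuration a reviewer should reject even though the policy passes it.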

Run Rule Recommendation

  1. Log in to the GCP Console.
  2. Go to Kubernetes Engine (left panel).
  3. Select Kubernetes clusters.
  4. From the list of clusters, choose the reported cluster.
  5. Click the EDIT button.
  6. Set 'Master authorized networks (beta)' to Enabled and add the CIDR ranges that must be able to reach the control plane (operator workstations, bastion hosts, CI runners). Do not add 0.0.0.0/0, which enables the feature without restricting anything.
  7. Click Save.

Compliance

There are 9 standards that are applicable to this policy:
  • PCI DSS v3.2
  • HIPAA
  • CSA CCM v3.0.1
  • SOC 2
  • CIS v1.0.0 (GCP)
  • PIPEDA
  • ISO 27001:2013
  • CCPA 2018
  • NIST 800-53 Rev4
