Enable master authorized networks on all clusters.
Risk Level: Medium
Description
This plugin ensures that master authorized networks are enabled on GKE clusters. Authorized networks allow you to designate a limited range of IP addresses that are allowed to reach your Kubernetes master endpoint in your container cluster.
About the Service
Google Cloud Kubernetes Engine:
The Google Cloud Kubernetes Engine is a Kubernetes-based service that includes a control plane, nodes that house pods, and Google Cloud services. It aids in the modernization of your programs by offering a platform for deploying, managing, and scaling containerized applications. The Google Cloud Console or kubectl can be used to interact with this Google Cloud Kubernetes Engine. To know more, read here.
Impact
If you disable the master-approved network for your clusters, it reduces the security and prevents you from receiving extra security benefits. It also enables HTTPS access to your control plane endpoint from the public internet. As a result, because the cluster's authentication and authorization are reduced, it renders it exposed to attacks.
Steps to Reproduce
Using GCP Console-
- Log In to your GCP Console.
- From the top navigation bar, select the GCP project you want to investigate.
- From the navigation panel on the left side of the console, go to Kubernetes Engine and select Clusters. You can use this link here to navigate directly if you’re already logged in.
- Select the cluster you want to investigate from the list of clusters displayed.
- Under the Networking section, check the status of Control plane authorised networks. If it says disabled then SentinelOne CNS strongly recommends enabling it.
- Repeat steps 4 and 5 for all the clusters you want to investigate in the selected project.
- If you have multiple projects that you want to investigate, repeat steps 2 to 6 for each project in your GCP console.
Steps for Remediation
Determine whether or not you truly require master authorized network to be disabled. If not, make the necessary changes to enable it using the steps given below.
Using GCP Console-
- Log In to your GCP Console.
- From the top navigation bar, select the GCP project you want to investigate.
- From the navigation panel on the left side of the console, go to Kubernetes Engine and select Clusters. You can use this link here to navigate directly if you’re already logged in.
- Select the cluster you want to reconfigure from the list of clusters displayed and go to the DETAILS tab of the selected cluster. (In case you aren’t sure which node pool needs to be configured, follow the steps to reproduce listed above to determine which to choose.)
- Under the Networking section, click on the edit icon in the Control plane authorised networks row to edit the configuration.
- In the Edit Control plane authorised networks pop-up box, check the Enable control plane authorised networks checkbox.
- Click on ADD AUTHORISED NETWORK to add an authorised network. Enter a valid name and network in the textboxes provided and click DONE.
- Then, click on SAVE CHANGES to save the edit.
- Repeat steps 4 to 8 for all the clusters you want to reconfigure in the selected project.
- If you have multiple projects, repeat steps 2 to 9 for each project in your GCP console.