Creating Authorized Networks for Master Access

Authorized networks are a way of specifying a restricted range of IP addresses that are permitted to access your container cluster's Kubernetes master endpoint.

Container Engine uses both Transport Layer Security (TLS) and authentication to provide secure access to your container cluster's Kubernetes master endpoint from the public internet. This provides you the flexibility to administer your cluster from anywhere; however, you might want to further restrict access to a set of IP addresses that you control. You can set this restriction by specifying an authorized network.

Restricting access to an authorized network can provide additional security benefits for your container cluster, including:

  • Better Protection from Outsider Attacks: Authorized networks provide an additional layer of security by limiting external, non-GCP access to a specific set of addresses you designate, such as those that originate from your premises. This helps protect access to your cluster in the case of a vulnerability in the cluster's authentication or authorization mechanism.

  • Better Protection from Insider Attacks: Authorized networks help protect your cluster from accidental leaks of master certificates from your company's premises. Leaked certificates used from outside GCP and outside the authorized IP ranges--for example, from addresses outside your company--are still denied access.

Setting up an authorized network

You can create an authorized network for a new cluster at creation time, or you can update an existing cluster to add an authorized network.

Creating a new cluster with an authorized network

You can create a new cluster with an authorized network using the gcloud command-line tool, or by using the Cloud Platform Console.

gcloud

Using the gcloud command-line tool, run the gcloud container clusters create command with two flags: the --enable-master-authorized-networks flag, and the --master-authorized-networks flag.

The --master-authorized-networks flag contains a list of up to ten external networks that are allowed to connect to your cluster's Kubernetes master through HTTPS. You provide these networks as a comma-separated list of addresses in CIDR notation (such as 1.2.3.4/30). For example:

gcloud container clusters create example-cluster --enable-master-authorized-networks --master-authorized-networks=8.8.8.8/32,8.8.8.0/24

Console

Console instructions TBD.

Updating an existing cluster to configure an authorized network

You can update an existing cluster to add or change an authorized network by using the gcloud command-line tool, or by using the Cloud Platform Console.

gcloud

Using the gcloud command-line tool, run the gcloud container clusters update command with two flags: the --enable-master-authorized-networks flag, and the --master-authorized-networks flag.

The --master-authorized-networks flag contains a list of up to ten external networks that are allowed to connect to your cluster's Kubernetes master through HTTPS. You provide these networks as a comma-separated list of addresses in CIDR notation (such as 192.168.100.0/24). For example:

gcloud container clusters update example-cluster --enable-master-authorized-networks --master-authorized-networks=8.8.8.8/32,8.8.8.0/24

You can also run the gcloud container clusters update command with the --no-enable-master-authorized-networks flag to allow the public internet (0.0.0.0/0) to connect to your cluster's Kubernetes master through HTTPS.
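As an added example that is not part of this page or of the gcloud tool itself, the following Python checks a --master-authorized-networks value the way the create and update commands above expect it (CIDR notation, at most ten networks) before it is applied, flags entries already covered by a broader entry, and tests whether a given administrator address would still be admitted. The function names and the local validation rules are assumptions made for this example.

```python
# Added example (not the docs' own code): validate a --master-authorized-networks
# value before running gcloud, then check which addresses the restriction admits.
import ipaddress
import shlex

MAX_AUTHORIZED_NETWORKS = 10  # limit stated for the flag

def parse_authorized_networks(spec):
    """Parse the comma-separated CIDR list the flag takes. Rejects malformed
    entries, host bits set (10.1.2.3/8), more than ten networks, and a /0,
    which readmits the whole internet while the restriction looks enabled."""
    nets = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty entry in authorized network list")
        net = ipaddress.ip_network(item, strict=True)  # strict: no host bits
        if net.prefixlen == 0:
            raise ValueError(item + " admits every address; use "
                             "--no-enable-master-authorized-networks instead")
        nets.append(net)
    if len(nets) > MAX_AUTHORIZED_NETWORKS:
        raise ValueError("%d networks given, at most %d allowed"
                         % (len(nets), MAX_AUTHORIZED_NETWORKS))
    return nets

def validation_error(spec):
    """Validation message for spec, or None when it is acceptable."""
    try:
        parse_authorized_networks(spec)
    except ValueError as exc:
        return str(exc)
    return None

def redundant_networks(nets):
    """Entries already covered by a broader entry in the same list, e.g.
    8.8.8.8/32 next to 8.8.8.0/24; each one wastes one of the ten slots."""
    return [n for n in nets if any(n != m and n.version == m.version
                                   and n.subnet_of(m) for m in nets)]

def is_admitted(addr, nets):
    """True if addr would pass the authorized-network check."""
    return any(ipaddress.ip_address(addr) in n for n in nets)

def build_update_command(cluster, spec):
    """gcloud command line that applies the validated list to cluster."""
    cidrs = ",".join(str(n) for n in parse_authorized_networks(spec))
    return " ".join(["gcloud", "container", "clusters", "update",
                     shlex.quote(cluster), "--enable-master-authorized-networks",
                     "--master-authorized-networks=" + cidrs])
```

Run against the page's own value, 8.8.8.8/32,8.8.8.0/24, redundant_networks reports the /32 as already covered by the /24, and is_admitted shows 8.8.8.100 allowed but 8.8.4.4 denied.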

Console

Console instructions TBD.
