Add authorized networks for control plane access

This page explains how to grant authorized network access to cluster control planes in Google Kubernetes Engine (GKE) clusters. For general information about GKE networking, visit the Network overview.

Overview

Authorized networks allow you to specify CIDR ranges and allow IP addresses in those ranges to access your cluster control plane endpoint using HTTPS. Authorized networks are compatible with all clusters.

GKE uses both Transport Layer Security (TLS) and authentication to provide secure access to your cluster control plane endpoint from the public internet. This provides you the flexibility to administer your cluster from anywhere. By using authorized networks, you can further restrict access to specified sets of IP addresses.

Private clusters run nodes that only have internal IP addresses and—similar to authorized networks—do not allow untrusted IP addresses from outside Google Cloud to access the control plane endpoint.

Using authorized networks in private clusters makes your control plane reachable only by the following:

  • Addresses inside Google Cloud, such as Compute Engine virtual machines (VMs), Cloud Functions, and Cloud Run
  • Allowed CIDR blocks
  • Nodes and Pods within your cluster's VPC
  • Google's internal production jobs that manage your control plane

Authorized networks and private cluster users should not depend on accessing the control plane from cloud services like Cloud Run and Cloud Functions, because this access will be removed in the future.

Benefits

Adding authorized networks can provide additional security benefits for your cluster. Authorized networks grant access to a specific set of addresses that you designate, such as those that originate from your environment. This can help protect access to your cluster in the case of a vulnerability in the cluster's authentication or authorization mechanisms.

Limitations

  • Public clusters can have up to 50 authorized network CIDR ranges; private clusters can have up to 100.
  • If you expand a subnet that is used by a cluster with authorized networks, you must update the authorized network to include the expanded IP address range.

Before you begin

Before you start, make sure you have performed the following tasks:

  • Enable the Google Kubernetes Engine API.
  • If you want to use the Google Cloud CLI for this task, install and then initialize the gcloud CLI.

Create a cluster with authorized networks

You can create a cluster with one or more authorized networks by using the Google Cloud CLI, the Google Cloud console, or the GKE API.

gcloud

Run the following command:

gcloud container clusters create CLUSTER_NAME \
    --enable-master-authorized-networks \
    --master-authorized-networks CIDR1,CIDR2,...

Replace the following:

  • CLUSTER_NAME: the name of the new cluster.
  • CIDR1,CIDR2,...: A comma-delimited list of the CIDR values for the authorized networks. For example, 8.8.8.8/32,8.8.8.0/24.

Console

  1. Go to the Google Kubernetes Engine page in the console.

  2. Click Create.

  3. Configure your cluster as needed.

  4. In the navigation menu, under Cluster, click Networking.

  5. Under Advanced networking options, select the Enable control plane authorized networks checkbox.

  6. Click Add authorized network.

  7. Enter a Name for the network.

  8. For Network, enter a CIDR range that you want to grant access to your cluster control plane.

  9. Click Done. Add additional authorized networks as needed.

  10. Click Create.

API

Specify the masterAuthorizedNetworksConfig object in your cluster create request:

"masterAuthorizedNetworksConfig": {
  "enabled": true,
  "cidrBlocks": [
    {
      "displayName": string,
      "cidrBlock": string
    }
  ]
}

For more information, refer to MasterAuthorizedNetworksConfig.

Create a private cluster with authorized networks

To learn how to create a private cluster with one or more authorized networks, refer to Private clusters.

Add an authorized network to an existing cluster

You can add an authorized network to an existing cluster using the gcloud CLI or the console.

gcloud

Run the following command:

gcloud container clusters update CLUSTER_NAME \
    --enable-master-authorized-networks \
    --master-authorized-networks CIDR1,CIDR2,...

Replace the following:

  • CLUSTER_NAME: the name of your existing cluster.
  • CIDR1,CIDR2,...: A comma-delimited list of the CIDR values for the authorized networks. For example, 8.8.8.8/32,8.8.8.0/24.

Console

  1. Go to the Google Kubernetes Engine page in the console.

  2. Click the name of the cluster you want to modify.

  3. Under Networking, in the Control plane authorized networks field, click Edit control plane authorized networks.

  4. Select the Enable control plane authorized networks checkbox.

  5. Click Add authorized network.

  6. Enter a Name for the network.

  7. For Network, enter a CIDR range that you want to grant access to your cluster control plane.

  8. Click Done. Add additional authorized networks as needed.

  9. Click Save Changes.

API

Specify the desiredMasterAuthorizedNetworksConfig field in your cluster update request. In the field, specify a MasterAuthorizedNetworksConfig object:

"desiredMasterAuthorizedNetworksConfig": {
  object(MasterAuthorizedNetworksConfig)
}

Verify an authorized network

You can verify an authorized network in an existing cluster using the gcloud CLI or the console.

gcloud

Run the following command:

gcloud container clusters describe CLUSTER_NAME

The output is similar to the following:

...
masterAuthorizedNetworksConfig:
  cidrBlocks:
  - cidrBlock: 8.8.8.8/32
  - cidrBlock: 8.8.4.4/32
  enabled: true
...

Console

  1. Go to the Google Kubernetes Engine page in the console.

  2. Click the name of the cluster you want to modify.

  3. Under Networking, the Control plane authorized networks field displays the allowed CIDRs.

API

Send a get request. Look for the CIDR blocks under the masterAuthorizedNetworksConfig field. For example:

"masterAuthorizedNetworksConfig": {
  "enabled": true,
  "cidrBlocks": [
    {
      "displayName": "Office",
      "cidrBlock": "192.0.2.0/24"
    }
  ]
}

Disable authorized networks

You can disable authorized networks for an existing cluster using the gcloud CLI or the console.

gcloud

Run the following command:

gcloud container clusters update CLUSTER_NAME \
    --no-enable-master-authorized-networks

Console

  1. Go to the Google Kubernetes Engine page in the console.

  2. Click the name of the cluster you want to modify.

  3. Under Networking, in the Control plane authorized networks field, click Edit control plane authorized networks.

  4. Clear the Enable control plane authorized networks checkbox.

  5. Click Save Changes.

Remove authorized networks

You can remove all custom authorized networks for an existing cluster using the console.

  1. Go to the Google Kubernetes Engine page in the console.

  2. Click the name of the cluster you want to modify.

  3. Under Networking, in the Control plane authorized networks field, click Edit control plane authorized networks.

  4. To remove CIDRs, click Delete.

  5. Click Save Changes.

Troubleshooting

The following sections explain how to resolve common issues with authorized networks.

Too many CIDR blocks

gcloud returns the following error when attempting to create or update a cluster with more than 50 CIDR blocks:

ERROR: (gcloud.container.clusters.update) argument --master-authorized-networks: too many args

To resolve this issue, if your cluster is public, ensure that you specify no more than 50 CIDR blocks. If your cluster is private, specify no more than 100 CIDR blocks.
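The following audit script is an added example, not part of this page or of the gcloud CLI. It parses the output of `gcloud container clusters describe CLUSTER_NAME --format=json` (a constructed sample is embedded), confirms that authorized networks are enabled, checks the block count against the 50 (public) and 100 (private) limits described above, and flags a 0.0.0.0/0 entry that would defeat the allowlist. It assumes the describe output carries `privateClusterConfig.enablePrivateNodes` (a GKE API field not covered on this page).

```python
import ipaddress
import json

# Limits stated on this page: 50 CIDR blocks for public clusters, 100 for private.
MAX_CIDRS = {"public": 50, "private": 100}

# Constructed sample in the shape of `gcloud container clusters describe CLUSTER_NAME --format=json`.
# masterAuthorizedNetworksConfig matches the field names on this page; privateClusterConfig is
# assumed to carry the GKE API field enablePrivateNodes (not described on this page).
SAMPLE_DESCRIBE = json.dumps({
    "name": "example-cluster",
    "privateClusterConfig": {"enablePrivateNodes": False},
    "masterAuthorizedNetworksConfig": {
        "enabled": True,
        "cidrBlocks": [
            {"displayName": "Office", "cidrBlock": "192.0.2.0/24"},
            {"displayName": "VPN", "cidrBlock": "198.51.100.7/32"},
            {"displayName": "temp", "cidrBlock": "0.0.0.0/0"},
        ],
    },
})


def audit_authorized_networks(describe_json: str) -> list[str]:
    """Return audit findings for one cluster; an empty list means nothing to report."""
    cluster = json.loads(describe_json)
    private = bool(cluster.get("privateClusterConfig", {}).get("enablePrivateNodes"))
    kind = "private" if private else "public"
    cfg = cluster.get("masterAuthorizedNetworksConfig", {})
    if not cfg.get("enabled"):
        return ["authorized networks disabled: control plane endpoint accepts any source address"]
    findings = []
    blocks = cfg.get("cidrBlocks", [])
    if len(blocks) > MAX_CIDRS[kind]:
        findings.append(f"{len(blocks)} CIDR blocks exceed the {MAX_CIDRS[kind]} limit for {kind} clusters")
    for entry in blocks:
        name, raw = entry.get("displayName", "?"), entry.get("cidrBlock", "")
        try:
            net = ipaddress.ip_network(raw, strict=False)
        except ValueError:
            findings.append(f"{name}: {raw!r} is not a valid CIDR block")
            continue
        if net.prefixlen == 0:
            # A /0 admits every address, which defeats the purpose of the allowlist.
            findings.append(f"{name}: {net} allows every address")
    return findings


if __name__ == "__main__":
    for finding in audit_authorized_networks(SAMPLE_DESCRIBE) or ["no findings"]:
        print(finding)
```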

Unable to connect to the server

If the CIDR blocks are configured incorrectly, kubectl commands time out with the following error:

Unable to connect to the server: dial tcp MASTER_IP: getsockopt: connection timed out

When you create or update a cluster, ensure that you specify the correct CIDR blocks.

What's next