Adding Authorized Networks for Cluster Master Access

This page explains how to grant authorized network access to cluster masters in Google Kubernetes Engine clusters. For general information about GKE networking, visit the Network Overview.

Overview

Authorized networks allow you to whitelist specific CIDR ranges and allow IP addresses in those ranges to access your cluster master endpoint using HTTPS. Authorized networks are compatible with all clusters.

GKE uses both Transport Layer Security (TLS) and authentication to provide secure access to your cluster master endpoint from the public Internet. This provides you the flexibility to administer your cluster from anywhere. By using authorized networks, you can further restrict access to specified sets of IP addresses.

Benefits

Adding authorized networks can provide additional security benefits for your cluster. Authorized networks grant access to a specific set of addresses that you designate, such as those that originate from your environment. This can help protect access to your cluster in the case of a vulnerability in the cluster's authentication or authorization mechanisms.

Benefits with private clusters

Private clusters run nodes without external IP addresses, and optionally run their cluster master without a publicly-reachable endpoint. Additionally, private clusters do not allow GCP IP addresses to access the cluster master endpoint by default. Using private clusters with authorized networks makes your cluster master reachable only by the whitelisted CIDRs, by nodes within your cluster's VPC, and by Google's internal production jobs that manage your master.

Limitations

  • A cluster can have no more than 20 authorized network CIDR ranges.

Before you begin

To prepare for this task, perform the following steps:

  • Ensure that you have enabled the Google Kubernetes Engine API.
  • Ensure that you have installed the Cloud SDK.
  • Set your default project ID:
    gcloud config set project [PROJECT_ID]
  • If you are working with zonal clusters, set your default compute zone:
    gcloud config set compute/zone [COMPUTE_ZONE]
  • If you are working with regional clusters, set your default compute region:
    gcloud config set compute/region [COMPUTE_REGION]
  • Update gcloud to the latest version:
    gcloud components update

Creating a cluster with authorized networks

You can create a cluster with one or more authorized networks using the gcloud command-line tool, or by using Google Cloud Platform Console.

gcloud

Run the following command:

gcloud container clusters create [CLUSTER_NAME] \
    --enable-master-authorized-networks \
    --master-authorized-networks [CIDR],[CIDR]...

With the --master-authorized-networks flag, you can specify up to 20 comma-delimited CIDRs (such as 8.8.8.0/24) that you want to grant access to your cluster master endpoint over HTTPS.

For example:

gcloud container clusters create example-cluster \
    --enable-master-authorized-networks \
    --master-authorized-networks 8.8.8.8/32,8.8.8.0/24

Console

  1. Visit the Google Kubernetes Engine menu in GCP Console.

  2. Click Create cluster.

  3. Configure your cluster as desired. Then, click Advanced options.
  4. In the Network security section, select Enable master authorized networks.
  5. Click Add authorized network.
  6. Fill Name with the desired name for the network.
  7. Fill Network with a CIDR range that you want to grant whitelisted access to your cluster master.
  8. Click Done. Add additional authorized networks as desired.
  9. Click Create at the bottom of the menu.

API

Specify the masterAuthorizedNetworksConfig object in your cluster create request:

"masterAuthorizedNetworksConfig": {
  "enabled": true,
  "cidrBlocks": [
    {
      "displayName": string,
      "cidrBlock": string
    }
  ]
}

For more information, refer to MasterAuthorizedNetworksConfig.

Creating a private cluster with authorized networks

To learn how to create a private cluster with one or more authorized networks, refer to Private Clusters.

Add an authorized network to an existing cluster

You can add an authorized network to an existing cluster using the gcloud command-line tool, or by using GCP Console.

gcloud

Run the following command:

gcloud container clusters update [CLUSTER_NAME] \
    --enable-master-authorized-networks \
    --master-authorized-networks [CIDR],[CIDR]...

With the --master-authorized-networks flag, you can specify up to 20 comma-delimited CIDRs (such as 8.8.8.0/24) that you want to grant access to your cluster master endpoint over HTTPS.

For example:

gcloud container clusters update example-cluster \
    --enable-master-authorized-networks \
    --master-authorized-networks 8.8.8.8/32,8.8.8.0/24

Console

  1. Visit the Google Kubernetes Engine menu in GCP Console.

  2. Select the desired cluster.

  3. Click Edit.
  4. From the Master authorized networks drop-down menu, select Enabled, if it isn't already enabled.
  5. Click Add authorized network.
  6. Fill Name with the desired name for the network.
  7. Fill Network with a CIDR range that you want to grant whitelisted access to your cluster master.
  8. Click Done. Add additional authorized networks as desired.
  9. Click Save at the bottom of the menu.

API

Specify the desiredMasterAuthorizedNetworksConfig field in your cluster update request. In the field, specify a MasterAuthorizedNetworksConfig object:

"desiredMasterAuthorizedNetworksConfig": {
  object(MasterAuthorizedNetworksConfig)
}

Verifying an authorized network

You can verify an authorized network in an existing cluster using the gcloud command-line tool, or by using GCP Console.

gcloud

Run the following command:

gcloud container clusters describe [CLUSTER_NAME]

In the command output, look for the masterAuthorizedNetworksConfig field:

...
masterAuthorizedNetworksConfig:
  cidrBlocks:
  - cidrBlock: 8.8.8.8/32
  - cidrBlock: 8.8.4.4/32
  enabled: true
...
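The same check can be scripted. The following POSIX shell functions are an added example, not part of the GKE documentation or of gcloud: they read describe output on stdin and pull out the enabled flag and the authorized cidrBlock values. They assume the YAML layout gcloud prints (top-level keys in column one, two-space indentation) as shown above; the describe text embedded below is a constructed sample with that shape.

```shell
#!/bin/sh
# Added example, not part of the GKE documentation: extract the master
# authorized networks configuration from `gcloud container clusters describe`
# output. Assumes the YAML layout gcloud prints (two-space indentation,
# top-level keys in column one) as shown on this page.

# Constructed sample of a describe output, trimmed to the relevant keys.
SAMPLE_DESCRIBE='name: example-cluster
masterAuthorizedNetworksConfig:
  cidrBlocks:
  - cidrBlock: 8.8.8.8/32
  - cidrBlock: 8.8.4.4/32
  enabled: true
network: default'

# Print each authorized cidrBlock (one per line) from describe output on stdin.
# Only the masterAuthorizedNetworksConfig block is read, so a cidrBlock key
# elsewhere in the output is not mistaken for an authorized network.
authorized_cidrs() {
  awk '
    /^[^ ]/ { inblock = ($1 == "masterAuthorizedNetworksConfig:") }
    inblock && $1 == "-" && $2 == "cidrBlock:" { print $3 }
    inblock && $1 == "cidrBlock:" { print $2 }
  '
}

# Succeed only if authorized networks are enabled in describe output on stdin.
authorized_networks_enabled() {
  awk '
    /^[^ ]/ { inblock = ($1 == "masterAuthorizedNetworksConfig:") }
    inblock && $1 == "enabled:" && $2 == "true" { ok = 1 }
    END { exit ok ? 0 : 1 }
  '
}

# Count the configured ranges; compare against the 20-range limit.
authorized_cidr_count() {
  authorized_cidrs | wc -l | tr -d ' '
}

# Demo on the constructed sample. For a real cluster pipe in the output of:
#   gcloud container clusters describe [CLUSTER_NAME]
printf '%s\n' "$SAMPLE_DESCRIBE" | authorized_cidrs
```

Piping `gcloud container clusters describe [CLUSTER_NAME] | authorized_networks_enabled` into a scheduled job gives a simple drift check: a cluster whose flag has been switched to false, or whose list has grown unexpectedly, is flagged without anyone reading the console.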

Console

  1. Visit the Google Kubernetes Engine menu in GCP Console.

  2. Select the desired cluster.

The Master authorized networks field displays the whitelisted CIDRs.

API

Send a get request. Look for the CIDR blocks under the masterAuthorizedNetworksConfig field. For example:

"masterAuthorizedNetworksConfig": {
  "enabled": true,
  "cidrBlocks": [
    {
      "displayName": "Office",
      "cidrBlock": "192.0.2.0/24"
    }
  ]
}

Disable authorized networks

You can disable authorized networks for an existing cluster using the gcloud command-line tool, or by using GCP Console.

gcloud

Run the following command:

gcloud container clusters update [CLUSTER_NAME] \
    --no-enable-master-authorized-networks

Console

  1. Visit the Google Kubernetes Engine menu in GCP Console.

  2. Select the desired cluster.

  3. Click Edit.
  4. From the Master authorized networks drop-down menu, select Disabled.
  5. Click Save.

Troubleshooting

The following sections explain how to resolve common issues with authorized networks.

Too many CIDR blocks

gcloud returns the following error when attempting to create or update a cluster with more than 20 CIDR blocks:

ERROR: (gcloud.container.clusters.update) argument --master-authorized-networks: too many args

To resolve this issue, ensure that you specify no more than 20 CIDR blocks.

Unable to connect to master

kubectl commands time out due to incorrectly configured CIDR blocks:

Unable to connect to the server: dial tcp MASTER_IP: getsockopt: connection timed out

When you create or update a cluster, ensure that you specify the correct CIDR blocks.
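Both failures above can be caught before gcloud runs. The following POSIX shell preflight is an added example, not part of the GKE documentation or of gcloud: it enforces the 20-range limit this page states, rejects malformed CIDRs, and confirms that the address you administer from (which you determine out of band and pass in) lies inside one of the proposed ranges, since a list that omits that address is the usual reason kubectl times out after an update. The function names, the decision to reject a /0 range, and the sample values are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the GKE documentation or of gcloud: a preflight
# check for the list handed to --master-authorized-networks. It enforces the
# 20-range limit this page states, rejects malformed CIDRs, and confirms that
# the address you administer from is inside one of the ranges. Function names,
# the rejection of /0, and the sample values below are assumptions.

MAX_AUTHORIZED_NETWORKS=20

# Print a dotted-quad IPv4 address as an integer; return 1 if it is malformed.
ip_to_int() {
  case $1 in *[!0-9.]*|'') return 1 ;; esac
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    # digits only, no leading zeros (which some shells would read as octal)
    case $o in
      0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;;
      *) return 1 ;;
    esac
    [ "$o" -le 255 ] || return 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Validate one CIDR (address/prefix). A /0 is rejected here because it would
# authorize every address on the Internet, defeating the purpose of the list.
validate_cidr() {
  case $1 in
    */*) ;;
    *) echo "$1: missing /prefix length" >&2; return 1 ;;
  esac
  addr=${1%/*}; plen=${1#*/}
  case $plen in
    [1-9]|[12][0-9]|3[0-2]) ;;
    0) echo "$1: /0 authorizes every address; use a narrower range" >&2; return 1 ;;
    *) echo "$1: prefix length must be 1-32" >&2; return 1 ;;
  esac
  ip_to_int "$addr" >/dev/null || { echo "$1: malformed IPv4 address" >&2; return 1; }
}

# Succeed if address $1 lies inside CIDR $2 (both already validated).
ip_in_cidr() {
  a=$(ip_to_int "$1") || return 1
  n=$(ip_to_int "${2%/*}") || return 1
  mask=$(( (0xFFFFFFFF << (32 - ${2#*/})) & 0xFFFFFFFF ))
  [ $(( a & mask )) -eq $(( n & mask )) ]
}

# Check a comma-delimited list against the limit, validate each range, and
# confirm that $2 (the administrator's source address) is covered by one.
check_authorized_networks() {
  list=$1; client_ip=$2
  count=0; covered=0; status=0
  ip_to_int "$client_ip" >/dev/null || { echo "$client_ip: malformed client address" >&2; return 1; }
  oldifs=$IFS; IFS=,
  for cidr in $list; do
    IFS=$oldifs
    count=$((count + 1))
    if validate_cidr "$cidr"; then
      ip_in_cidr "$client_ip" "$cidr" && covered=1
    else
      status=1
    fi
  done
  IFS=$oldifs
  if [ "$count" -gt "$MAX_AUTHORIZED_NETWORKS" ]; then
    echo "$count ranges given; the limit is $MAX_AUTHORIZED_NETWORKS" >&2; status=1
  fi
  if [ "$covered" -eq 0 ]; then
    echo "$client_ip is in none of the ranges; kubectl from it would time out" >&2; status=1
  fi
  return $status
}

# Print the update command documented on this page, but only if the list passes.
authorized_networks_update_command() {
  check_authorized_networks "$2" "$3" || return 1
  printf 'gcloud container clusters update %s --enable-master-authorized-networks --master-authorized-networks %s\n' "$1" "$2"
}

# Usage: sh preflight.sh [CLUSTER_NAME] [CIDR],[CIDR]... [ADMIN_IP]
# The command is printed for review, not executed.
if [ $# -eq 3 ]; then
  authorized_networks_update_command "$1" "$2" "$3"
fi
```

The check prints the update command rather than running it so the list can be reviewed first; wrapping the output in `sh -c` or `eval` is a deliberate extra step. Narrow ranges (a /32 for a bastion, a /24 for an office egress range) keep the effective attack surface of the master endpoint small, which is the reason the /0 case is treated as an error rather than a warning.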
