Add authorized networks for control plane access

This page explains how to grant authorized network access to cluster control planes in Google Kubernetes Engine (GKE) clusters. For general information about GKE networking, visit the Network overview.

Overview

Authorized networks allow you to specify CIDR ranges and allow IP addresses in those ranges to access your cluster control plane endpoint using HTTPS. Authorized networks are compatible with all clusters.

GKE uses both Transport Layer Security (TLS) and authentication to provide secure access to your cluster control plane endpoint from the public internet. This provides you the flexibility to administer your cluster from anywhere. By using authorized networks, you can further restrict access to specified sets of IP addresses.

Private clusters run nodes that only have internal IP addresses, and do not allow public IPs over the internet to access the control plane endpoint. Additionally, private clusters do not allow Google Cloud IP addresses to access the control plane endpoint by default. Using authorized networks in private clusters makes your control plane reachable only by allowed CIDRs, by nodes and Pods within your cluster's VPC, and by Google's internal production jobs that manage your control plane.

Benefits

Adding authorized networks can provide additional security benefits for your cluster. Authorized networks grant access to a specific set of addresses that you designate, such as those that originate from your environment. This can help protect access to your cluster in the case of a vulnerability in the cluster's authentication or authorization mechanisms.

Limitations

  • Public clusters can have up to 50 authorized network CIDR ranges; private clusters can have up to 100.
  • If you expand a subnet that is used by a cluster with authorized networks, you must update the authorized network to include the expanded IP address range.

Before you begin

Before you start, make sure you have performed the following tasks:

  • Ensure that you have enabled the Google Kubernetes Engine API.
  • Ensure that you have installed the Cloud SDK.
  • Set up default gcloud command-line tool settings for your project by using one of the following methods:
    • Use gcloud init, if you want to be walked through setting project defaults.
    • Use gcloud config, to individually set your project ID, zone, and region.

    gcloud init

    1. Run gcloud init and follow the directions:

      gcloud init

      If you are using SSH on a remote server, use the --console-only flag to prevent the command from launching a browser:

      gcloud init --console-only
    2. Follow the instructions to authorize the gcloud tool to use your Google Cloud account.
    3. Create a new configuration or select an existing one.
    4. Choose a Google Cloud project.
    5. Choose a default Compute Engine zone.
    6. Choose a default Compute Engine region.

    gcloud config

    1. Set your default project ID:
      gcloud config set project PROJECT_ID
    2. Set your default Compute Engine region (for example, us-central1):
      gcloud config set compute/region COMPUTE_REGION
    3. Set your default Compute Engine zone (for example, us-central1-c):
      gcloud config set compute/zone COMPUTE_ZONE
    4. Update gcloud to the latest version:
      gcloud components update

    By setting default locations, you can avoid errors in the gcloud tool like the following: One of [--zone, --region] must be supplied: Please specify location.

Create a cluster with authorized networks

You can create a cluster with one or more authorized networks by using the gcloud command-line tool, the Google Cloud Console, or the GKE API.

gcloud

Run the following command:

gcloud container clusters create CLUSTER_NAME \
    --enable-master-authorized-networks \
    --master-authorized-networks CIDR1,CIDR2,...

Replace the following:

  • CLUSTER_NAME: the name of your new cluster.
  • CIDR1,CIDR2,...: A comma-delimited list of the CIDR values for the authorized networks. For example, 8.8.8.8/32,8.8.8.0/24.

Console

  1. Go to the Google Kubernetes Engine page in the Cloud Console.

  2. Click Create.

  3. Configure your cluster as needed.

  4. In the navigation menu, under Cluster, click Networking.

  5. Under Advanced networking options, select the Enable control plane authorized networks checkbox.

  6. Click Add authorized network.

  7. Enter a Name for the network.

  8. For Network, enter a CIDR range that you want to grant access to your cluster control plane.

  9. Click Done. Add additional authorized networks as needed.

  10. Click Create.

API

Specify the masterAuthorizedNetworksConfig object in your cluster create request:

"masterAuthorizedNetworksConfig": {
  "enabled": true,
  "cidrBlocks": [
    {
      "displayName": string,
      "cidrBlock": string
    }
  ]
}

For more information, refer to MasterAuthorizedNetworksConfig.

Create a private cluster with authorized networks

To learn how to create a private cluster with one or more authorized networks, refer to Private clusters.

Add an authorized network to an existing cluster

You can add an authorized network to an existing cluster using the gcloud tool or the Cloud Console.

gcloud

Run the following command:

gcloud container clusters update CLUSTER_NAME \
    --enable-master-authorized-networks \
    --master-authorized-networks CIDR1,CIDR2,...

Replace the following:

  • CLUSTER_NAME: the name of your existing cluster.
  • CIDR1,CIDR2,...: A comma-delimited list of the CIDR values for the authorized networks. For example, 8.8.8.8/32,8.8.8.0/24.

Console

  1. Go to the Google Kubernetes Engine page in Cloud Console.

  2. Click the name of the cluster you want to modify.

  3. Under Networking, in the Control plane authorized networks field, click Edit control plane authorized networks.

  4. Select the Enable control plane authorized networks checkbox.

  5. Click Add authorized network.

  6. Enter a Name for the network.

  7. For Network, enter a CIDR range that you want to grant access to your cluster control plane.

  8. Click Done. Add additional authorized networks as needed.

  9. Click Save Changes.

API

Specify the desiredMasterAuthorizedNetworksConfig field in your cluster update request. In the field, specify a MasterAuthorizedNetworksConfig object:

"desiredMasterAuthorizedNetworksConfig": {
  object(MasterAuthorizedNetworksConfig)
}

Verify an authorized network

You can verify an authorized network in an existing cluster using the gcloud tool or the Cloud Console.

gcloud

Run the following command:

gcloud container clusters describe CLUSTER_NAME

The output is similar to the following:

...
masterAuthorizedNetworksConfig:
  cidrBlocks:
  - cidrBlock: 8.8.8.8/32
  - cidrBlock: 8.8.4.4/32
  enabled: true
...

Console

  1. Go to the Google Kubernetes Engine page in Cloud Console.

  2. Click the name of the cluster you want to modify.

  3. Under Networking, the Control plane authorized networks field displays the allowed CIDRs.

API

Send a get request. Look for the CIDR blocks under the masterAuthorizedNetworksConfig field. For example:

"masterAuthorizedNetworksConfig": {
  "enabled": true,
  "cidrBlocks": [
    {
      "displayName": "Office",
      "cidrBlock": "192.0.2.0/24"
    }
  ]
}

Disable authorized networks

You can disable authorized networks for an existing cluster using the gcloud tool or the Cloud Console.

gcloud

Run the following command:

gcloud container clusters update CLUSTER_NAME \
    --no-enable-master-authorized-networks

Console

  1. Go to the Google Kubernetes Engine page in Cloud Console.

  2. Click the name of the cluster you want to modify.

  3. Under Networking, in the Control plane authorized networks field, click Edit control plane authorized networks.

  4. Clear the Enable control plane authorized networks checkbox.

  5. Click Save Changes.

Remove authorized networks

You can remove all custom authorized networks for an existing cluster using the gcloud tool or the Cloud Console.

gcloud

Run the following command:

gcloud container clusters update CLUSTER_NAME \
    --enable-master-authorized-networks

Console

  1. Go to the Google Kubernetes Engine page in the Cloud Console.

  2. Click the name of the cluster you want to modify.

  3. Under Networking, in the Control plane authorized networks field, click Edit control plane authorized networks.

  4. To remove CIDRs, click Delete.

  5. Click Save Changes.

Troubleshooting

The following sections explain how to resolve common issues with authorized networks.

Too many CIDR blocks

gcloud returns the following error when attempting to create or update a cluster with more than 50 CIDR blocks:

ERROR: (gcloud.container.clusters.update) argument --master-authorized-networks: too many args

To resolve this issue, if your cluster is public, ensure that you specify no more than 50 CIDR blocks. If your cluster is private, specify no more than 100 CIDR blocks.

Unable to connect to the server

kubectl commands time out due to incorrectly configured CIDR blocks:

Unable to connect to the server: dial tcp MASTER_IP: getsockopt: connection timed out

When you create or update a cluster, ensure that you specify the correct CIDR blocks.
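The following added example (not part of this page or of the gcloud tool) audits a cluster's authorized networks as returned by the Verify step above: it checks that the feature is enabled, that the CIDR count stays within the 50/100 limit from the Limitations section, that no block opens the control plane to the whole internet, and that the address you run kubectl from is covered, which is the usual cause of the "Unable to connect to the server" timeout. It assumes the describe output was fetched with --format=json and parsed into a dict; the cluster sample is constructed.

```python
import ipaddress

# Limits stated on this page: 50 CIDR blocks for public clusters, 100 for private.
CIDR_LIMITS = {"public": 50, "private": 100}

# Constructed sample shaped like the parsed output of
# `gcloud container clusters describe CLUSTER_NAME --format=json`
# (only the fields this check reads are included).
SAMPLE_CLUSTER = {
    "name": "example-cluster",
    "privateClusterConfig": {"enablePrivateNodes": False},
    "masterAuthorizedNetworksConfig": {
        "enabled": True,
        "cidrBlocks": [
            {"displayName": "Office", "cidrBlock": "192.0.2.0/24"},
            {"displayName": "Admin VPN", "cidrBlock": "198.51.100.7/32"},
        ],
    },
}


def audit_authorized_networks(cluster, client_ip):
    """Return a list of findings (empty when the configuration looks sound).

    cluster:   dict parsed from the describe output.
    client_ip: the address you run kubectl from; if no CIDR covers it,
               kubectl times out as described under Troubleshooting.
    """
    findings = []
    cfg = cluster.get("masterAuthorizedNetworksConfig", {})
    if not cfg.get("enabled"):
        findings.append("authorized networks disabled: control plane accepts any public IP")
        return findings
    private = cluster.get("privateClusterConfig", {}).get("enablePrivateNodes", False)
    kind = "private" if private else "public"
    blocks = [ipaddress.ip_network(b["cidrBlock"], strict=False)
              for b in cfg.get("cidrBlocks", [])]
    if len(blocks) > CIDR_LIMITS[kind]:
        findings.append(f"{len(blocks)} CIDR blocks exceed the {kind} cluster limit "
                        f"of {CIDR_LIMITS[kind]}")
    for net in blocks:
        if net.prefixlen == 0:  # e.g. 0.0.0.0/0 makes the allowlist meaningless
            findings.append(f"{net} permits the whole internet")
    addr = ipaddress.ip_address(client_ip)
    if not any(addr in net for net in blocks):
        findings.append(f"{client_ip} is not in any authorized network; "
                        "expect 'Unable to connect to the server'")
    return findings


if __name__ == "__main__":
    for finding in audit_authorized_networks(SAMPLE_CLUSTER, "203.0.113.5"):
        print(finding)
```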

What's next