Adding authorized networks for control plane access

This page explains how to grant authorized network access to cluster control planes (masters) in Google Kubernetes Engine (GKE) clusters. For general information about GKE networking, visit the Network overview.

Overview

Authorized networks allow you to specify CIDR ranges and allow IP addresses in those ranges to access your cluster control plane endpoint using HTTPS. Authorized networks are compatible with all clusters.

GKE uses both Transport Layer Security (TLS) and authentication to provide secure access to your cluster control plane endpoint from the public internet. This provides you the flexibility to administer your cluster from anywhere. By using authorized networks, you can further restrict access to specified sets of IP addresses.

Benefits

Adding authorized networks can provide additional security benefits for your cluster. Authorized networks grant access to a specific set of addresses that you designate, such as those that originate from your environment. This can help protect access to your cluster in the case of a vulnerability in the cluster's authentication or authorization mechanisms.

Benefits with private clusters

Private clusters run nodes without external IP addresses, and optionally run their cluster control plane without a publicly-reachable endpoint. Additionally, private clusters do not allow Google Cloud IP addresses to access the control plane endpoint by default. Using private clusters with authorized networks makes your control plane reachable only by the allowed CIDRs, by nodes within your cluster's VPC, and by Google's internal production jobs that manage your control plane.

Limitations

  • Public clusters can have up to 50 authorized network CIDR ranges; private clusters can have up to 100.
  • If you expand a subnet that is used by a cluster with authorized networks, you must update the authorized network to include the expanded IP address range.

Before you begin

Before you start, make sure you have performed the following tasks:

Set up default gcloud settings using one of the following methods:

  • Using gcloud init, if you want to be walked through setting defaults.
  • Using gcloud config, to individually set your project ID, zone, and region.

Using gcloud init

If you receive the error One of [--zone, --region] must be supplied: Please specify location, complete this section.

  1. Run gcloud init and follow the directions:

    gcloud init

    If you are using SSH on a remote server, use the --console-only flag to prevent the command from launching a browser:

    gcloud init --console-only
  2. Follow the instructions to authorize gcloud to use your Google Cloud account.
  3. Create a new configuration or select an existing one.
  4. Choose a Google Cloud project.
  5. Choose a default Compute Engine zone for zonal clusters or a region for regional or Autopilot clusters.

Using gcloud config

  • Set your default project ID:
    gcloud config set project PROJECT_ID
  • If you are working with zonal clusters, set your default compute zone:
    gcloud config set compute/zone COMPUTE_ZONE
  • If you are working with Autopilot or regional clusters, set your default compute region:
    gcloud config set compute/region COMPUTE_REGION
  • Update gcloud to the latest version:
    gcloud components update

Creating a cluster with authorized networks

You can create a cluster with one or more authorized networks by using the gcloud tool, the Google Cloud Console, or the GKE API.

gcloud

Run the following command:

gcloud container clusters create cluster-name \
    --enable-master-authorized-networks \
    --master-authorized-networks cidr1,cidr2...

Replace the following:

  • cluster-name: the name of the cluster to create.
  • cidr1, cidr2: the CIDR values for the authorized networks.

With the --master-authorized-networks flag, you can specify comma-delimited CIDRs (such as 8.8.8.0/24) that you'd like to grant access to your cluster control plane endpoint through HTTPS.

For example:

gcloud container clusters create example-cluster \
    --enable-master-authorized-networks \
    --master-authorized-networks 8.8.8.8/32,8.8.8.0/24

Console

  1. Go to the Google Kubernetes Engine page in the Cloud Console.

  2. Click Create.

  3. Configure your cluster as desired.

  4. From the navigation pane, under Cluster, click Networking.

  5. Under Advanced networking options, select the Enable control plane authorized networks checkbox.

  6. Click Add authorized network.

  7. Enter a Name for the network.

  8. For Network, enter a CIDR range that you want to grant access to your cluster control plane.

  9. Click Done. Add additional authorized networks as desired.

  10. Click Create.

API

Specify the masterAuthorizedNetworksConfig object in your cluster create request:

"masterAuthorizedNetworksConfig": {
  "enabled": true,
  "cidrBlocks": [
  {
      "displayName": string,
      "cidrBlock": string
  }
]
}

For more information, refer to MasterAuthorizedNetworksConfig.

Creating a private cluster with authorized networks

To learn how to create a private cluster with one or more authorized networks, refer to Private Clusters.

Add an authorized network to an existing cluster

You can add an authorized network to an existing cluster using the gcloud command-line tool, or by using Cloud Console.

gcloud

Run the following command:

gcloud container clusters update cluster-name \
    --enable-master-authorized-networks \
    --master-authorized-networks cidr1,cidr2...

Replace the following:

  • cluster-name: the name of your existing cluster.
  • cidr1, cidr2: the CIDR values for the authorized networks.

With the --master-authorized-networks flag, you can specify comma-delimited CIDRs (such as 8.8.8.0/24) that you'd like to grant access to your cluster control plane endpoint through HTTPS.

For example:

gcloud container clusters update example-cluster \
    --enable-master-authorized-networks \
    --master-authorized-networks 8.8.8.8/32,8.8.8.0/24

Console

  1. Go to the Google Kubernetes Engine page in Cloud Console.

  2. Click the name of the cluster you want to modify.

  3. Under Networking, in the Control plane authorized networks field, click Edit control plane authorized networks.

  4. Select the Enable control plane authorized networks checkbox.

  5. Click Add authorized network.

  6. Enter a Name for the network.

  7. For Network, enter a CIDR range that you want to grant access to your cluster control plane.

  8. Click Done. Add additional authorized networks as desired.

  9. Click Save Changes.

API

Specify the desiredMasterAuthorizedNetworksConfig field in your cluster update request. In the field, specify a MasterAuthorizedNetworksConfig object:

"desiredMasterAuthorizedNetworksConfig": {
    object(MasterAuthorizedNetworksConfig)
  }

Verifying an authorized network

You can verify an authorized network in an existing cluster using the gcloud command-line tool, or by using Cloud Console.

gcloud

Run the following command:

gcloud container clusters describe cluster-name

In the command output, look for the masterAuthorizedNetworksConfig field:

...
masterAuthorizedNetworksConfig:
  cidrBlocks:
  - cidrBlock: 8.8.8.8/32
  - cidrBlock: 8.8.4.4/32
  enabled: true
...

Console

  1. Go to the Google Kubernetes Engine page in Cloud Console.

  2. Click the name of the cluster you want to modify.

  3. Under Networking, note that the Control plane authorized networks field displays the allowed CIDRs.

API

Send a get request. Look for the CIDR blocks under the masterAuthorizedNetworksConfig field. For example:

"masterAuthorizedNetworksConfig": {
"enabled": true,
"cidrBlocks": [
  {
    "displayName": "Office",
    "cidrBlock": "192.0.2.0/24"
  }
]
}

Disable authorized networks

You can disable authorized networks for an existing cluster using the gcloud command-line tool, or by using Cloud Console.

gcloud

Run the following command:

gcloud container clusters update cluster-name \
    --no-enable-master-authorized-networks

Console

  1. Go to the Google Kubernetes Engine page in Cloud Console.

  2. Click the name of the cluster you want to modify.

  3. Under Networking, in the Control plane authorized networks field, click Edit control plane authorized networks.

  4. Clear the Enable control plane authorized networks checkbox.

  5. Click Save Changes.

Removing authorized networks

You can remove all custom authorized networks for an existing cluster using the gcloud command-line tool, or by using Cloud Console.

gcloud

Run the following command:

gcloud container clusters update cluster-name \
    --enable-master-authorized-networks

Console

  1. Go to the Google Kubernetes Engine page in Cloud Console.

  2. Click the name of the cluster you want to modify.

  3. Under Networking, in the Control plane authorized networks field, click Edit control plane authorized networks.

  4. Click the Delete icon next to each CIDR you want to remove.

  5. Click Save Changes.

Troubleshooting

The following sections explain how to resolve common issues with authorized networks.

Too many CIDR blocks

gcloud returns the following error when attempting to create or update a cluster with more than 50 CIDR blocks:

ERROR: (gcloud.container.clusters.update) argument --master-authorized-networks: too many args

To resolve this issue, if your cluster is public, ensure that you specify no more than 50 CIDR blocks. If your cluster is private, specify no more than 100 CIDR blocks.

Unable to connect to the server

kubectl commands time out due to incorrectly configured CIDR blocks:

Unable to connect to the server: dial tcp MASTER_IP: getsockopt: connection timed out

When you create or update a cluster, ensure that you specify the correct CIDR blocks.
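The following script is an added example, not part of the GKE documentation or the gcloud tool: it audits a masterAuthorizedNetworksConfig object of the shape shown under Verifying an authorized network (the block count against the 50/100 limits, malformed CIDRs, and ranges broad enough to defeat the feature) and checks whether a given client IP falls inside an authorized range, which is the usual cause of the kubectl timeout above. The sample config and the /8 "overly broad" threshold are assumptions constructed for the example.

```python
import ipaddress

# Limits from the Limitations section above: 50 CIDR ranges for public
# clusters, 100 for private clusters.
CIDR_LIMIT = {"public": 50, "private": 100}

# Constructed sample in the shape of the masterAuthorizedNetworksConfig
# field returned by a cluster get request (not a real cluster).
SAMPLE_CONFIG = {
    "enabled": True,
    "cidrBlocks": [
        {"displayName": "Office", "cidrBlock": "192.0.2.0/24"},
        {"displayName": "Bastion", "cidrBlock": "198.51.100.5/32"},
    ],
}

def parse_blocks(config):
    """Parse cidrBlocks into ip_network objects; return (networks, errors)."""
    networks, errors = [], []
    for block in config.get("cidrBlocks", []):
        try:
            # strict=False tolerates host bits set in the block (e.g. 8.8.8.8/24)
            networks.append(ipaddress.ip_network(block["cidrBlock"], strict=False))
        except (KeyError, ValueError) as exc:
            errors.append(f"{block.get('displayName', '?')}: {exc}")
    return networks, errors

def audit_authorized_networks(config, private=False, min_prefixlen=8):
    """Return a list of findings; an empty list means nothing to fix.
    min_prefixlen is this example's heuristic: anything broader than /8
    (including 0.0.0.0/0) is flagged as overly permissive."""
    if not config.get("enabled"):
        return ["authorized networks disabled: endpoint accepts any source IP"]
    kind = "private" if private else "public"
    networks, errors = parse_blocks(config)
    findings = [f"invalid CIDR block {e}" for e in errors]
    count = len(config.get("cidrBlocks", []))
    if count > CIDR_LIMIT[kind]:
        findings.append(f"{count} blocks exceed the {kind} cluster limit of {CIDR_LIMIT[kind]}")
    findings += [f"overly broad range {n}" for n in networks if n.prefixlen < min_prefixlen]
    return findings

def client_is_allowed(config, client_ip):
    """True if client_ip is inside an authorized range; False explains a timeout."""
    if not config.get("enabled"):
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in n for n in parse_blocks(config)[0])

if __name__ == "__main__":
    print(audit_authorized_networks(SAMPLE_CONFIG, private=True))
    print(client_is_allowed(SAMPLE_CONFIG, "203.0.113.7"))  # False: this client would time out
```

Feed it the JSON from a cluster get request (or the masterAuthorizedNetworksConfig section of gcloud container clusters describe) and your workstation's public IP before running kubectl.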
