This page explains how to grant authorized network access to cluster masters in Google Kubernetes Engine clusters. For general information about GKE networking, visit the Network Overview.
Overview
Authorized networks allow you to whitelist specific CIDR ranges and allow IP addresses in those ranges to access your cluster master endpoint using HTTPS. Authorized networks are compatible with all clusters.
GKE uses both Transport Layer Security (TLS) and authentication to provide secure access to your cluster master endpoint from the public Internet. This provides you the flexibility to administer your cluster from anywhere. By using authorized networks, you can further restrict access to specified sets of IP addresses.
Benefits
Adding authorized networks can provide additional security benefits for your cluster. Authorized networks grant access to a specific set of addresses that you designate, such as those that originate from your environment. This can help protect access to your cluster in the case of a vulnerability in the cluster's authentication or authorization mechanisms.
Benefits with private clusters
Private clusters run nodes without external IP addresses, and optionally run their cluster master without a publicly-reachable endpoint. Additionally, private clusters do not allow GCP IP addresses to access the cluster master endpoint by default. Using private clusters with authorized networks makes your cluster master reachable only by the whitelisted CIDRs, by nodes within your cluster's VPC, and by Google's internal production jobs that manage your master.
Limitations
- A cluster can have no more than 50 authorized network CIDR ranges.
Before you begin
To prepare for this task, perform the following steps:
- Ensure that you have enabled the Google Kubernetes Engine API. Enable Google Kubernetes Engine API
- Ensure that you have installed the Cloud SDK.
- Set your default project ID:
gcloud config set project [PROJECT_ID]
- If you are working with zonal clusters, set your default compute zone:
gcloud config set compute/zone [COMPUTE_ZONE]
- If you are working with regional clusters, set your default compute region:
gcloud config set compute/region [COMPUTE_REGION]
- Update
gcloudto the latest version:gcloud components update
Creating a cluster with authorized networks
You can create a cluster with one or more authorized networks using the
gcloud command-line tool, or by using [Google Cloud Platform Console].
gcloud
Run the following command:
gcloud container clusters create [CLUSTER_NAME] \
--enable-master-authorized-networks \
--master-authorized-networks [CIDR],[CIDR]...
With the --master-authorized-networks flag, you can specify up to 50
comma-delimited CIDRs (such as 8.8.8.0/24) that you'd like to grant
access your cluster master endpoint through HTTPS.
For example:
gcloud container clusters create example-cluster \
--enable-master-authorized-networks \
--master-authorized-networks 8.8.8.8/32,8.8.8.0/24Console
Visit the Google Kubernetes Engine menu in GCP Console.
Click Create cluster.
Configure your cluster as desired. Then, click Advanced options.
In the Network security section, select Enable master authorized networks.
Click Add authorized network.
Fill Name with the desired name for the network.
Fill Network with a CIDR range that you want to grant whitelisted access to your cluster master.
Click Done. Add additional authorized networks as desired.
Click Create at the bottom of the menu.
API
Specify the masterAuthorizedNetworksConfig object in your cluster
create request:
"masterAuthorizedNetworksConfig": {
"enabled": true,
"cidrBlocks": [
{
"displayName": string,
"cidrBlock": string
}
]
}
For more information, refer to MasterAuthorizedNetworksConfig.
Creating a private cluster with authorized networks
To learn how to create a private cluster with one or more authorized networks, refer to Private Clusters.
Add an authorized network to an existing cluster
You can add an authorized network to an existing cluster using the gcloud
command-line tool, or by using [GCP Console].
gcloud
Run the following command:
gcloud container clusters update [CLUSTER_NAME] \
--enable-master-authorized-networks \
--master-authorized-networks [CIDR],[CIDR]...
With the --master-authorized-networks flag, you can specify up to 50
comma-delimited CIDRs (such as 8.8.8.0/24) that you'd like to grant
access your cluster master endpoint through HTTPS.
For example:
gcloud container clusters update example-cluster \
--enable-master-authorized-networks \
--master-authorized-networks 8.8.8.8/32,8.8.8.0/24Console
Visit the Google Kubernetes Engine menu in GCP Console.
Select the desired cluster.
Click Edit.
From the Master authorized networks drop-down menu, select Enabled, if it isn't already enabled.
Click Add authorized network.
Fill Name with the desired name for the network.
Fill Network with a CIDR range that you want to grant whitelisted access to your cluster master.
Click Done. Add additional authorized networks as desired.
Click Save at the bottom of the menu.
API
Specify the desiredMasterAuthorizedNetworksConfig field in your cluster
update request. In the field, specify a
MasterAuthorizedNetworksConfig object:
"desiredMasterAuthorizedNetworksConfig": {
object(MasterAuthorizedNetworksConfig)
}
Verifying an authorized network
You can verify an authorized network in an existing cluster using the gcloud
command-line tool, or by using [GCP Console].
gcloud
Run the following command:
gcloud container clusters describe [CLUSTER_NAME]
In the command output, look for the masterAuthorizedNetworksConfig
field:
...
masterAuthorizedNetworksConfig:
cidrBlocks:
- cidrBlock: 8.8.8.8/32
- cidrBlock: 8.8.4.4/32
enabled: true
...
Console
Visit the Google Kubernetes Engine menu in GCP Console.
Select the desired cluster.
The Master authorized networks field displays the whitelisted CIDRs.
API
Send a get request. Look for the CIDR blocks under the
masterAuthorizedNetworksConfig field. For example:
"masterAuthorizedNetworksConfig": {
"enabled": true,
"cidrBlocks": [
{
"displayName": "Office",
"cidrBlock": "192.0.2.0/24"
}
]
}
Disable authorized networks
You can disable authorized networks for an existing cluster using the gcloud
command-line tool, or by using [GCP Console].
gcloud
Run the following command:
gcloud container clusters update [CLUSTER_NAME] \ --no-enable-master-authorized-networks
Console
Visit the Google Kubernetes Engine menu in GCP Console.
Select the desired cluster.
Click Edit.
From the Master authorized networks drop-down menu, select Disabled.
Click Save.
Troubleshooting
The following sections explain how to resolve common issues with authorized networks.
Too many CIDR blocks
gcloud returns the following error when attempting to create or update a
cluster with more than 50 CIDR blocks:
ERROR: (gcloud.container.clusters.update) argument --master-authorized-networks: too many args
To resolve this issue, ensure that you specify fewer than 50 CIDR blocks.
Unable to connect to master
kubectl commands time out due to incorrectly configured CIDR blocks:
Unable to connect to the server: dial tcp MASTER_IP: getsockopt: connection timed out
When you create or update a cluster, ensure that you specify the correct CIDR blocks.
