
Metadata

Id: d43366c5-80b0-45de-bbe8-2338f4ab0a83

Cloud Provider: GCP

Platform: Ansible

Severity: Medium

Category: Networking and Firewall

Description

GKE clusters must enable master authorized networks so that access to the Kubernetes control plane is restricted to trusted network ranges. Without this restriction, the control plane API is reachable from untrusted networks, and unauthorized access could lead to cluster compromise.

For Ansible resources using google.cloud.gcp_container_cluster or gcp_container_cluster, the master_authorized_networks_config property must be defined and its enabled field set to true. Resources missing master_authorized_networks_config or with master_authorized_networks_config.enabled set to false are flagged as insecure. Optionally, include CIDR entries to specify allowed client networks via master_authorized_networks_config.cidr_blocks.

Secure Ansible example:

- name: Create secure GKE cluster with master authorized networks
  google.cloud.gcp_container_cluster:
    name: my-cluster
    location: us-central1
    master_authorized_networks_config:
      enabled: true
      cidr_blocks:
        - cidr_block: 203.0.113.0/24
          display_name: office-network
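As an added example (not Datadog's scanner code), the script below implements the check described above in Python: it walks a list of Ansible tasks, applies the rule only to gcp_container_cluster tasks, and flags a task when master_authorized_networks_config is missing or its enabled field is not a true value. It assumes the playbook has already been loaded with yaml.safe_load, so the constructed sample tasks are the dicts that loader would yield for this page's compliant and non-compliant examples; to_bool, check_task and scan_playbook are names chosen here.

```python
MODULE_NAMES = ("google.cloud.gcp_container_cluster", "gcp_container_cluster")
TRUE_WORDS = {"true", "yes", "on", "1"}
FALSE_WORDS = {"false", "no", "off", "0"}

def to_bool(value):
    """Normalise the boolean spellings Ansible accepts (yes/no, true/false, on/off, 1/0).
    Returns None for anything unrecognised so the caller treats it as not enabled."""
    if isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    if text in TRUE_WORDS:
        return True
    if text in FALSE_WORDS:
        return False
    return None

def check_task(task):
    """Return a finding for a flagged GKE cluster task, or None when compliant."""
    module = next((m for m in MODULE_NAMES if m in task), None)
    if module is None:
        return None  # not a gcp_container_cluster task; the rule does not apply
    args = task[module] if isinstance(task[module], dict) else {}
    config = args.get("master_authorized_networks_config")
    if not isinstance(config, dict):
        return "master_authorized_networks_config is not defined"
    if to_bool(config.get("enabled")) is not True:  # missing, no/false or junk
        return "master_authorized_networks_config.enabled is not true"
    return None

def scan_playbook(tasks):
    """Return [(task name, finding)] for every task the rule flags."""
    return [(t.get("name", "<unnamed>"), f) for t in tasks if (f := check_task(t))]

# Constructed sample: the dicts yaml.safe_load would yield for the compliant and
# non-compliant tasks on this page (YAML 1.1 loads a bare `yes`/`no` as True/False).
MANC = {"cidr_blocks": [{"cidr_block": "192.0.2.0/24"}]}
SAMPLE_TASKS = [
    {"name": "enabled: yes", "google.cloud.gcp_container_cluster":
        {"name": "my-cluster", "master_authorized_networks_config": {**MANC, "enabled": True}}},
    {"name": "enabled: no", "google.cloud.gcp_container_cluster":
        {"name": "my-cluster", "master_authorized_networks_config": {**MANC, "enabled": False}}},
    {"name": "enabled omitted", "gcp_container_cluster":
        {"name": "my-second-cluster", "master_authorized_networks_config": dict(MANC)}},
    {"name": "config omitted", "google.cloud.gcp_container_cluster": {"name": "my-third-cluster"}},
    {"name": "unrelated task", "debug": {"msg": "not a GKE cluster"}},
]

if __name__ == "__main__":
    for name, finding in scan_playbook(SAMPLE_TASKS):
        print(f"FLAGGED {name!r}: {finding}")
```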

Compliant Code Examples

- name: create a cluster
  google.cloud.gcp_container_cluster:
    name: my-cluster
    initial_node_count: 2
    location: us-central1-a
    auth_kind: serviceaccount
    master_authorized_networks_config:
      cidr_blocks:
        - cidr_block: 192.0.2.0/24
      enabled: yes
    state: present

Non-Compliant Code Examples

---
- name: create a cluster
  google.cloud.gcp_container_cluster:
    name: my-cluster
    location: us-central1-a
    auth_kind: serviceaccount
    master_authorized_networks_config:
      cidr_blocks:
        - cidr_block: 192.0.2.0/24
      enabled: no
    state: present
- name: create a second cluster
  google.cloud.gcp_container_cluster:
    name: my-second-cluster
    location: us-central1-a
    auth_kind: serviceaccount
    master_authorized_networks_config:
      cidr_blocks:
        - cidr_block: 192.0.2.0/24
    state: present
- name: create a third cluster
  google.cloud.gcp_container_cluster:
    name: my-third-cluster
    location: us-central1-a
    auth_kind: serviceaccount
    state: present