---
title: GKE control plane is public
---

# GKE control plane is public

## Metadata{% #metadata %}

**Id:** `terraform-gcp-gke-control-plane-is-public`

**Provider:** GCP

**Platform:** Terraform

**Severity:** High

**Category:** Networking and Firewall

### Learn More{% #learn-more %}

- [Provider Reference](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#master_authorized_networks_config)

## Description{% #description %}

The Google Kubernetes Engine (GKE) control plane is the management layer that runs the Kubernetes API server and controls the cluster. When the control plane is reachable from the public internet, the attack surface grows, and so does the risk of unauthorized access to your cluster's management functionality. Authorizing the `0.0.0.0/0` CIDR block exposes the API server to every address on the internet, which lets potential attackers attempt brute-force attacks or exploit vulnerabilities in the API server.

To secure your GKE cluster, restrict access to the control plane by listing only known private IP ranges in the `master_authorized_networks_config` block. For example, instead of a public CIDR block such as `cidr_block = "0.0.0.0/0"`, use a private range such as `cidr_block = "10.0.0.0/8"` so that only your internal networks can reach the control plane.
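As an added example (not part of Datadog's rule engine or the Terraform provider), the following Python script applies this rule's check to Terraform source with a regex scan: it reports a `0.0.0.0/0` authorized network as public and, going beyond the rule, also lists any authorized range outside RFC 1918 space for review. The sample Terraform and cluster names are constructed for the demonstration.

```python
import ipaddress
import re

# Constructed sample: a cluster limited to RFC 1918 space, one open to the internet,
# and one authorising a single address from the 203.0.113.0/24 documentation range.
SAMPLE_TF = """
resource "google_container_cluster" "good_example" {
  master_authorized_networks_config {
    cidr_blocks { cidr_block = "10.0.0.0/8" }
  }
}
resource "google_container_cluster" "bad_example" {
  master_authorized_networks_config {
    cidr_blocks { cidr_block = "0.0.0.0/0" }
  }
}
resource "google_container_cluster" "office_example" {
  master_authorized_networks_config {
    cidr_blocks { cidr_block = "203.0.113.7/32" }
  }
}
"""

RESOURCE_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
MANC_RE = re.compile(r"master_authorized_networks_config\s*\{")
CIDR_RE = re.compile(r'\bcidr_block\s*=\s*"([^"]+)"')  # \b skips cluster_ipv4_cidr_block
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _last_before(pattern, src, pos):
    """Return the last match of pattern that ends before offset pos, or None."""
    matches = list(pattern.finditer(src, 0, pos))
    return matches[-1] if matches else None

def check_control_plane_access(src):
    """Return (cluster, cidr, verdict): 'public' for a /0 (what this rule flags),
    'review' for any other authorized range outside RFC 1918; internal ranges yield nothing."""
    findings = []
    for c in CIDR_RE.finditer(src):
        res = _last_before(RESOURCE_RE, src, c.start())
        manc = _last_before(MANC_RE, src, c.start())
        # Only cidr_blocks inside a GKE cluster's master_authorized_networks_config count.
        if not (res and manc and res.group(1) == "google_container_cluster"
                and manc.start() > res.start()):
            continue
        net = ipaddress.ip_network(c.group(1), strict=False)
        if net.prefixlen == 0:
            findings.append((res.group(2), c.group(1), "public"))
        elif not (net.version == 4 and any(net.subnet_of(p) for p in RFC1918)):
            findings.append((res.group(2), c.group(1), "review"))
    return findings
```

Running `check_control_plane_access(SAMPLE_TF)` flags `bad_example` as public and `office_example` for review, while `good_example` produces no finding.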

## Compliant Code Examples{% #compliant-code-examples %}

```terraform
resource "google_container_cluster" "good_example" {
  name     = "good-cluster"
  location = "us-central1"

  master_authorized_networks_config {
    cidr_blocks {
      cidr_block = "10.0.0.0/8" # ✅ Private network only
    }
  }
}
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```terraform
resource "google_container_cluster" "bad_example" {
  name     = "bad-cluster"
  location = "us-central1"

  master_authorized_networks_config {
    cidr_blocks {
      cidr_block = "0.0.0.0/0" # ❌ Public access
    }
  }
}
```
