
How to forbid access to GKE? master_authorized_networks = [] is disabling the feature, not the access.

Open lchastel opened this issue 4 years ago • 7 comments

I want to secure access to a GKE cluster, so I need to enable "Control plane authorized networks", but I don't have any network to authorize at the moment.

According to the documentation I need to use master_authorized_networks and set it to [] to disallow external connections. But it's not working: "Control plane authorized networks" is disabled on the cluster.

If I put a CIDR block in master_authorized_networks, then "Control plane authorized networks" is enabled.

Could you please help me enable "Control plane authorized networks" without specifying a CIDR block?

lchastel avatar May 19 '21 13:05 lchastel

If you want to lock down access entirely, you can use the cluster CIDR in the master authorized networks list.

morgante avatar May 19 '21 15:05 morgante
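For readers landing here from search, the two configurations discussed in this thread side by side. This is an added example, not code from the issue or from the module's maintainers; the project, region, network, subnet, secondary range names and the 10.10.0.0/20 node subnet CIDR are assumed placeholder values.

```hcl
# Added example (not from this issue or the module). Assumed values: project id,
# region, network/subnet names, secondary range names and the node subnet CIDR.

# Weak: with this module an empty list does not mean "authorized networks enabled,
# nothing allowed". It disables the feature, and because enable_private_endpoint
# defaults to false the public control plane endpoint accepts connections from
# any source IP (only the cluster's own authentication stands in the way).
module "gke_open" {
  source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster"

  project_id        = "my-project"    # assumed
  name              = "demo-open"
  region            = "europe-west1"  # assumed
  network           = "demo-vpc"      # assumed
  subnetwork        = "demo-subnet"   # assumed
  ip_range_pods     = "demo-pods"     # assumed secondary range name
  ip_range_services = "demo-services" # assumed secondary range name

  enable_private_nodes    = true
  enable_private_endpoint = false          # the default
  master_ipv4_cidr_block  = "172.16.0.0/28"

  master_authorized_networks = []          # feature disabled, not access
}

# Corrected, following the workaround from this thread: list the cluster's own
# node subnet CIDR so the module enables the feature, and turn on the private
# endpoint so no public endpoint exists at all. Only sources inside the listed
# VPC range can then reach the API server.
module "gke_locked" {
  source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster"

  project_id        = "my-project"    # assumed
  name              = "demo-locked"
  region            = "europe-west1"  # assumed
  network           = "demo-vpc"      # assumed
  subnetwork        = "demo-subnet"   # assumed
  ip_range_pods     = "demo-pods"     # assumed secondary range name
  ip_range_services = "demo-services" # assumed secondary range name

  enable_private_nodes    = true
  enable_private_endpoint = true           # required: a non-empty list below
  master_ipv4_cidr_block  = "172.16.0.0/28"

  master_authorized_networks = [{
    cidr_block   = "10.10.0.0/20"          # assumed node subnet CIDR
    display_name = "node-subnet"
  }]
}
```

After an apply, verify the result rather than trusting the plan: in the console the cluster should show "Control plane authorized networks" as enabled, or check it with `gcloud container clusters describe demo-locked --region europe-west1 --format='value(masterAuthorizedNetworksConfig.enabled)'`, which should print `True`. The later comments in this thread describe the failure mode of the second block with an empty list: the API rejects a private endpoint without authorized networks, so the list entry is what makes the locked-down configuration valid.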

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

github-actions[bot] avatar Jul 18 '21 23:07 github-actions[bot]

Hi, can we get this reopened? The documentation doesn't match the module behaviour here. If you don't define master_authorized_networks, the module defaults to disabling authorized networks, and the API endpoint is publicly available.

smlx avatar Jul 27 '21 23:07 smlx

According to the provider docs, the master_authorized_networks_config option is optional, and if the nested cidr_blocks are omitted, it should disallow external access, which in my case is exactly what I am trying to accomplish. However, if I omit master_authorized_networks or set it to [] in this module I get:

│ Error: googleapi: Error 400: Master authorized networks must be enabled if private endpoint is enabled., badRequest
│
│   with module.gke.module.gke.google_container_cluster.primary,
│   on .terraform/modules/gke.gke/modules/private-cluster-update-variant/cluster.tf line 22, in resource "google_container_cluster" "primary":
│   22: resource "google_container_cluster" "primary" {
│
╵

chiefy avatar Dec 01 '21 15:12 chiefy

I was able to make master_authorized_networks_config disabled by having no block for master_authorized_networks_config and having enable_private_nodes = true in private_cluster_config but not having enable_private_endpoint argument. The private cluster is still enabled when checking the console.

anna-tek avatar Dec 12 '22 15:12 anna-tek

@anna-tek enable_private_endpoint is false by default, so by omitting it, together with the empty master_authorized_networks block, you're opening your control plane endpoint.

antoineco avatar May 17 '23 11:05 antoineco

Exactly the same problem as chiefy.

If I fill the master_authorized_networks variable with a totally random IP, it works. That's strange behavior.

tanguynicolas avatar Aug 25 '23 16:08 tanguynicolas