More Info:

Control Plane endpoint access should be limited to authorized networks only

Risk Level

Critical

Address

Security, Reliability, Best Practice

Compliance Standards

HITRUST, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

To remediate the control plane endpoint access misconfiguration in GCP, you can follow these steps:
  1. Open the Google Cloud Console and navigate to the VPC network page.
  2. Select the VPC network that you want to configure.
  3. Click on the “Firewall rules” tab.
  4. Click on the “Create Firewall Rule” button.
  5. In the “Name” field, enter a name for the firewall rule.
  6. In the “Targets” field, select “All instances in the network”.
  7. In the “Source IP ranges” field, enter the IP address range of the authorized networks that should have access to the control plane endpoint.
  8. In the “Protocols and ports” section, select “Specified protocols and ports”.
  9. In the “Specified protocols and ports” field, enter “tcp:443”.
  10. Click on the “Create” button to create the firewall rule.
This will create a firewall rule that will restrict access to the control plane endpoint to only the authorized networks that you specified.

To remediate the misconfiguration “Control Plane Endpoint Access Should Be Limited To Authorized Networks” for GCP using GCP CLI, follow these steps:
  1. Open the Cloud Shell in the GCP Console.
  2. Run the following command to list the current authorized networks: 
gcloud container clusters describe [CLUSTER_NAME] --zone [ZONE] --format="value(masterAuthorizedNetworksConfig.cidrBlocks)"
Replace [CLUSTER_NAME] and [ZONE] with the name and zone of your cluster.
  1. If the output shows that there are no authorized networks, or if the authorized networks are not correct, run the following command to add authorized networks:
gcloud container clusters update [CLUSTER_NAME] --zone [ZONE] --update-master --master-authorized-networks=[CIDR_BLOCK]
Replace [CLUSTER_NAME], [ZONE], and [CIDR_BLOCK] with your own values. You can specify multiple CIDR blocks separated by commas.
  1. Verify that the authorized networks have been added by running the first command again.
  2. Repeat steps 2-4 for each cluster in your GCP project.
By following these steps, you will restrict access to the control plane endpoint to only the authorized networks, reducing the risk of unauthorized access.
To remediate “Control Plane Endpoint Access Should Be Limited To Authorized Networks” for GCP using python, you can follow these steps:
  1. Import necessary libraries:
from googleapiclient import discovery
from google.oauth2 import service_account
  1. Set up authentication using a service account:
credentials = service_account.Credentials.from_service_account_file(
    '/path/to/service_account_key.json')
  1. Initialize the GCP API client:
service = discovery.build('container', 'v1', credentials=credentials)
  1. Get the current cluster configuration:
project_id = 'your-project-id'
zone = 'your-zone'
cluster_id = 'your-cluster-id'

cluster = service.projects().zones().clusters().get(
    projectId=project_id, zone=zone, clusterId=cluster_id).execute()
  1. Update the cluster configuration to limit control plane endpoint access to authorized networks:
authorized_networks_config = {
    'enabled': True,
    'cidrBlocks': ['10.0.0.0/8', '172.16.0.0/12']
}

cluster['masterAuthorizedNetworksConfig'] = authorized_networks_config

response = service.projects().zones().clusters().update(
    projectId=project_id, zone=zone, clusterId=cluster_id, body=cluster).execute()
In this example, we are limiting control plane endpoint access to the IP ranges ‘10.0.0.0/8’ and ‘172.16.0.0/12’. You can modify the cidrBlocks list to include the authorized networks for your specific use case.Note: This code assumes that you have the necessary permissions to modify the cluster configuration.