Google Kubernetes Engine: Why can't the range for a master authorized networks be larger than /24

1/10/2019

I am creating a private kubernetes cluster on GKE. I see in the docs that the maximum size for any authorized network is /24. I am, however, able to authorize a range larger than that. What is the reason for limiting this range?

-- robertb
devops
google-cloud-platform
google-kubernetes-engine
kubernetes
networking

1 Answer

1/11/2019

Authorized networks allow you to whitelist specific CIDR ranges and allow IP addresses in those ranges to access your cluster master.

Private clusters run nodes without external IP addresses, and optionally run their cluster master without a publicly reachable endpoint. Additionally, private clusters do not allow GCP IP addresses to access the cluster master endpoint by default. Using private clusters with authorized networks makes your cluster master reachable only by the whitelisted CIDRs, by nodes within your cluster's VPC, and by Google's internal production jobs that manage your master.

A cluster can have no more than 20 authorized network CIDR ranges.

There is no limit on the ranges you can authorize with the flag --master-authorized-networks; you can even authorize 0.0.0.0/0, but this allows the public Internet to reach your cluster master endpoint through HTTPS.

-- Alioua
Source: StackOverflow
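Since gcloud itself does not stop you from authorizing a /16 or 0.0.0.0/0, a practical safeguard is to lint the --master-authorized-networks value before the cluster update runs. The script below is an added example, not code from the thread or from Google: it enforces the two limits the thread cites (at most 20 ranges per cluster, and the /24 maximum block size from the GKE docs the asker quotes, applied here as a policy check even though the API does not enforce it), flags 0.0.0.0/0, and catches malformed, duplicate or overlapping entries. It assumes IPv4 ranges; the function names, the cluster name and location, and the sample CIDRs are assumptions made for the example, not values from the page.

```python
"""Lint a GKE --master-authorized-networks value before passing it to gcloud.

Added example, not code from the StackOverflow thread. The limits enforced
are the ones the thread cites: at most 20 CIDR ranges per cluster, and the
/24 maximum block size from the GKE docs the asker quotes. The function
names, the sample inputs and the IPv4-only assumption are mine.
"""
import ipaddress
from typing import List

MAX_RANGES = 20        # the answer: a cluster can have no more than 20 ranges
MIN_PREFIX_LEN = 24    # the docs the asker cites: nothing larger than a /24

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")


def lint_authorized_networks(flag_value: str) -> List[str]:
    """Return human-readable findings for a comma-separated CIDR list.

    An empty list means the value passed every check here. Findings cover:
    malformed entries (including host bits set, e.g. 10.0.0.5/24), IPv6
    entries (this lint assumes IPv4), the 20-range cap, blocks larger than a
    /24, 0.0.0.0/0, and duplicate or overlapping entries.
    """
    findings: List[str] = []
    entries = [e.strip() for e in flag_value.split(",") if e.strip()]
    if not entries:
        return ["no CIDR ranges given"]
    if len(entries) > MAX_RANGES:
        findings.append(
            f"{len(entries)} ranges given; GKE allows at most {MAX_RANGES}")

    accepted: List[ipaddress.IPv4Network] = []
    for entry in entries:
        # strict=True rejects host bits: 10.0.0.5/24 becomes a finding rather
        # than being silently read as 10.0.0.0/24.
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            findings.append(f"{entry}: not a valid CIDR ({exc})")
            continue
        if net.version != 4:
            findings.append(f"{entry}: IPv6 entry; this lint only checks IPv4 ranges")
            continue
        if net == ANY_V4:
            findings.append(
                f"{entry}: authorizes the entire public Internet to reach the master endpoint")
        elif net.prefixlen < MIN_PREFIX_LEN:
            findings.append(
                f"{entry}: larger than a /{MIN_PREFIX_LEN} (documented maximum block size)")
        for earlier in accepted:
            if net == earlier:
                findings.append(f"{entry}: duplicate of an earlier entry")
                break
            if net.overlaps(earlier):
                findings.append(f"{entry}: overlaps earlier entry {earlier}")
                break
        accepted.append(net)
    return findings


def gcloud_update_command(cluster: str, location: str, flag_value: str) -> str:
    """Build the gcloud command once the list lints clean; raise otherwise.

    --enable-master-authorized-networks and --master-authorized-networks are
    real gcloud flags; the cluster name and location are whatever you pass in.
    """
    findings = lint_authorized_networks(flag_value)
    if findings:
        raise ValueError(
            "refusing to apply authorized networks:\n  " + "\n  ".join(findings))
    return (f"gcloud container clusters update {cluster} --region {location} "
            f"--enable-master-authorized-networks "
            f"--master-authorized-networks {flag_value}")


if __name__ == "__main__":
    # Constructed sample inputs: an office /24 plus a single bastion host, and
    # a "convenient" /16 with 0.0.0.0/0 and a host-bits typo that should fail.
    for value in ("203.0.113.0/24,198.51.100.7/32",
                  "10.0.0.0/16,0.0.0.0/0,203.0.113.5/24"):
        print(value, "->", lint_authorized_networks(value) or "OK")
```

Run the lint in whatever pipeline applies the cluster update, and treat any finding as a hard failure: the point of authorized networks is lost the moment a wide range slips in, and the API will not refuse it for you.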