Improper Access Control
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-284: Improper Access Control |
| OWASP | A05:2017 - Broken Access Control |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
The GKE control plane is publicly accessible because `master_authorized_networks_config` is not set, leaving it open to connections from any IP address. This exposes the Kubernetes API server to the internet without network restrictions.
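The configuration described above next to a restricted form, as an added example that is not taken from the original page. It assumes the cluster is defined with the Terraform `google_container_cluster` resource; the resource names, region, display name and CIDR range are constructed placeholders.

```hcl
# Flagged: no master_authorized_networks_config block, so the public
# control plane endpoint accepts connections from any IP address.
resource "google_container_cluster" "open" {
  name               = "example-open" # placeholder name
  location           = "us-central1"  # placeholder region
  initial_node_count = 1
}

# Restricted: only the listed CIDR ranges can reach the control plane
# endpoint over the network.
resource "google_container_cluster" "restricted" {
  name               = "example-restricted" # placeholder name
  location           = "us-central1"        # placeholder region
  initial_node_count = 1

  master_authorized_networks_config {
    cidr_blocks {
      # Placeholder from the 203.0.113.0/24 documentation range; use the
      # egress range of your admin network or CI runners instead.
      # A cidr_block of 0.0.0.0/0 here would reopen the endpoint to
      # every address and defeat the restriction.
      cidr_block   = "203.0.113.0/24"
      display_name = "admin-egress" # placeholder label
    }
  }
}
```

Authorized networks limit which source addresses can reach the API server; Kubernetes authentication and RBAC still apply to connections from those ranges.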
Impact
If left public, attackers could attempt unauthorized access to your Kubernetes cluster, potentially gaining control, exfiltrating data, or disrupting services. This increases the risk of compromise and may violate organizational or compliance requirements.