GKE Authorized Networks bypass via Cloud Functions or Cloud Run

Published Tue, Jun 7th, 2022


Running Cloud Functions or Cloud Run workloads in any project, in any organization, made it possible to bypass the GKE Authorized Networks (aka the Kubernetes control plane firewall) of a cluster in a different project or organization.

Affected Services



Run the following command on existing clusters to block traffic to the GKE control plane that originates from Google Cloud VMs or Cloud Run with Google Cloud public source IPs (the same flag can also be used at cluster creation time): `gcloud container clusters update CLUSTER_NAME --no-enable-google-cloud-access`
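To find which clusters still need the command above, the following added example (not part of the original advisory) audits a cluster inventory exported as JSON. It assumes the `masterAuthorizedNetworksConfig.enabled` and `gcpPublicCidrsAccessEnabled` fields of the GKE API cluster resource; the sample inventory is constructed, and treating an unset field as needing review is an assumption of this sketch.

```python
import json
import shlex

# Constructed sample of `gcloud container clusters list --format=json` output,
# trimmed to the fields read below. Names, locations and CIDRs are made up.
SAMPLE = """[
  {"name": "prod-a", "location": "us-central1",
   "masterAuthorizedNetworksConfig": {"enabled": true,
     "cidrBlocks": [{"cidrBlock": "203.0.113.0/24"}],
     "gcpPublicCidrsAccessEnabled": false}},
  {"name": "prod-b", "location": "europe-west1",
   "masterAuthorizedNetworksConfig": {"enabled": true,
     "cidrBlocks": [{"cidrBlock": "198.51.100.0/24"}],
     "gcpPublicCidrsAccessEnabled": true}},
  {"name": "legacy", "location": "us-east1-b",
   "masterAuthorizedNetworksConfig": {"enabled": true,
     "cidrBlocks": [{"cidrBlock": "192.0.2.0/24"}]}},
  {"name": "dev", "location": "us-west1-a"}
]"""


def audit(clusters):
    """Return (name, location, finding) for every cluster that needs review."""
    findings = []
    for c in clusters:
        man = c.get("masterAuthorizedNetworksConfig") or {}
        if not man.get("enabled"):
            finding = "authorized-networks-disabled"
        elif man.get("gcpPublicCidrsAccessEnabled") is False:
            continue  # Google Cloud public IPs are explicitly blocked
        elif man.get("gcpPublicCidrsAccessEnabled") is True:
            finding = "google-cloud-access-enabled"
        else:
            # Assumption: an absent field is not proof of blocking; review it.
            finding = "google-cloud-access-unset"
        findings.append((c["name"], c.get("location"), finding))
    return findings


def remediation(name):
    """The advisory's command with the cluster name filled in."""
    return ("gcloud container clusters update "
            f"{shlex.quote(name)} --no-enable-google-cloud-access")


if __name__ == "__main__":
    for name, location, finding in audit(json.loads(SAMPLE)):
        print(f"{name} ({location}): {finding}")
        if finding != "authorized-networks-disabled":
            print("  " + remediation(name))
```

Clusters reported as `authorized-networks-disabled` have no control plane allowlist at all, so the flag from the advisory does not apply to them until authorized networks are turned on.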

Tracked CVEs

No tracked CVEs


Disclosure Date
Wed, Mar 9th, 2022
Exploitability Period
Until 2022/09/30
Known ITW Exploitation
Detection Methods
Piercing Index Rating
Discovered by
Peter Collins