You need to create a firewall rule in GCP to allow exposing port 8443 from master to worker nodes.
gcloud compute firewall-rules create pinniped-apiservice-rule \ --source-ranges 172.16.0.0/28 \ --target-tags $WORKER_NODES_TAG \ --allow TCP:8443 --network $NETWORK
OR
You can also edit the existing firewall rule which has a name - gke-<cluster-name>-<uid>-master to include the tcp port 8443 along with the existing 10250/443 ports.
Additional Information:-
If the Private cluster with "Public endpoint access enabled" then one has to just disable the "authorized networks" to attach the cluster without any fail.