turbot/ibm_compliance

Control: 7.1.4 Ensure that clusters are accessible only by using private endpoints

Description

Disable the public service endpoint so that communication to the master from both the worker nodes and cluster users is established over the private network through the private service endpoint.

Remediation

From Console

  1. Log in to the IBM Cloud console at https://cloud.ibm.com/.
  2. To view a list of your resources, go to Menu > Resource List.
  3. From your IBM Cloud resource list, select your cluster.
  4. From the Overview tab, click the Disable button for the public service endpoint.
  5. In the modal, click Disable to confirm.
  6. In the next modal, click Refresh to initiate an API server refresh.
  7. Optional: Add capacity to your cluster by resizing the worker pool. The pods on the worker node can be rescheduled and continue running on the added worker nodes during the update.
  8. From the Worker Nodes tab, select your worker nodes and click Replace.
  9. In the modal, click Replace to confirm.

From Command Line:

  1. Disable the public service endpoint.
ibmcloud ks cluster feature disable public-service-endpoint --cluster
<cluster_name_or_ID>
  1. Confirm the action by clicking yes.
  2. Optional: Add capacity to your cluster by resizing the worker pool. The pods on the worker node can be rescheduled and continue running on the added worker nodes during the update.
  3. Replace the worker nodes so that their configuration is updated to remove the public service endpoint.
ibmcloud ks worker replace --cluster <cluster_name_or_ID> --worker
<worker_node_ID>

Usage

Run the control in your terminal:

powerpipe control run ibm_compliance.control.cis_v100_7_1_4

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run ibm_compliance.control.cis_v100_7_1_4 --share

SQL

This control uses a named query:

manual_control

Tags