Control: 7.1.4 Ensure that clusters are accessible only by using private endpoints
Description
Disable the public service endpoint so that all traffic to the cluster master (the Kubernetes API server), from both the worker nodes and cluster users, is established over the private network through the private service endpoint only.
Remediation
From Console
- Log in to the IBM Cloud console at https://cloud.ibm.com/.
- To view a list of your resources, go to Menu > Resource List.
- From your IBM Cloud resource list, select your cluster.
- From the Overview tab, click the Disable button for the public service endpoint.
- In the modal, click Disable to confirm.
- In the next modal, click Refresh to initiate an API server refresh.
- Optional: Add capacity to your cluster by resizing the worker pool. The pods on the worker node can be rescheduled and continue running on the added worker nodes during the update.
- From the Worker Nodes tab, select your worker nodes and click Replace.
- In the modal, click Replace to confirm.
From Command Line
- Disable the public service endpoint.
ibmcloud ks cluster feature disable public-service-endpoint --cluster <cluster_name_or_ID>
- Confirm the action by entering yes when prompted.
- Optional: Add capacity to your cluster by resizing the worker pool. The pods on the worker node can be rescheduled and continue running on the added worker nodes during the update.
- Replace the worker nodes so that their configuration is updated to remove the public service endpoint.
ibmcloud ks worker replace --cluster <cluster_name_or_ID> --worker <worker_node_ID>
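Because this control is evaluated manually, the following is an added example (not part of the ibm_compliance mod or IBM's tooling) of an audit check you could run before and after the remediation above. It reads the record returned by `ibmcloud ks cluster get --cluster <cluster_name_or_ID> --output json` and reports whether the public service endpoint is still enabled, printing the matching `ibmcloud ks` command as the next step. The field names `publicServiceEndpointEnabled` and `privateServiceEndpointEnabled` (top level on classic clusters, nested under `serviceEndpoints` on VPC clusters) are an assumption about that JSON output; the `SAMPLE_CLUSTERS` records are constructed test data, and `fetch_cluster` is only called when you wire it up yourself against a logged-in CLI.

```python
"""Audit IKS clusters for an enabled public service endpoint (control 7.1.4).

Added example, not mod code. Field names are an assumption about the output of
`ibmcloud ks cluster get --output json`; confirm them against your CLI version.
"""
import json
import subprocess
from typing import List, Optional

# Constructed sample records in the assumed shape of `ibmcloud ks cluster get --output json`.
SAMPLE_CLUSTERS = [
    {"id": "c-0001", "name": "prod-classic",
     "publicServiceEndpointEnabled": True, "privateServiceEndpointEnabled": True},
    {"id": "c-0002", "name": "prod-vpc",                       # VPC-style nested shape
     "serviceEndpoints": {"publicServiceEndpointEnabled": False,
                          "privateServiceEndpointEnabled": True}},
    {"id": "c-0003", "name": "legacy",
     "publicServiceEndpointEnabled": True, "privateServiceEndpointEnabled": False},
    {"id": "c-0004", "name": "odd-shape"},                     # flags missing entirely
]


def _endpoint_flag(cluster: dict, key: str) -> Optional[bool]:
    """Read a service-endpoint flag from either record shape; None if absent."""
    if key in cluster:
        return bool(cluster[key])
    nested = cluster.get("serviceEndpoints") or {}
    return bool(nested[key]) if key in nested else None


def assess(cluster: dict) -> dict:
    """Classify one cluster record and, when non-compliant, name the next step."""
    public = _endpoint_flag(cluster, "publicServiceEndpointEnabled")
    private = _endpoint_flag(cluster, "privateServiceEndpointEnabled")
    ident = cluster.get("id") or cluster.get("name", "<unknown>")
    if public is None:
        # Unknown record shape: report an error rather than a false "ok".
        return {"id": ident, "status": "error",
                "reason": "public service endpoint flag not found in record"}
    if public is False:
        return {"id": ident, "status": "ok",
                "reason": "public service endpoint disabled"}
    # Disabling the public endpoint while the private one is off would leave the
    # master unreachable, so the private endpoint has to be enabled first.
    if not private:
        return {"id": ident, "status": "alarm",
                "reason": "public endpoint enabled and private endpoint disabled",
                "next_step": f"ibmcloud ks cluster feature enable private-service-endpoint --cluster {ident}"}
    return {"id": ident, "status": "alarm",
            "reason": "public service endpoint enabled",
            "next_step": f"ibmcloud ks cluster feature disable public-service-endpoint --cluster {ident}"}


def audit(clusters: List[dict]) -> List[dict]:
    """Assess every record and return the findings in input order."""
    return [assess(c) for c in clusters]


def fetch_cluster(name_or_id: str) -> dict:
    """Live lookup (needs an authenticated ibmcloud CLI with the ks plugin)."""
    result = subprocess.run(
        ["ibmcloud", "ks", "cluster", "get", "--cluster", name_or_id, "--output", "json"],
        check=True, capture_output=True, text=True)
    return json.loads(result.stdout)


if __name__ == "__main__":
    # Runs against the constructed sample data; swap in fetch_cluster(...) for a real cluster.
    for finding in audit(SAMPLE_CLUSTERS):
        print(f'{finding["status"].upper():5} {finding["id"]:8} {finding["reason"]}'
              + (f'  ->  {finding["next_step"]}' if "next_step" in finding else ""))
```

Re-run the check after the worker replacement step: the control is only satisfied once the public endpoint is disabled and the workers have been replaced, so a record that still shows the public flag as enabled means the `feature disable` step has not completed.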
Usage
Run the control in your terminal:
powerpipe control run ibm_compliance.control.cis_v100_7_1_4
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run ibm_compliance.control.cis_v100_7_1_4 --share
SQL
This control uses a named query:
manual_control