turbot/steampipe-mod-alicloud-compliance

Control: 7.9 Ensure Kubernetes Cluster is created with Private cluster enabled

Description

A private cluster is a cluster that makes your master inaccessible from the public internet. In a private cluster, nodes do not have public IP addresses, so your workloads run in an environment that is isolated from the internet. Nodes have addresses only in the private address space. Nodes and masters communicate with each other privately using VPC peering.

Remediation

Using the management console:

  1. Log on to the ACK console.
  2. Click the Create Kubernetes Cluster button and make sure Public Access is not enabled.

Default Value:

By default, public access is not enabled when creating a new cluster.

Usage

Run the control in your terminal:

powerpipe control run alicloud_compliance.control.cis_v200_7_9

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run alicloud_compliance.control.cis_v200_7_9 --share

SQL

This control uses a named query:

select
  arn as resource,
  case
    when state != 'running' then 'skip'
    when master_url is not null
      and (master_url::jsonb->>'api_server_endpoint') is not null
      and (master_url::jsonb->>'api_server_endpoint') != ''
      then 'alarm'
    else 'ok'
  end as status,
  case
    when state != 'running' then title || ' is in ' || state || ' state.'
    when master_url is not null
      and (master_url::jsonb->>'api_server_endpoint') is not null
      and (master_url::jsonb->>'api_server_endpoint') != ''
      then title || ' has a public API server endpoint configured.'
    else title || ' is configured as a private cluster with no public API server endpoint.'
  end as reason,
  account_id as account_id,
  region as region
from
  alicloud_cs_kubernetes_cluster;
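To see how the status logic above classifies the different shapes `master_url` can take, the following query (an added example, not part of the mod or the control) builds a handful of constructed rows with the same columns the control reads and runs the same `case` expression over them. The ARNs, account id, endpoint addresses and every JSON key other than `api_server_endpoint` are made-up sample values; only `api_server_endpoint` is the key the control actually inspects.

```sql
-- Added example (not from the mod): exercise the control's status logic
-- against constructed rows shaped like the columns the control reads.
-- All values are constructed; master_url is held as text and cast to jsonb
-- exactly as the control does. Keys other than api_server_endpoint are
-- assumptions used only to make the sample JSON realistic.
with sample_clusters(arn, title, state, master_url, account_id, region) as (
  values
    ('acs:cs:cn-hangzhou:000000000000:cluster/c-public',  'public-cluster',  'running',
     '{"api_server_endpoint":"https://203.0.113.10:6443","dashboard_endpoint":""}',
     '000000000000', 'cn-hangzhou'),
    ('acs:cs:cn-hangzhou:000000000000:cluster/c-private', 'private-cluster', 'running',
     '{"api_server_endpoint":"","intranet_api_server_endpoint":"https://10.0.0.5:6443"}',
     '000000000000', 'cn-hangzhou'),
    ('acs:cs:cn-hangzhou:000000000000:cluster/c-nokey',   'nokey-cluster',   'running',
     '{"intranet_api_server_endpoint":"https://10.0.0.6:6443"}',
     '000000000000', 'cn-hangzhou'),
    ('acs:cs:cn-hangzhou:000000000000:cluster/c-null',    'null-cluster',    'running',
     null,
     '000000000000', 'cn-hangzhou'),
    ('acs:cs:cn-hangzhou:000000000000:cluster/c-init',    'init-cluster',    'initial',
     '{"api_server_endpoint":"https://203.0.113.11:6443"}',
     '000000000000', 'cn-hangzhou')
)
select
  title,
  state,
  -- Show the extracted value so each verdict can be traced to its input.
  master_url::jsonb->>'api_server_endpoint' as api_server_endpoint,
  -- Identical to the status expression in the control above.
  case
    when state != 'running' then 'skip'
    when master_url is not null
      and (master_url::jsonb->>'api_server_endpoint') is not null
      and (master_url::jsonb->>'api_server_endpoint') != ''
      then 'alarm'
    else 'ok'
  end as status
from
  sample_clusters
order by
  title;
```

Run against a Steampipe (PostgreSQL) database, the rows come back as: init-cluster is 'skip' because its state is not 'running', regardless of its endpoint; nokey-cluster (key absent, so the extraction yields null), null-cluster (no master_url at all) and private-cluster (key present but empty) are all 'ok'; only public-cluster, with a non-empty api_server_endpoint, is 'alarm'. The control therefore reads just that one key; a cluster whose JSON carries only an intranet endpoint passes, and a non-running cluster is never evaluated for public exposure until it reaches the running state.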

Tags