🚀Launch Week 07, January 27th - 31st, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-azure-compliance
Overview
13Dashboards
1311Benchmarks
430Queries
2Variables
GitHub

Control: Authorized IP ranges should be defined on Kubernetes Services

Description

ARestrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.kubernetes_cluster_authorized_ip_range_defined

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.kubernetes_cluster_authorized_ip_range_defined --share

SQL

This control uses a named query:

select
  c.id as resource,
  case
    when api_server_access_profile -> 'AuthorizedIPRanges' is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when api_server_access_profile -> 'AuthorizedIPRanges' is not null then c.title || ' authorized IP ranges defined.'
    else c.title || ' authorized IP ranges not defined.'
  end as reason
  
  , c.resource_group as resource_group
  , sub.display_name as subscription
from
  azure_kubernetes_cluster as c,
  azure_subscription as sub
where
  sub.subscription_id = c.subscription_id;

Tags

fedramp_high = true
nist_sp_800_171_rev_2 = true
nist_sp_800_53_rev_5 = true
service = Azure/KubernetesService