Control: Kubernetes cluster nodes should prohibit public access
Description
Ensure Kubernetes cluster nodes do not have public IP addresses. This control is non-compliant if Kubernetes cluster nodes have a public IP address assigned.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.kubernetes_cluster_node_restrict_public_accessSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.kubernetes_cluster_node_restrict_public_access --shareSQL
This control uses a named query:
with public_node as ( select distinct id from azure_kubernetes_cluster, jsonb_array_elements(agent_pool_profiles) as p where p ->> 'enableNodePublicIP' = 'true' group by id)select c.id as resource, case when n.id is null then 'ok' else 'alarm' end as status, case when n.id is null then c.name || ' has no public node.' else c.name || ' has public node.' end as reason , c.resource_group as resource_group , sub.display_name as subscriptionfrom azure_kubernetes_cluster c left join public_node as n on n.id = c.id, azure_subscription subwhere sub.subscription_id = c.subscription_id;