Control: Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version
Description
Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.kubernetes_cluster_upgraded_with_non_vulnerable_version
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.kubernetes_cluster_upgraded_with_non_vulnerable_version --share
SQL
This control uses a named query:
select
  a.id as resource,
  case
    -- Patterns are anchored with ^ and $ because ~ is an unanchored search:
    -- without the anchors, '1\.13\.[0-4]' also matches 1.13.12 via the
    -- substring 1.13.1 and raises a false alarm on a patched release.
    when a.kubernetes_version ~ '^1\.13\.[0-4]$'
      or a.kubernetes_version ~ '^1\.12\.[0-6]$'
      or a.kubernetes_version ~ '^1\.11\.[0-8]$'
      -- every 1.0.x through 1.10.x release predates the fix
      or a.kubernetes_version ~ '^1\.([0-9]|10)\.[0-9]{1,2}$' then 'alarm'
    else 'ok'
  end as status,
  case
    when a.kubernetes_version ~ '^1\.13\.[0-4]$'
      or a.kubernetes_version ~ '^1\.12\.[0-6]$'
      or a.kubernetes_version ~ '^1\.11\.[0-8]$'
      or a.kubernetes_version ~ '^1\.([0-9]|10)\.[0-9]{1,2}$' then a.name || ' not upgraded to a non-vulnerable Kubernetes version.'
    else a.name || ' upgraded to a non-vulnerable Kubernetes version.'
  end as reason,
  a.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_kubernetes_cluster as a,
  azure_subscription as sub
where
  sub.subscription_id = a.subscription_id;
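PostgreSQL's ~ operator is an unanchored search, so a version test such as 1\.13\.[0-4] also matches 1.13.12 by substring unless it is anchored with ^ and $. The following added check (not part of the azure_compliance mod) runs unanchored and anchored forms of those tests over a constructed list of cluster versions and cross-checks each verdict against a numeric comparison with the patched releases named in the description; the sample versions are made up for illustration.

```python
import re

# Lowest patched release per minor line for CVE-2019-9946, from the control description.
PATCHED = {11: 9, 12: 7, 13: 5, 14: 0}

# Unanchored tests of the kind the query uses; re.search behaves like PostgreSQL ~ here.
UNANCHORED = [r'1\.13\.[0-4]', r'1\.12\.[0-6]', r'1\.11\.[0-8]',
              r'1\.([0-9]|10)\.[0-9]{1,2}']
# The same tests anchored to the whole version string.
ANCHORED = [r'^1\.13\.[0-4]$', r'^1\.12\.[0-6]$', r'^1\.11\.[0-8]$',
            r'^1\.([0-9]|10)\.[0-9]{1,2}$']


def regex_status(version: str, patterns) -> str:
    """'alarm' if any pattern matches, else 'ok' (mirrors the query's CASE)."""
    return 'alarm' if any(re.search(p, version) for p in patterns) else 'ok'


def numeric_status(version: str) -> str:
    """Compare the parsed version against the patched releases instead of matching text."""
    m = re.fullmatch(r'v?(\d+)\.(\d+)\.(\d+)', version.strip())
    if not m:
        raise ValueError(f'unrecognised Kubernetes version: {version!r}')
    major, minor, patch = (int(x) for x in m.groups())
    if (major, minor) < (1, 11):
        return 'alarm'          # no patched release exists on these lines
    if (major, minor) >= (1, 14):
        return 'ok'             # fixed from 1.14.0 onwards
    return 'alarm' if patch < PATCHED[minor] else 'ok'


def disagreements(versions, patterns):
    """Versions where the regex verdict differs from the numeric one."""
    return [v for v in versions if regex_status(v, patterns) != numeric_status(v)]


# Constructed sample of cluster versions, not a real inventory.
SAMPLE = ['1.9.11', '1.10.13', '1.11.8', '1.11.10', '1.12.10',
          '1.13.4', '1.13.5', '1.13.12', '1.14.0', '1.27.3']

if __name__ == '__main__':
    for v in SAMPLE:
        print(f'{v:8} unanchored={regex_status(v, UNANCHORED):5} '
              f'anchored={regex_status(v, ANCHORED):5} numeric={numeric_status(v)}')
    print('false alarms from unanchored tests:', disagreements(SAMPLE, UNANCHORED))
```

The unanchored tests raise false alarms on 1.11.10, 1.12.10 and 1.13.12, all of which are patched; the anchored tests and the numeric comparison agree on every sample version.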