turbot/steampipe-mod-gcp-compliance

Control: GKE clusters should not allow incoming traffic from all sources across the internet

Description

This control checks the VPC network each GKE cluster is attached to for an ingress firewall rule that allows traffic from 0.0.0.0/0 (any source on the internet); a cluster on such a network is reported in alarm.

Usage

Run the control in your terminal:

powerpipe control run gcp_compliance.control.kubernetes_cluster_incoming_traffic_open_to_all

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_compliance.control.kubernetes_cluster_incoming_traffic_open_to_all --share

SQL

This control uses a named query:

-- Networks that have at least one ingress rule allowing traffic from 0.0.0.0/0
with network_open_to_all as (
  select
    distinct network
  from
    gcp_compute_firewall
  where
    direction = 'INGRESS'
    and action = 'Allow'
    and source_ranges ?& array['0.0.0.0/0']
)
-- A cluster is in alarm when its network appears in the CTE above
select
  distinct c.self_link as resource,
  case
    when a.network is not null then 'alarm'
    else 'ok'
  end as status,
  case
    when a.network is not null then c.title || ' allows incoming traffic from any source on the internet across all protocols.'
    else c.title || ' restricts incoming traffic from any source on the internet across all protocols.'
  end as reason,
  c.location as location,
  c.project as project
from
  gcp_kubernetes_cluster as c
  -- network_config ->> 'network' holds 'projects/<project>/global/networks/<name>';
  -- the firewall's network column is a full self link, so strip everything before 'projects/'
  left join network_open_to_all as a
    on c.network_config ->> 'network' = 'projects/' || split_part(a.network, 'projects/', 2);
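The control reports only that a cluster's network is open; to scope a rule down you need to know which rule. The query below is an added example, not part of the mod, that joins the same tables the other way round to list every offending ingress rule per flagged cluster. It assumes the gcp_compute_firewall columns name, priority, disabled and allowed (a jsonb array of {"IPProtocol": ..., "ports": [...]}) in addition to those used by the control.

```sql
-- Added example (not the mod's own query): for each GKE cluster the control
-- would flag, list the ingress rules that open its VPC network to 0.0.0.0/0.
-- Assumed columns (not used by the control above): f.name, f.priority,
-- f.disabled, f.allowed.
select
  c.title as cluster,
  c.location,
  c.project,
  f.name as firewall_rule,
  f.priority,
  f.disabled,
  f.allowed as allowed_protocols_ports
from
  gcp_kubernetes_cluster as c
  -- same network matching the control uses: cluster network path vs firewall self link
  join gcp_compute_firewall as f
    on c.network_config ->> 'network' = 'projects/' || split_part(f.network, 'projects/', 2)
where
  f.direction = 'INGRESS'
  and f.action = 'Allow'
  and f.source_ranges ?& array['0.0.0.0/0']
order by
  c.project, c.title, f.priority;
```

Like the control, this does not filter on disabled, so a disabled rule still appears; add `and not f.disabled` to see only rules currently in effect.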

Tags