turbot/steampipe-mod-gcp-compliance

Control: GKE cluster nodes should not use default service account

Description

This control ensures that GKE cluster nodes do not use the default service account. The Compute Engine default service account is broadly privileged, so it is recommended to create and use a least-privileged service account to run your GKE cluster nodes instead. The check is evaluated per node pool: any node pool whose node config still references the default service account is reported in alarm.

Usage

Run the control in your terminal:

powerpipe control run gcp_compliance.control.kubernetes_cluster_node_no_default_service_account

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_compliance.control.kubernetes_cluster_node_no_default_service_account --share

SQL

This control uses a named query. It expands the cluster's node_pools JSON array with jsonb_array_elements and compares each node pool's config.serviceAccount value with the literal string 'default':

select
  self_link as resource,
  case
    when np -> 'config' ->> 'serviceAccount' = 'default' then 'alarm'
    else 'ok'
  end as status,
  case
    when np -> 'config' ->> 'serviceAccount' = 'default' then title || ' cluster ' || (np ->> 'name') || ' uses default service account.'
    else title || ' cluster ' || (np ->> 'name') || ' does not use default service account.'
  end as reason,
  location as location,
  project as project
from
  gcp_kubernetes_cluster,
  jsonb_array_elements(node_pools) as np;
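
The same evaluation, as an added Python example that is not part of the mod: it runs the control's predicate over a constructed cluster record and, going one step beyond the query, optionally also flags a node pool that names the Compute Engine default service account by its email address (PROJECT_NUMBER-compute@developer.gserviceaccount.com), which the literal comparison with 'default' does not catch. The cluster values, project and service account names below are made up.

```python
import json
import re

# Constructed sample of one gcp_kubernetes_cluster row; node_pools is the JSON
# array the query expands with jsonb_array_elements. All values are made up.
SAMPLE_CLUSTERS = [{
    "title": "prod-gke",
    "self_link": "https://container.googleapis.com/v1/projects/example-project/"
                 "locations/us-central1/clusters/prod-gke",
    "location": "us-central1",
    "project": "example-project",
    "node_pools": json.dumps([
        {"name": "default-pool", "config": {"serviceAccount": "default"}},
        {"name": "app-pool", "config": {"serviceAccount": "gke-nodes@example-project.iam.gserviceaccount.com"}},
        # Same identity as 'default', but referenced by email: the SQL control misses this one.
        {"name": "batch-pool", "config": {"serviceAccount": "123456789012-compute@developer.gserviceaccount.com"}},
    ]),
}]

# Email form of the Compute Engine default service account.
COMPUTE_DEFAULT_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")


def uses_default_service_account(node_pool, match_compute_email=False):
    """Mirror of: np -> 'config' ->> 'serviceAccount' = 'default'.

    With match_compute_email=True the default SA is also recognised by its email.
    """
    sa = (node_pool.get("config") or {}).get("serviceAccount")
    if sa == "default":
        return True
    return match_compute_email and sa is not None and COMPUTE_DEFAULT_SA.match(sa) is not None


def evaluate(clusters, match_compute_email=False):
    """Return (resource, status, reason, location, project) per node pool, like the query."""
    rows = []
    for c in clusters:
        for np_ in json.loads(c["node_pools"]):  # jsonb_array_elements(node_pools) as np
            flagged = uses_default_service_account(np_, match_compute_email)
            verb = "uses" if flagged else "does not use"
            reason = f"{c['title']} cluster {np_['name']} {verb} default service account."
            rows.append((c["self_link"], "alarm" if flagged else "ok", reason, c["location"], c["project"]))
    return rows


if __name__ == "__main__":
    for strict in (False, True):
        print(f"match_compute_email={strict}")
        for row in evaluate(SAMPLE_CLUSTERS, strict):
            print("  ", row[1], row[2])
```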

Tags