turbot/steampipe-mod-gcp-perimeter

Control: GKE cluster master authorized networks should not allow access from 0.0.0.0/0

Description

This control checks whether the GKE cluster control plane (master) API server restricts access through master authorized networks. Clusters without authorized networks, or with an authorized network of 0.0.0.0/0, expose the Kubernetes API server to the entire internet, potentially allowing unauthorized access to the cluster.

Usage

Run the control in your terminal:

powerpipe control run gcp_perimeter.control.gke_cluster_master_authorized_networks_not_publicly_accessible

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_perimeter.control.gke_cluster_master_authorized_networks_not_publicly_accessible --share

Steampipe Tables

SQL

with master_networks as (
  -- one row per authorized CIDR block of each cluster that has the feature enabled
  select
    self_link,
    title,
    c ->> 'cidrBlock' as cidr_block
  from
    gcp_kubernetes_cluster,
    jsonb_array_elements(master_authorized_networks_config -> 'cidrBlocks') as c
  where
    master_authorized_networks_config is not null
    and master_authorized_networks_config ->> 'enabled' = 'true'
)
select
  c.self_link as resource,
  case
    when c.master_authorized_networks_config is null then 'alarm'
    -- configuration present but the feature switched off leaves the API server open too
    when coalesce(c.master_authorized_networks_config ->> 'enabled', 'false') <> 'true' then 'alarm'
    when n.cidr_block = '0.0.0.0/0' then 'alarm'
    else 'ok'
  end as status,
  case
    when c.master_authorized_networks_config is null then c.title || ' has no master authorized networks configuration.'
    when coalesce(c.master_authorized_networks_config ->> 'enabled', 'false') <> 'true' then c.title || ' has master authorized networks disabled.'
    when n.cidr_block = '0.0.0.0/0' then c.title || ' allows access from 0.0.0.0/0.'
    else c.title || ' has restricted master access.'
  end as reason,
  c.location,
  c.project
from
  gcp_kubernetes_cluster as c
  left join master_networks as n on n.self_link = c.self_link;
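
The same evaluation applied outside Steampipe, as an added example that is not part of the mod: it takes cluster records shaped like the gcp_kubernetes_cluster column master_authorized_networks_config (the sample records below are constructed, not real clusters), treats a missing or disabled configuration as an alarm as the description requires, and goes slightly beyond the literal string compare by flagging any block whose prefix length is 0 (for example 10.1.2.3/0, which also means "anywhere").

```python
import ipaddress

# Constructed sample rows modelled on the gcp_kubernetes_cluster table;
# "title" and "master_authorized_networks_config" mirror the column names.
SAMPLE_CLUSTERS = [
    {"title": "prod-1", "master_authorized_networks_config": None},
    {"title": "prod-2", "master_authorized_networks_config": {"enabled": False}},
    {"title": "prod-3", "master_authorized_networks_config": {
        "enabled": True,
        "cidrBlocks": [{"cidrBlock": "0.0.0.0/0", "displayName": "anyone"}]}},
    {"title": "prod-4", "master_authorized_networks_config": {
        "enabled": True,
        "cidrBlocks": [{"cidrBlock": "203.0.113.0/24", "displayName": "office"}]}},
]


def evaluate_cluster(cluster):
    """Return (status, reason) for one cluster using the control's rules."""
    title = cluster["title"]
    cfg = cluster.get("master_authorized_networks_config")
    if cfg is None:
        return "alarm", f"{title} has no master authorized networks configuration."
    if not cfg.get("enabled"):
        # Feature present in the API response but switched off: API server is open.
        return "alarm", f"{title} has master authorized networks disabled."
    for block in cfg.get("cidrBlocks", []):
        cidr = block.get("cidrBlock", "")
        try:
            # strict=False normalises host bits, so 10.1.2.3/0 becomes 0.0.0.0/0
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            return "alarm", f"{title} has an unparseable CIDR block {cidr!r}."
        if net.prefixlen == 0:
            return "alarm", f"{title} allows access from {cidr}."
    # Enabled with only specific ranges (or none at all) restricts master access.
    return "ok", f"{title} has restricted master access."


def evaluate_all(clusters):
    """Map cluster title -> (status, reason), like the control's result rows."""
    return {c["title"]: evaluate_cluster(c) for c in clusters}


if __name__ == "__main__":
    for title, (status, reason) in evaluate_all(SAMPLE_CLUSTERS).items():
        print(f"{status:5}  {reason}")
```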

Tags