Control: GKE cluster master authorized networks should not allow access from 0.0.0.0/0
Description
This control checks whether the GKE cluster control plane (master) API server restricts access through master authorized networks. Clusters without authorized networks, or with an authorized network entry of 0.0.0.0/0, expose the Kubernetes API server to the entire internet, potentially allowing unauthorized access to the cluster.
Usage
Run the control in your terminal:
powerpipe control run gcp_perimeter.control.gke_cluster_master_authorized_networks_not_publicly_accessible
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run gcp_perimeter.control.gke_cluster_master_authorized_networks_not_publicly_accessible --share
Steampipe Tables
SQL
```sql
-- One row per authorized CIDR block, only for clusters where master
-- authorized networks is actually enabled.
with master_networks as (
  select
    self_link,
    title,
    c ->> 'cidrBlock' as cidr_block
  from
    gcp_kubernetes_cluster,
    jsonb_array_elements(master_authorized_networks_config -> 'cidrBlocks') as c
  where
    master_authorized_networks_config is not null
    and master_authorized_networks_config ->> 'enabled' = 'true'
)
select
  c.self_link as resource,
  case
    when master_authorized_networks_config is null then 'alarm'
    -- A config that is present but not enabled restricts nothing, so treat it
    -- like a missing config rather than letting it fall through to 'ok'.
    when coalesce(master_authorized_networks_config ->> 'enabled', 'false') <> 'true' then 'alarm'
    when n.cidr_block = '0.0.0.0/0' then 'alarm'
    else 'ok'
  end as status,
  case
    when master_authorized_networks_config is null then c.title || ' has no master authorized networks configuration.'
    when coalesce(master_authorized_networks_config ->> 'enabled', 'false') <> 'true' then c.title || ' has master authorized networks disabled.'
    when n.cidr_block = '0.0.0.0/0' then c.title || ' allows access from 0.0.0.0/0.'
    else c.title || ' has restricted master access.'
  end as reason,
  location,
  project
from
  gcp_kubernetes_cluster as c
  left join master_networks as n on n.self_link = c.self_link;
```
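The same decision logic, as an added example (not part of the gcp_perimeter mod) written in Python so it can be run against cluster records that have been exported to JSON, for instance the `master_authorized_networks_config` column of `gcp_kubernetes_cluster` or the `masterAuthorizedNetworksConfig` object from the GKE API. The sample clusters are constructed for the example. It goes slightly beyond the control's literal `= '0.0.0.0/0'` comparison by flagging any CIDR with a zero-length prefix, so that a differently spelled but equivalent entry is not missed, and it treats a present-but-disabled config as unrestricted.

```python
import ipaddress

# Constructed sample records shaped like the gcp_kubernetes_cluster table's
# master_authorized_networks_config column (a GKE MasterAuthorizedNetworksConfig).
SAMPLE_CLUSTERS = [
    {
        "title": "prod-a",
        "master_authorized_networks_config": {
            "enabled": True,
            "cidrBlocks": [{"displayName": "office", "cidrBlock": "203.0.113.0/24"}],
        },
    },
    {
        "title": "prod-b",
        "master_authorized_networks_config": {
            "enabled": True,
            "cidrBlocks": [{"cidrBlock": "0.0.0.0/0"}],
        },
    },
    {"title": "dev-c", "master_authorized_networks_config": None},
    {
        "title": "dev-d",
        "master_authorized_networks_config": {"enabled": False, "cidrBlocks": []},
    },
]


def is_unrestricted(cidr: str) -> bool:
    """True when the CIDR admits every address, i.e. its prefix length is 0.

    Unparseable values are reported as restricted here; the control's own
    query does a plain string comparison and would also not flag them.
    """
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def evaluate_cluster(cluster: dict) -> tuple[str, str]:
    """Return (status, reason) for one cluster, mirroring the control's CASE logic."""
    title = cluster["title"]
    cfg = cluster.get("master_authorized_networks_config")

    # No config at all: the public endpoint is reachable from anywhere.
    if cfg is None:
        return "alarm", f"{title} has no master authorized networks configuration."

    # Config present but not enabled is functionally the same as no config.
    if not cfg.get("enabled"):
        return "alarm", f"{title} has master authorized networks disabled."

    # Enabled: any entry that spans the whole address space defeats the purpose.
    for block in cfg.get("cidrBlocks") or []:
        cidr = block.get("cidrBlock", "")
        if is_unrestricted(cidr):
            return "alarm", f"{title} allows access from {cidr}."

    return "ok", f"{title} has restricted master access."


def evaluate_all(clusters: list[dict]) -> dict[str, tuple[str, str]]:
    """Evaluate every cluster and key the results by cluster title."""
    return {c["title"]: evaluate_cluster(c) for c in clusters}


if __name__ == "__main__":
    for title, (status, reason) in evaluate_all(SAMPLE_CLUSTERS).items():
        print(f"{status:5}  {title:8}  {reason}")
```

Unlike the SQL, which emits one row per authorized CIDR, `evaluate_cluster` collapses a cluster to a single verdict: the first unrestricted block wins, and a cluster with the feature enabled and an empty block list is reported as restricted, matching what the control's left join produces for that case.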