Control: GKE cluster nodes should not be publicly accessible
Description
This control checks whether GKE cluster worker nodes are assigned private (internal) IP addresses only. Worker nodes with public IP addresses can be reached directly from the internet, so any service listening on the node (the kubelet, a hostNetwork pod, a NodePort service) becomes part of the externally reachable attack surface. Private nodes are reachable only from within the VPC, with egress to the internet going through Cloud NAT and ingress through a load balancer you explicitly configure.
Usage
Run the control in your terminal:
powerpipe control run gcp_perimeter.control.gke_cluster_nodes_not_publicly_accessible
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run gcp_perimeter.control.gke_cluster_nodes_not_publicly_accessible --share
Steampipe Tables
gcp_kubernetes_cluster
SQL
select
  self_link as resource,
  case
    when private_cluster_config ->> 'enablePrivateNodes' = 'true'
      or network_config ->> 'DefaultEnablePrivateNodes' = 'true' then 'ok'
    else 'alarm'
  end as status,
  case
    when private_cluster_config ->> 'enablePrivateNodes' = 'true'
      or network_config ->> 'DefaultEnablePrivateNodes' = 'true' then title || ' nodes do not have public access.'
    else title || ' nodes have public access.'
  end as reason,
  location,
  project
from
  gcp_kubernetes_cluster;
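The control above only tells you which clusters are in alarm. When triaging those results you usually want the related exposure settings side by side: whether the control plane endpoint is also private, its master CIDR, and how many authorized-network CIDR blocks are allowed to reach it. The query below is an added example written for this page, not part of the gcp_perimeter mod; it runs against the same gcp_kubernetes_cluster table and reproduces the JSON key names used by the control (`->>` lookups are case-sensitive, so verify them against `select network_config from gcp_kubernetes_cluster limit 1` on your plugin version). It uses coalesce so clusters with no private_cluster_config block are treated as public rather than silently dropped by a null comparison.

```sql
-- Added example (not the mod's own query): list GKE clusters whose nodes are
-- public, together with the control-plane exposure settings needed to triage them.
select
  title,
  location,
  project,
  -- null private_cluster_config means the cluster was never configured as private
  coalesce(private_cluster_config ->> 'enablePrivateNodes', 'false') as private_nodes,
  coalesce(private_cluster_config ->> 'enablePrivateEndpoint', 'false') as private_endpoint,
  private_cluster_config ->> 'masterIpv4CidrBlock' as master_cidr,
  endpoint as control_plane_endpoint,
  -- number of CIDR blocks allowed to reach the control plane; 0 means either
  -- authorized networks are disabled or no blocks are configured
  jsonb_array_length(
    coalesce(master_authorized_networks_config -> 'cidrBlocks', '[]'::jsonb)
  ) as authorized_cidr_count
from
  gcp_kubernetes_cluster
where
  -- same condition the control uses, inverted to select the alarm set
  coalesce(private_cluster_config ->> 'enablePrivateNodes', 'false') <> 'true'
  and coalesce(network_config ->> 'DefaultEnablePrivateNodes', 'false') <> 'true'
order by
  project, location, title;
```

A cluster that shows private_nodes = false, private_endpoint = false and authorized_cidr_count = 0 is the case to fix first: both the nodes and the API server are reachable from any source address. Note that this query, like the control, evaluates the cluster-level settings only; newer GKE releases allow the private-node setting to be overridden per node pool, and neither query inspects those per-pool overrides.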