Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-gcp-perimeter
Overview
3Dashboards
33Benchmarks
0Queries
6Variables
GitHub

Control: GKE clusters nodes should not be publicly accessible

Description

This control checks whether GKE cluster worker nodes have private IP addresses only. Worker nodes with public IP addresses can be directly accessed from the internet, exposing node-level vulnerabilities.

Usage

Run the control in your terminal:

powerpipe control run gcp_perimeter.control.gke_cluster_nodes_not_publicly_accessible

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_perimeter.control.gke_cluster_nodes_not_publicly_accessible --share

Steampipe Tables

gcp_kubernetes_cluster
GCP plugin

SQL

select
  self_link as resource,
  case
    when private_cluster_config ->> 'enablePrivateNodes' = 'true' or network_config ->> 'DefaultEnablePrivateNodes' = 'true' then 'ok'
    else 'alarm'
  end as status,
  case
    when private_cluster_config ->> 'enablePrivateNodes' = 'true' or network_config ->> 'DefaultEnablePrivateNodes' = 'true' then title || ' nodes do not have public access.'
    else title || ' nodes have public access.'
  end as reason
  
  , location, project
from
  gcp_kubernetes_cluster;

Tags

category = Perimeter
plugin = gcp
service = GCP/GKE