Control: Kubernetes API should serve on secure port
Description
Kubernetes API should serve on port 443 or port 6443, protected by TLS. Once TLS is established, the HTTP request moves to the authentication step. If the request cannot be authenticated, it is rejected with HTTP status code 401.
Usage
Run the control in your terminal:
powerpipe control run kubernetes_compliance.control.endpoint_api_serve_on_secure_port
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run kubernetes_compliance.control.endpoint_api_serve_on_secure_port --share
SQL
This control uses a named query:
select
  coalesce(uid, concat(path, ':', start_line)) as resource,
  case
    when p ->> 'name' = 'https' and (p ->> 'port' = '443' or p ->> 'port' = '6443') then 'ok'
    else 'alarm'
  end as status,
  case
    when p ->> 'name' = 'https' and (p ->> 'port' = '443' or p ->> 'port' = '6443') then name || ' Kubernetes API serving on secure port.'
    else name || ' Kubernetes API not serving on secure port.'
  end as reason,
  name as endpoint_name,
  coalesce(context_name, '') as context_name,
  namespace,
  source_type,
  coalesce(path || ':' || start_line || '-' || end_line, '') as path
from
  kubernetes_endpoint,
  jsonb_array_elements(subsets) as s,
  jsonb_array_elements(s -> 'ports') as p
where
  name = 'kubernetes';
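The named query above emits one row per port entry, so an Endpoints object named kubernetes that has no subsets or ports produces no row at all. The following added example (not part of the Powerpipe mod) applies the same status test to constructed rows, using a CTE in place of the Steampipe kubernetes_endpoint table and left join lateral so that such objects show up; the uid values, IP addresses and the 'not evaluated' label are assumptions made for illustration.

```sql
-- Added example: constructed rows stand in for the Steampipe
-- kubernetes_endpoint table; only the columns the check reads are modelled.
with kubernetes_endpoint (uid, name, namespace, subsets) as (
  values
    -- port named https on 6443
    ('constructed-uid-1', 'kubernetes', 'default',
     '[{"addresses": [{"ip": "10.0.0.10"}],
        "ports": [{"name": "https", "port": 6443, "protocol": "TCP"}]}]'::jsonb),
    -- port named https on a number other than 443 or 6443
    ('constructed-uid-2', 'kubernetes', 'default',
     '[{"addresses": [{"ip": "10.0.0.11"}],
        "ports": [{"name": "https", "port": 8443, "protocol": "TCP"}]}]'),
    -- port 6443 that is not named https
    ('constructed-uid-3', 'kubernetes', 'default',
     '[{"addresses": [{"ip": "10.0.0.12"}],
        "ports": [{"name": "http", "port": 6443, "protocol": "TCP"}]}]'),
    -- two port entries in one subset; each entry gets its own row
    ('constructed-uid-4', 'kubernetes', 'default',
     '[{"addresses": [{"ip": "10.0.0.13"}],
        "ports": [{"name": "https", "port": 443, "protocol": "TCP"},
                  {"name": "metrics", "port": 8080, "protocol": "TCP"}]}]'),
    -- no subsets: the comma join in the named query drops this object
    ('constructed-uid-5', 'kubernetes', 'default', '[]'),
    -- a different Endpoints object, excluded by the name filter
    ('constructed-uid-6', 'my-app', 'default',
     '[{"addresses": [{"ip": "10.0.0.14"}],
        "ports": [{"name": "http", "port": 80, "protocol": "TCP"}]}]')
)
select
  e.uid,
  e.namespace,
  p ->> 'name' as port_name,
  p ->> 'port' as port,
  case
    -- hypothetical label for objects that expose no port entry
    when p is null then 'not evaluated'
    when p ->> 'name' = 'https'
      and (p ->> 'port' = '443' or p ->> 'port' = '6443') then 'ok'
    else 'alarm'
  end as status
from
  kubernetes_endpoint as e
  left join lateral jsonb_array_elements(e.subsets) as s on true
  left join lateral jsonb_array_elements(s -> 'ports') as p on true
where
  e.name = 'kubernetes'
order by
  e.uid, port;
```

The statement runs in a plain PostgreSQL session without a Steampipe connection, because the CTE shadows the table name for the duration of the query.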