Benchmark: Kubernetes
Description
This benchmark provides a set of controls that detect Terraform GCP Kubernetes Engine (GKE) resources deviating from security best practices.
Usage
Install the mod:

mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-terraform-gcp-compliance

Start the Powerpipe server:

steampipe service start
powerpipe server

Open http://localhost:9033 in your browser and select Kubernetes.

Run this benchmark in your terminal:

powerpipe benchmark run terraform_gcp_compliance.benchmark.kubernetes

Snapshot and share results via Turbot Pipes:

powerpipe benchmark run terraform_gcp_compliance.benchmark.kubernetes --share

Controls
- GKE clusters alias IP ranges should be enabled
- GKE clusters authenticator group should be configured to manage RBAC users
- Ensure automatic node repair is enabled on all node pools in a GKE cluster
- Ensure automatic node upgrades are enabled on Kubernetes Engine cluster nodes
- GKE clusters client binary authorization should be enabled
- GKE clusters client certificate authentication should be disabled
- GKE clusters control plane should restrict public access
- GKE clusters should use Container-Optimized OS (cos) node image
- GKE clusters intranodal visibility should be enabled
- Ensure Legacy Authorization is disabled on Kubernetes Engine Clusters
- Check that legacy metadata endpoints are disabled on Kubernetes clusters (disabled by default since GKE 1.12+)
- GKE clusters master authorized networks should be enabled
- GKE clusters GKE metadata server should be enabled
- Check that GKE clusters have a Network Policy installed
- GKE clusters should not use cluster level node pool
- Ensure Container-Optimized OS (cos) is used for Kubernetes engine clusters
- Verify all GKE clusters are Private Clusters
- GKE clusters release channel should be configured
- GKE clusters resource labels should be configured
- GKE clusters integrity monitoring should be enabled for shielded nodes
- GKE clusters secure boot should be enabled for shielded nodes
- GKE clusters shielded nodes should be enabled
- GKE clusters stackdriver logging should be enabled
- GKE clusters stackdriver monitoring should be enabled
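As an added example (not part of the mod or its controls), a google_container_cluster and google_container_node_pool written so that each control above passes; the cluster name, region, CIDR blocks, labels and the authenticator security group are placeholders.

```hcl
# Added example, not the mod's own code: names, CIDRs and the group are placeholders.
resource "google_container_cluster" "hardened" {
  name     = "example-gke"
  location = "us-central1"
  remove_default_node_pool = true # pools managed separately, not at cluster level
  initial_node_count       = 1
  enable_legacy_abac          = false # legacy authorization (ABAC) off
  enable_shielded_nodes       = true
  enable_intranode_visibility = true
  addons_config { network_policy_config { disabled = false } } # addon needed by network_policy
  ip_allocation_policy {} # alias IP ranges for pods and services (VPC-native)
  logging_service    = "logging.googleapis.com/kubernetes"
  monitoring_service = "monitoring.googleapis.com/kubernetes"
  resource_labels    = { env = "prod", owner = "platform" }
  release_channel { channel = "REGULAR" }
  network_policy { enabled = true }
  binary_authorization { evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE" }
  authenticator_groups_config { security_group = "gke-security-groups@example.com" }
  master_auth {
    client_certificate_config { issue_client_certificate = false } # no client certs
  }
  private_cluster_config { # private nodes and private control plane endpoint
    enable_private_nodes    = true
    enable_private_endpoint = true
    master_ipv4_cidr_block  = "172.16.0.0/28"
  }
  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = "10.0.0.0/8" # placeholder admin network
      display_name = "corp"
    }
  }
}
resource "google_container_node_pool" "primary" {
  cluster = google_container_cluster.hardened.id
  management {
    auto_repair  = true
    auto_upgrade = true
  }
  node_config {
    image_type = "COS_CONTAINERD" # Container-Optimized OS
    metadata   = { disable-legacy-endpoints = "true" }
    shielded_instance_config {
      enable_secure_boot          = true
      enable_integrity_monitoring = true
    }
    workload_metadata_config { mode = "GKE_METADATA" } # GKE metadata server
  }
}
```

Running the benchmark against a directory containing this file should report every control as OK; removing any one of the settings (for example setting issue_client_certificate to true) shows up as an alarm on the matching control.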