Control: GKE clusters control plane should restrict public access
Description
This control checks that the control plane of each GKE cluster restricts public access.
Usage
Run the control in your terminal:
powerpipe control run terraform_gcp_compliance.control.kubernetes_cluster_control_plane_restrict_public_access
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run terraform_gcp_compliance.control.kubernetes_cluster_control_plane_restrict_public_access --share
SQL
This control uses a named query:
with public_control_plane as (
  select
    distinct address
  from
    terraform_resource,
    jsonb_array_elements(
      case jsonb_typeof(attributes_std -> 'master_authorized_networks_config' -> 'cidr_blocks')
        when 'array' then (attributes_std -> 'master_authorized_networks_config' -> 'cidr_blocks')
        when 'object' then jsonb_build_array(attributes_std -> 'master_authorized_networks_config' -> 'cidr_blocks')
        else null
      end
    ) as s
  where
    type = 'google_container_cluster'
    and s ->> 'cidr_block' = '0.0.0.0/0'
)
select
  r.address as resource,
  case
    when p.address is null then 'ok'
    else 'alarm'
  end as status,
  split_part(r.address, '.', 2) || case
    when p.address is null then ' control plane not publicly accessible'
    else ' control plane publicly accessible'
  end || '.' as reason,
  path || ':' || start_line
from
  terraform_resource as r
  left join public_control_plane as p on p.address = r.address
where
  type = 'google_container_cluster';
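As an added illustration (constructed here, not part of the mod or its test fixtures), two google_container_cluster resources: the first carries the 0.0.0.0/0 cidr_block entry the query matches and reports as alarm; the second limits the allowlist to a private range and disables the public endpoint, so it is reported ok. Cluster names, the location and the CIDR ranges are placeholders.

```hcl
# Constructed example: trips the control. A 0.0.0.0/0 entry in
# master_authorized_networks_config lets any source address reach the
# control plane endpoint, so the query returns 'alarm' for this address.
resource "google_container_cluster" "open_control_plane" {
  name               = "open-cluster"
  location           = "us-central1"
  initial_node_count = 1

  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = "0.0.0.0/0"
      display_name = "anywhere"
    }
  }
}

# Corrected form: the public endpoint is disabled and only a private
# (placeholder) corporate range may reach the control plane. No cidr_block
# equals 0.0.0.0/0, so the query returns 'ok' for this address.
resource "google_container_cluster" "restricted_control_plane" {
  name               = "restricted-cluster"
  location           = "us-central1"
  initial_node_count = 1

  # VPC-native addressing is required for a private cluster.
  ip_allocation_policy {}

  private_cluster_config {
    enable_private_nodes    = true
    enable_private_endpoint = true
    master_ipv4_cidr_block  = "172.16.0.0/28"
  }

  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = "10.0.0.0/8" # placeholder corporate range
      display_name = "corp-network"
    }
  }
}
```

Note that the query alarms only on an explicit 0.0.0.0/0 entry: a cluster that omits master_authorized_networks_config entirely is also reported ok, even though its public endpoint then accepts connections from any address, so this control is best paired with a check on private_cluster_config.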