Turbot Guardrails Hub 

Resource Type: GCP > Kubernetes Engine > Region Cluster

The Region Cluster resource type is a containerized application platform that can be used to create new Kubernetes workloads across multiple zones within a region.

Resource Context

Region Cluster is a part of the Kubernetes Engine service.

Each Region Cluster lives under a Region.

Controls

The primary controls for GCP > Kubernetes Engine > Region Cluster are:

  • Active
  • Approved
  • CMDB
  • Discovery
  • Kubernetes Dashboard Enabled
  • Labels
  • Legacy Abac
  • Logging
  • Master Authorized Networks Config
  • Network Policy Enabled
  • Pod Security Policy Config
  • Set Monitoring
  • Usage
  • Use IP Aliases

It is also targeted by these controls:

  • GCP > CIS v1 > 7 Kubernetes Engine > 7.01 Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters (Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.02 Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters (Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.03 Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters (Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.04 Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters (Not Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.05 Ensure Kubernetes Clusters are configured with Labels (Not Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.06 Ensure Kubernetes web UI / Dashboard is disabled (Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.07 Ensure `Automatic node repair` is enabled for Kubernetes Clusters (Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.10 Ensure Basic Authentication is disabled on Kubernetes Engine Clusters (Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.11 Ensure Network policy is enabled on Kubernetes Engine Clusters (Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.12 Ensure Kubernetes Cluster is created with Client Certificate enabled (Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.13 Ensure Kubernetes Cluster is created with Alias IP ranges enabled (Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.14 Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters (Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.15 Ensure Kubernetes Cluster is created with Private cluster enabled (Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.17 Ensure default Service account is not used for Project access in Kubernetes Clusters (Scored)
  • GCP > Kubernetes Engine > Region Node Pool > Discovery
  • GCP > Kubernetes Engine > Zone Cluster > Network Policy Enabled

Quick Actions

  • Delete
  • Router
  • Set Desired Master Authorized Network Config
  • Set Kubernetes Dashboard
  • Set Labels
  • Set Legacy Abac
  • Set Logging
  • Set Monitoring
  • Set Network Policy
  • Set Pod Security Policy Config

Category

  • Container

In Your Workspace

  • Controls by Resource Type report
  • Policy Settings by Resource Type report
  • Resources by Resource Type report

Developers

  • Resource Type URI
    • tmod:@turbot/gcp-kubernetesengine#/resource/types/regionCluster
  • Category URI
    • tmod:@turbot/turbot#/resource/categories/container
  • GraphQL
    • query resource(id: "tmod:@turbot/gcp-kubernetesengine#/resource/types/regionCluster") { … }
    • query resourceActivities(filter: "resourceId:'tmod:@turbot/gcp-kubernetesengine#/resource/types/regionCluster'") { … }
    • mutation createResource(input: { … })
    • mutation updateResource(input: { … })
  • CLI
    • Get Resource
    • turbot graphql resource --id "tmod:@turbot/gcp-kubernetesengine#/resource/types/regionCluster"
  • Steampipe Query
    • Get Resource
    • select * from guardrails_resource where resource_type_uri = 'tmod:@turbot/gcp-kubernetesengine#/resource/types/regionCluster';
    • Get Policy Settings (By Resource ID)
    • select * from guardrails_policy_setting where filter = 'resourceTypeId:"tmod:@turbot/gcp-kubernetesengine#/resource/types/regionCluster"';
    • Get Resource Notification
    • select * from guardrails_notification where resource_type_uri = 'tmod:@turbot/gcp-kubernetesengine#/resource/types/regionCluster' and notification_type in ('resource_updated', 'resource_created');