turbot/alicloud_compliance

Query: cs_kubernetes_cluster_network_policy_enabled

Usage

powerpipe query alicloud_compliance.query.cs_kubernetes_cluster_network_policy_enabled

SQL

-- Reports one row per cluster in alicloud_cs_kubernetes_cluster with a
-- network-policy status:
--   skip  : the Addons list contains an addon named "flannel"
--   ok    : the 'terway-eniip' addon config contains "NetworkPolicy": "true"
--   alarm : everything else, including clusters whose Addons list is missing
--           or names neither of the two addons above
-- 'skip' is not a pass: per the reason text, those clusters do not support
-- network policy, so review them separately rather than reading them as compliant.
with network_policy_enabled as (
  -- Clusters whose terway-eniip addon has NetworkPolicy switched on.
  select
    c.cluster_id
  from
    alicloud_cs_kubernetes_cluster as c
    cross join lateral jsonb_array_elements(c.meta_data -> 'Addons') as addon
  where
    addon ->> 'name' = 'terway-eniip'
    -- 'config' is read as text; backslash-escaped quotes are turned into plain
    -- quotes (with standard_conforming_strings on, the Postgres default) so the
    -- text can be cast to jsonb. The containment test matches the string
    -- "true" only, not a JSON boolean true.
    -- NOTE(review): the cast raises an error on text that is not valid JSON, and
    -- Postgres does not guarantee that the name filter above is evaluated first.
    -- One malformed or empty 'config' on any addon could fail the whole control
    -- instead of producing an alarm -- confirm against real addon data.
    and cast(regexp_replace(addon ->> 'config', '\\"', '"', 'g') as jsonb) @> '{"NetworkPolicy":"true"}'
)
select
  c.arn as resource,
  case
    when (c.meta_data -> 'Addons') @> '[{"name": "flannel"}]' then 'skip'
    -- No match in the CTE means no terway-eniip addon with NetworkPolicy "true".
    when np.cluster_id is null then 'alarm'
    else 'ok'
  end as status,
  case
    when (c.meta_data -> 'Addons') @> '[{"name": "flannel"}]' then c.title || ' does not support network policy.'
    when np.cluster_id is null then c.title || ' network policy disabled.'
    else c.title || ' network policy enabled.'
  end as reason,
  c.account_id as account_id,
  c.region as region
from
  alicloud_cs_kubernetes_cluster as c
  -- Left join keeps every cluster, so clusters absent from the CTE still get a row.
  left join network_policy_enabled as np on c.cluster_id = np.cluster_id;

Controls

The query is being used by the following controls: