Table: gcp_kubernetes_cluster - Query Google Cloud Platform Kubernetes Clusters using SQL
A Kubernetes Cluster in Google Cloud Platform is a managed environment for deploying, managing, and scaling your containerized applications using Google infrastructure. The cluster consists of at least one cluster control plane and multiple worker machines called nodes. These nodes are Google Compute Engine virtual machines that run the Kubernetes processes necessary to make them part of the cluster.
Table Usage Guide
The gcp_kubernetes_cluster table provides insights into Kubernetes Clusters within Google Cloud Platform. As a DevOps engineer, explore cluster-specific details through this table, including configurations, node pools, network settings, and more. Utilize it to uncover information about clusters, such as their status, zones, and the associated services and workloads.
Examples
Basic info
Explore which Kubernetes clusters in your Google Cloud Platform (GCP) are active and where they are located. This can help you manage resources and understand your network's geographical distribution.
PostgreSQL and SQLite:

```sql
select
  id,
  name,
  location_type,
  status,
  cluster_ipv4_cidr,
  max_pods_per_node,
  current_node_count,
  endpoint,
  location
from
  gcp_kubernetes_cluster;
```
List zonal clusters
Explore which Kubernetes clusters in your Google Cloud Platform are configured as zonal. This is useful to understand the geographical distribution of your resources and plan for redundancy or disaster recovery.
PostgreSQL and SQLite:

```sql
select
  name,
  location_type
from
  gcp_kubernetes_cluster
where
  location_type = 'ZONAL';
```
List clusters with node auto-upgrade enabled
Explore clusters that have the node auto-upgrade feature enabled. This is useful for ensuring your systems are always up-to-date with the latest features and security updates.
PostgreSQL:

```sql
select
  name,
  location_type,
  n -> 'management' ->> 'autoUpgrade' as node_auto_upgrade
from
  gcp_kubernetes_cluster,
  jsonb_array_elements(node_pools) as n
where
  n -> 'management' ->> 'autoUpgrade' = 'true';
```

SQLite:

```sql
select
  name,
  location_type,
  json_extract(n.value, '$.management.autoUpgrade') as node_auto_upgrade
from
  gcp_kubernetes_cluster,
  json_each(node_pools) as n
where
  -- json_extract returns the JSON boolean true as the integer 1,
  -- so compare with 1 rather than with the text 'true'
  json_extract(n.value, '$.management.autoUpgrade') = 1;
```
List clusters with default service account
Identify instances where clusters are using the default service account in Google Cloud Platform's Kubernetes service. This can help in improving security by ensuring each cluster uses a unique service account.
PostgreSQL:

```sql
select
  name,
  location_type,
  node_config ->> 'ServiceAccount' as service_account
from
  gcp_kubernetes_cluster
where
  node_config ->> 'ServiceAccount' = 'default';
```

SQLite:

```sql
select
  name,
  location_type,
  json_extract(node_config, '$.ServiceAccount') as service_account
from
  gcp_kubernetes_cluster
where
  json_extract(node_config, '$.ServiceAccount') = 'default';
```
List clusters with legacy authorization enabled
Determine the areas in which legacy authorization is still enabled on clusters. This is useful to identify potential security risks and areas for improvement in your Google Cloud Platform Kubernetes setup.
PostgreSQL:

```sql
select
  name,
  location_type,
  legacy_abac_enabled
from
  gcp_kubernetes_cluster
where
  legacy_abac_enabled;
```

SQLite:

```sql
select
  name,
  location_type,
  legacy_abac_enabled
from
  gcp_kubernetes_cluster
where
  legacy_abac_enabled = 1;
```
List clusters with shielded nodes features disabled
Discover the segments that have the shielded nodes feature disabled in your Kubernetes clusters. This can help you identify potential security risks and enhance the protection of your clusters.
PostgreSQL:

```sql
select
  name,
  location_type,
  shielded_nodes_enabled
from
  gcp_kubernetes_cluster
where
  not shielded_nodes_enabled;
```

SQLite:

```sql
select
  name,
  location_type,
  shielded_nodes_enabled
from
  gcp_kubernetes_cluster
where
  shielded_nodes_enabled = 0;
```
List clusters where secrets in etcd are not encrypted
Determine the areas in which sensitive information in your clusters is not secured. This is useful for identifying potential security vulnerabilities and ensuring data protection standards are met.
PostgreSQL and SQLite:

```sql
select
  name,
  database_encryption_state
from
  gcp_kubernetes_cluster
where
  database_encryption_state <> 'ENCRYPTED';
```
Node configuration of clusters
Explore the configuration settings of your clusters to understand their disk size, machine type, and other important parameters. This can be useful for optimizing your resources, ensuring security measures are in place, and maintaining efficient operation of your clusters.
PostgreSQL:

```sql
select
  name,
  node_config ->> 'Disksizegb' as disk_size_gb,
  node_config ->> 'Disktype' as disk_type,
  node_config ->> 'Imagetype' as image_type,
  node_config ->> 'Machinetype' as machine_type,
  node_config -> 'Metadata' ->> 'disable-legacy-endpoints' as disable_legacy_endpoints,
  node_config ->> 'ServiceAccount' as service_account,
  node_config -> 'ShieldedInstanceConfig' ->> 'EnableIntegrityMonitoring' as enable_integrity_monitoring
from
  gcp_kubernetes_cluster;
```

SQLite:

```sql
select
  name,
  json_extract(node_config, '$.Disksizegb') as disk_size_gb,
  json_extract(node_config, '$.Disktype') as disk_type,
  json_extract(node_config, '$.Imagetype') as image_type,
  json_extract(node_config, '$.Machinetype') as machine_type,
  json_extract(node_config, '$.Metadata.disable-legacy-endpoints') as disable_legacy_endpoints,
  json_extract(node_config, '$.ServiceAccount') as service_account,
  json_extract(node_config, '$.ShieldedInstanceConfig.EnableIntegrityMonitoring') as enable_integrity_monitoring
from
  gcp_kubernetes_cluster;
```
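The examples above each surface one weak setting at a time. As an added example that is not part of the Steampipe documentation, the following PostgreSQL query (Steampipe's native dialect) folds those same checks into a single per-cluster list of findings, using only the top-level columns from the schema below and the jsonb key paths the page's own examples use; the issue labels are assumed names chosen for this example.

```sql
-- Added example: one row per cluster that has at least one finding.
-- Checks mirror the single-purpose examples on this page; treating a
-- missing shielded_nodes_enabled value as "disabled" is a deliberate choice.
with findings as (
  select
    project,
    location,
    name,
    status,
    array_remove(array[
      case when legacy_abac_enabled
           then 'legacy_abac_enabled' end,
      case when not coalesce(shielded_nodes_enabled, false)
           then 'shielded_nodes_disabled' end,
      case when database_encryption_state is distinct from 'ENCRYPTED'
           then 'etcd_secrets_not_encrypted' end,
      case when node_config ->> 'ServiceAccount' = 'default'
           then 'default_node_service_account' end,
      case when enable_kubernetes_alpha
           then 'kubernetes_alpha_enabled' end,
      -- any node pool whose management block lacks autoUpgrade = true
      case when exists (
             select 1
             from jsonb_array_elements(node_pools) as n
             where n -> 'management' ->> 'autoUpgrade' is distinct from 'true'
           )
           then 'node_pool_without_auto_upgrade' end
    ], null) as issues  -- drop the NULLs left by checks that passed
  from
    gcp_kubernetes_cluster
)
select
  project,
  location,
  name,
  status,
  cardinality(issues) as issue_count,
  array_to_string(issues, ', ') as issues
from
  findings
where
  cardinality(issues) > 0
order by
  issue_count desc, project, name;
```

Clusters with no findings are filtered out, so an empty result means every cluster passed all six checks.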
Query examples
- compute_firewalls_for_kubernetes_cluster
- compute_instance_groups_for_kubernetes_cluster
- compute_instances_for_kubernetes_cluster
- compute_networks_for_kubernetes_cluster
- compute_subnets_for_kubernetes_cluster
- kms_keys_for_kubernetes_cluster
- kubernetes_cluster_1_year_count
- kubernetes_cluster_24_hours_count
- kubernetes_cluster_30_90_days_count
- kubernetes_cluster_30_days_count
- kubernetes_cluster_90_365_days_count
- kubernetes_cluster_addons_config
- kubernetes_cluster_auto_repair_disabled
- kubernetes_cluster_auto_repair_disabled_count
- kubernetes_cluster_autopilot_enabled
- kubernetes_cluster_by_creation_month
- kubernetes_cluster_by_location
- kubernetes_cluster_by_project
- kubernetes_cluster_count
- kubernetes_cluster_database_encryption
- kubernetes_cluster_database_encryption_count
- kubernetes_cluster_input
- kubernetes_cluster_ip_allocation_policy
- kubernetes_cluster_lm
- kubernetes_cluster_network_config
- kubernetes_cluster_node
- kubernetes_cluster_node_count
- kubernetes_cluster_node_detail
- kubernetes_cluster_notification_config
- kubernetes_cluster_overview
- kubernetes_cluster_private_cluster_config
- kubernetes_cluster_shielded_nodes_disabled
- kubernetes_cluster_shielded_nodes_disabled_count
- kubernetes_cluster_tags
- kubernetes_clusters_for_compute_instance_group
- kubernetes_clusters_for_compute_network
- kubernetes_clusters_for_compute_subnetwork
- kubernetes_clusters_for_kms_key
- kubernetes_clusters_for_pubsub_topic
- kubernetes_node_pools_for_kubernetes_cluster
- pubsub_topics_for_kubernetes_cluster
Control examples
- All Controls > Kubernetes > GKE clusters binary authorization should be enabled
- All Controls > Kubernetes > GKE clusters client certificate authentication should be enabled
- All Controls > Kubernetes > GKE clusters HTTP load balancing should be enabled
- All Controls > Kubernetes > GKE clusters intra node visibility should be enabled
- All Controls > Kubernetes > GKE clusters kubernetes alpha should be enabled
- All Controls > Kubernetes > GKE clusters monitoring should be enabled
- All Controls > Kubernetes > GKE clusters private nodes should be configured
- All Controls > Kubernetes > GKE clusters release channel should be configured
- All Controls > Kubernetes > GKE clusters release should be zone redundant
- All Controls > Kubernetes > GKE clusters shielded node secure boot should be enabled
- All Controls > Kubernetes > GKE clusters shielded nodes integrity monitoring should be enabled
- All Controls > Kubernetes > GKE clusters should have database encryption enabled
- All Controls > Kubernetes > GKE clusters should have resource labels
- All Controls > Kubernetes > GKE clusters should have shielded nodes enabled
- All Controls > Kubernetes > GKE clusters should not allow incoming traffic from all sources across the internet
- All Controls > Kubernetes > GKE clusters should not use default network
- All Controls > Kubernetes > GKE clusters with less than three nodes should have auto upgrade enabled
- Check that GKE clusters have a Network Policy installed
- Check that legacy metadata endpoints are disabled on Kubernetes clusters (disabled by default since GKE 1.12+)
- Ensure automatic node repair is enabled on all node pools in a GKE cluster
- Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes
- Ensure Container-Optimized OS (cos) is used for Kubernetes engine clusters
- Ensure default Service account is not used for Project access in Kubernetes Engine clusters
- Ensure Kubernetes Cluster is created with Alias IP ranges enabled
- Ensure Kubernetes web UI/Dashboard is disabled
- Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters
- Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters
- Ensure Private Google Access is enabled for all subnetworks in kubernetes cluster
- GKE clusters logging should be enabled
- GKE clusters network policy should be enabled
- GKE clusters nodes should not use default service account
- Verify all GKE clusters are Private Clusters
Schema for gcp_kubernetes_cluster
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
addons_config | jsonb | | Configurations for the various addons available to run in the cluster. |
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
authenticator_groups_config | jsonb | | Configuration controlling RBAC group membership information. |
autopilot_enabled | boolean | | Denotes whether autopilot configuration is enabled for the cluster. |
autoscaling | jsonb | | Cluster-level autoscaling configuration. |
binary_authorization | jsonb | | Configuration for Binary Authorization. |
cluster_ipv4_cidr | cidr | | The IP address range of the container pods in this cluster, in CIDR notation. |
conditions | jsonb | | Which conditions caused the current cluster state. |
create_time | timestamp with time zone | | The time the cluster was created, in RFC3339 text format. |
current_master_version | text | | The current software version of the master endpoint. |
current_node_count | bigint | | The number of nodes currently in the cluster. |
current_node_version | text | | The current version of the node software components. |
database_encryption_key_name | text | | Name of the Cloud KMS key to use for the encryption. |
database_encryption_state | text | | Denotes the state of etcd encryption. |
description | text | | An optional description of this cluster. |
enable_kubernetes_alpha | boolean | | Indicates whether Kubernetes alpha features are enabled on this cluster. |
enable_tpu | boolean | | Denotes whether the ability to use Cloud TPUs is enabled in this cluster. |
endpoint | text | | The IP address of this cluster's master endpoint. |
expire_time | timestamp with time zone | | The time the cluster will be automatically deleted. |
id | text | | Unique ID of the cluster. |
initial_cluster_version | text | | The initial Kubernetes version for this cluster. |
initial_node_count | bigint | | The number of nodes to create in this cluster. |
instance_group_urls | jsonb | | List of URLs for the instance groups. |
ip_allocation_policy | jsonb | | Configuration for cluster IP allocation. |
label_fingerprint | text | | The fingerprint of the set of labels for this cluster. |
legacy_abac_enabled | boolean | | Denotes whether the legacy ABAC authorization mode is enabled. |
location | text | = | The GCP multi-region, region, or zone in which the resource is located. |
location_type | text | | Location type of the cluster, i.e. REGIONAL or ZONAL. |
locations | jsonb | | The list of Google Compute Engine zones in which the cluster's nodes should be located. |
logging_service | text | | The logging service the cluster should use to write logs. |
maintenance_policy | jsonb | | The maintenance policy configured for this cluster. |
master_auth | jsonb | | The authentication information for accessing the master endpoint. |
master_authorized_networks_config | jsonb | | The configuration options for the master authorized networks feature. |
max_pods_per_node | bigint | | The maximum number of pods allowed per node. |
monitoring_service | text | | The monitoring service the cluster should use to write metrics. |
name | text | = | The name of this cluster. |
network | text | | The name of the Google Compute Engine network to which the cluster is connected. |
network_config | jsonb | | Configuration for cluster networking. |
network_policy | jsonb | | Configuration options for the NetworkPolicy feature. |
node_config | jsonb | | Parameters used in creating the cluster's nodes. |
node_ipv4_cidr_size | bigint | | The size of the address space on each node for hosting containers. |
node_pools | jsonb | | The node pools associated with this cluster. |
notification_config | jsonb | | Notification configuration of the cluster. |
private_cluster_config | jsonb | | Configuration for a private cluster. |
project | text | =, !=, ~~, ~~*, !~~, !~~* | The GCP Project in which the resource is located. |
release_channel | jsonb | | Release channel configuration. |
resource_labels | jsonb | | The resource labels for the cluster to use to annotate any related Google Compute Engine resources. |
resource_usage_export_config | jsonb | | Configuration for exporting resource usage. |
self_link | text | | Server-defined URL for the resource. |
services_ipv4_cidr | cidr | | The IP address range of the Kubernetes services in this cluster, in CIDR notation. |
shielded_nodes_enabled | boolean | | Denotes whether Shielded Nodes features are enabled on all nodes in this cluster. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
status | text | | The current status of this cluster. |
status_message | text | | Additional information about the current status of this cluster, if available. |
subnetwork | text | | The name of the Google Compute Engine subnetwork to which the cluster is connected. |
tags | jsonb | | A map of tags for the resource. |
title | text | | Title of the resource. |
tpu_ipv4_cidr_block | cidr | | The IP address range of the Cloud TPUs in this cluster, in CIDR notation. |
vertical_pod_autoscaling | jsonb | | Cluster-level Vertical Pod Autoscaling configuration. |
workload_identity_config | jsonb | | Configuration for the use of Kubernetes Service Accounts in GCP IAM policies. |
zone | text | | The name of the Google Compute Engine zone in which the cluster resides. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- gcp
```

You can pass the configuration to the command with the --config argument:

```sh
steampipe_export_gcp --config '<your_config>' gcp_kubernetes_cluster
```