steampipe plugin install gcp

Table: gcp_kubernetes_cluster - Query Google Cloud Platform Kubernetes Clusters using SQL

A Kubernetes Cluster in Google Cloud Platform is a managed environment for deploying, managing, and scaling your containerized applications using Google infrastructure. The cluster consists of at least one cluster control plane and multiple worker machines called nodes. These nodes are Google Compute Engine virtual machines that run the Kubernetes processes necessary to make them part of the cluster.

Table Usage Guide

The gcp_kubernetes_cluster table provides insights into Kubernetes Clusters within Google Cloud Platform. As a DevOps engineer, explore cluster-specific details through this table, including configurations, node pools, network settings, and more. Utilize it to uncover information about clusters, such as their status, zones, and the associated services and workloads.

Examples

Basic info

Explore which Kubernetes clusters in your Google Cloud Platform (GCP) project are active and where they run. Besides status and location, this returns the pod CIDR, the current node count and the control-plane endpoint address. For a cluster without a private endpoint that address is a public IP, so it is the first thing to cross-check against master_authorized_networks_config and private_cluster_config.

PostgreSQL:

select
  id,
  name,
  location_type,
  status,
  cluster_ipv4_cidr,
  max_pods_per_node,
  current_node_count,
  endpoint,
  location
from
  gcp_kubernetes_cluster;

SQLite:

select
  id,
  name,
  location_type,
  status,
  cluster_ipv4_cidr,
  max_pods_per_node,
  current_node_count,
  endpoint,
  location
from
  gcp_kubernetes_cluster;

List zonal clusters

A zonal cluster runs its control plane in a single zone, while a regional cluster replicates the control plane across zones in the region. List the zonal clusters to plan for redundancy or disaster recovery: a zone outage takes a zonal cluster's API server down with it.

PostgreSQL:

select
  name,
  location_type
from
  gcp_kubernetes_cluster
where
  location_type = 'ZONAL';

SQLite:

select
  name,
  location_type
from
  gcp_kubernetes_cluster
where
  location_type = 'ZONAL';

List clusters with node auto-upgrade enabled

Node auto-upgrade keeps node pools on a supported GKE version and picks up node OS and kubelet security patches without manual intervention. The query returns one row per node pool that has it enabled, so a cluster with several pools can appear more than once. The flag is stored as a JSON boolean: PostgreSQL's ->> renders it as the text 'true', while SQLite's json_extract returns the integer 1, which is why the two variants compare against different literals.

PostgreSQL:

select
  name,
  location_type,
  n -> 'management' ->> 'autoUpgrade' node_auto_upgrade
from
  gcp_kubernetes_cluster,
  jsonb_array_elements(node_pools) as n
where
  n -> 'management' ->> 'autoUpgrade' = 'true';

SQLite:

select
  name,
  location_type,
  json_extract(n.value, '$.management.autoUpgrade') as node_auto_upgrade
from
  gcp_kubernetes_cluster,
  json_each(node_pools) as n
where
  json_extract(n.value, '$.management.autoUpgrade') = 1;
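The security-relevant finding is usually the inverse of the query above: node pools that will not receive patches automatically. The following query is an added example and not part of the Steampipe documentation; it lists one row per node pool whose auto-upgrade flag is anything other than true (including pools where the key is absent), together with the pool's auto-repair setting and version. The 'name', 'version' and 'autoRepair' keys are assumed to sit beside the page's 'management' -> 'autoUpgrade' key with the same camelCase spelling.

```sql
-- Added example (not from the Steampipe docs): node pools WITHOUT auto-upgrade.
-- Assumed keys: 'name', 'version' and 'management' -> 'autoRepair' (camelCase,
-- like the page's 'management' -> 'autoUpgrade'). coalesce() turns a missing
-- key into 'false' so such pools are reported rather than silently dropped.
select
  c.project,
  c.name                                                   as cluster_name,
  c.location,
  c.current_master_version,
  n ->> 'name'                                             as node_pool,
  n ->> 'version'                                          as node_pool_version,
  coalesce(n -> 'management' ->> 'autoUpgrade', 'false')   as auto_upgrade,
  coalesce(n -> 'management' ->> 'autoRepair', 'false')    as auto_repair
from
  gcp_kubernetes_cluster as c,
  jsonb_array_elements(c.node_pools) as n
where
  coalesce(n -> 'management' ->> 'autoUpgrade', 'false') <> 'true'
order by
  c.project, cluster_name, node_pool;
```

Comparing node_pool_version with current_master_version shows how far a pool that is not auto-upgraded has drifted behind its control plane.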

List clusters with default service account

Identify clusters whose default node pool runs under the Compute Engine default service account, which the API reports as the literal string default. That account is commonly granted broad project-level roles, and every container on the node (or anyone who can reach the instance metadata server from a pod) can obtain its token, so nodes should run under a dedicated service account holding only the roles GKE needs. node_config reflects the configuration of the default node pool at creation time; check the per-pool configuration in node_pools as well.

PostgreSQL:

select
  name,
  location_type,
  node_config ->> 'ServiceAccount' service_account
from
  gcp_kubernetes_cluster
where
  node_config ->> 'ServiceAccount' = 'default';

SQLite:

select
  name,
  location_type,
  json_extract(node_config, '$.ServiceAccount') service_account
from
  gcp_kubernetes_cluster
where
  json_extract(node_config, '$.ServiceAccount') = 'default';
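Because node pools added after cluster creation carry their own configuration, the check above can miss a pool that still uses the default account. The query below is an added example, not part of the Steampipe documentation: it reports the service account of every node pool, flags the default one, and shows whether Workload Identity is configured on the cluster. The per-pool path 'config' -> 'ServiceAccount' is an assumption (pool-level 'config' spelled like the page's 'management', inner key spelled like the page's node_config example); treating a NULL workload_identity_config as "not configured" is also an assumption. Verify the key names on your own deployment before relying on the result.

```sql
-- Added example (not from the Steampipe docs): service account per node pool.
-- Assumed keys: n ->> 'name' and n -> 'config' ->> 'ServiceAccount'.
-- A missing key is treated as the default account, which is what the API
-- uses when none is specified.
select
  c.project,
  c.name                                                       as cluster_name,
  c.location,
  n ->> 'name'                                                 as node_pool,
  coalesce(n -> 'config' ->> 'ServiceAccount', 'default')      as service_account,
  case
    when coalesce(n -> 'config' ->> 'ServiceAccount', 'default') = 'default'
      then 'default compute SA: move pool to a dedicated least-privilege SA'
    else 'dedicated SA'
  end                                                          as finding,
  c.workload_identity_config is null                           as workload_identity_missing
from
  gcp_kubernetes_cluster as c,
  jsonb_array_elements(c.node_pools) as n
order by
  c.project, cluster_name, node_pool;
```

A pool on a dedicated service account is still only half the job: without Workload Identity, every pod on the node can use that node account, so the two columns are best read together.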

List clusters with legacy authorization enabled

Legacy attribute-based access control (ABAC) predates Kubernetes RBAC. When it is enabled on a GKE cluster a request is allowed if either ABAC or RBAC permits it, so the broad, static ABAC grants can undermine the RBAC policies you define. List the clusters that still have it enabled so they can be migrated to RBAC only.

PostgreSQL:

select
  name,
  location_type,
  legacy_abac_enabled
from
  gcp_kubernetes_cluster
where
  legacy_abac_enabled;

SQLite:

select
  name,
  location_type,
  legacy_abac_enabled
from
  gcp_kubernetes_cluster
where
  legacy_abac_enabled = 1;

List clusters with shielded nodes features disabled

Shielded GKE nodes run on Shielded VMs (secure boot, a virtual TPM and integrity monitoring) and give each node a verifiable, vTPM-backed identity when it joins the cluster, so an attacker who extracts node bootstrap credentials from a compromised pod cannot register a rogue node. List the clusters where the feature is off. Note that a bare not shielded_nodes_enabled (or = 0) does not match rows where the column is NULL.

PostgreSQL:

select
  name,
  location_type,
  shielded_nodes_enabled
from
  gcp_kubernetes_cluster
where
  not shielded_nodes_enabled;

SQLite:

select
  name,
  location_type,
  shielded_nodes_enabled
from
  gcp_kubernetes_cluster
where
  shielded_nodes_enabled = 0;

List clusters where secrets in etcd are not encrypted

GKE always encrypts etcd at rest with Google-managed keys. database_encryption_state reports the additional, application-layer encryption of Kubernetes Secrets with a customer-managed Cloud KMS key (named in database_encryption_key_name): ENCRYPTED when it is on, DECRYPTED otherwise. This lists clusters whose Secrets are not wrapped with your own key, which matters when your data-protection standard requires customer-managed keys or the ability to revoke access by disabling the key. As with any <> comparison, a NULL state is not matched.

PostgreSQL:

select
  name,
  database_encryption_state
from
  gcp_kubernetes_cluster
where
  database_encryption_state <> 'ENCRYPTED';

SQLite:

select
  name,
  database_encryption_state
from
  gcp_kubernetes_cluster
where
  database_encryption_state <> 'ENCRYPTED';
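The legacy-authorization, shielded-nodes and etcd-encryption checks above each answer one question and each silently skip rows whose column is NULL. The following query is an added example, not part of the Steampipe documentation: it folds those checks (plus Workload Identity and Kubernetes alpha features, both from the schema below) into one finding list with one row per cluster per failed check, using coalesce() so that a missing value counts as "not enabled". It uses only columns listed in the schema; reading a NULL workload_identity_config as "not configured" is an assumption.

```sql
-- Added example (not from the Steampipe docs): consolidated hardening findings.
-- Every branch yields (name, project, location, finding, failed); NULL columns
-- are coalesced to the failing value instead of being dropped by `not col`
-- or `<> 'ENCRYPTED'`.
with checks as (
  select
    name,
    project,
    location,
    'legacy ABAC enabled'                                   as finding,
    coalesce(legacy_abac_enabled, false)                    as failed
  from gcp_kubernetes_cluster
  union all
  select
    name, project, location,
    'shielded nodes disabled',
    not coalesce(shielded_nodes_enabled, false)
  from gcp_kubernetes_cluster
  union all
  select
    name, project, location,
    'etcd secrets not encrypted with a Cloud KMS key',
    coalesce(database_encryption_state, 'DECRYPTED') <> 'ENCRYPTED'
  from gcp_kubernetes_cluster
  union all
  select
    name, project, location,
    'workload identity not configured',
    workload_identity_config is null          -- assumption: NULL means unset
  from gcp_kubernetes_cluster
  union all
  select
    name, project, location,
    'kubernetes alpha features enabled',
    coalesce(enable_kubernetes_alpha, false)
  from gcp_kubernetes_cluster
)
select
  project,
  name,
  location,
  finding
from
  checks
where
  failed
order by
  project, name, finding;
```

Adding a further check is one more union all branch with the same five columns; the where failed filter and ordering stay untouched.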

Node configuration of clusters

Explore the node configuration of your clusters: disk size and type, image type, machine type, the instance metadata and the Shielded VM settings. Two of these carry security weight. disable-legacy-endpoints should be true, because the legacy metadata endpoints (v0.1 and v1beta1) do not require the Metadata-Flavor: Google header and so let a server-side request forgery in a pod fetch the node's service-account token. EnableIntegrityMonitoring (with secure boot) is what backs the Shielded VM guarantees. JSON key lookups are case-sensitive, and the examples on this page are not consistent about the casing of node_config keys, so if a column comes back NULL, list the keys that actually exist on your deployment and adjust the paths.

PostgreSQL:

select
  name,
  node_config ->> 'Disksizegb' as disk_size_gb,
  node_config ->> 'Disktype' as disk_type,
  node_config ->> 'Imagetype' as image_type,
  node_config ->> 'Machinetype' as machine_type,
  node_config -> 'Metadata' ->> 'disable-legacy-endpoints' as disable_legacy_endpoints,
  node_config ->> 'ServiceAccount' as service_account,
  node_config -> 'ShieldedInstanceConfig' ->> 'EnableIntegrityMonitoring' as enable_integrity_monitoring
from
  gcp_kubernetes_cluster;

SQLite:

select
  name,
  json_extract(node_config, '$.Disksizegb') as disk_size_gb,
  json_extract(node_config, '$.Disktype') as disk_type,
  json_extract(node_config, '$.Imagetype') as image_type,
  json_extract(node_config, '$.Machinetype') as machine_type,
  json_extract(
    json_extract(node_config, '$.Metadata'),
    '$.disable-legacy-endpoints'
  ) as disable_legacy_endpoints,
  json_extract(node_config, '$.ServiceAccount') as service_account,
  json_extract(
    json_extract(node_config, '$.ShieldedInstanceConfig'),
    '$.EnableIntegrityMonitoring'
  ) as enable_integrity_monitoring
from
  gcp_kubernetes_cluster;
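The two queries below are an added example and not part of the Steampipe documentation. The first lists the JSON keys that are actually present in node_config and in each node pool's config on your deployment, which settles the casing question before any path is trusted. The second walks every node pool and reports those whose nodes still serve the legacy metadata endpoints or run without integrity monitoring or secure boot. The per-pool path 'config' and the key 'EnableSecureBoot' are assumptions (the page shows only 'EnableIntegrityMonitoring' under 'ShieldedInstanceConfig'); the other key spellings follow the page's node_config example and must be adjusted to whatever the first query returns.

```sql
-- Added example (not from the Steampipe docs).
-- 1. Discover the key names on this deployment (run once, then fix the paths
--    in query 2). jsonb_object_keys() returns no rows for a NULL input.
select 'node_config'       as source, k
from   gcp_kubernetes_cluster,
       jsonb_object_keys(node_config) as k
union
select 'node_pools.config' as source, k
from   gcp_kubernetes_cluster,
       jsonb_array_elements(node_pools) as n,
       jsonb_object_keys(n -> 'config') as k   -- assumed pool-level key 'config'
order by 1, 2;

-- 2. Per-pool node hardening findings. Metadata values are strings, so the
--    legacy-endpoints flag compares against the text 'true'; the Shielded VM
--    booleans are rendered as text by ->>. A missing key counts as 'false'.
select
  c.project,
  c.name                                                                   as cluster_name,
  c.location,
  n ->> 'name'                                                             as node_pool,
  coalesce(n -> 'config' -> 'Metadata' ->> 'disable-legacy-endpoints', 'false')
                                                                           as disable_legacy_endpoints,
  coalesce(n -> 'config' -> 'ShieldedInstanceConfig' ->> 'EnableIntegrityMonitoring', 'false')
                                                                           as integrity_monitoring,
  coalesce(n -> 'config' -> 'ShieldedInstanceConfig' ->> 'EnableSecureBoot', 'false')
                                                                           as secure_boot   -- assumed key
from
  gcp_kubernetes_cluster as c,
  jsonb_array_elements(c.node_pools) as n
where
  coalesce(n -> 'config' -> 'Metadata' ->> 'disable-legacy-endpoints', 'false') <> 'true'
  or coalesce(n -> 'config' -> 'ShieldedInstanceConfig' ->> 'EnableIntegrityMonitoring', 'false') <> 'true'
  or coalesce(n -> 'config' -> 'ShieldedInstanceConfig' ->> 'EnableSecureBoot', 'false') <> 'true'
order by
  c.project, cluster_name, node_pool;
```

An empty result from query 2 only means something once query 1 has confirmed the key spellings; a wrong path yields NULL, which coalesce() reports as a failing 'false', so a typo shows up as a flood of findings rather than a silent pass.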

Schema for gcp_kubernetes_cluster

Name | Type | Operators | Description
_ctx | jsonb | | Steampipe context in JSON form.
addons_config | jsonb | | Configurations for the various addons available to run in the cluster.
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource.
authenticator_groups_config | jsonb | | Configuration controlling RBAC group membership information.
autopilot_enabled | boolean | | Denotes whether autopilot configuration is enabled for the cluster.
autoscaling | jsonb | | Cluster-level autoscaling configuration.
binary_authorization | jsonb | | Configuration for Binary Authorization.
cluster_ipv4_cidr | cidr | | The IP address range of the container pods in this cluster, in CIDR notation.
conditions | jsonb | | Which conditions caused the current cluster state.
create_time | timestamp with time zone | | The time the cluster was created, in RFC3339 text format.
current_master_version | text | | The current software version of the master endpoint.
current_node_count | bigint | | The number of nodes currently in the cluster.
current_node_version | text | | The current version of the node software components.
database_encryption_key_name | text | | Name of CloudKMS key to use for the encryption.
database_encryption_state | text | | Denotes the state of etcd encryption.
description | text | | An optional description of this cluster.
enable_kubernetes_alpha | boolean | | Indicates whether kubernetes alpha features are enabled on this cluster.
enable_tpu | boolean | | Enable the ability to use Cloud TPUs in this cluster.
endpoint | text | | The IP address of this cluster's master endpoint.
expire_time | timestamp with time zone | | The time the cluster will be automatically deleted.
id | text | | Unique ID of the cluster.
initial_cluster_version | text | | The initial Kubernetes version for this cluster.
initial_node_count | bigint | | The number of nodes to create in this cluster.
instance_group_urls | jsonb | | List of urls for instance groups.
ip_allocation_policy | jsonb | | Configuration for cluster IP allocation.
label_fingerprint | text | | The fingerprint of the set of labels for this cluster.
legacy_abac_enabled | boolean | | Configuration for the legacy ABAC authorization mode.
location | text | = | The GCP multi-region, region, or zone in which the resource is located.
location_type | text | | Location type of the cluster, i.e. REGIONAL/ZONAL.
locations | jsonb | | The list of Google Compute Engine zones in which the cluster's nodes should be located.
logging_service | text | | The logging service the cluster should use to write logs.
maintenance_policy | jsonb | | Configure the maintenance policy for this cluster.
master_auth | jsonb | | The authentication information for accessing the master endpoint.
master_authorized_networks_config | jsonb | | The configuration options for master authorized networks feature.
max_pods_per_node | bigint | | Constraint enforced on the max num of pods per node.
monitoring_service | text | | The monitoring service the cluster should use to write metrics.
name | text | = | The name of this cluster.
network | text | | The name of the Google Compute Engine network to which the cluster is connected.
network_config | jsonb | | Configuration for cluster networking.
network_policy | jsonb | | Configuration options for the NetworkPolicy feature.
node_config | jsonb | | Parameters used in creating the cluster's nodes.
node_ipv4_cidr_size | bigint | | The size of the address space on each node for hosting containers.
node_pools | jsonb | | The node pools associated with this cluster.
notification_config | jsonb | | Notification configuration of the cluster.
private_cluster_config | jsonb | | Configuration for private cluster.
project | text | =, !=, ~~, ~~*, !~~, !~~* | The GCP Project in which the resource is located.
release_channel | jsonb | | Release channel configuration.
resource_labels | jsonb | | The resource labels for the cluster to use to annotate any related Google Compute Engine resources.
resource_usage_export_config | jsonb | | Configuration for exporting resource usages.
self_link | text | | Server-defined URL for the resource.
services_ipv4_cidr | cidr | | The IP address range of the Kubernetes services in this cluster, in CIDR notation.
shielded_nodes_enabled | boolean | | Denotes whether Shielded Nodes features are enabled on all nodes in this cluster.
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name.
sp_ctx | jsonb | | Steampipe context in JSON form.
status | text | | The current status of this cluster.
status_message | text | | Additional information about the current status of this cluster, if available.
subnetwork | text | | The name of the Google Compute Engine subnetwork to which the cluster is connected.
tags | jsonb | | A map of tags for the resource.
title | text | | Title of the resource.
tpu_ipv4_cidr_block | cidr | | The IP address range of the Cloud TPUs in this cluster, in CIDR notation.
vertical_pod_autoscaling | jsonb | | Cluster-level Vertical Pod Autoscaling configuration.
workload_identity_config | jsonb | | Configuration for the use of Kubernetes Service Accounts in GCP IAM policies.
zone | text | | The name of the Google Compute Engine zone in which the cluster resides.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- gcp

You can pass the configuration to the command with the --config argument:

steampipe_export_gcp --config '<your_config>' gcp_kubernetes_cluster