diff --git a/avd_docs/google/gke/AVD-GCP-0057/Terraform.md b/avd_docs/google/gke/AVD-GCP-0057/Terraform.md
index e8afb19e..9aef8dde 100644
--- a/avd_docs/google/gke/AVD-GCP-0057/Terraform.md
+++ b/avd_docs/google/gke/AVD-GCP-0057/Terraform.md
@@ -2,7 +2,16 @@ Set node metadata to SECURE or GKE_METADATA_SERVER
 ```hcl
+resource "google_container_cluster" "primary" {
+ name = "my-gke-cluster"
+ location = "us-central1"
+
+ remove_default_node_pool = true
+ initial_node_count = 1
+}
+
 resource "google_container_node_pool" "good_example" {
+ cluster = google_container_cluster.primary.id
 node_config {
 workload_metadata_config {
 node_metadata = "SECURE"
diff --git a/checks/cloud/aws/elb/alb_not_public.rego b/checks/cloud/aws/elb/alb_not_public.rego
index 712ad95f..b986aeea 100644
--- a/checks/cloud/aws/elb/alb_not_public.rego
+++ b/checks/cloud/aws/elb/alb_not_public.rego
@@ -32,6 +32,7 @@ import data.lib.cloud.metadata
 deny contains res if {
 some lb in input.aws.elb.loadbalancers
+ isManaged(lb)
 not is_gateway(lb)
 not lb.internal.value
diff --git a/checks/cloud/aws/elb/drop_invalid_headers.rego b/checks/cloud/aws/elb/drop_invalid_headers.rego
index f5962903..e8a6d562 100644
--- a/checks/cloud/aws/elb/drop_invalid_headers.rego
+++ b/checks/cloud/aws/elb/drop_invalid_headers.rego
@@ -35,6 +35,7 @@ import data.lib.cloud.metadata
 deny contains res if {
 some lb in input.aws.elb.loadbalancers
+ isManaged(lb)
 lb.type.value == "application"
 not lb.dropinvalidheaderfields.value
 res := result.new(
diff --git a/checks/cloud/aws/lambda/enable_tracing.rego b/checks/cloud/aws/lambda/enable_tracing.rego
index 5657e376..25ae7c5d 100644
--- a/checks/cloud/aws/lambda/enable_tracing.rego
+++ b/checks/cloud/aws/lambda/enable_tracing.rego
@@ -38,6 +38,7 @@ import data.lib.cloud.value
 deny contains res if {
 some func in input.aws.lambda.functions
+ isManaged(func)
 not is_active_mode(func)
 res := result.new(
 "Function does not have tracing enabled.",
diff --git a/checks/cloud/google/gke/enable_auto_repair.rego b/checks/cloud/google/gke/enable_auto_repair.rego
index 6b46c8d0..4c559ace 100644
--- a/checks/cloud/google/gke/enable_auto_repair.rego
+++ b/checks/cloud/google/gke/enable_auto_repair.rego
@@ -28,9 +28,15 @@ package builtin.google.gke.google0063
 import rego.v1
+import data.lib.cloud.metadata
+
 deny contains res if {
 some cluster in input.google.gke.clusters
+ isManaged(cluster)
 some pool in cluster.nodepools
- pool.management.enableautorepair.value == false
- res := result.new("Node pool does not have auto-repair enabled.", pool.management.enableautorepair)
+ not pool.management.enableautorepair.value
+ res := result.new(
+ "Node pool does not have auto-repair enabled.",
+ metadata.obj_by_path(pool, ["management", "enableautorepair"]),
+ )
 }
diff --git a/checks/cloud/google/gke/enable_auto_upgrade.rego b/checks/cloud/google/gke/enable_auto_upgrade.rego
index 7a57f674..a588e3db 100644
--- a/checks/cloud/google/gke/enable_auto_upgrade.rego
+++ b/checks/cloud/google/gke/enable_auto_upgrade.rego
@@ -28,9 +28,15 @@ package builtin.google.gke.google0058
 import rego.v1
+import data.lib.cloud.metadata
+
 deny contains res if {
 some cluster in input.google.gke.clusters
+ isManaged(cluster)
 some pool in cluster.nodepools
- pool.management.enableautoupgrade.value == false
- res := result.new("Node pool does not have auto-upgraade enabled.", pool.management.enableautoupgrade)
+ not pool.management.enableautoupgrade.value
+ res := result.new(
+ "Node pool does not have auto-upgraade enabled.",
+ metadata.obj_by_path(pool, ["management", "enableautoupgrade"]),
+ )
 }
diff --git a/checks/cloud/google/gke/enable_ip_aliasing.rego b/checks/cloud/google/gke/enable_ip_aliasing.rego
index d324ed19..f14bede8 100644
--- a/checks/cloud/google/gke/enable_ip_aliasing.rego
+++ b/checks/cloud/google/gke/enable_ip_aliasing.rego
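Review bot: The rewritten `res := result.new(` call in the enable_auto_upgrade hunk still carries the pre-existing typo in its user-facing message, `"Node pool does not have auto-upgraade enabled."`; since the line is being touched anyway it should read `"Node pool does not have auto-upgrade enabled.",`. Any fixture or document that pins the exact message would need the same edit. Separately, in this hunk and the enable_auto_repair hunk above it, replacing `== false` with `not pool.management.enableautoupgrade.value` means a pool whose adapted `management` block is missing now fails as well as one with an explicit false; that looks intended given the `obj_by_path` fallback, but it relies on the adapter supplying the provider's default of true where one exists, which is not visible here, so a test case for a pool without a `management` block would pin the behaviour.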
@@ -28,8 +28,14 @@ package builtin.google.gke.google0049
 import rego.v1
+import data.lib.cloud.metadata
+
 deny contains res if {
 some cluster in input.google.gke.clusters
- cluster.ipallocationpolicy.enabled.value == false
- res := result.new("Cluster has IP aliasing disabled.", cluster.ipallocationpolicy.enabled)
+ isManaged(cluster)
+ not cluster.ipallocationpolicy.enabled.value
+ res := result.new(
+ "Cluster has IP aliasing disabled.",
+ metadata.obj_by_path(cluster, ["ipallocationpolicy", "enabled"]),
+ )
 }
diff --git a/checks/cloud/google/gke/enable_master_networks.rego b/checks/cloud/google/gke/enable_master_networks.rego
index e441c73f..2ed7e616 100644
--- a/checks/cloud/google/gke/enable_master_networks.rego
+++ b/checks/cloud/google/gke/enable_master_networks.rego
@@ -28,11 +28,14 @@ package builtin.google.gke.google0061
 import rego.v1
+import data.lib.cloud.metadata
+
 deny contains res if {
 some cluster in input.google.gke.clusters
- cluster.masterauthorizednetworks.enabled.value == false
+ isManaged(cluster)
+ not cluster.masterauthorizednetworks.enabled.value
 res := result.new(
 "Cluster does not have master authorized networks enabled.",
- cluster.masterauthorizednetworks.enabled,
+ metadata.obj_by_path(cluster, ["masterauthorizednetworks", "enabled"]),
 )
 }
diff --git a/checks/cloud/google/gke/enable_private_cluster.rego b/checks/cloud/google/gke/enable_private_cluster.rego
index 7715710e..d924e4c7 100644
--- a/checks/cloud/google/gke/enable_private_cluster.rego
+++ b/checks/cloud/google/gke/enable_private_cluster.rego
@@ -28,11 +28,14 @@ package builtin.google.gke.google0059
 import rego.v1
+import data.lib.cloud.metadata
+
 deny contains res if {
 some cluster in input.google.gke.clusters
- cluster.privatecluster.enableprivatenodes.value == false
+ isManaged(cluster)
+ not cluster.privatecluster.enableprivatenodes.value
 res := result.new(
 "Cluster does not have private nodes.",
- cluster.privatecluster.enableprivatenodes,
+ metadata.obj_by_path(cluster, ["privatecluster", "enableprivatenodes"]),
 )
 }
diff --git a/checks/cloud/google/gke/enable_stackdriver_logging.rego b/checks/cloud/google/gke/enable_stackdriver_logging.rego
index 495a0944..683bc34c 100644
--- a/checks/cloud/google/gke/enable_stackdriver_logging.rego
+++ b/checks/cloud/google/gke/enable_stackdriver_logging.rego
@@ -28,8 +28,14 @@ package builtin.google.gke.google0060
 import rego.v1
+import data.lib.cloud.metadata
+
 deny contains res if {
 some cluster in input.google.gke.clusters
+ isManaged(cluster)
 cluster.loggingservice.value != "logging.googleapis.com/kubernetes"
- res := result.new("Cluster does not use the logging.googleapis.com/kubernetes StackDriver logging service.", cluster.loggingservice)
+ res := result.new(
+ "Cluster does not use the logging.googleapis.com/kubernetes StackDriver logging service.",
+ metadata.obj_by_path(cluster, ["loggingservice"]),
+ )
 }
diff --git a/checks/cloud/google/gke/enable_stackdriver_monitoring.rego b/checks/cloud/google/gke/enable_stackdriver_monitoring.rego
index 514951ca..fb5a68c3 100644
--- a/checks/cloud/google/gke/enable_stackdriver_monitoring.rego
+++ b/checks/cloud/google/gke/enable_stackdriver_monitoring.rego
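Review bot: In the enable_stackdriver_logging hunk the condition `cluster.loggingservice.value != "logging.googleapis.com/kubernetes"` still requires the attribute to exist, so the newly added `metadata.obj_by_path(cluster, ["loggingservice"])` fallback can never be reached with a missing value, whereas the enable_stackdriver_monitoring hunk that follows switched to `not use_kub_service(cluster)`, which also fires when the attribute is absent; the two sibling checks now disagree on what an unset service means. The use_cluster_labels hunk later in this diff has the same shape with `count(cluster.resourcelabels.value) == 0`. If absent-should-fail is the intended semantic here as well, mirror the monitoring check with `not uses_kubernetes_logging(cluster)` in the body and `uses_kubernetes_logging(cluster) if cluster.loggingservice.value == "logging.googleapis.com/kubernetes"` as a helper; if it is not, the monitoring helper is the one to reconsider. Whether an unset `loggingservice` is a real misconfiguration depends on what the adapter fills in for the provider default, which this diff does not show.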
@@ -28,11 +28,16 @@ package builtin.google.gke.google0052
 import rego.v1
+import data.lib.cloud.metadata
+
 deny contains res if {
 some cluster in input.google.gke.clusters
- cluster.monitoringservice.value != "monitoring.googleapis.com/kubernetes"
+ isManaged(cluster)
+ not use_kub_service(cluster)
 res := result.new(
 "Cluster does not use the monitoring.googleapis.com/kubernetes StackDriver monitoring service.",
- cluster.monitoringservice,
+ metadata.obj_by_path(cluster, ["monitoringservice"]),
 )
 }
+
+use_kub_service(cluster) if cluster.monitoringservice.value == "monitoring.googleapis.com/kubernetes"
diff --git a/checks/cloud/google/gke/metadata_endpoints_disabled.rego b/checks/cloud/google/gke/metadata_endpoints_disabled.rego
index 3c59c589..e6b06b32 100644
--- a/checks/cloud/google/gke/metadata_endpoints_disabled.rego
+++ b/checks/cloud/google/gke/metadata_endpoints_disabled.rego
@@ -38,6 +38,7 @@ import rego.v1
 deny contains res if {
 some cluster in input.google.gke.clusters
+ isManaged(cluster)
 cluster.removedefaultnodepool.value == true
 some pool in cluster.nodepools
 pool.nodeconfig.enablelegacyendpoints.value == true
@@ -49,6 +50,7 @@ deny contains res if {
 deny contains res if {
 some cluster in input.google.gke.clusters
+ isManaged(cluster)
 not cluster.removedefaultnodepool.value
 cluster.nodeconfig.enablelegacyendpoints.value == true
 res := result.new(
diff --git a/checks/cloud/google/gke/no_legacy_authentication.rego b/checks/cloud/google/gke/no_legacy_authentication.rego
index 1aa98a6b..e939f346 100644
--- a/checks/cloud/google/gke/no_legacy_authentication.rego
+++ b/checks/cloud/google/gke/no_legacy_authentication.rego
@@ -36,6 +36,7 @@ import data.lib.cloud.value
 deny contains res if {
 some cluster in input.google.gke.clusters
+ isManaged(cluster)
 cluster.masterauth.clientcertificate.issuecertificate.value
 res := result.new(
 "Cluster allows the use of certificates for master authentication.",
@@ -45,6 +46,7 @@ deny contains res if {
 deny contains res if {
 some cluster in input.google.gke.clusters
+ isManaged(cluster)
 not cluster.masterauth.clientcertificate.issuecertificate.value
 value.is_not_empty(cluster.masterauth.username)
 res := result.new(
diff --git a/checks/cloud/google/gke/node_metadata_security.rego b/checks/cloud/google/gke/node_metadata_security.rego
index 95ac58d0..719f0914 100644
--- a/checks/cloud/google/gke/node_metadata_security.rego
+++ b/checks/cloud/google/gke/node_metadata_security.rego
@@ -34,6 +34,7 @@ import rego.v1
 deny contains res if {
 some cluster in input.google.gke.clusters
+ isManaged(cluster)
 metadata := cluster.nodeconfig.workloadmetadataconfig.nodemetadata
 is_exposes(metadata.value)
 res := result.new("Cluster exposes node metadata of pools by default.", metadata)
@@ -41,6 +42,7 @@ deny contains res if {
 deny contains res if {
 some cluster in input.google.gke.clusters
+ isManaged(cluster)
 some pool in cluster.nodepools
 metadata := pool.nodeconfig.workloadmetadataconfig.nodemetadata
 is_exposes(metadata.value)
diff --git a/checks/cloud/google/gke/node_metadata_security.yaml b/checks/cloud/google/gke/node_metadata_security.yaml
index 694ae2e9..4d920d7d 100644
--- a/checks/cloud/google/gke/node_metadata_security.yaml
+++ b/checks/cloud/google/gke/node_metadata_security.yaml
@@ -1,7 +1,16 @@
 terraform:
 good:
 - |-
+ resource "google_container_cluster" "primary" {
+ name = "my-gke-cluster"
+ location = "us-central1"
+
+ remove_default_node_pool = true
+ initial_node_count = 1
+ }
+
 resource "google_container_node_pool" "good_example" {
+ cluster = google_container_cluster.primary.id
 node_config {
 workload_metadata_config {
 node_metadata = "SECURE"
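Review bot: Both rules in the node_metadata_security.rego hunks bind a local named `metadata` (`metadata := cluster.nodeconfig.workloadmetadataconfig.nodemetadata` and the pool variant), which is the same identifier the sibling checks in this commit import as `data.lib.cloud.metadata`; this file does not import that package yet, but the moment it does the local would shadow it. Renaming the local in both rules, e.g. `node_metadata := cluster.nodeconfig.workloadmetadataconfig.nodemetadata` and `is_exposes(node_metadata.value)`, keeps the naming aligned with the rest of the change at no cost. The first rule's `result.new` call is inside its hunk, but the second rule continues past the end of the second hunk.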
@@ -10,7 +19,16 @@ terraform:
 }
 bad:
 - |-
+ resource "google_container_cluster" "primary" {
+ name = "my-gke-cluster"
+ location = "us-central1"
+
+ remove_default_node_pool = true
+ initial_node_count = 1
+ }
+
 resource "google_container_node_pool" "bad_example" {
+ cluster = google_container_cluster.primary.id
 node_config {
 workload_metadata_config {
 node_metadata = "EXPOSE"
diff --git a/checks/cloud/google/gke/node_pool_uses_cos.rego b/checks/cloud/google/gke/node_pool_uses_cos.rego
index 1b296e8b..369e2bb2 100644
--- a/checks/cloud/google/gke/node_pool_uses_cos.rego
+++ b/checks/cloud/google/gke/node_pool_uses_cos.rego
@@ -30,6 +30,7 @@ import rego.v1
 deny contains res if {
 some cluster in input.google.gke.clusters
+ isManaged(cluster)
 image_type := cluster.nodeconfig.imagetype
 not lower(image_type.value) in {"cos", "cos_containerd", ""}
 res := result.new(
@@ -40,6 +41,7 @@ deny contains res if {
 deny contains res if {
 some cluster in input.google.gke.clusters
+ isManaged(cluster)
 some pool in cluster.nodepools
 image_type := pool.nodeconfig.imagetype
 not lower(image_type.value) in {"cos", "cos_containerd"}
diff --git a/checks/cloud/google/gke/node_shielding_enabled.rego b/checks/cloud/google/gke/node_shielding_enabled.rego
index b9610f85..a357d52d 100644
--- a/checks/cloud/google/gke/node_shielding_enabled.rego
+++ b/checks/cloud/google/gke/node_shielding_enabled.rego
@@ -32,8 +32,14 @@ package builtin.google.gke.google0055
 import rego.v1
+import data.lib.cloud.metadata
+
 deny contains res if {
 some cluster in input.google.gke.clusters
- cluster.enableshieldednodes.value == false
- res := result.new("Cluster has shielded nodes disabled.", cluster.enableshieldednodes)
+ isManaged(cluster)
+ not cluster.enableshieldednodes.value
+ res := result.new(
+ "Cluster has shielded nodes disabled.",
+ metadata.obj_by_path(cluster, ["enableshieldednodes"]),
+ )
 }
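Review bot: In node_pool_uses_cos.rego the cluster-level rule tolerates an empty image type (`not lower(image_type.value) in {"cos", "cos_containerd", ""}`) while the pool-level rule in the second hunk does not (`{"cos", "cos_containerd"}`), so a node pool whose adapted `imagetype` is the empty string is reported but an identically unset cluster default is not. Neither line is changed by this commit, but since the commit is already aligning these rules it is the natural place to settle on one semantic: if `""` stands for "not set, provider default applies" the pool set should include it too, otherwise the cluster rule should drop it. Both rules continue past the edges of their hunks.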
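Review bot: In the node_shielding_enabled hunk, `not cluster.enableshieldednodes.value` now reports a cluster whose `enableshieldednodes` attribute is absent, where the old `== false` only reported an explicit false. As far as I recall the google provider's `enable_shielded_nodes` argument defaults to true, so whether this widening produces false positives depends on whether the adapter materialises that default, which this diff does not show; a fixture with the argument omitted would settle it. The same widening appears in the enable_ip_aliasing, enable_master_networks and enable_private_cluster hunks, where an absent block does correspond to the insecure state, so this is the one worth confirming.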
diff --git a/checks/cloud/google/gke/use_cluster_labels.rego b/checks/cloud/google/gke/use_cluster_labels.rego
index 2dd914d2..e7df5112 100644
--- a/checks/cloud/google/gke/use_cluster_labels.rego
+++ b/checks/cloud/google/gke/use_cluster_labels.rego
@@ -28,8 +28,14 @@ package builtin.google.gke.google0051
 import rego.v1
+import data.lib.cloud.metadata
+
 deny contains res if {
 some cluster in input.google.gke.clusters
+ isManaged(cluster)
 count(cluster.resourcelabels.value) == 0
- res := result.new("Cluster does not use GCE resource labels.", cluster.resourcelabels)
+ res := result.new(
+ "Cluster does not use GCE resource labels.",
+ metadata.obj_by_path(cluster, ["resourcelabels"]),
+ )
 }
diff --git a/checks/cloud/google/gke/use_rbac_permissions.rego b/checks/cloud/google/gke/use_rbac_permissions.rego
index 0f007899..b07a8cf1 100644
--- a/checks/cloud/google/gke/use_rbac_permissions.rego
+++ b/checks/cloud/google/gke/use_rbac_permissions.rego
@@ -34,6 +34,7 @@ import rego.v1
 deny contains res if {
 some cluster in input.google.gke.clusters
+ isManaged(cluster)
 cluster.enablelegacyabac.value == true
 res := result.new("Cluster has legacy ABAC enabled.", cluster.enablelegacyabac)
 }
diff --git a/checks/cloud/google/gke/use_service_account.rego b/checks/cloud/google/gke/use_service_account.rego
index b1a73a52..4a19f790 100644
--- a/checks/cloud/google/gke/use_service_account.rego
+++ b/checks/cloud/google/gke/use_service_account.rego
@@ -35,6 +35,7 @@ import data.lib.cloud.value
 deny contains res if {
 some cluster in input.google.gke.clusters
+ isManaged(cluster)
 value.is_false(cluster.removedefaultnodepool)
 default_account_is_not_overrided(cluster.nodeconfig)
 res := result.new(
@@ -45,6 +46,7 @@ deny contains res if {
 deny contains res if {
 some cluster in input.google.gke.clusters
+ isManaged(cluster)
 some pool in cluster.nodepools
 default_account_is_not_overrided(pool.nodeconfig)
 res := result.new(