github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/azure/container/limit_authorized_ips.go (about) 1 package container 2 3 import ( 4 "github.com/khulnasoft-lab/defsec/internal/rules" 5 "github.com/khulnasoft-lab/defsec/pkg/providers" 6 "github.com/khulnasoft-lab/defsec/pkg/scan" 7 "github.com/khulnasoft-lab/defsec/pkg/severity" 8 "github.com/khulnasoft-lab/defsec/pkg/state" 9 ) 10 11 var CheckLimitAuthorizedIps = rules.Register( 12 scan.Rule{ 13 AVDID: "AVD-AZU-0041", 14 Provider: providers.AzureProvider, 15 Service: "container", 16 ShortCode: "limit-authorized-ips", 17 Summary: "Ensure AKS has an API Server Authorized IP Ranges enabled", 18 Impact: "Any IP can interact with the API server", 19 Resolution: "Limit the access to the API server to a limited IP range", 20 Explanation: `The API server is the central way to interact with and manage a cluster. To improve cluster security and minimize attacks, the API server should only be accessible from a limited set of IP address ranges.`, 21 Links: []string{ 22 "https://docs.microsoft.com/en-us/azure/aks/api-server-authorized-ip-ranges", 23 }, 24 Terraform: &scan.EngineMetadata{ 25 GoodExamples: terraformLimitAuthorizedIpsGoodExamples, 26 BadExamples: terraformLimitAuthorizedIpsBadExamples, 27 Links: terraformLimitAuthorizedIpsLinks, 28 RemediationMarkdown: terraformLimitAuthorizedIpsRemediationMarkdown, 29 }, 30 Severity: severity.Critical, 31 }, 32 func(s *state.State) (results scan.Results) { 33 for _, cluster := range s.Azure.Container.KubernetesClusters { 34 if cluster.Metadata.IsUnmanaged() { 35 continue 36 } 37 if cluster.EnablePrivateCluster.IsTrue() { 38 continue 39 } 40 if len(cluster.APIServerAuthorizedIPRanges) == 0 { 41 results.Add( 42 "Cluster does not limit API access to specific IP addresses.", 43 cluster.EnablePrivateCluster, 44 ) 45 } else { 46 results.AddPassed(&cluster) 47 } 48 } 49 return 50 }, 51 )