github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/digitalocean/compute/auto_upgrade_no_maintenance_policy.go (about) 1 package compute 2 3 import ( 4 "github.com/khulnasoft-lab/defsec/internal/rules" 5 "github.com/khulnasoft-lab/defsec/pkg/providers" 6 "github.com/khulnasoft-lab/defsec/pkg/scan" 7 "github.com/khulnasoft-lab/defsec/pkg/severity" 8 "github.com/khulnasoft-lab/defsec/pkg/state" 9 ) 10 11 var CheckAutoUpgrade = rules.Register( 12 scan.Rule{ 13 AVDID: "AVD-DIG-0008", 14 Provider: providers.DigitalOceanProvider, 15 Service: "compute", 16 ShortCode: "kubernetes-auto-upgrades-not-enabled", 17 Summary: "Kubernetes clusters should be auto-upgraded to ensure that they always contain the latest security patches.", 18 Impact: "Not running the latest security patches on your Kubernetes cluster can make it a target for penetration.", 19 Resolution: "Set maintenance policy deterministically when auto upgrades are enabled", 20 Explanation: ``, 21 Links: []string{ 22 "https://docs.digitalocean.com/products/kubernetes/resources/best-practices/", 23 }, 24 Terraform: &scan.EngineMetadata{ 25 GoodExamples: terraformKubernetesClusterAutoUpgradeGoodExample, 26 BadExamples: terraformKubernetesClusterAutoUpgradeBadExample, 27 Links: terraformKubernetesClusterAutoUpgradeLinks, 28 RemediationMarkdown: terraformKubernetesAutoUpgradeMarkdown, 29 }, 30 Severity: severity.Critical, 31 }, 32 func(s *state.State) (results scan.Results) { 33 for _, kc := range s.DigitalOcean.Compute.KubernetesClusters { 34 if kc.Metadata.IsUnmanaged() { 35 continue 36 } 37 if kc.AutoUpgrade.IsFalse() { 38 results.Add( 39 "Kubernetes Cluster does not enable auto upgrades enabled", 40 kc.AutoUpgrade, 41 ) 42 } else { 43 results.AddPassed(&kc) 44 } 45 } 46 return 47 }, 48 )