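package gke

import (
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckMetadataEndpointsDisabled flags GKE node configurations that
// explicitly enable the legacy (v0.1/v1beta1) Compute Engine metadata
// endpoints. Both the cluster-level default node config (when the default
// node pool is kept) and every explicitly declared node pool are inspected,
// since each carries its own node config. A cluster is reported as passed
// only when none of its node configs enable the legacy endpoints.
var CheckMetadataEndpointsDisabled = rules.Register(
	scan.Rule{
		AVDID:       "AVD-GCP-0048",
		Provider:    providers.GoogleProvider,
		Service:     "gke",
		ShortCode:   "metadata-endpoints-disabled",
		Summary:     "Legacy metadata endpoints enabled.",
		Impact:      "Legacy metadata endpoints don't require metadata headers",
		Resolution:  "Disable legacy metadata endpoints",
		Explanation: `The Compute Engine instance metadata server exposes legacy v0.1 and v1beta1 endpoints, which do not enforce metadata query headers.

This is a feature in the v1 APIs that makes it more difficult for a potential attacker to retrieve instance metadata.

Unless specifically required, we recommend you disable these legacy APIs.

When setting the <code>metadata</code> block, the default value for <code>disable-legacy-endpoints</code> is set to true, they should not be explicitly enabled.`,
		Links: []string{
			"https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#protect_node_metadata_default_for_112",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformMetadataEndpointsDisabledGoodExamples,
			BadExamples:         terraformMetadataEndpointsDisabledBadExamples,
			Links:               terraformMetadataEndpointsDisabledLinks,
			RemediationMarkdown: terraformMetadataEndpointsDisabledRemediationMarkdown,
		},
		Severity: severity.High,
	},
	// Evaluates every managed GKE cluster in the state. One failed result is
	// added per node config that enables legacy endpoints; one passed result
	// per cluster with no such node config.
	func(s *state.State) (results scan.Results) {
		for _, cluster := range s.Google.GKE.Clusters {
			if cluster.Metadata.IsUnmanaged() {
				continue
			}

			failed := false

			// The cluster-level node config describes the default node pool,
			// so it is only relevant when that pool is not removed.
			if !cluster.RemoveDefaultNodePool.IsTrue() && cluster.NodeConfig.EnableLegacyEndpoints.IsTrue() {
				results.Add(
					"Cluster has legacy metadata endpoints enabled.",
					cluster.NodeConfig.EnableLegacyEndpoints,
				)
				failed = true
			}

			// Additional node pools exist whether or not the default pool is
			// removed, so they are always checked; previously they were only
			// inspected when the default pool was removed, leaving pools on
			// clusters that keep the default pool unchecked.
			for _, pool := range cluster.NodePools {
				if pool.NodeConfig.EnableLegacyEndpoints.IsTrue() {
					results.Add(
						"Cluster has legacy metadata endpoints enabled.",
						pool.NodeConfig.EnableLegacyEndpoints,
					)
					failed = true
				}
			}

			// Record a pass only once per cluster, and only when nothing
			// above was flagged (including the all-pools-clean case, which
			// previously produced no result at all).
			if !failed {
				results.AddPassed(&cluster)
			}
		}
		return
	},
)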