github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/google/gke/no_legacy_authentication.go

github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/google/gke/no_legacy_authentication.go (about)

     1  package gke
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/internal/rules"
     5  	"github.com/khulnasoft-lab/defsec/pkg/providers"
     6  	"github.com/khulnasoft-lab/defsec/pkg/scan"
     7  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  )
    10  
    11  var CheckNoLegacyAuthentication = rules.Register(
    12  	scan.Rule{
    13  		AVDID:      "AVD-GCP-0064",
    14  		Provider:   providers.GoogleProvider,
    15  		Service:    "gke",
    16  		ShortCode:  "no-legacy-authentication",
    17  		Summary:    "Legacy client authentication methods utilized.",
    18  		Impact:     "Username/password or certificate authentication methods are less secure",
    19  		Resolution: "Use service account or OAuth for authentication",
    20  		Explanation: `It is recommended to use Service Accounts and OAuth as authentication methods for accessing the master in the container cluster. 
    21  
    22  Basic authentication should be disabled by explicitly unsetting the <code>username</code> and <code>password</code> on the <code>master_auth</code> block.`,
    23  		Links: []string{
    24  			"https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#restrict_authn_methods",
    25  		},
    26  		Terraform: &scan.EngineMetadata{
    27  			GoodExamples:        terraformNoLegacyAuthenticationGoodExamples,
    28  			BadExamples:         terraformNoLegacyAuthenticationBadExamples,
    29  			Links:               terraformNoLegacyAuthenticationLinks,
    30  			RemediationMarkdown: terraformNoLegacyAuthenticationRemediationMarkdown,
    31  		},
    32  		Severity: severity.High,
    33  	},
    34  	func(s *state.State) (results scan.Results) {
    35  		for _, cluster := range s.Google.GKE.Clusters {
    36  			if cluster.Metadata.IsUnmanaged() {
    37  				continue
    38  			}
    39  			if cluster.MasterAuth.ClientCertificate.IssueCertificate.IsTrue() {
    40  				results.Add(
    41  					"Cluster allows the use of certificates for master authentication.",
    42  					cluster.MasterAuth.ClientCertificate.IssueCertificate,
    43  				)
    44  			} else if cluster.MasterAuth.Username.NotEqualTo("") {
    45  				results.Add(
    46  					"Cluster allows the use of basic auth for master authentication.",
    47  					cluster.MasterAuth.Username,
    48  				)
    49  			} else {
    50  				results.AddPassed(&cluster)
    51  			}
    52  
    53  		}
    54  		return
    55  	},
    56  )