package gke

import (
	"github.com/khulnasoft-lab/defsec/internal/cidr"
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckNoPublicControlPlane flags GKE clusters whose master authorized
// networks include a CIDR range that cidr.IsPublic reports as public.
//
// Each authorized CIDR is evaluated individually: a public range yields one
// failure attached to that CIDR value, a non-public range yields one passed
// result for the cluster. A cluster with an empty CIDR list produces neither a
// failure nor a pass from this rule, and whether master authorized networks
// are enabled at all is not evaluated here (presumably the concern of a
// separate rule — verify).
var CheckNoPublicControlPlane = rules.Register(
	scan.Rule{
		AVDID:       "AVD-GCP-0053",
		Provider:    providers.GoogleProvider,
		Service:     "gke",
		ShortCode:   "no-public-control-plane",
		Summary:     "GKE Control Plane should not be publicly accessible",
		Impact:      "GKE control plane exposed to public internet",
		Resolution:  "Use private nodes and master authorised networks to prevent exposure",
		Explanation: `The GKE control plane is exposed to the public internet by default.`,
		Links:       []string{},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicControlPlaneGoodExamples,
			BadExamples:         terraformNoPublicControlPlaneBadExamples,
			Links:               terraformNoPublicControlPlaneLinks,
			RemediationMarkdown: terraformNoPublicControlPlaneRemediationMarkdown,
		},
		Severity: severity.High,
	},
	func(s *state.State) (results scan.Results) {
		for _, cluster := range s.Google.GKE.Clusters {
			// Skip clusters whose metadata marks them as unmanaged.
			if cluster.Metadata.IsUnmanaged() {
				continue
			}
			for _, network := range cluster.MasterAuthorizedNetworks.CIDRs {
				// Non-public ranges are the happy path; record the pass
				// against the cluster and move on to the next CIDR.
				if !cidr.IsPublic(network.Value()) {
					results.AddPassed(&cluster)
					continue
				}
				// The failure is attached to the offending CIDR value so the
				// finding points at the exact block that opens the control plane.
				results.Add(
					"Cluster exposes control plane to the public internet.",
					network,
				)
			}
		}
		return results
	},
)