package gke

import (
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckNodeMetadataSecurity reports GKE clusters and node pools whose
// workload_metadata_config leaves node_metadata at UNSPECIFIED or EXPOSE
// instead of SECURE (metadata concealment) or GKE_METADATA_SERVER.
//
// The cluster-level node config is evaluated only for clusters whose
// metadata is managed; node pools are evaluated for every cluster. Any
// value other than UNSPECIFIED or EXPOSE is recorded as a pass, so a value
// the adapter could not resolve is also reported as passed.
// NOTE(review): presumably the adapter fills in UNSPECIFIED when the
// workload_metadata_config block is absent — confirm against the adapter.
var CheckNodeMetadataSecurity = rules.Register(
	scan.Rule{
		AVDID:       "AVD-GCP-0057",
		Provider:    providers.GoogleProvider,
		Service:     "gke",
		ShortCode:   "node-metadata-security",
		Summary:     "Node metadata value disables metadata concealment.",
		Impact:      "Metadata that isn't concealed potentially risks leakage of sensitive data",
		Resolution:  "Set node metadata to SECURE or GKE_METADATA_SERVER",
		Explanation: `If the <code>workload_metadata_config</code> block within <code>node_config</code> is included, the <code>node_metadata</code> attribute should be configured securely.

The attribute should be set to <code>SECURE</code> to use metadata concealment, or <code>GKE_METADATA_SERVER</code> if workload identity is enabled.
This ensures that the VM metadata is not unnecessarily exposed to pods.`,
		Links: []string{
			"https://cloud.google.com/kubernetes-engine/docs/how-to/protecting-cluster-metadata#create-concealed",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNodeMetadataSecurityGoodExamples,
			BadExamples:         terraformNodeMetadataSecurityBadExamples,
			Links:               terraformNodeMetadataSecurityLinks,
			RemediationMarkdown: terraformNodeMetadataSecurityRemediationMarkdown,
		},
		Severity: severity.High,
	},
	func(s *state.State) (results scan.Results) {
		for _, cluster := range s.Google.GKE.Clusters {
			// The cluster's own node config is only assessed when the
			// cluster resource is managed in the scanned configuration.
			if cluster.Metadata.IsManaged() {
				clusterMetadata := cluster.NodeConfig.WorkloadMetadataConfig.NodeMetadata
				switch {
				case clusterMetadata.EqualTo("UNSPECIFIED"), clusterMetadata.EqualTo("EXPOSE"):
					results.Add("Cluster exposes node metadata of pools by default.", clusterMetadata)
				default:
					results.AddPassed(&cluster)
				}
			}
			// Node pools are assessed regardless of the managed check above.
			for _, pool := range cluster.NodePools {
				poolMetadata := pool.NodeConfig.WorkloadMetadataConfig.NodeMetadata
				switch {
				case poolMetadata.EqualTo("UNSPECIFIED"), poolMetadata.EqualTo("EXPOSE"):
					results.Add("Node pool exposes node metadata.", poolMetadata)
				default:
					results.AddPassed(&pool)
				}
			}
		}
		return results
	},
)