package gke

import (
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
	"github.com/khulnasoft-lab/defsec/pkg/types"
)

// CheckNodePoolUsesCos (AVD-GCP-0054) reports GKE clusters and node pools whose
// node image type is neither "COS" nor "COS_CONTAINERD" (matched ignoring case).
//
// Two levels are inspected per cluster:
//   - the cluster's default NodeConfig, only when the cluster is managed by the
//     scanned configuration; an unset ("") image type is accepted there,
//   - every node pool, where the same two values are accepted but an unset
//     image type is NOT exempted. NOTE(review): confirm that this asymmetry
//     between cluster default and pool is intended rather than an oversight.
//
// Both "COS" and "COS_CONTAINERD" satisfy the rule even though the failure
// messages mention only the containerd variant. Severity is Low.
var CheckNodePoolUsesCos = rules.Register(
	scan.Rule{
		AVDID:       "AVD-GCP-0054",
		Provider:    providers.GoogleProvider,
		Service:     "gke",
		ShortCode:   "node-pool-uses-cos",
		Summary:     "Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image",
		Impact:      "COS is the recommended OS image to use on cluster nodes",
		Resolution:  "Use the COS image type",
		Explanation: `GKE supports several OS image types but COS is the recommended OS image to use on cluster nodes for enhanced security`,
		Links:       []string{},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNodePoolUsesCosGoodExamples,
			BadExamples:         terraformNodePoolUsesCosBadExamples,
			Links:               terraformNodePoolUsesCosLinks,
			RemediationMarkdown: terraformNodePoolUsesCosRemediationMarkdown,
		},
		Severity: severity.Low,
	},
	func(st *state.State) scan.Results {
		var results scan.Results

		// notCos reports whether imageType fails to name either accepted
		// Container-Optimized OS image. It is built from NotEqualTo on purpose,
		// so that whatever NotEqualTo does for unresolvable values is preserved
		// exactly (NOTE(review): see types.StringValue for that behaviour).
		notCos := func(imageType types.StringValue) bool {
			return imageType.NotEqualTo("COS_CONTAINERD", types.IgnoreCase) &&
				imageType.NotEqualTo("COS", types.IgnoreCase)
		}

		for _, cluster := range st.Google.GKE.Clusters {
			// Cluster-wide default node image: only evaluated for managed
			// clusters, and an empty (unset) value passes.
			if cluster.Metadata.IsManaged() {
				defaultImage := cluster.NodeConfig.ImageType
				switch {
				case defaultImage.NotEqualTo("") && notCos(defaultImage):
					results.Add(
						"Cluster is not configuring node pools to use the COS containerd image type by default.",
						defaultImage,
					)
				default:
					results.AddPassed(&cluster)
				}
			}

			// Per-pool image type: no empty-value exemption here.
			for _, pool := range cluster.NodePools {
				poolImage := pool.NodeConfig.ImageType
				if !notCos(poolImage) {
					results.AddPassed(&pool)
					continue
				}
				results.Add(
					"Node pool is not using the COS containerd image type.",
					poolImage,
				)
			}
		}

		return results
	},
)