package gke

import (
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckNodeShieldingEnabled registers AVD-GCP-0055, a high-severity GKE rule
// that reports every managed cluster whose EnableShieldedNodes value reports
// IsFalse(). Unmanaged clusters are skipped entirely; any other cluster (one
// whose value does not report false — presumably including values the adapter
// could not resolve to a concrete bool; confirm against the BoolValue
// implementation) is recorded as passed.
var CheckNodeShieldingEnabled = rules.Register(
	scan.Rule{
		AVDID:       "AVD-GCP-0055",
		Provider:    providers.GoogleProvider,
		Service:     "gke",
		ShortCode:   "node-shielding-enabled",
		Summary:     "Shielded GKE nodes not enabled.",
		Impact:      "Node identity and integrity can't be verified without shielded GKE nodes",
		Resolution:  "Enable node shielding",
		Explanation: `CIS GKE Benchmark Recommendation: 6.5.5. Ensure Shielded GKE Nodes are Enabled

Shielded GKE Nodes provide strong, verifiable node identity and integrity to increase the security of GKE nodes and should be enabled on all GKE clusters.`,
		Links: []string{
			"https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#shielded_nodes",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNodeShieldingEnabledGoodExamples,
			BadExamples:         terraformNodeShieldingEnabledBadExamples,
			Links:               terraformNodeShieldingEnabledLinks,
			RemediationMarkdown: terraformNodeShieldingEnabledRemediationMarkdown,
		},
		Severity: severity.High,
	},
	// Evaluate the rule against every GKE cluster in the scanned state and
	// return one result per managed cluster.
	func(s *state.State) scan.Results {
		var results scan.Results
		for _, cluster := range s.Google.GKE.Clusters {
			switch {
			case cluster.Metadata.IsUnmanaged():
				// Unmanaged clusters produce neither a failure nor a pass.
			case cluster.EnableShieldedNodes.IsFalse():
				// The finding is attached to the EnableShieldedNodes value
				// itself rather than to the cluster as a whole.
				results.Add(
					"Cluster has shielded nodes disabled.",
					cluster.EnableShieldedNodes,
				)
			default:
				results.AddPassed(&cluster)
			}
		}
		return results
	},
)