package gke

import (
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckUseRbacPermissions is the GKE rule AVD-GCP-0062: it reports every
// managed cluster whose EnableLegacyABAC attribute resolves to true, and
// records a pass for every managed cluster where it does not. Clusters whose
// metadata is unmanaged (not resolvable from the scanned input) are neither
// reported nor passed.
var CheckUseRbacPermissions = rules.Register(
	scan.Rule{
		AVDID:       "AVD-GCP-0062",
		Provider:    providers.GoogleProvider,
		Service:     "gke",
		ShortCode:   "use-rbac-permissions",
		Summary:     "Legacy ABAC permissions are enabled.",
		Impact:      "ABAC permissions are less secure than RBAC permissions",
		Resolution:  "Switch to using RBAC permissions",
		Explanation: `You should disable Attribute-Based Access Control (ABAC), and instead use Role-Based Access Control (RBAC) in GKE. 

RBAC has significant security advantages and is now stable in Kubernetes, so it’s time to disable ABAC.`,
		Links: []string{
			"https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#leave_abac_disabled_default_for_110",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformUseRbacPermissionsGoodExamples,
			BadExamples:         terraformUseRbacPermissionsBadExamples,
			Links:               terraformUseRbacPermissionsLinks,
			RemediationMarkdown: terraformUseRbacPermissionsRemediationMarkdown,
		},
		Severity: severity.High,
	},
	// Evaluate the rule against every GKE cluster in the scanned state.
	func(st *state.State) scan.Results {
		var results scan.Results
		for _, cluster := range st.Google.GKE.Clusters {
			switch {
			case cluster.Metadata.IsUnmanaged():
				// Nothing is known about this cluster's attributes, so there is
				// no evidence either way; skip it rather than guess.
				continue
			case cluster.EnableLegacyABAC.IsTrue():
				// The finding points at the attribute itself so the report
				// can cite where ABAC was enabled.
				results.Add(
					"Cluster has legacy ABAC enabled.",
					cluster.EnableLegacyABAC,
				)
			default:
				results.AddPassed(&cluster)
			}
		}
		return results
	},
)