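// Source: github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/google/gke/use_service_account.go

package gke

import (
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// computeDefaultSASuffix is the fixed suffix of the Compute Engine default
// service account email (<project-number>-compute@developer.gserviceaccount.com).
// Naming that account explicitly is no better than leaving the field empty
// (GKE falls back to the same account), so both forms are treated as findings.
const computeDefaultSASuffix = "-compute@developer.gserviceaccount.com"

// CheckUseServiceAccount (AVD-GCP-0050) flags GKE clusters and node pools whose
// nodes run under the Compute Engine default service account instead of a
// dedicated, minimally privileged one.
//
// For a cluster the check only applies to its built-in default node pool:
// when RemoveDefaultNodePool is not false the cluster-level NodeConfig is never
// used to create nodes and the cluster passes. Every node pool is then checked
// independently. A cluster or pool fails when its service account is left
// empty or points at the default compute account; otherwise it passes.
var CheckUseServiceAccount = rules.Register(
	scan.Rule{
		AVDID:       "AVD-GCP-0050",
		Provider:    providers.GoogleProvider,
		Service:     "gke",
		ShortCode:   "use-service-account",
		Summary:     "Checks for service account defined for GKE nodes",
		Impact:      "Service accounts with wide permissions can increase the risk of compromise",
		Resolution:  "Use limited permissions for service accounts to be effective",
		Explanation: `You should create and use a minimally privileged service account to run your GKE cluster instead of using the Compute Engine default service account.`,
		Links: []string{
			"https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_least_privilege_sa",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformUseServiceAccountGoodExamples,
			BadExamples:         terraformUseServiceAccountBadExamples,
			Links:               terraformUseServiceAccountLinks,
			RemediationMarkdown: terraformUseServiceAccountRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	func(s *state.State) (results scan.Results) {
		// Index rather than range-copy so the pointers handed to AddPassed
		// refer to the clusters/pools held in the state, not to a loop
		// variable that is overwritten on the next iteration.
		for i := range s.Google.GKE.Clusters {
			cluster := &s.Google.GKE.Clusters[i]

			if cluster.Metadata.IsManaged() {
				if !cluster.RemoveDefaultNodePool.IsFalse() {
					// The default pool is removed (or the value is not
					// resolvable), so the cluster-level NodeConfig creates no
					// nodes and there is nothing to flag here.
					results.AddPassed(cluster)
				} else {
					sa := cluster.NodeConfig.ServiceAccount
					if sa.IsEmpty() || sa.EndsWith(computeDefaultSASuffix) {
						results.Add(
							"Cluster does not override the default service account.",
							sa,
						)
					} else {
						// A dedicated account is set on the default pool: record
						// the pass so the cluster shows up in passed results
						// just like clusters that removed the default pool.
						results.AddPassed(cluster)
					}
				}
			}

			// Node pools are evaluated regardless of the cluster's managed
			// status (each pool carries its own metadata).
			for j := range cluster.NodePools {
				pool := &cluster.NodePools[j]
				sa := pool.NodeConfig.ServiceAccount
				if sa.IsEmpty() || sa.EndsWith(computeDefaultSASuffix) {
					results.Add(
						"Node pool does not override the default service account.",
						sa,
					)
				} else {
					results.AddPassed(pool)
				}
			}
		}
		return
	},
)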