
checkov GCP container cluster checks do not take node_pool into account

Open hazcod opened this issue 4 years ago • 4 comments

Describe the bug

CKV_GCP_69 and CKV_GCP_67 are triggered when node_config is not defined in a google_container_cluster. However, this is often defined in the google_container_node_pool which is attached to the cluster via the cluster attribute.

To Reproduce

Steps to reproduce the behavior:

  1. Create a simple google_container_cluster block without a node_config block.
  2. Create a google_container_node_pool with the node_config block and assign it to the cluster.
  3. See errors CKV_GCP_69/CKV_GCP_67 in Checkov

Expected behavior

Checkov should take the attached node_pool into account.

Example

resource "google_container_cluster" "main_cluster" {
  project  = var.project_id
  name     = var.cluster_name
  location = var.cluster_location
}

resource "google_container_node_pool" "main_preemptible_nodes" {
  name    = "gke-${var.cluster_name}-preempt-nodepool"
  cluster = google_container_cluster.main_cluster.id

  node_config {
    machine_type = var.node_machine_type
    image_type   = "cos_containerd"

    sandbox_config {
      sandbox_type = "gvisor"
    }

    service_account = google_service_account.node_default.email
    oauth_scopes = [
      "https://www.googleapis.com/auth/cloud-platform"
    ]

    workload_metadata_config {
      node_metadata = "GKE_METADATA_SERVER"
    }

    shielded_instance_config {
      enable_integrity_monitoring = true
      enable_secure_boot          = true
    }
  }
}

hazcod avatar Sep 28 '21 06:09 hazcod
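The behaviour the issue asks for, as an added illustration that is not Checkov's own code: a check that only inspects google_container_cluster.node_config misses settings declared on a google_container_node_pool whose cluster attribute references the cluster. The resolver below collects every node_config that governs a cluster (inline, then from attached pools) before evaluating it, and still reports a finding when neither place defines one, so a cluster that relies on defaults is not silently passed. It assumes parsed Terraform in the dict shape python-hcl2 produces (resource type -> name -> attributes, nested blocks as one-element lists), and takes workload_metadata_config.node_metadata, which the issue's example sets, as the attribute under test; the function and sample names are constructed for this example.

```python
"""Resolve GKE node settings across a cluster and its attached node pools."""
from __future__ import annotations

import re
from typing import Any, Iterator

# Matches a Terraform reference such as google_container_cluster.main_cluster.id
CLUSTER_REF = re.compile(r"google_container_cluster\.([A-Za-z0-9_-]+)")

# Constructed sample modelled on the issue: main_cluster has no node_config and
# relies on its node pool; bare_cluster has neither and should still fail.
SAMPLE_RESOURCES: list[dict[str, Any]] = [
    {"google_container_cluster": {"main_cluster": {
        "project": "${var.project_id}",
        "name": "${var.cluster_name}",
        "location": "${var.cluster_location}",
    }}},
    {"google_container_cluster": {"bare_cluster": {
        "name": "bare",
        "location": "${var.cluster_location}",
    }}},
    {"google_container_node_pool": {"main_preemptible_nodes": {
        "name": "gke-${var.cluster_name}-preempt-nodepool",
        "cluster": "${google_container_cluster.main_cluster.id}",
        "node_config": [{
            "machine_type": "${var.node_machine_type}",
            "image_type": "cos_containerd",
            "workload_metadata_config": [{"node_metadata": "GKE_METADATA_SERVER"}],
            "shielded_instance_config": [{"enable_secure_boot": True,
                                          "enable_integrity_monitoring": True}],
        }],
    }}},
]


def block(attrs: dict, key: str) -> dict | None:
    """First nested block `key`; HCL parsers emit nested blocks as lists."""
    val = attrs.get(key)
    if isinstance(val, list):
        return val[0] if val else None
    return val if isinstance(val, dict) else None


def iter_resources(resources: list, rtype: str) -> Iterator[tuple[str, dict]]:
    """Yield (name, attributes) for every resource of the given type."""
    for entry in resources:
        for name, attrs in entry.get(rtype, {}).items():
            yield name, attrs


def node_pools_for(resources: list, cluster_name: str, cluster_attrs: dict):
    """Node pools attached to the cluster, by resource reference or literal name."""
    literal_name = cluster_attrs.get("name")
    for pool_name, attrs in iter_resources(resources, "google_container_node_pool"):
        ref = str(attrs.get("cluster", ""))
        match = CLUSTER_REF.search(ref)
        by_reference = match is not None and match.group(1) == cluster_name
        by_literal = bool(literal_name) and "${" not in ref and ref == literal_name
        if by_reference or by_literal:
            yield pool_name, attrs


def effective_node_configs(resources: list, cluster_name: str, cluster_attrs: dict):
    """Every node_config governing the cluster: inline first, then attached pools."""
    configs = []
    inline = block(cluster_attrs, "node_config")
    if inline is not None:
        configs.append(("cluster", inline))
    for pool_name, attrs in node_pools_for(resources, cluster_name, cluster_attrs):
        cfg = block(attrs, "node_config")
        if cfg is not None:
            configs.append((f"node_pool.{pool_name}", cfg))
    return configs


def check_metadata_server(resources: list) -> dict[str, tuple[bool, str]]:
    """Per cluster: (passed, reason). Passes only if every applicable node_config
    sets workload_metadata_config.node_metadata = GKE_METADATA_SERVER."""
    results = {}
    for cname, cattrs in iter_resources(resources, "google_container_cluster"):
        configs = effective_node_configs(resources, cname, cattrs)
        if not configs:
            results[cname] = (False, "no node_config on the cluster or any attached node pool")
            continue
        failing = []
        for source, cfg in configs:
            wmc = block(cfg, "workload_metadata_config")
            if not wmc or wmc.get("node_metadata") != "GKE_METADATA_SERVER":
                failing.append(source)
        if failing:
            results[cname] = (False, "GKE metadata server not enabled in: " + ", ".join(failing))
        else:
            results[cname] = (True, "enabled in " + ", ".join(s for s, _ in configs))
    return results


if __name__ == "__main__":
    for cluster, (ok, why) in check_metadata_server(SAMPLE_RESOURCES).items():
        print(f"{'PASS' if ok else 'FAIL'} {cluster}: {why}")
```

Evaluating every applicable node_config rather than the first one found matters because a cluster can have several pools, and a single pool left on defaults is enough to undo the setting for the workloads scheduled there; the reason string names the offending source so the finding can be fixed in the right block.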

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io Thanks!

stale[bot] avatar Jun 26 '22 16:06 stale[bot]

Unstale

hazcod avatar Jun 26 '22 18:06 hazcod

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io Thanks!

stale[bot] avatar Dec 25 '22 08:12 stale[bot]

Unstale

hazcod avatar Dec 25 '22 09:12 hazcod

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io Thanks!

stale[bot] avatar Jun 23 '23 17:06 stale[bot]

Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: https://slack.bridgecrew.io Thanks!

stale[bot] avatar Jul 09 '23 14:07 stale[bot]