# Tag set shared by the benchmark and every control in this file: the
# mod-wide common tags (local.terraform_gcp_compliance_common_tags is
# defined elsewhere in the mod) plus a service marker for GKE.
locals {
kubernetes_compliance_common_tags = merge(local.terraform_gcp_compliance_common_tags, {
service = "GCP/Kubernetes"
})
}
# Top-level GKE benchmark. Every control declared below is listed here,
# in alphabetical order; keep the list in sync when adding a control,
# otherwise the new control is never run as part of this benchmark.
benchmark "kubernetes" {
title = "Kubernetes"
description = "This benchmark provides a set of controls that detect Terraform GCP Kubernetes Engine(GKE) resources deviating from security best practices."
children = [
control.kubernetes_cluster_alias_ip_range_enabled,
control.kubernetes_cluster_authenticator_group_configured,
control.kubernetes_cluster_auto_repair_enabled,
control.kubernetes_cluster_auto_upgrade_enabled,
control.kubernetes_cluster_binary_auth_enabled,
control.kubernetes_cluster_client_certificate_authentication_disabled,
control.kubernetes_cluster_control_plane_restrict_public_access,
control.kubernetes_cluster_cos_node_image,
control.kubernetes_cluster_intranodal_visibility_enabled,
control.kubernetes_cluster_legacy_abac_enabled,
control.kubernetes_cluster_legacy_endpoints_disabled,
control.kubernetes_cluster_master_authorized_network_enabled,
control.kubernetes_cluster_metadata_server_enabled,
control.kubernetes_cluster_network_policy_installed,
control.kubernetes_cluster_no_cluster_level_node_pool,
control.kubernetes_cluster_node_config_image_cos_containerd,
control.kubernetes_cluster_private_cluster_config_enabled,
control.kubernetes_cluster_release_channel_configured,
control.kubernetes_cluster_resource_label_configured,
control.kubernetes_cluster_shielded_node_integrity_monitoring_enabled,
control.kubernetes_cluster_shielded_node_secure_boot_enabled,
control.kubernetes_cluster_shielded_nodes_enabled,
control.kubernetes_cluster_stackdriver_logging_enabled,
control.kubernetes_cluster_stackdriver_monitoring_enabled
]
# type = "Benchmark" distinguishes this block from the controls, which
# carry only the common tags (plus a CFT Scorecard marker on some).
tags = merge(local.kubernetes_compliance_common_tags, {
type = "Benchmark"
})
}
# Private clusters keep worker nodes off public IP addresses, which removes
# a direct internet-facing surface. Tagged for the CFT Scorecard v1 rule set.
# The check itself lives in the referenced query, defined elsewhere in the mod.
control "kubernetes_cluster_private_cluster_config_enabled" {
  title = "Verify all GKE clusters are Private Clusters"
  query = query.kubernetes_cluster_private_cluster_config_enabled
  description = "This control checks that all GKE clusters are Private Clusters."
  tags = merge(local.kubernetes_compliance_common_tags, { cft_scorecard_v1 = "true" })
}
# Legacy ABAC grants coarse, cluster-wide permissions that bypass RBAC;
# it should stay disabled so RBAC is the only authorization mode.
# Tagged for the CFT Scorecard v1 rule set.
control "kubernetes_cluster_legacy_abac_enabled" {
  title = "Ensure Legacy Authorization is disabled on Kubernetes Engine Clusters"
  query = query.kubernetes_cluster_legacy_abac_enabled
  description = "This control checks that Legacy Authorization is disabled on Kubernetes Engine Clusters."
  tags = merge(local.kubernetes_compliance_common_tags, { cft_scorecard_v1 = "true" })
}
# The legacy metadata endpoints do not require the Metadata-Flavor header,
# which makes node credentials easier to reach from a compromised pod.
# Tagged for the CFT Scorecard v1 rule set.
control "kubernetes_cluster_legacy_endpoints_disabled" {
  title = "Check that legacy metadata endpoints are disabled on Kubernetes clusters(disabled by default since GKE 1.12+)"
  query = query.kubernetes_cluster_legacy_endpoints_disabled
  description = "This control checks that legacy metadata endpoints are disabled on Kubernetes clusters(disabled by default since GKE 1.12+)."
  tags = merge(local.kubernetes_compliance_common_tags, { cft_scorecard_v1 = "true" })
}
# Auto-repair replaces nodes that fail health checks, limiting how long a
# degraded or tampered node stays in service. Tagged for CFT Scorecard v1.
control "kubernetes_cluster_auto_repair_enabled" {
  title = "Ensure automatic node repair is enabled on all node pools in a GKE cluster"
  query = query.kubernetes_cluster_auto_repair_enabled
  description = "This control checks that automatic node repair is enabled on all node pools in a GKE cluster."
  tags = merge(local.kubernetes_compliance_common_tags, { cft_scorecard_v1 = "true" })
}
# Auto-upgrade keeps node pools on a patched Kubernetes version so known
# vulnerabilities are not left unaddressed. Tagged for CFT Scorecard v1.
control "kubernetes_cluster_auto_upgrade_enabled" {
  title = "Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes"
  query = query.kubernetes_cluster_auto_upgrade_enabled
  description = "This control checks that Engine Clusters nodes have automatic node upgrades enabled."
  tags = merge(local.kubernetes_compliance_common_tags, { cft_scorecard_v1 = "true" })
}
# Container-Optimized OS is a minimal, hardened node image. This control
# overlaps with kubernetes_cluster_cos_node_image (also in this benchmark);
# both are kept. Tagged for the CFT Scorecard v1 rule set.
control "kubernetes_cluster_node_config_image_cos_containerd" {
  title = "Ensure Container-Optimized OS (cos) is used for Kubernetes engine clusters"
  query = query.kubernetes_cluster_node_config_image_cos_containerd
  description = "This control checks that GKE clusters use Container-Optimized OS (cos) for Kubernetes engine clusters."
  tags = merge(local.kubernetes_compliance_common_tags, { cft_scorecard_v1 = "true" })
}
# Without network policy enforcement every pod can talk to every other pod;
# enabling it makes NetworkPolicy segmentation effective. Tagged for CFT Scorecard v1.
control "kubernetes_cluster_network_policy_installed" {
  title = "Check that GKE clusters have a Network Policy installed"
  query = query.kubernetes_cluster_network_policy_installed
  description = "This control checks that GKE clusters have a Network Policy installed."
  tags = merge(local.kubernetes_compliance_common_tags, { cft_scorecard_v1 = "true" })
}
# Cluster logging is the basis for detection and incident forensics;
# a cluster without it leaves no record to investigate.
control "kubernetes_cluster_stackdriver_logging_enabled" {
  title = "GKE clusters stackdriver logging should be enabled"
  query = query.kubernetes_cluster_stackdriver_logging_enabled
  description = "This control checks that GKE clusters stackdriver logging is enabled."
  tags = local.kubernetes_compliance_common_tags
}
# Shielded nodes give each node a verifiable, hardware-rooted identity so
# the control plane can reject nodes that do not attest correctly.
control "kubernetes_cluster_shielded_nodes_enabled" {
  title = "GKE clusters shielded nodes should be enabled"
  query = query.kubernetes_cluster_shielded_nodes_enabled
  description = "This control checks that GKE clusters shielded nodes is enabled."
  tags = local.kubernetes_compliance_common_tags
}
# Monitoring complements logging: metrics are what alerting on abnormal
# cluster behaviour is built on.
control "kubernetes_cluster_stackdriver_monitoring_enabled" {
  title = "GKE clusters stackdriver monitoring should be enabled"
  query = query.kubernetes_cluster_stackdriver_monitoring_enabled
  description = "This control checks that GKE clusters stackdriver monitoring is enabled."
  tags = local.kubernetes_compliance_common_tags
}
# The GKE metadata server sits between pods and the VM metadata service, so
# workloads cannot read the node service account's credentials directly.
control "kubernetes_cluster_metadata_server_enabled" {
  title = "GKE clusters GKE metadata server should be enabled"
  query = query.kubernetes_cluster_metadata_server_enabled
  description = "This control checks that GKE clusters GKE metadata server is enabled."
  tags = local.kubernetes_compliance_common_tags
}
# Master authorized networks limit which source address ranges may reach the
# control plane API endpoint instead of leaving it open to any client.
control "kubernetes_cluster_master_authorized_network_enabled" {
  title = "GKE clusters master authorized networks should be enabled"
  query = query.kubernetes_cluster_master_authorized_network_enabled
  description = "This control checks that GKE clusters master authorized networks is enabled."
  tags = local.kubernetes_compliance_common_tags
}
# Binding RBAC to a Google group rather than to individual accounts keeps
# access reviews and offboarding in one place.
control "kubernetes_cluster_authenticator_group_configured" {
  title = "GKE clusters authenticator group should be configured to manage RBAC users"
  query = query.kubernetes_cluster_authenticator_group_configured
  description = "This control checks that GKE clusters authenticator group is configured to manage RBAC users."
  tags = local.kubernetes_compliance_common_tags
}
# Resource labels support ownership attribution and inventory; this is
# a hygiene control rather than a direct hardening setting.
control "kubernetes_cluster_resource_label_configured" {
  title = "GKE clusters resource labels should be configured"
  query = query.kubernetes_cluster_resource_label_configured
  description = "This control checks that GKE clusters resource labels are configured."
  tags = local.kubernetes_compliance_common_tags
}
# Client certificates are long-lived credentials outside IAM; leaving them
# disabled keeps authentication on identities that can be audited and revoked.
control "kubernetes_cluster_client_certificate_authentication_disabled" {
  title = "GKE clusters client certificate authentication should be disabled"
  query = query.kubernetes_cluster_client_certificate_authentication_disabled
  description = "This control checks that GKE clusters client certificate authentication is disabled."
  tags = local.kubernetes_compliance_common_tags
}
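# Binary Authorization admits only images that carry the required
# attestations, closing off deployment of unreviewed images.
# Fix: the title read "client binary authorizationn" (stray "client",
# double "n"); the description carried the same stray word.
control "kubernetes_cluster_binary_auth_enabled" {
  title = "GKE clusters binary authorization should be enabled"
  description = "This control checks that GKE clusters binary authorization is enabled."
  query = query.kubernetes_cluster_binary_auth_enabled
  tags = local.kubernetes_compliance_common_tags
}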
# A release channel puts the cluster on a managed upgrade cadence, so it
# receives version and security updates without manual intervention.
control "kubernetes_cluster_release_channel_configured" {
  title = "GKE clusters release channel should be configured"
  query = query.kubernetes_cluster_release_channel_configured
  description = "This control checks that GKE clusters release channel is configured."
  tags = local.kubernetes_compliance_common_tags
}
# Alias IP ranges (VPC-native networking) give pods routable VPC addresses,
# so VPC firewall rules and flow logs apply to pod traffic; several other
# hardening features in this benchmark depend on it.
control "kubernetes_cluster_alias_ip_range_enabled" {
  title = "GKE clusters alias IP ranges should be enabled"
  query = query.kubernetes_cluster_alias_ip_range_enabled
  description = "This control checks that GKE clusters alias IP ranges is enabled."
  tags = local.kubernetes_compliance_common_tags
}
# Intranode visibility makes pod-to-pod traffic on the same node visible to
# VPC flow logs and firewall rules, closing a blind spot in network telemetry.
control "kubernetes_cluster_intranodal_visibility_enabled" {
  title = "GKE clusters intranodal visibility should be enabled"
  query = query.kubernetes_cluster_intranodal_visibility_enabled
  description = "This control checks that GKE clusters intranodal visibility is enabled."
  tags = local.kubernetes_compliance_common_tags
}
# A publicly reachable control plane endpoint is the highest-value target
# in the cluster; restricting it to private access removes that exposure.
control "kubernetes_cluster_control_plane_restrict_public_access" {
  title = "GKE clusters control plane should restrict public access"
  query = query.kubernetes_cluster_control_plane_restrict_public_access
  description = "This control checks that GKE clusters control plane restricts public access."
  tags = local.kubernetes_compliance_common_tags
}
# Secure boot verifies the node's boot chain signatures, so unsigned
# kernel-level components cannot load on the node.
control "kubernetes_cluster_shielded_node_secure_boot_enabled" {
  title = "GKE clusters secure boot should be enabled for shielded nodes"
  query = query.kubernetes_cluster_shielded_node_secure_boot_enabled
  description = "This control checks that GKE clusters secure boot is enabled for shielded nodes."
  tags = local.kubernetes_compliance_common_tags
}
# Integrity monitoring compares measured boot against a known baseline and
# surfaces deviations, giving an attestable signal that a node was altered.
control "kubernetes_cluster_shielded_node_integrity_monitoring_enabled" {
  title = "GKE clusters integrity monitoring should be enabled for shielded nodes"
  query = query.kubernetes_cluster_shielded_node_integrity_monitoring_enabled
  description = "This control checks that GKE clusters integrity monitoring is enabled for shielded nodes."
  tags = local.kubernetes_compliance_common_tags
}
# Container-Optimized OS is the minimal, hardened node image. Overlaps with
# kubernetes_cluster_node_config_image_cos_containerd, which is also in this
# benchmark; both are kept.
control "kubernetes_cluster_cos_node_image" {
  title = "GKE clusters should use Container-Optimized OS(cos) node image"
  query = query.kubernetes_cluster_cos_node_image
  description = "This control checks that GKE clusters use Container-Optimized OS(cos) node image."
  tags = local.kubernetes_compliance_common_tags
}
# Operational rather than hardening: node pools defined inline in the cluster
# resource cannot be changed without recreating the cluster, which makes
# routine patching and rollback harder.
control "kubernetes_cluster_no_cluster_level_node_pool" {
  title = "GKE clusters should not use cluster level node pool"
  query = query.kubernetes_cluster_no_cluster_level_node_pool
  description = "This control checks if GKE clusters use separate node pool resources since node pools defined in cluster configuration cannot be added or removed without recreating the cluster."
  tags = local.kubernetes_compliance_common_tags
}