Pod Security Policy Disabled

  • Query id: 9192e0f9-eca5-4056-9282-ae2a736a4088
  • Query name: Pod Security Policy Disabled
  • Platform: Terraform
  • Severity: High
  • Category: Insecure Configurations
  • URL: Github

Description

Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true
Documentation

Code samples

Code samples with security vulnerabilities

Postitive test num. 1 - tf file
#this is a problematic code where the query should report a result(s)
resource "google_container_cluster" "positive1" {
  name               = "marcellus-wallace"
  location           = "us-central1-a"
  initial_node_count = 3

  timeouts {
    create = "30m"
    update = "40m"
  }
}

resource "google_container_cluster" "positive2" {
  name               = "marcellus-wallace"
  location           = "us-central1-a"
  initial_node_count = 3
  pod_security_policy_config {
        enabled = false
  }

  timeouts {
    create = "30m"
    update = "40m"
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
#this code is a correct code for which the query should not find any result
resource "google_container_cluster" "negative1" {
  name               = "marcellus-wallace"
  location           = "us-central1-a"
  initial_node_count = 3
  pod_security_policy_config {
        enabled = "true"
  }

  timeouts {
    create = "30m"
    update = "40m"
  }
}