COS Node Image Not Used
- Query id: 8a893e46-e267-485a-8690-51f39951de58
- Query name: COS Node Image Not Used
- Platform: Terraform
- Severity: Medium
- Category: Insecure Configurations
- URL: Github
Description¶
The node image should be Container-Optimized OS(COS)
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "google_container_cluster" "positive1" {
name = "my-gke-cluster"
location = "us-central1"
remove_default_node_pool = true
initial_node_count = 1
}
resource "google_container_node_pool" "positive2" {
project = "gcp_project"
name = "primary-pool"
region = "us-west1"
cluster = google_container_cluster.primary.name
node_config {
image_type = "WINDOWS_LTSC"
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "google_container_cluster" "negative1" {
name = "my-gke-cluster"
location = "us-central1"
remove_default_node_pool = true
initial_node_count = 1
}
resource "google_container_node_pool" "negative2" {
project = "gcp_project"
name = "primary-pool"
region = "us-west1"
cluster = google_container_cluster.primary.name
node_config {
image_type = "COS"
}
}
resource "google_container_node_pool" "negative3" {
project = "gcp_project"
name = "primary-pool2"
region = "us-west1"
cluster = google_container_cluster.primary.name
}
resource "google_container_node_pool" "negative4" {
project = "gcp_project"
name = "primary-pool2"
region = "us-west1"
cluster = google_container_cluster.primary.name
node_config {
image_type = "COS_CONTAINERD"
}
}