GKE Using Default Service Account
- Query id: 1c8eef02-17b1-4a3e-b01d-dcc3292d2c38
- Query name: GKE Using Default Service Account
- Platform: Terraform
- Severity: Medium
- Category: Insecure Defaults
- CWE: Ongoing
- URL: Github
Description
Kubernetes Engine clusters should not be configured to use the default service account. When `node_config.service_account` is left unset, the nodes run as the Compute Engine default service account, which has historically been granted the project-wide Editor role. Together with the `cloud-platform` OAuth scope used in the samples below, that lets any workload on the node, or an attacker who gains code execution on it, fetch a token from the node metadata server that carries broad rights over the whole project. Create a dedicated service account with only the roles the nodes need, and set it in `node_config.service_account` on the cluster and on every `google_container_node_pool`, since a pool that omits it falls back to the default account.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
```tf
# Flagged: node_config has no service_account, so the nodes run as the
# Compute Engine default service account.
resource "google_container_cluster" "positive1" {
  name                     = "my-gke-cluster"
  location                 = "us-central1"
  remove_default_node_pool = true
  initial_node_count       = 1

  node_config {
    oauth_scopes = [
      "https://www.googleapis.com/auth/cloud-platform"
    ]
    labels = {
      foo = "bar"
    }
    tags = ["foo", "bar"]
  }

  timeouts {
    create = "30m"
    update = "40m"
  }
}
```
Positive test num. 2 - tf file
```tf
# Flagged: service_account is set, but it points at a service account
# resource labelled "default", which the query treats as the default
# service account.
resource "google_container_cluster" "positive2" {
  name                     = "my-gke-cluster"
  location                 = "us-central1"
  remove_default_node_pool = true
  initial_node_count       = 1

  node_config {
    service_account = google_service_account.default.email
    oauth_scopes = [
      "https://www.googleapis.com/auth/cloud-platform"
    ]
    labels = {
      foo = "bar"
    }
    tags = ["foo", "bar"]
  }

  timeouts {
    create = "30m"
    update = "40m"
  }
}
```
Note that this sample is matched on the name of the referenced resource, not on the resolved account email. To pass the check, point `service_account` at a dedicated account whose Terraform label is not `default`, and confirm separately that the account does not carry project-wide roles such as Editor.
Code samples without security vulnerabilities
Negative test num. 1 - tf file
```tf
# Not flagged: the nodes run as a dedicated service account declared
# elsewhere as google_service_account.myserviceaccount.
resource "google_container_cluster" "negative1" {
  name                     = "my-gke-cluster"
  location                 = "us-central1"
  remove_default_node_pool = true
  initial_node_count       = 1

  node_config {
    service_account = google_service_account.myserviceaccount.email
    oauth_scopes = [
      "https://www.googleapis.com/auth/cloud-platform"
    ]
    labels = {
      foo = "bar"
    }
    tags = ["foo", "bar"]
  }

  timeouts {
    create = "30m"
    update = "40m"
  }
}
```
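The negative sample only shows the cluster resource; the account it references has to be created and scoped down, and any separately managed node pool has to reference it as well. The following is an added example written for this page, not one of the KICS query fixtures. It assumes the `hashicorp/google` provider, a placeholder project ID and region, and the node-agent roles Google recommends for a least-privilege node service account; resource names are illustrative.

```hcl
# Added example (not a KICS fixture): a dedicated, least-privilege node
# service account used by both the cluster and an explicitly managed
# node pool. Project ID, region and resource names are placeholders.

variable "project_id" {
  type    = string
  default = "my-project" # placeholder
}

resource "google_service_account" "gke_nodes" {
  account_id   = "gke-node-sa"
  display_name = "GKE node service account"
  project      = var.project_id
}

# Only what the node agents need: ship logs and metrics, pull images.
# No Editor or Owner on the project.
locals {
  node_sa_roles = [
    "roles/logging.logWriter",
    "roles/monitoring.metricWriter",
    "roles/monitoring.viewer",
    "roles/stackdriver.resourceMetadata.writer",
    "roles/artifactregistry.reader",
  ]
}

resource "google_project_iam_member" "node_sa" {
  for_each = toset(local.node_sa_roles)
  project  = var.project_id
  role     = each.value
  member   = "serviceAccount:${google_service_account.gke_nodes.email}"
}

resource "google_container_cluster" "hardened" {
  name     = "my-gke-cluster"
  location = "us-central1"
  project  = var.project_id

  # The default pool is deleted right after creation, so this node_config
  # only covers that short-lived pool; the real pool is declared below.
  remove_default_node_pool = true
  initial_node_count       = 1

  node_config {
    service_account = google_service_account.gke_nodes.email
    oauth_scopes    = ["https://www.googleapis.com/auth/cloud-platform"]
  }

  # Lets pods call Google APIs as their own Kubernetes service accounts
  # instead of borrowing the node identity.
  workload_identity_config {
    workload_pool = "${var.project_id}.svc.id.goog"
  }
}

# Every explicitly managed pool must set service_account too; a pool
# that omits it silently falls back to the Compute Engine default.
resource "google_container_node_pool" "primary" {
  name       = "primary"
  location   = "us-central1"
  cluster    = google_container_cluster.hardened.name
  project    = var.project_id
  node_count = 1

  node_config {
    service_account = google_service_account.gke_nodes.email
    oauth_scopes    = ["https://www.googleapis.com/auth/cloud-platform"]

    # Keep pods from reading node metadata (including the node SA token)
    # directly; they must go through Workload Identity instead.
    workload_metadata_config {
      mode = "GKE_METADATA"
    }
  }
}
```

The `cloud-platform` scope is kept on purpose: OAuth scopes are a legacy control, and Google's guidance is to leave the scope broad and restrict what the node can do through the IAM roles bound to the dedicated account. On an existing cluster, `gcloud container node-pools describe POOL --cluster CLUSTER --region REGION --format='value(config.serviceAccount)'` shows which account a pool actually uses; an address of the form `PROJECT_NUMBER-compute@developer.gserviceaccount.com` means that pool is still on the default account regardless of what the cluster resource says.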