Beta - TKE Cluster Has Public Access
- Query id: df6928ed-02f4-421f-9a67-a529860dd7e7
- Query name: Beta - TKE Cluster Has Public Access
- Platform: Terraform
- Severity: Medium
- Category: Insecure Configurations
- CWE: Ongoing
- URL: Github
Description¶
TKE Cluster 'public_ip_assigned' should be set to false
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
locals {
first_vpc_id = data.tencentcloud_vpc_subnets.vpc_one.instance_list.0.vpc_id
first_subnet_id = data.tencentcloud_vpc_subnets.vpc_one.instance_list.0.subnet_id
second_vpc_id = data.tencentcloud_vpc_subnets.vpc_two.instance_list.0.vpc_id
second_subnet_id = data.tencentcloud_vpc_subnets.vpc_two.instance_list.0.subnet_id
sg_id = tencentcloud_security_group.sg.id
image_id = data.tencentcloud_images.default.image_id
}
data "tencentcloud_vpc_subnets" "vpc_one" {
is_default = true
availability_zone = "ap-guangzhou-3"
}
data "tencentcloud_vpc_subnets" "vpc_two" {
is_default = true
availability_zone = "ap-guangzhou-4"
}
resource "tencentcloud_security_group" "sg" {
name = "tf-example-sg"
}
resource "tencentcloud_security_group_lite_rule" "sg_rule" {
security_group_id = tencentcloud_security_group.sg.id
ingress = [
"ACCEPT#10.0.0.0/16#ALL#ALL",
"ACCEPT#172.16.0.0/22#ALL#ALL",
"DROP#0.0.0.0/0#ALL#ALL",
]
egress = [
"ACCEPT#172.16.0.0/22#ALL#ALL",
]
}
data "tencentcloud_images" "default" {
image_type = ["PUBLIC_IMAGE"]
image_name_regex = "Final"
}
resource "tencentcloud_kubernetes_cluster" "example" {
vpc_id = local.first_vpc_id
cluster_cidr = "10.31.0.0/16"
cluster_max_pod_num = 32
cluster_name = "tf_example_cluster"
cluster_desc = "example for tke cluster"
cluster_max_service_num = 32
cluster_internet = true
cluster_internet_security_group = local.sg_id
cluster_version = "1.22.5"
cluster_deploy_type = "MANAGED_CLUSTER"
master_config {
count = 1
availability_zone = "ap-guangzhou-3"
instance_type = "SA2.2XLARGE16"
system_disk_type = "CLOUD_SSD"
system_disk_size = 60
internet_charge_type = "TRAFFIC_POSTPAID_BY_HOUR"
internet_max_bandwidth_out = 100
public_ip_assigned = true
subnet_id = local.first_subnet_id
img_id = local.image_id
data_disk {
disk_type = "CLOUD_PREMIUM"
disk_size = 50
}
enhanced_security_service = false
enhanced_monitor_service = false
}
worker_config {
count = 1
availability_zone = "ap-guangzhou-4"
instance_type = "SA2.2XLARGE16"
system_disk_type = "CLOUD_SSD"
system_disk_size = 60
internet_charge_type = "TRAFFIC_POSTPAID_BY_HOUR"
internet_max_bandwidth_out = 100
public_ip_assigned = true
subnet_id = local.second_subnet_id
data_disk {
disk_type = "CLOUD_PREMIUM"
disk_size = 50
}
enhanced_security_service = false
enhanced_monitor_service = false
cam_role_name = "CVM_QcsRole"
}
labels = {
"test1" = "test1",
"test2" = "test2",
}
}
Positive test num. 2 - tf file
locals {
first_vpc_id = data.tencentcloud_vpc_subnets.vpc_one.instance_list.0.vpc_id
first_subnet_id = data.tencentcloud_vpc_subnets.vpc_one.instance_list.0.subnet_id
second_vpc_id = data.tencentcloud_vpc_subnets.vpc_two.instance_list.0.vpc_id
second_subnet_id = data.tencentcloud_vpc_subnets.vpc_two.instance_list.0.subnet_id
sg_id = tencentcloud_security_group.sg.id
image_id = data.tencentcloud_images.default.image_id
}
data "tencentcloud_vpc_subnets" "vpc_one" {
is_default = true
availability_zone = "ap-guangzhou-3"
}
data "tencentcloud_vpc_subnets" "vpc_two" {
is_default = true
availability_zone = "ap-guangzhou-4"
}
resource "tencentcloud_security_group" "sg" {
name = "tf-example-sg"
}
resource "tencentcloud_security_group_lite_rule" "sg_rule" {
security_group_id = tencentcloud_security_group.sg.id
ingress = [
"ACCEPT#10.0.0.0/16#ALL#ALL",
"ACCEPT#172.16.0.0/22#ALL#ALL",
"DROP#0.0.0.0/0#ALL#ALL",
]
egress = [
"ACCEPT#172.16.0.0/22#ALL#ALL",
]
}
data "tencentcloud_images" "default" {
image_type = ["PUBLIC_IMAGE"]
image_name_regex = "Final"
}
resource "tencentcloud_kubernetes_cluster" "example" {
vpc_id = local.first_vpc_id
cluster_cidr = "10.31.0.0/16"
cluster_max_pod_num = 32
cluster_name = "tf_example_cluster"
cluster_desc = "example for tke cluster"
cluster_max_service_num = 32
cluster_internet = true
cluster_internet_security_group = local.sg_id
cluster_version = "1.22.5"
cluster_deploy_type = "MANAGED_CLUSTER"
master_config {
count = 1
availability_zone = "ap-guangzhou-3"
instance_type = "SA2.2XLARGE16"
system_disk_type = "CLOUD_SSD"
system_disk_size = 60
internet_charge_type = "TRAFFIC_POSTPAID_BY_HOUR"
internet_max_bandwidth_out = 100
subnet_id = local.first_subnet_id
img_id = local.image_id
data_disk {
disk_type = "CLOUD_PREMIUM"
disk_size = 50
}
enhanced_security_service = false
enhanced_monitor_service = false
user_data = "dGVzdA=="
}
worker_config {
count = 1
availability_zone = "ap-guangzhou-4"
instance_type = "SA2.2XLARGE16"
system_disk_type = "CLOUD_SSD"
system_disk_size = 60
internet_charge_type = "TRAFFIC_POSTPAID_BY_HOUR"
internet_max_bandwidth_out = 100
subnet_id = local.second_subnet_id
data_disk {
disk_type = "CLOUD_PREMIUM"
disk_size = 50
}
enhanced_security_service = false
enhanced_monitor_service = false
cam_role_name = "CVM_QcsRole"
}
labels = {
"test1" = "test1",
"test2" = "test2",
}
}
Positive test num. 3 - tf file
locals {
first_vpc_id = data.tencentcloud_vpc_subnets.vpc_one.instance_list.0.vpc_id
first_subnet_id = data.tencentcloud_vpc_subnets.vpc_one.instance_list.0.subnet_id
second_vpc_id = data.tencentcloud_vpc_subnets.vpc_two.instance_list.0.vpc_id
second_subnet_id = data.tencentcloud_vpc_subnets.vpc_two.instance_list.0.subnet_id
sg_id = tencentcloud_security_group.sg.id
image_id = data.tencentcloud_images.default.image_id
}
data "tencentcloud_vpc_subnets" "vpc_one" {
is_default = true
availability_zone = "ap-guangzhou-3"
}
data "tencentcloud_vpc_subnets" "vpc_two" {
is_default = true
availability_zone = "ap-guangzhou-4"
}
resource "tencentcloud_security_group" "sg" {
name = "tf-example-sg"
}
resource "tencentcloud_security_group_lite_rule" "sg_rule" {
security_group_id = tencentcloud_security_group.sg.id
ingress = [
"ACCEPT#10.0.0.0/16#ALL#ALL",
"ACCEPT#172.16.0.0/22#ALL#ALL",
"DROP#0.0.0.0/0#ALL#ALL",
]
egress = [
"ACCEPT#172.16.0.0/22#ALL#ALL",
]
}
data "tencentcloud_images" "default" {
image_type = ["PUBLIC_IMAGE"]
image_name_regex = "Final"
}
resource "tencentcloud_kubernetes_cluster" "example" {
vpc_id = local.first_vpc_id
cluster_cidr = "10.31.0.0/16"
cluster_max_pod_num = 32
cluster_name = "tf_example_cluster"
cluster_desc = "example for tke cluster"
cluster_max_service_num = 32
cluster_internet = true
cluster_internet_security_group = local.sg_id
cluster_version = "1.22.5"
cluster_deploy_type = "MANAGED_CLUSTER"
master_config {
count = 1
availability_zone = "ap-guangzhou-3"
instance_type = "SA2.2XLARGE16"
system_disk_type = "CLOUD_SSD"
system_disk_size = 60
internet_charge_type = "TRAFFIC_POSTPAID_BY_HOUR"
internet_max_bandwidth_out = 100
public_ip_assigned = true
subnet_id = local.first_subnet_id
img_id = local.image_id
data_disk {
disk_type = "CLOUD_PREMIUM"
disk_size = 50
}
enhanced_security_service = false
enhanced_monitor_service = false
}
master_config {
count = 1
availability_zone = "ap-guangzhou-3"
instance_type = "SA2.2XLARGE16"
system_disk_type = "CLOUD_SSD"
system_disk_size = 60
internet_charge_type = "TRAFFIC_POSTPAID_BY_HOUR"
internet_max_bandwidth_out = 100
public_ip_assigned = true
subnet_id = local.first_subnet_id
img_id = local.image_id
data_disk {
disk_type = "CLOUD_PREMIUM"
disk_size = 50
}
enhanced_security_service = false
enhanced_monitor_service = false
}
worker_config {
count = 1
availability_zone = "ap-guangzhou-4"
instance_type = "SA2.2XLARGE16"
system_disk_type = "CLOUD_SSD"
system_disk_size = 60
internet_charge_type = "TRAFFIC_POSTPAID_BY_HOUR"
internet_max_bandwidth_out = 100
public_ip_assigned = true
subnet_id = local.second_subnet_id
data_disk {
disk_type = "CLOUD_PREMIUM"
disk_size = 50
}
enhanced_security_service = false
enhanced_monitor_service = false
cam_role_name = "CVM_QcsRole"
}
worker_config {
count = 1
availability_zone = "ap-guangzhou-4"
instance_type = "SA2.2XLARGE16"
system_disk_type = "CLOUD_SSD"
system_disk_size = 60
internet_charge_type = "TRAFFIC_POSTPAID_BY_HOUR"
internet_max_bandwidth_out = 100
public_ip_assigned = true
subnet_id = local.second_subnet_id
data_disk {
disk_type = "CLOUD_PREMIUM"
disk_size = 50
}
enhanced_security_service = false
enhanced_monitor_service = false
cam_role_name = "CVM_QcsRole"
}
labels = {
"test1" = "test1",
"test2" = "test2",
}
}
Positive test num. 4 - tf file
locals {
first_vpc_id = data.tencentcloud_vpc_subnets.vpc_one.instance_list.0.vpc_id
first_subnet_id = data.tencentcloud_vpc_subnets.vpc_one.instance_list.0.subnet_id
second_vpc_id = data.tencentcloud_vpc_subnets.vpc_two.instance_list.0.vpc_id
second_subnet_id = data.tencentcloud_vpc_subnets.vpc_two.instance_list.0.subnet_id
sg_id = tencentcloud_security_group.sg.id
image_id = data.tencentcloud_images.default.image_id
}
data "tencentcloud_vpc_subnets" "vpc_one" {
is_default = true
availability_zone = "ap-guangzhou-3"
}
data "tencentcloud_vpc_subnets" "vpc_two" {
is_default = true
availability_zone = "ap-guangzhou-4"
}
resource "tencentcloud_security_group" "sg" {
name = "tf-example-sg"
}
resource "tencentcloud_security_group_lite_rule" "sg_rule" {
security_group_id = tencentcloud_security_group.sg.id
ingress = [
"ACCEPT#10.0.0.0/16#ALL#ALL",
"ACCEPT#172.16.0.0/22#ALL#ALL",
"DROP#0.0.0.0/0#ALL#ALL",
]
egress = [
"ACCEPT#172.16.0.0/22#ALL#ALL",
]
}
data "tencentcloud_images" "default" {
image_type = ["PUBLIC_IMAGE"]
image_name_regex = "Final"
}
resource "tencentcloud_kubernetes_cluster" "example" {
vpc_id = local.first_vpc_id
cluster_cidr = "10.31.0.0/16"
cluster_max_pod_num = 32
cluster_name = "tf_example_cluster"
cluster_desc = "example for tke cluster"
cluster_max_service_num = 32
cluster_internet = true
cluster_internet_security_group = local.sg_id
cluster_version = "1.22.5"
cluster_deploy_type = "MANAGED_CLUSTER"
master_config {
count = 1
availability_zone = "ap-guangzhou-3"
instance_type = "SA2.2XLARGE16"
system_disk_type = "CLOUD_SSD"
system_disk_size = 60
internet_charge_type = "TRAFFIC_POSTPAID_BY_HOUR"
internet_max_bandwidth_out = 100
subnet_id = local.first_subnet_id
img_id = local.image_id
data_disk {
disk_type = "CLOUD_PREMIUM"
disk_size = 50
}
enhanced_security_service = false
enhanced_monitor_service = false
user_data = "dGVzdA=="
}
master_config {
count = 1
availability_zone = "ap-guangzhou-3"
instance_type = "SA2.2XLARGE16"
system_disk_type = "CLOUD_SSD"
system_disk_size = 60
internet_charge_type = "TRAFFIC_POSTPAID_BY_HOUR"
internet_max_bandwidth_out = 100
subnet_id = local.first_subnet_id
img_id = local.image_id
data_disk {
disk_type = "CLOUD_PREMIUM"
disk_size = 50
}
enhanced_security_service = false
enhanced_monitor_service = false
user_data = "dGVzdA=="
}
worker_config {
count = 1
availability_zone = "ap-guangzhou-4"
instance_type = "SA2.2XLARGE16"
system_disk_type = "CLOUD_SSD"
system_disk_size = 60
internet_charge_type = "TRAFFIC_POSTPAID_BY_HOUR"
internet_max_bandwidth_out = 100
subnet_id = local.second_subnet_id
data_disk {
disk_type = "CLOUD_PREMIUM"
disk_size = 50
}
enhanced_security_service = false
enhanced_monitor_service = false
cam_role_name = "CVM_QcsRole"
}
worker_config {
count = 1
availability_zone = "ap-guangzhou-4"
instance_type = "SA2.2XLARGE16"
system_disk_type = "CLOUD_SSD"
system_disk_size = 60
internet_charge_type = "TRAFFIC_POSTPAID_BY_HOUR"
internet_max_bandwidth_out = 100
subnet_id = local.second_subnet_id
data_disk {
disk_type = "CLOUD_PREMIUM"
disk_size = 50
}
enhanced_security_service = false
enhanced_monitor_service = false
cam_role_name = "CVM_QcsRole"
}
labels = {
"test1" = "test1",
"test2" = "test2",
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
locals {
first_vpc_id = data.tencentcloud_vpc_subnets.vpc_one.instance_list.0.vpc_id
first_subnet_id = data.tencentcloud_vpc_subnets.vpc_one.instance_list.0.subnet_id
second_vpc_id = data.tencentcloud_vpc_subnets.vpc_two.instance_list.0.vpc_id
second_subnet_id = data.tencentcloud_vpc_subnets.vpc_two.instance_list.0.subnet_id
sg_id = tencentcloud_security_group.sg.id
image_id = data.tencentcloud_images.default.image_id
}
data "tencentcloud_vpc_subnets" "vpc_one" {
is_default = true
availability_zone = "ap-guangzhou-3"
}
data "tencentcloud_vpc_subnets" "vpc_two" {
is_default = true
availability_zone = "ap-guangzhou-4"
}
resource "tencentcloud_security_group" "sg" {
name = "tf-example-sg"
}
resource "tencentcloud_security_group_lite_rule" "sg_rule" {
security_group_id = tencentcloud_security_group.sg.id
ingress = [
"ACCEPT#10.0.0.0/16#ALL#ALL",
"ACCEPT#172.16.0.0/22#ALL#ALL",
"DROP#0.0.0.0/0#ALL#ALL",
]
egress = [
"ACCEPT#172.16.0.0/22#ALL#ALL",
]
}
data "tencentcloud_images" "default" {
image_type = ["PUBLIC_IMAGE"]
image_name_regex = "Final"
}
resource "tencentcloud_kubernetes_cluster" "example" {
vpc_id = local.first_vpc_id
cluster_cidr = "10.31.0.0/16"
cluster_max_pod_num = 32
cluster_name = "tf_example_cluster"
cluster_desc = "example for tke cluster"
cluster_max_service_num = 32
cluster_internet = false
cluster_internet_security_group = local.sg_id
cluster_version = "1.22.5"
cluster_deploy_type = "MANAGED_CLUSTER"
master_config {
count = 1
availability_zone = "ap-guangzhou-3"
instance_type = "SA2.2XLARGE16"
system_disk_type = "CLOUD_SSD"
system_disk_size = 60
subnet_id = local.first_subnet_id
img_id = local.image_id
data_disk {
disk_type = "CLOUD_PREMIUM"
disk_size = 50
}
enhanced_security_service = false
enhanced_monitor_service = false
}
worker_config {
count = 1
availability_zone = "ap-guangzhou-4"
instance_type = "SA2.2XLARGE16"
system_disk_type = "CLOUD_SSD"
system_disk_size = 60
subnet_id = local.second_subnet_id
data_disk {
disk_type = "CLOUD_PREMIUM"
disk_size = 50
}
enhanced_security_service = false
enhanced_monitor_service = false
cam_role_name = "CVM_QcsRole"
}
labels = {
"test1" = "test1",
"test2" = "test2",
}
}
Negative test num. 2 - tf file
locals {
first_vpc_id = data.tencentcloud_vpc_subnets.vpc_one.instance_list.0.vpc_id
first_subnet_id = data.tencentcloud_vpc_subnets.vpc_one.instance_list.0.subnet_id
second_vpc_id = data.tencentcloud_vpc_subnets.vpc_two.instance_list.0.vpc_id
second_subnet_id = data.tencentcloud_vpc_subnets.vpc_two.instance_list.0.subnet_id
sg_id = tencentcloud_security_group.sg.id
image_id = data.tencentcloud_images.default.image_id
}
data "tencentcloud_vpc_subnets" "vpc_one" {
is_default = true
availability_zone = "ap-guangzhou-3"
}
data "tencentcloud_vpc_subnets" "vpc_two" {
is_default = true
availability_zone = "ap-guangzhou-4"
}
resource "tencentcloud_security_group" "sg" {
name = "tf-example-sg"
}
resource "tencentcloud_security_group_lite_rule" "sg_rule" {
security_group_id = tencentcloud_security_group.sg.id
ingress = [
"ACCEPT#10.0.0.0/16#ALL#ALL",
"ACCEPT#172.16.0.0/22#ALL#ALL",
"DROP#0.0.0.0/0#ALL#ALL",
]
egress = [
"ACCEPT#172.16.0.0/22#ALL#ALL",
]
}
data "tencentcloud_images" "default" {
image_type = ["PUBLIC_IMAGE"]
image_name_regex = "Final"
}
resource "tencentcloud_kubernetes_cluster" "example" {
vpc_id = local.first_vpc_id
cluster_cidr = "10.31.0.0/16"
cluster_max_pod_num = 32
cluster_name = "tf_example_cluster"
cluster_desc = "example for tke cluster"
cluster_max_service_num = 32
cluster_internet = false
cluster_internet_security_group = local.sg_id
cluster_version = "1.22.5"
cluster_deploy_type = "MANAGED_CLUSTER"
master_config {
count = 1
availability_zone = "ap-guangzhou-3"
instance_type = "SA2.2XLARGE16"
system_disk_type = "CLOUD_SSD"
system_disk_size = 60
public_ip_assigned = false
subnet_id = local.first_subnet_id
img_id = local.image_id
data_disk {
disk_type = "CLOUD_PREMIUM"
disk_size = 50
}
enhanced_security_service = false
enhanced_monitor_service = false
}
worker_config {
count = 1
availability_zone = "ap-guangzhou-4"
instance_type = "SA2.2XLARGE16"
system_disk_type = "CLOUD_SSD"
system_disk_size = 60
public_ip_assigned = false
subnet_id = local.second_subnet_id
data_disk {
disk_type = "CLOUD_PREMIUM"
disk_size = 50
}
enhanced_security_service = false
enhanced_monitor_service = false
cam_role_name = "CVM_QcsRole"
}
labels = {
"test1" = "test1",
"test2" = "test2",
}
}