GKE Legacy Authorization Enabled
- Query id: 300a9964-b086-41f7-9378-b6de3ba1c32b
- Query name: GKE Legacy Authorization Enabled
- Platform: Ansible
- Severity: High
- Category: Insecure Configurations
- CWE: 284
- URL: Github
Description¶
Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
#this is a problematic code where the query should report a result(s)
- name: create a cluster
google.cloud.gcp_container_cluster:
name: my-cluster
initial_node_count: 2
master_auth:
username: cluster_admin
password: my-secret-password
node_config:
machine_type: n1-standard-4
disk_size_gb: 500
location: us-central1-a
project: test_project
auth_kind: serviceaccount
service_account_file: "/tmp/auth.pem"
state: present
legacy_abac:
enabled: yes
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
#this code is a correct code for which the query should not find any result
- name: create a cluster
google.cloud.gcp_container_cluster:
name: my-cluster
initial_node_count: 2
master_auth:
username: cluster_admin
password: my-secret-password
node_config:
machine_type: n1-standard-4
disk_size_gb: 500
location: us-central1-a
project: test_project
auth_kind: serviceaccount
service_account_file: /tmp/auth.pem
state: present
legacy_abac:
enabled: no