Google Container Node Pool Auto Repair Disabled

  • Query id: d58c6f24-3763-4269-9f5b-86b2569a003b
  • Query name: Google Container Node Pool Auto Repair Disabled
  • Platform: Ansible
  • Severity: Medium
  • Category: Insecure Configurations
  • CWE: 693
  • URL: Github

Description

Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
---
- name: create a node pool
  google.cloud.gcp_container_node_pool:
    name: my-pool
    initial_node_count: 4
    cluster: "{{ cluster }}"
    location: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    management:
      auto_repair: no

- name: create a node pool2
  google.cloud.gcp_container_node_pool:
    name: my-pool
    initial_node_count: 4
    cluster: "{{ cluster }}"
    location: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    management:
      auto_repair: false

- name: create a node pool3
  google.cloud.gcp_container_node_pool:
    name: my-pool
    initial_node_count: 4
    cluster: "{{ cluster }}"
    location: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: create a node pool
  google.cloud.gcp_container_node_pool:
    name: my-pool
    initial_node_count: 4
    cluster: '{{ cluster }}'
    location: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: /tmp/auth.pem
    state: present
    management:
      auto_repair: yes

- name: create a node pool
  google.cloud.gcp_container_node_pool:
    name: my-pool
    initial_node_count: 4
    cluster: '{{ cluster }}'
    location: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: /tmp/auth.pem
    state: present
    management:
      auto_repair: true