Network Policy Disabled
- Query id: 11e7550e-c4b6-472e-adff-c698f157cdd7
- Query name: Network Policy Disabled
- Platform: Terraform
- Severity: Medium
- Category: Insecure Configurations
- CWE: 1188
- URL: Github
Description
GKE clusters (`google_container_cluster`) must have Kubernetes Network Policy enforcement turned on. Two settings have to agree for that to hold: the attribute `network_policy.enabled` must be `true` and the attribute `addons_config.network_policy_config.disabled` must be `false`. A cluster with either attribute missing, or either set to the wrong value, is reported; as the positive samples below show, enabling one half without the other still leaves the cluster without enforcement. Without Network Policy, every pod can reach every other pod in the cluster, so a single compromised workload can talk to anything running there. Clusters that use GKE Dataplane V2 enforce network policy natively rather than through this add-on, so a cluster configured that way is not described by the two attributes above and needs to be reviewed separately.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file

```tf
# This is problematic code for which the query should report a result.
# positive1 and positive2: network_policy is enabled, but addons_config (and so
# network_policy_config) is absent.
resource "google_container_cluster" "positive1" {
  name               = "marcellus-wallace"
  location           = "us-central1-a"
  initial_node_count = 3
  network_policy {
    enabled = true
  }
  timeouts {
    create = "30m"
    update = "40m"
  }
}

resource "google_container_cluster" "positive2" {
  name               = "marcellus-wallace"
  location           = "us-central1-a"
  initial_node_count = 3
  network_policy {
    enabled = true
  }
  timeouts {
    create = "30m"
    update = "40m"
  }
}

# positive3: neither network_policy nor addons_config is set at all.
resource "google_container_cluster" "positive3" {
  name               = "marcellus-wallace"
  location           = "us-central1-a"
  initial_node_count = 3
  timeouts {
    create = "30m"
    update = "40m"
  }
}

# positive4: addons_config is present but has no network_policy_config block.
resource "google_container_cluster" "positive4" {
  name               = "marcellus-wallace"
  location           = "us-central1-a"
  initial_node_count = 3
  network_policy {
    enabled = true
  }
  addons_config {
  }
  timeouts {
    create = "30m"
    update = "40m"
  }
}

# positive5: the add-on is not disabled, but network_policy.enabled is false.
resource "google_container_cluster" "positive5" {
  name               = "marcellus-wallace"
  location           = "us-central1-a"
  initial_node_count = 3
  network_policy {
    enabled = false
  }
  addons_config {
    network_policy_config {
      disabled = false
    }
  }
  timeouts {
    create = "30m"
    update = "40m"
  }
}

# positive6: network_policy.enabled is true, but the add-on is disabled.
resource "google_container_cluster" "positive6" {
  name               = "marcellus-wallace"
  location           = "us-central1-a"
  initial_node_count = 3
  network_policy {
    enabled = true
  }
  addons_config {
    network_policy_config {
      disabled = true
    }
  }
  timeouts {
    create = "30m"
    update = "40m"
  }
}
```
Code samples without security vulnerabilities
Negative test num. 1 - tf file

```tf
# This is correct code for which the query should not find any result:
# network_policy.enabled is true AND network_policy_config.disabled is false.
resource "google_container_cluster" "negative1" {
  name               = "marcellus-wallace"
  location           = "us-central1-a"
  initial_node_count = 3
  network_policy {
    enabled = true
  }
  addons_config {
    network_policy_config {
      disabled = false
    }
  }
  networking_mode = "VPC_NATIVE"
  timeouts {
    create = "30m"
    update = "40m"
  }
}
```