Beta - TKE Cluster Log Agent Is Not Enabled

  • Query id: fe405074-7e18-40f9-9aef-024aa1d0a889
  • Query name: Beta - TKE Cluster Log Agent Is Not Enabled
  • Platform: Terraform
  • Severity: Low
  • Category: Observability
  • CWE: 778
  • URL: Github

Description

TKE cluster log agent should be enabled
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "tencentcloud_vpc" "vpc" {
  name       = "vpc"
  cidr_block = "10.0.0.0/16"
}

resource "tencentcloud_kubernetes_cluster" "managed_cluster" {
  vpc_id                  = tencentcloud_vpc.vpc.id
  cluster_max_pod_num     = 32
  cluster_name            = "test"
  cluster_desc            = "test cluster desc"
  cluster_max_service_num = 256
  cluster_internet        = true
  cluster_deploy_type     = "MANAGED_CLUSTER"
  network_type            = "VPC-CNI"
  eni_subnet_ids          = ["subnet-bk1etlyu"]
  service_cidr            = "10.1.0.0/24"

  worker_config {
    count                      = 1
    availability_zone          = "ap-guangzhou-7"
    instance_type              = "S2.LARGE16"
    system_disk_type           = "CLOUD_PREMIUM"
    system_disk_size           = 60
    internet_charge_type       = "TRAFFIC_POSTPAID_BY_HOUR"
    internet_max_bandwidth_out = 100
    public_ip_assigned         = true
    subnet_id                  = "subnet-t5dv27rs"

    data_disk {
      disk_type = "CLOUD_PREMIUM"
      disk_size = 50
    }

    enhanced_security_service = false
    enhanced_monitor_service  = false
  }

  log_agent {
    enabled = false
  }

  labels = {
    "test1" = "test1",
    "test2" = "test2",
  }
}
Positive test num. 2 - tf file
resource "tencentcloud_vpc" "vpc" {
  name       = "vpc"
  cidr_block = "10.0.0.0/16"
}

resource "tencentcloud_kubernetes_cluster" "managed_cluster" {
  vpc_id                  = tencentcloud_vpc.vpc.id
  cluster_max_pod_num     = 32
  cluster_name            = "test"
  cluster_desc            = "test cluster desc"
  cluster_max_service_num = 256
  cluster_internet        = true
  cluster_deploy_type     = "MANAGED_CLUSTER"
  network_type            = "VPC-CNI"
  eni_subnet_ids          = ["subnet-bk1etlyu"]
  service_cidr            = "10.1.0.0/24"

  worker_config {
    count                      = 1
    availability_zone          = "ap-guangzhou-7"
    instance_type              = "S2.LARGE16"
    system_disk_type           = "CLOUD_PREMIUM"
    system_disk_size           = 60
    internet_charge_type       = "TRAFFIC_POSTPAID_BY_HOUR"
    internet_max_bandwidth_out = 100
    public_ip_assigned         = true
    subnet_id                  = "subnet-t5dv27rs"

    data_disk {
      disk_type = "CLOUD_PREMIUM"
      disk_size = 50
    }

    enhanced_security_service = false
    enhanced_monitor_service  = false
  }

  labels = {
    "test1" = "test1",
    "test2" = "test2",
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "tencentcloud_vpc" "vpc" {
  name       = "vpc"
  cidr_block = "10.0.0.0/16"
}

resource "tencentcloud_kubernetes_cluster" "managed_cluster" {
  vpc_id                  = tencentcloud_vpc.vpc.id
  cluster_max_pod_num     = 32
  cluster_name            = "test"
  cluster_desc            = "test cluster desc"
  cluster_max_service_num = 256
  cluster_internet        = true
  cluster_deploy_type     = "MANAGED_CLUSTER"
  network_type            = "VPC-CNI"
  eni_subnet_ids          = ["subnet-bk1etlyu"]
  service_cidr            = "10.1.0.0/24"

  worker_config {
    count                      = 1
    availability_zone          = "ap-guangzhou-7"
    instance_type              = "S2.LARGE16"
    system_disk_type           = "CLOUD_PREMIUM"
    system_disk_size           = 60
    internet_charge_type       = "TRAFFIC_POSTPAID_BY_HOUR"
    internet_max_bandwidth_out = 100
    public_ip_assigned         = true
    subnet_id                  = "subnet-t5dv27rs"

    data_disk {
      disk_type = "CLOUD_PREMIUM"
      disk_size = 50
    }

    enhanced_security_service = false
    enhanced_monitor_service  = false
  }

  log_agent {
    enabled = true
  }

  labels = {
    "test1" = "test1",
    "test2" = "test2",
  }
}