GKE Legacy Authorization Enabled

• Query id: 300a9964-b086-41f7-9378-b6de3ba1c32b
• Query name: GKE Legacy Authorization Enabled
• Platform: Ansible
• Severity: High
• Category: Insecure Configurations
• URL: Github

Description

Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file

#this is a problematic code where the query should report a result(s)
- name: create a cluster
  google.cloud.gcp_container_cluster:
    name: my-cluster
    initial_node_count: 2
    master_auth:
      username: cluster_admin
      password: my-secret-password
    node_config:
      machine_type: n1-standard-4
      disk_size_gb: 500
    location: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    legacy_abac:
      enabled: yes

Code samples without security vulnerabilities

Negative test num. 1 - yaml file

#this code is a correct code for which the query should not find any result
- name: create a cluster
  google.cloud.gcp_container_cluster:
    name: my-cluster
    initial_node_count: 2
    master_auth:
      username: cluster_admin
      password: my-secret-password
    node_config:
      machine_type: n1-standard-4
      disk_size_gb: 500
    location: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: /tmp/auth.pem
    state: present
    legacy_abac:
      enabled: no