CS Kubernetes Node Pool Auto Repair Disabled
- Query id: 81ce9394-013d-4731-8fcc-9d229b474073
- Query name: CS Kubernetes Node Pool Auto Repair Disabled
- Platform: Terraform
- Severity: Medium
- Category: Insecure Configurations
- URL: Github
Description¶
Verifies if Alicloud Container Service Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "alicloud_cs_kubernetes_node_pool" "default2" {
name = var.name
cluster_id = alicloud_cs_managed_kubernetes.default.0.id
vswitch_ids = [alicloud_vswitch.default.id]
instance_types = [data.alicloud_instance_types.default.instance_types.0.id]
system_disk_category = "cloud_efficiency"
system_disk_size = 40
key_name = alicloud_key_pair.default.key_name
# comment out node_count and specify a new field desired_size
# node_count = 1
desired_size = 1
}
Positive test num. 2 - tf file
resource "alicloud_cs_kubernetes_node_pool" "default3" {
name = var.name
cluster_id = alicloud_cs_managed_kubernetes.default.0.id
vswitch_ids = [alicloud_vswitch.default.id]
instance_types = [data.alicloud_instance_types.default.instance_types.0.id]
system_disk_category = "cloud_efficiency"
system_disk_size = 40
# only key_name is supported in the management node pool
key_name = alicloud_key_pair.default.key_name
# you need to specify the number of nodes in the node pool, which can be zero
desired_size = 1
# management node pool configuration.
management {
auto_repair = false
auto_upgrade = true
surge = 1
max_unavailable = 1
}
}
Positive test num. 3 - tf file
resource "alicloud_cs_kubernetes_node_pool" "default4" {
name = var.name
cluster_id = alicloud_cs_managed_kubernetes.default.0.id
vswitch_ids = [alicloud_vswitch.default.id]
instance_types = [data.alicloud_instance_types.default.instance_types.0.id]
system_disk_category = "cloud_efficiency"
system_disk_size = 40
# only key_name is supported in the management node pool
key_name = alicloud_key_pair.default.key_name
# you need to specify the number of nodes in the node pool, which can be zero
desired_size = 1
# management node pool configuration.
management {
auto_upgrade = true
surge = 1
max_unavailable = 1
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "alicloud_cs_kubernetes_node_pool" "default1" {
name = var.name
cluster_id = alicloud_cs_managed_kubernetes.default.0.id
vswitch_ids = [alicloud_vswitch.default.id]
instance_types = [data.alicloud_instance_types.default.instance_types.0.id]
system_disk_category = "cloud_efficiency"
system_disk_size = 40
# only key_name is supported in the management node pool
key_name = alicloud_key_pair.default.key_name
# you need to specify the number of nodes in the node pool, which can be zero
desired_size = 1
# management node pool configuration.
management {
auto_repair = true
auto_upgrade = true
surge = 1
max_unavailable = 1
}
}