Beta - Shielded GKE Node Do Not Have Integrity Monitoring Enabled

• Query id: 4b5ee6a4-5682-4725-8a7a-d9e9a51986c8
• Query name: Beta - Shielded GKE Node Do Not Have Integrity Monitoring Enabled
• Platform: Terraform
• Severity: Medium
• Category: Observability
• CWE: 353
• Risk score: 3.0
• URL: Github

Description

Enabling Integrity Monitoring for Shielded GKE Nodes is necessary to be notified of inconsistencies during the node boot sequence.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file

resource "google_container_cluster" "positive1" {
  name               = "marcellus-wallace"
  location           = "us-central1-a"
  initial_node_count = 3
  node_config {
    service_account = google_service_account.default.email
    shielded_instance_config {
      enable_integrity_monitoring = false
    }
  }
}  

Positive test num. 2 - tf file

resource "google_container_node_pool" "positive2" {
  name       = "my-node-pool"
  cluster    = google_container_cluster.primary.id
  node_count = 1

  node_config {
    preemptible  = true
    machine_type = "e2-medium"

   shielded_instance_config {
     enable_integrity_monitoring = false
   }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file

resource "google_container_cluster" "negative1" {
  name               = "marcellus-wallace"
  location           = "us-central1-a"
  initial_node_count = 3
  node_config {
    service_account = google_service_account.default.email
    shielded_instance_config {
      enable_integrity_monitoring = true
    }
  }
}  

Negative test num. 2 - tf file

resource "google_container_cluster" "negative2" {
  name               = "marcellus-wallace"
  location           = "us-central1-a"
  initial_node_count = 3
  node_config {
    service_account = google_service_account.default.email
    shielded_instance_config {}
  }
}  

Negative test num. 3 - tf file

resource "google_container_cluster" "negative3" {
  name               = "marcellus-wallace"
  location           = "us-central1-a"
  initial_node_count = 3
  node_config {
    service_account = google_service_account.default.email
  }
}  

Negative test num. 4 - tf file

resource "google_container_cluster" "negative4" {
  name               = "marcellus-wallace"
  location           = "us-central1-a"
  initial_node_count = 3
}  

Negative test num. 5 - tf file

resource "google_container_node_pool" "negative5" {
  name       = "my-node-pool"
  cluster    = google_container_cluster.primary.id
  node_count = 1

  node_config {
    preemptible  = true
    machine_type = "e2-medium"

   shielded_instance_config {
     enable_integrity_monitoring = true
   }
  }
}

Negative test num. 6 - tf file

resource "google_container_node_pool" "negative6" {
  name       = "my-node-pool"
  cluster    = google_container_cluster.primary.id
  node_count = 1

  node_config {
    preemptible  = true
    machine_type = "e2-medium"

   shielded_instance_config {}
  }
}

Negative test num. 7 - tf file

resource "google_container_node_pool" "negative7" {
  name       = "my-node-pool"
  cluster    = google_container_cluster.primary.id
  node_count = 1

  node_config {
    preemptible  = true
    machine_type = "e2-medium"
  }
}

Negative test num. 8 - tf file

resource "google_container_node_pool" "negative8" {
  name       = "my-node-pool"
  cluster    = google_container_cluster.primary.id
  node_count = 1
}