Beta - Cluster Without Network Policy Support Enabled

  • Query id: 99976ba0-aa37-4745-93a6-5f1d55997f67
  • Query name: Beta - Cluster Without Network Policy Support Enabled
  • Platform: Terraform
  • Severity: Medium
  • Category: Networking and Firewall
  • CWE: 406
  • Risk score: 3.0
  • URL: Github

Description

All 'google_container_cluster' resources should enable network policy support. Network policies provide better security by limiting connections between pods, thus reducing the blast radius of a compromised pod. Enabling enforcement is only the first step: until NetworkPolicy objects are created in the cluster, all pod-to-pod traffic is still allowed. Clusters that use GKE Dataplane V2 ('datapath_provider = "ADVANCED_DATAPATH"') enforce NetworkPolicy natively and do not need the 'network_policy' block. To verify an existing cluster, run: gcloud container clusters describe gke-network-policy-cluster --region us-central1 --format='value(networkPolicy.enabled)'
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "google_container_cluster" "positive1" {
  name     = "gke-network-policy-cluster"
  location = "us-central1"

  initial_node_count = 3

  # missing "network_policy"
}

resource "google_container_cluster" "positive2" {
  name     = "gke-network-policy-cluster"
  location = "us-central1"

  initial_node_count = 3

  network_policy {
    enabled  = false
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "google_container_cluster" "negative1" {
  name     = "gke-network-policy-cluster"
  location = "us-central1"

  initial_node_count = 3

  network_policy {
    enabled  = true
  }
}

resource "google_container_cluster" "negative2" {
  name     = "gke-network-policy-cluster"
  location = "us-central1"

  initial_node_count = 3

  network_policy {
    enabled  = true
    provider = "CALICO"
  }
}
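The following is an added example, not code from the KICS project: a minimal checker that implements the rule described above over the positive and negative samples on this page. It parses the block/attribute shapes shown here (it is not a full HCL parser, and repeated blocks with the same name overwrite each other), flags a cluster when the 'network_policy' block is missing or 'enabled' is not true, and, as an addition of this example rather than the page's rule, also accepts a cluster with 'datapath_provider = "ADVANCED_DATAPATH"' because GKE Dataplane V2 enforces NetworkPolicy natively. The sample Terraform text is constructed inline; the 'dpv2' resource is an assumed variant not present on the page.

```python
import re
from typing import List, Tuple

# Constructed sample: the page's positive/negative shapes plus an assumed
# Dataplane V2 cluster and an unrelated resource that must be ignored.
SAMPLE_TF = """
resource "google_container_cluster" "positive1" {
  name     = "gke-network-policy-cluster"
  location = "us-central1"
  initial_node_count = 3
  # missing "network_policy"
}

resource "google_container_cluster" "positive2" {
  name     = "gke-network-policy-cluster"
  location = "us-central1"
  network_policy {
    enabled = false
  }
}

resource "google_container_cluster" "negative1" {
  name     = "gke-network-policy-cluster"
  location = "us-central1"
  network_policy {
    enabled  = true
    provider = "CALICO"
  }
}

resource "google_container_cluster" "dpv2" {
  name              = "gke-dataplane-v2-cluster"
  location          = "us-central1"
  datapath_provider = "ADVANCED_DATAPATH"
}

resource "google_compute_network" "vpc" {
  name = "vpc"
}
"""

_BLOCK_RE = re.compile(r'^(\w+)((?:\s+"[^"]*")*)\s*\{$')
_ATTR_RE = re.compile(r'^(\w+)\s*=\s*(.+)$')


def _strip_comment(line: str) -> str:
    # Drop "#" / "//" comments; the samples never put those inside strings.
    for marker in ("#", "//"):
        idx = line.find(marker)
        if idx != -1:
            line = line[:idx]
    return line.strip()


def _parse_value(raw: str):
    raw = raw.strip()
    if raw == "true":
        return True
    if raw == "false":
        return False
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:
        return raw


def parse_hcl(text: str) -> dict:
    """Parse labelled blocks, nested blocks and scalar attributes into nested dicts."""
    root: dict = {}
    stack: List[dict] = [root]
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        if line == "}":
            stack.pop()
            continue
        m = _BLOCK_RE.match(line)
        if m:
            # resource "type" "name" {  ->  root["resource"]["type"]["name"]
            node = stack[-1]
            for key in [m.group(1), *re.findall(r'"([^"]*)"', m.group(2))]:
                node = node.setdefault(key, {})
            stack.append(node)
            continue
        m = _ATTR_RE.match(line)
        if m:
            stack[-1][m.group(1)] = _parse_value(m.group(2))
            continue
        raise ValueError(f"unsupported line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root


def check_network_policy(text: str) -> List[Tuple[str, str, str]]:
    """Return (resource_name, verdict, reason) for each google_container_cluster."""
    clusters = parse_hcl(text).get("resource", {}).get("google_container_cluster", {})
    findings = []
    for name, body in clusters.items():
        policy = body.get("network_policy")
        if policy is not None and policy.get("enabled") is True:
            findings.append((name, "pass", "network_policy.enabled = true"))
        elif body.get("datapath_provider") == "ADVANCED_DATAPATH":
            # Addition of this example: Dataplane V2 enforces NetworkPolicy natively.
            findings.append((name, "pass", "Dataplane V2 enforces network policy natively"))
        elif policy is None:
            findings.append((name, "fail", "network_policy block missing"))
        else:
            findings.append((name, "fail", "network_policy.enabled is not true"))
    return findings


if __name__ == "__main__":
    for name, verdict, reason in check_network_policy(SAMPLE_TF):
        print(f"{verdict.upper():4} google_container_cluster.{name}: {reason}")
```

Run the script to see the two positive samples reported as failures and the negative sample pass; a real scanner that keys only on the 'network_policy' block may still flag the Dataplane V2 cluster, so treat that branch as a local policy decision rather than the page's rule.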