Beta - TKE Cluster Encryption Protection Disabled

  • Query id: 3ed47402-e322-465f-a0f0-8681135a17b0
  • Query name: Beta - TKE Cluster Encryption Protection Disabled
  • Platform: Terraform
  • Severity: High
  • Category: Encryption
  • CWE: Ongoing
  • URL: Github

Description

A TKE cluster should have encryption protection enabled: a `tencentcloud_kubernetes_encryption_protection` resource bound to the cluster through `cluster_id` and backed by a KMS key. A `tencentcloud_kubernetes_cluster` that no such resource references is reported by this query.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
# Looks up the default subnet(s) in the given zone; the cluster below reads
# the VPC id from this lookup. Not relevant to the finding itself.
data "tencentcloud_vpc_subnets" "vpc" {
  is_default        = true
  availability_zone = "ap-guangzhou-3"
}

# Positive fixture: a managed TKE cluster with no
# tencentcloud_kubernetes_encryption_protection resource referencing its id.
# This is the configuration the query is expected to flag, so the missing
# resource is deliberate and must not be "fixed" here.
resource "tencentcloud_kubernetes_cluster" "none_encryption_protection" {
  vpc_id                  = data.tencentcloud_vpc_subnets.vpc.instance_list.0.vpc_id
  cluster_cidr            = "10.32.0.0/16"
  cluster_max_pod_num     = 32
  cluster_name            = "tf_example_cluster"
  cluster_desc            = "a tf example cluster for the kms test"
  cluster_max_service_num = 32
  cluster_deploy_type     = "MANAGED_CLUSTER"
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
# Same subnet lookup as in the positive fixture; it only supplies vpc_id to
# the cluster and plays no part in the encryption-protection check.
data "tencentcloud_vpc_subnets" "vpc" {
  is_default        = true
  availability_zone = "ap-guangzhou-3"
}

# Negative fixture: the cluster definition is identical to the positive one
# (same CIDR, sizing and deploy type). What makes it compliant is the
# tencentcloud_kubernetes_encryption_protection resource further down, which
# points at this cluster's id — the cluster block itself carries no
# encryption setting.
resource "tencentcloud_kubernetes_cluster" "has_encryption_protection" {
  vpc_id                  = data.tencentcloud_vpc_subnets.vpc.instance_list.0.vpc_id
  cluster_cidr            = "10.32.0.0/16"
  cluster_max_pod_num     = 32
  cluster_name            = "tf_example_cluster"
  cluster_desc            = "a tf example cluster for the kms test"
  cluster_max_service_num = 32
  cluster_deploy_type     = "MANAGED_CLUSTER"
}


# KMS key that the encryption protection resource below references via
# tencentcloud_kms_key.example.id. The key is created with ENCRYPT_DECRYPT
# usage and enabled; presumably a disabled key could not be bound — confirm
# against the provider docs if this fixture is reused.
resource "tencentcloud_kms_key" "example" {
  alias       = "tf-example-kms-key"
  description = "example of kms key instance"
  key_usage   = "ENCRYPT_DECRYPT"
  is_enabled  = true
}

# The resource that satisfies the query: it binds encryption protection to
# the cluster by id and names the KMS key (and its region) to use. The
# cluster_id reference is what links this block to
# tencentcloud_kubernetes_cluster.has_encryption_protection; a protection
# resource pointing at a different cluster would leave that one flagged.
resource "tencentcloud_kubernetes_encryption_protection" "example" {
  cluster_id = tencentcloud_kubernetes_cluster.has_encryption_protection.id
  kms_configuration {
    key_id     = tencentcloud_kms_key.example.id
    # Region of the KMS key; here it matches the ap-guangzhou zone used by
    # the subnet lookup above.
    kms_region = "ap-guangzhou"
  }
}