Repository
poseidon / typhoon
Description

Minimal and free Kubernetes distribution with Terraform

Stars

 1855

Failed Checks
  •  Security Scanning
     Linting

  • Scan Date

    2023-10-30 17:57:40

    Security Scanning

    This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that no security scanning tool was found to be configured in any of the CI/CD configuration files in the repository.

    There is an opportunity to add a security scanning step to the repository's CI/CD configuration so that findings like the ones listed below are caught before changes are merged:

    Checkov Output
                    
                      2023-10-05 14:39:06,824 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=19b59cc66f281a16fd488f9a36ab2bdac80b7952:None (for external modules, the --download-external-modules flag is required)
    terraform scan results:
    
    Passed checks: 889, Failed checks: 171, Skipped checks: 0
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.controllers[0]
    	File: /aws/fedora-coreos/kubernetes/controllers.tf:17-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		17 | resource "aws_instance" "controllers" {
    		18 |   count = var.controller_count
    		19 | 
    		20 |   tags = {
    		21 |     Name = "${var.cluster_name}-controller-${count.index}"
    		22 |   }
    		23 | 
    		24 |   instance_type = var.controller_type
    		25 |   ami           = var.arch == "arm64" ? data.aws_ami.fedora-coreos-arm[0].image_id : data.aws_ami.fedora-coreos.image_id
    		26 |   user_data     = data.ct_config.controllers.*.rendered[count.index]
    		27 | 
    		28 |   # storage
    		29 |   root_block_device {
    		30 |     volume_type = var.disk_type
    		31 |     volume_size = var.disk_size
    		32 |     iops        = var.disk_iops
    		33 |     encrypted   = true
    		34 |     tags        = {}
    		35 |   }
    		36 | 
    		37 |   # network
    		38 |   associate_public_ip_address = true
    		39 |   subnet_id                   = element(aws_subnet.public.*.id, count.index)
    		40 |   vpc_security_group_ids      = [aws_security_group.controller.id]
    		41 | 
    		42 |   lifecycle {
    		43 |     ignore_changes = [
    		44 |       ami,
    		45 |       user_data,
    		46 |     ]
    		47 |   }
    		48 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.controllers[0]
    	File: /aws/fedora-coreos/kubernetes/controllers.tf:17-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		17 | resource "aws_instance" "controllers" {
    		18 |   count = var.controller_count
    		19 | 
    		20 |   tags = {
    		21 |     Name = "${var.cluster_name}-controller-${count.index}"
    		22 |   }
    		23 | 
    		24 |   instance_type = var.controller_type
    		25 |   ami           = var.arch == "arm64" ? data.aws_ami.fedora-coreos-arm[0].image_id : data.aws_ami.fedora-coreos.image_id
    		26 |   user_data     = data.ct_config.controllers.*.rendered[count.index]
    		27 | 
    		28 |   # storage
    		29 |   root_block_device {
    		30 |     volume_type = var.disk_type
    		31 |     volume_size = var.disk_size
    		32 |     iops        = var.disk_iops
    		33 |     encrypted   = true
    		34 |     tags        = {}
    		35 |   }
    		36 | 
    		37 |   # network
    		38 |   associate_public_ip_address = true
    		39 |   subnet_id                   = element(aws_subnet.public.*.id, count.index)
    		40 |   vpc_security_group_ids      = [aws_security_group.controller.id]
    		41 | 
    		42 |   lifecycle {
    		43 |     ignore_changes = [
    		44 |       ami,
    		45 |       user_data,
    		46 |     ]
    		47 |   }
    		48 | }
    
    Check: CKV_AWS_88: "EC2 instance should not have public IP."
    	FAILED for resource: aws_instance.controllers[0]
    	File: /aws/fedora-coreos/kubernetes/controllers.tf:17-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-12.html
    
    		17 | resource "aws_instance" "controllers" {
    		18 |   count = var.controller_count
    		19 | 
    		20 |   tags = {
    		21 |     Name = "${var.cluster_name}-controller-${count.index}"
    		22 |   }
    		23 | 
    		24 |   instance_type = var.controller_type
    		25 |   ami           = var.arch == "arm64" ? data.aws_ami.fedora-coreos-arm[0].image_id : data.aws_ami.fedora-coreos.image_id
    		26 |   user_data     = data.ct_config.controllers.*.rendered[count.index]
    		27 | 
    		28 |   # storage
    		29 |   root_block_device {
    		30 |     volume_type = var.disk_type
    		31 |     volume_size = var.disk_size
    		32 |     iops        = var.disk_iops
    		33 |     encrypted   = true
    		34 |     tags        = {}
    		35 |   }
    		36 | 
    		37 |   # network
    		38 |   associate_public_ip_address = true
    		39 |   subnet_id                   = element(aws_subnet.public.*.id, count.index)
    		40 |   vpc_security_group_ids      = [aws_security_group.controller.id]
    		41 | 
    		42 |   lifecycle {
    		43 |     ignore_changes = [
    		44 |       ami,
    		45 |       user_data,
    		46 |     ]
    		47 |   }
    		48 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.controllers[0]
    	File: /aws/fedora-coreos/kubernetes/controllers.tf:17-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		17 | resource "aws_instance" "controllers" {
    		18 |   count = var.controller_count
    		19 | 
    		20 |   tags = {
    		21 |     Name = "${var.cluster_name}-controller-${count.index}"
    		22 |   }
    		23 | 
    		24 |   instance_type = var.controller_type
    		25 |   ami           = var.arch == "arm64" ? data.aws_ami.fedora-coreos-arm[0].image_id : data.aws_ami.fedora-coreos.image_id
    		26 |   user_data     = data.ct_config.controllers.*.rendered[count.index]
    		27 | 
    		28 |   # storage
    		29 |   root_block_device {
    		30 |     volume_type = var.disk_type
    		31 |     volume_size = var.disk_size
    		32 |     iops        = var.disk_iops
    		33 |     encrypted   = true
    		34 |     tags        = {}
    		35 |   }
    		36 | 
    		37 |   # network
    		38 |   associate_public_ip_address = true
    		39 |   subnet_id                   = element(aws_subnet.public.*.id, count.index)
    		40 |   vpc_security_group_ids      = [aws_security_group.controller.id]
    		41 | 
    		42 |   lifecycle {
    		43 |     ignore_changes = [
    		44 |       ami,
    		45 |       user_data,
    		46 |     ]
    		47 |   }
    		48 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.public
    	File: /aws/fedora-coreos/kubernetes/network.tf:47-61
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		47 | resource "aws_subnet" "public" {
    		48 |   count = length(data.aws_availability_zones.all.names)
    		49 | 
    		50 |   vpc_id            = aws_vpc.network.id
    		51 |   availability_zone = data.aws_availability_zones.all.names[count.index]
    		52 | 
    		53 |   cidr_block                      = cidrsubnet(var.host_cidr, 4, count.index)
    		54 |   ipv6_cidr_block                 = cidrsubnet(aws_vpc.network.ipv6_cidr_block, 8, count.index)
    		55 |   map_public_ip_on_launch         = true
    		56 |   assign_ipv6_address_on_creation = true
    		57 | 
    		58 |   tags = {
    		59 |     "Name" = "${var.cluster_name}-public-${count.index}"
    		60 |   }
    		61 | }
    
    Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
    	FAILED for resource: aws_lb.nlb
    	File: /aws/fedora-coreos/kubernetes/nlb.tf:17-26
    	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
    
    		17 | resource "aws_lb" "nlb" {
    		18 |   name               = "${var.cluster_name}-nlb"
    		19 |   load_balancer_type = "network"
    		20 |   ip_address_type    = "dualstack"
    		21 |   internal           = false
    		22 | 
    		23 |   subnets = aws_subnet.public.*.id
    		24 | 
    		25 |   enable_cross_zone_load_balancing = true
    		26 | }
    
    Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
    	FAILED for resource: aws_lb.nlb
    	File: /aws/fedora-coreos/kubernetes/nlb.tf:17-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
    
    		17 | resource "aws_lb" "nlb" {
    		18 |   name               = "${var.cluster_name}-nlb"
    		19 |   load_balancer_type = "network"
    		20 |   ip_address_type    = "dualstack"
    		21 |   internal           = false
    		22 | 
    		23 |   subnets = aws_subnet.public.*.id
    		24 | 
    		25 |   enable_cross_zone_load_balancing = true
    		26 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-icmp
    	File: /aws/fedora-coreos/kubernetes/security.tf:16-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		16 | resource "aws_security_group_rule" "controller-icmp" {
    		17 |   count = var.networking == "cilium" ? 1 : 0
    		18 | 
    		19 |   security_group_id = aws_security_group.controller.id
    		20 | 
    		21 |   type                     = "ingress"
    		22 |   protocol                 = "icmp"
    		23 |   from_port                = 8
    		24 |   to_port                  = 0
    		25 |   source_security_group_id = aws_security_group.worker.id
    		26 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-icmp-self
    	File: /aws/fedora-coreos/kubernetes/security.tf:28-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		28 | resource "aws_security_group_rule" "controller-icmp-self" {
    		29 |   count = var.networking == "cilium" ? 1 : 0
    		30 | 
    		31 |   security_group_id = aws_security_group.controller.id
    		32 | 
    		33 |   type      = "ingress"
    		34 |   protocol  = "icmp"
    		35 |   from_port = 8
    		36 |   to_port   = 0
    		37 |   self      = true
    		38 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-ssh
    	File: /aws/fedora-coreos/kubernetes/security.tf:40-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		40 | resource "aws_security_group_rule" "controller-ssh" {
    		41 |   security_group_id = aws_security_group.controller.id
    		42 | 
    		43 |   type        = "ingress"
    		44 |   protocol    = "tcp"
    		45 |   from_port   = 22
    		46 |   to_port     = 22
    		47 |   cidr_blocks = ["0.0.0.0/0"]
    		48 | }
    
    Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
    	FAILED for resource: aws_security_group_rule.controller-ssh
    	File: /aws/fedora-coreos/kubernetes/security.tf:40-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
    
    		40 | resource "aws_security_group_rule" "controller-ssh" {
    		41 |   security_group_id = aws_security_group.controller.id
    		42 | 
    		43 |   type        = "ingress"
    		44 |   protocol    = "tcp"
    		45 |   from_port   = 22
    		46 |   to_port     = 22
    		47 |   cidr_blocks = ["0.0.0.0/0"]
    		48 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-etcd
    	File: /aws/fedora-coreos/kubernetes/security.tf:50-58
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		50 | resource "aws_security_group_rule" "controller-etcd" {
    		51 |   security_group_id = aws_security_group.controller.id
    		52 | 
    		53 |   type      = "ingress"
    		54 |   protocol  = "tcp"
    		55 |   from_port = 2379
    		56 |   to_port   = 2380
    		57 |   self      = true
    		58 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-etcd-metrics
    	File: /aws/fedora-coreos/kubernetes/security.tf:61-69
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		61 | resource "aws_security_group_rule" "controller-etcd-metrics" {
    		62 |   security_group_id = aws_security_group.controller.id
    		63 | 
    		64 |   type                     = "ingress"
    		65 |   protocol                 = "tcp"
    		66 |   from_port                = 2381
    		67 |   to_port                  = 2381
    		68 |   source_security_group_id = aws_security_group.worker.id
    		69 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-cilium-health
    	File: /aws/fedora-coreos/kubernetes/security.tf:71-81
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		71 | resource "aws_security_group_rule" "controller-cilium-health" {
    		72 |   count = var.networking == "cilium" ? 1 : 0
    		73 | 
    		74 |   security_group_id = aws_security_group.controller.id
    		75 | 
    		76 |   type                     = "ingress"
    		77 |   protocol                 = "tcp"
    		78 |   from_port                = 4240
    		79 |   to_port                  = 4240
    		80 |   source_security_group_id = aws_security_group.worker.id
    		81 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-cilium-health-self
    	File: /aws/fedora-coreos/kubernetes/security.tf:83-93
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		83 | resource "aws_security_group_rule" "controller-cilium-health-self" {
    		84 |   count = var.networking == "cilium" ? 1 : 0
    		85 | 
    		86 |   security_group_id = aws_security_group.controller.id
    		87 | 
    		88 |   type      = "ingress"
    		89 |   protocol  = "tcp"
    		90 |   from_port = 4240
    		91 |   to_port   = 4240
    		92 |   self      = true
    		93 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-vxlan
    	File: /aws/fedora-coreos/kubernetes/security.tf:96-106
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		96  | resource "aws_security_group_rule" "controller-vxlan" {
    		97  |   count = var.networking == "flannel" ? 1 : 0
    		98  | 
    		99  |   security_group_id = aws_security_group.controller.id
    		100 | 
    		101 |   type                     = "ingress"
    		102 |   protocol                 = "udp"
    		103 |   from_port                = 4789
    		104 |   to_port                  = 4789
    		105 |   source_security_group_id = aws_security_group.worker.id
    		106 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-vxlan-self
    	File: /aws/fedora-coreos/kubernetes/security.tf:108-118
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		108 | resource "aws_security_group_rule" "controller-vxlan-self" {
    		109 |   count = var.networking == "flannel" ? 1 : 0
    		110 | 
    		111 |   security_group_id = aws_security_group.controller.id
    		112 | 
    		113 |   type      = "ingress"
    		114 |   protocol  = "udp"
    		115 |   from_port = 4789
    		116 |   to_port   = 4789
    		117 |   self      = true
    		118 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-apiserver
    	File: /aws/fedora-coreos/kubernetes/security.tf:120-128
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		120 | resource "aws_security_group_rule" "controller-apiserver" {
    		121 |   security_group_id = aws_security_group.controller.id
    		122 | 
    		123 |   type        = "ingress"
    		124 |   protocol    = "tcp"
    		125 |   from_port   = 6443
    		126 |   to_port     = 6443
    		127 |   cidr_blocks = ["0.0.0.0/0"]
    		128 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-linux-vxlan
    	File: /aws/fedora-coreos/kubernetes/security.tf:131-141
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		131 | resource "aws_security_group_rule" "controller-linux-vxlan" {
    		132 |   count = var.networking == "cilium" ? 1 : 0
    		133 | 
    		134 |   security_group_id = aws_security_group.controller.id
    		135 | 
    		136 |   type                     = "ingress"
    		137 |   protocol                 = "udp"
    		138 |   from_port                = 8472
    		139 |   to_port                  = 8472
    		140 |   source_security_group_id = aws_security_group.worker.id
    		141 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-linux-vxlan-self
    	File: /aws/fedora-coreos/kubernetes/security.tf:143-153
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		143 | resource "aws_security_group_rule" "controller-linux-vxlan-self" {
    		144 |   count = var.networking == "cilium" ? 1 : 0
    		145 | 
    		146 |   security_group_id = aws_security_group.controller.id
    		147 | 
    		148 |   type      = "ingress"
    		149 |   protocol  = "udp"
    		150 |   from_port = 8472
    		151 |   to_port   = 8472
    		152 |   self      = true
    		153 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-node-exporter
    	File: /aws/fedora-coreos/kubernetes/security.tf:156-164
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		156 | resource "aws_security_group_rule" "controller-node-exporter" {
    		157 |   security_group_id = aws_security_group.controller.id
    		158 | 
    		159 |   type                     = "ingress"
    		160 |   protocol                 = "tcp"
    		161 |   from_port                = 9100
    		162 |   to_port                  = 9100
    		163 |   source_security_group_id = aws_security_group.worker.id
    		164 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.kube-proxy-metrics
    	File: /aws/fedora-coreos/kubernetes/security.tf:167-175
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		167 | resource "aws_security_group_rule" "kube-proxy-metrics" {
    		168 |   security_group_id = aws_security_group.controller.id
    		169 | 
    		170 |   type                     = "ingress"
    		171 |   protocol                 = "tcp"
    		172 |   from_port                = 10249
    		173 |   to_port                  = 10249
    		174 |   source_security_group_id = aws_security_group.worker.id
    		175 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-kubelet
    	File: /aws/fedora-coreos/kubernetes/security.tf:178-186
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		178 | resource "aws_security_group_rule" "controller-kubelet" {
    		179 |   security_group_id = aws_security_group.controller.id
    		180 | 
    		181 |   type                     = "ingress"
    		182 |   protocol                 = "tcp"
    		183 |   from_port                = 10250
    		184 |   to_port                  = 10250
    		185 |   source_security_group_id = aws_security_group.worker.id
    		186 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-kubelet-self
    	File: /aws/fedora-coreos/kubernetes/security.tf:188-196
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		188 | resource "aws_security_group_rule" "controller-kubelet-self" {
    		189 |   security_group_id = aws_security_group.controller.id
    		190 | 
    		191 |   type      = "ingress"
    		192 |   protocol  = "tcp"
    		193 |   from_port = 10250
    		194 |   to_port   = 10250
    		195 |   self      = true
    		196 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-scheduler-metrics
    	File: /aws/fedora-coreos/kubernetes/security.tf:199-207
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		199 | resource "aws_security_group_rule" "controller-scheduler-metrics" {
    		200 |   security_group_id = aws_security_group.controller.id
    		201 | 
    		202 |   type                     = "ingress"
    		203 |   protocol                 = "tcp"
    		204 |   from_port                = 10259
    		205 |   to_port                  = 10259
    		206 |   source_security_group_id = aws_security_group.worker.id
    		207 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-manager-metrics
    	File: /aws/fedora-coreos/kubernetes/security.tf:210-218
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		210 | resource "aws_security_group_rule" "controller-manager-metrics" {
    		211 |   security_group_id = aws_security_group.controller.id
    		212 | 
    		213 |   type                     = "ingress"
    		214 |   protocol                 = "tcp"
    		215 |   from_port                = 10257
    		216 |   to_port                  = 10257
    		217 |   source_security_group_id = aws_security_group.worker.id
    		218 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-bgp
    	File: /aws/fedora-coreos/kubernetes/security.tf:220-228
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		220 | resource "aws_security_group_rule" "controller-bgp" {
    		221 |   security_group_id = aws_security_group.controller.id
    		222 | 
    		223 |   type                     = "ingress"
    		224 |   protocol                 = "tcp"
    		225 |   from_port                = 179
    		226 |   to_port                  = 179
    		227 |   source_security_group_id = aws_security_group.worker.id
    		228 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-bgp-self
    	File: /aws/fedora-coreos/kubernetes/security.tf:230-238
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		230 | resource "aws_security_group_rule" "controller-bgp-self" {
    		231 |   security_group_id = aws_security_group.controller.id
    		232 | 
    		233 |   type      = "ingress"
    		234 |   protocol  = "tcp"
    		235 |   from_port = 179
    		236 |   to_port   = 179
    		237 |   self      = true
    		238 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-ipip
    	File: /aws/fedora-coreos/kubernetes/security.tf:240-248
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		240 | resource "aws_security_group_rule" "controller-ipip" {
    		241 |   security_group_id = aws_security_group.controller.id
    		242 | 
    		243 |   type                     = "ingress"
    		244 |   protocol                 = 4
    		245 |   from_port                = 0
    		246 |   to_port                  = 0
    		247 |   source_security_group_id = aws_security_group.worker.id
    		248 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-ipip-self
    	File: /aws/fedora-coreos/kubernetes/security.tf:250-258
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		250 | resource "aws_security_group_rule" "controller-ipip-self" {
    		251 |   security_group_id = aws_security_group.controller.id
    		252 | 
    		253 |   type      = "ingress"
    		254 |   protocol  = 4
    		255 |   from_port = 0
    		256 |   to_port   = 0
    		257 |   self      = true
    		258 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-ipip-legacy
    	File: /aws/fedora-coreos/kubernetes/security.tf:260-268
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		260 | resource "aws_security_group_rule" "controller-ipip-legacy" {
    		261 |   security_group_id = aws_security_group.controller.id
    		262 | 
    		263 |   type                     = "ingress"
    		264 |   protocol                 = 94
    		265 |   from_port                = 0
    		266 |   to_port                  = 0
    		267 |   source_security_group_id = aws_security_group.worker.id
    		268 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-ipip-legacy-self
    	File: /aws/fedora-coreos/kubernetes/security.tf:270-278
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		270 | resource "aws_security_group_rule" "controller-ipip-legacy-self" {
    		271 |   security_group_id = aws_security_group.controller.id
    		272 | 
    		273 |   type      = "ingress"
    		274 |   protocol  = 94
    		275 |   from_port = 0
    		276 |   to_port   = 0
    		277 |   self      = true
    		278 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-egress
    	File: /aws/fedora-coreos/kubernetes/security.tf:280-289
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		280 | resource "aws_security_group_rule" "controller-egress" {
    		281 |   security_group_id = aws_security_group.controller.id
    		282 | 
    		283 |   type             = "egress"
    		284 |   protocol         = "-1"
    		285 |   from_port        = 0
    		286 |   to_port          = 0
    		287 |   cidr_blocks      = ["0.0.0.0/0"]
    		288 |   ipv6_cidr_blocks = ["::/0"]
    		289 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.worker-icmp
    	File: /aws/fedora-coreos/kubernetes/security.tf:304-314
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		304 | resource "aws_security_group_rule" "worker-icmp" {
    		305 |   count = var.networking == "cilium" ? 1 : 0
    		306 | 
    		307 |   security_group_id = aws_security_group.worker.id
    		308 | 
    		309 |   type                     = "ingress"
    		310 |   protocol                 = "icmp"
    		311 |   from_port                = 8
    		312 |   to_port                  = 0
    		313 |   source_security_group_id = aws_security_group.controller.id
    		314 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.worker-icmp-self
    	File: /aws/fedora-coreos/kubernetes/security.tf:316-326
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		316 | resource "aws_security_group_rule" "worker-icmp-self" {
    		317 |   count = var.networking == "cilium" ? 1 : 0
    		318 | 
    		319 |   security_group_id = aws_security_group.worker.id
    		320 | 
    		321 |   type      = "ingress"
    		322 |   protocol  = "icmp"
    		323 |   from_port = 8
    		324 |   to_port   = 0
    		325 |   self      = true
    		326 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.worker-ssh
    	File: /aws/fedora-coreos/kubernetes/security.tf:328-336
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		328 | resource "aws_security_group_rule" "worker-ssh" {
    		329 |   security_group_id = aws_security_group.worker.id
    		330 | 
    		331 |   type        = "ingress"
    		332 |   protocol    = "tcp"
    		333 |   from_port   = 22
    		334 |   to_port     = 22
    		335 |   cidr_blocks = ["0.0.0.0/0"]
    		336 | }
    
    Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
    	FAILED for resource: aws_security_group_rule.worker-ssh
    	File: /aws/fedora-coreos/kubernetes/security.tf:328-336
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
    
    		328 | resource "aws_security_group_rule" "worker-ssh" {
    		329 |   security_group_id = aws_security_group.worker.id
    		330 | 
    		331 |   type        = "ingress"
    		332 |   protocol    = "tcp"
    		333 |   from_port   = 22
    		334 |   to_port     = 22
    		335 |   cidr_blocks = ["0.0.0.0/0"]
    		336 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.worker-http
    	File: /aws/fedora-coreos/kubernetes/security.tf:338-346
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		338 | resource "aws_security_group_rule" "worker-http" {
    		339 |   security_group_id = aws_security_group.worker.id
    		340 | 
    		341 |   type        = "ingress"
    		342 |   protocol    = "tcp"
    		343 |   from_port   = 80
    		344 |   to_port     = 80
    		345 |   cidr_blocks = ["0.0.0.0/0"]
    		346 | }
    
    Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
    	FAILED for resource: aws_security_group_rule.worker-http
    	File: /aws/fedora-coreos/kubernetes/security.tf:338-346
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
    
    		338 | resource "aws_security_group_rule" "worker-http" {
    		339 |   security_group_id = aws_security_group.worker.id
    		340 | 
    		341 |   type        = "ingress"
    		342 |   protocol    = "tcp"
    		343 |   from_port   = 80
    		344 |   to_port     = 80
    		345 |   cidr_blocks = ["0.0.0.0/0"]
    		346 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.worker-https
    	File: /aws/fedora-coreos/kubernetes/security.tf:348-356
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		348 | resource "aws_security_group_rule" "worker-https" {
    		349 |   security_group_id = aws_security_group.worker.id
    		350 | 
    		351 |   type        = "ingress"
    		352 |   protocol    = "tcp"
    		353 |   from_port   = 443
    		354 |   to_port     = 443
    		355 |   cidr_blocks = ["0.0.0.0/0"]
    		356 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.worker-cilium-health
    	File: /aws/fedora-coreos/kubernetes/security.tf:358-368
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		358 | resource "aws_security_group_rule" "worker-cilium-health" {
    		359 |   count = var.networking == "cilium" ? 1 : 0
    		360 | 
    		361 |   security_group_id = aws_security_group.worker.id
    		362 | 
    		363 |   type                     = "ingress"
    		364 |   protocol                 = "tcp"
    		365 |   from_port                = 4240
    		366 |   to_port                  = 4240
    		367 |   source_security_group_id = aws_security_group.controller.id
    		368 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.worker-cilium-health-self
    	File: /aws/fedora-coreos/kubernetes/security.tf:370-380
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		370 | resource "aws_security_group_rule" "worker-cilium-health-self" {
    		371 |   count = var.networking == "cilium" ? 1 : 0
    		372 | 
    		373 |   security_group_id = aws_security_group.worker.id
    		374 | 
    		375 |   type      = "ingress"
    		376 |   protocol  = "tcp"
    		377 |   from_port = 4240
    		378 |   to_port   = 4240
    		379 |   self      = true
    		380 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.worker-vxlan
    	File: /aws/fedora-coreos/kubernetes/security.tf:383-393
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		383 | resource "aws_security_group_rule" "worker-vxlan" {
    		384 |   count = var.networking == "flannel" ? 1 : 0
    		385 | 
    		386 |   security_group_id = aws_security_group.worker.id
    		387 | 
    		388 |   type                     = "ingress"
    		389 |   protocol                 = "udp"
    		390 |   from_port                = 4789
    		391 |   to_port                  = 4789
    		392 |   source_security_group_id = aws_security_group.controller.id
    		393 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.worker-vxlan-self
    	File: /aws/fedora-coreos/kubernetes/security.tf:395-405
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		395 | resource "aws_security_group_rule" "worker-vxlan-self" {
    		396 |   count = var.networking == "flannel" ? 1 : 0
    		397 | 
    		398 |   security_group_id = aws_security_group.worker.id
    		399 | 
    		400 |   type      = "ingress"
    		401 |   protocol  = "udp"
    		402 |   from_port = 4789
    		403 |   to_port   = 4789
    		404 |   self      = true
    		405 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.worker-linux-vxlan
    	File: /aws/fedora-coreos/kubernetes/security.tf:408-418
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		408 | resource "aws_security_group_rule" "worker-linux-vxlan" {
    		409 |   count = var.networking == "cilium" ? 1 : 0
    		410 | 
    		411 |   security_group_id = aws_security_group.worker.id
    		412 | 
    		413 |   type                     = "ingress"
    		414 |   protocol                 = "udp"
    		415 |   from_port                = 8472
    		416 |   to_port                  = 8472
    		417 |   source_security_group_id = aws_security_group.controller.id
    		418 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.worker-linux-vxlan-self
    	File: /aws/fedora-coreos/kubernetes/security.tf:420-430
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		420 | resource "aws_security_group_rule" "worker-linux-vxlan-self" {
    		421 |   count = var.networking == "cilium" ? 1 : 0
    		422 | 
    		423 |   security_group_id = aws_security_group.worker.id
    		424 | 
    		425 |   type      = "ingress"
    		426 |   protocol  = "udp"
    		427 |   from_port = 8472
    		428 |   to_port   = 8472
    		429 |   self      = true
    		430 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.worker-node-exporter
    	File: /aws/fedora-coreos/kubernetes/security.tf:433-441
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		433 | resource "aws_security_group_rule" "worker-node-exporter" {
    		434 |   security_group_id = aws_security_group.worker.id
    		435 | 
    		436 |   type      = "ingress"
    		437 |   protocol  = "tcp"
    		438 |   from_port = 9100
    		439 |   to_port   = 9100
    		440 |   self      = true
    		441 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.worker-kube-proxy
    	File: /aws/fedora-coreos/kubernetes/security.tf:444-452
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		444 | resource "aws_security_group_rule" "worker-kube-proxy" {
    		445 |   security_group_id = aws_security_group.worker.id
    		446 | 
    		447 |   type      = "ingress"
    		448 |   protocol  = "tcp"
    		449 |   from_port = 10249
    		450 |   to_port   = 10249
    		451 |   self      = true
    		452 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.worker-kubelet
    	File: /aws/fedora-coreos/kubernetes/security.tf:455-463
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		455 | resource "aws_security_group_rule" "worker-kubelet" {
    		456 |   security_group_id = aws_security_group.worker.id
    		457 | 
    		458 |   type                     = "ingress"
    		459 |   protocol                 = "tcp"
    		460 |   from_port                = 10250
    		461 |   to_port                  = 10250
    		462 |   source_security_group_id = aws_security_group.controller.id
    		463 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.worker-kubelet-self
    	File: /aws/fedora-coreos/kubernetes/security.tf:466-474
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		466 | resource "aws_security_group_rule" "worker-kubelet-self" {
    		467 |   security_group_id = aws_security_group.worker.id
    		468 | 
    		469 |   type      = "ingress"
    		470 |   protocol  = "tcp"
    		471 |   from_port = 10250
    		472 |   to_port   = 10250
    		473 |   self      = true
    		474 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.ingress-health
    	File: /aws/fedora-coreos/kubernetes/security.tf:476-484
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		476 | resource "aws_security_group_rule" "ingress-health" {
    		477 |   security_group_id = aws_security_group.worker.id
    		478 | 
    		479 |   type        = "ingress"
    		480 |   protocol    = "tcp"
    		481 |   from_port   = 10254
    		482 |   to_port     = 10254
    		483 |   cidr_blocks = ["0.0.0.0/0"]
    		484 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.worker-bgp
    	File: /aws/fedora-coreos/kubernetes/security.tf:486-494
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		486 | resource "aws_security_group_rule" "worker-bgp" {
    		487 |   security_group_id = aws_security_group.worker.id
    		488 | 
    		489 |   type                     = "ingress"
    		490 |   protocol                 = "tcp"
    		491 |   from_port                = 179
    		492 |   to_port                  = 179
    		493 |   source_security_group_id = aws_security_group.controller.id
    		494 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.worker-bgp-self
    	File: /aws/fedora-coreos/kubernetes/security.tf:496-504
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		496 | resource "aws_security_group_rule" "worker-bgp-self" {
    		497 |   security_group_id = aws_security_group.worker.id
    		498 | 
    		499 |   type      = "ingress"
    		500 |   protocol  = "tcp"
    		501 |   from_port = 179
    		502 |   to_port   = 179
    		503 |   self      = true
    		504 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.worker-ipip
    	File: /aws/fedora-coreos/kubernetes/security.tf:506-514
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		506 | resource "aws_security_group_rule" "worker-ipip" {
    		507 |   security_group_id = aws_security_group.worker.id
    		508 | 
    		509 |   type                     = "ingress"
    		510 |   protocol                 = 4
    		511 |   from_port                = 0
    		512 |   to_port                  = 0
    		513 |   source_security_group_id = aws_security_group.controller.id
    		514 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.worker-ipip-self
    	File: /aws/fedora-coreos/kubernetes/security.tf:516-524
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		516 | resource "aws_security_group_rule" "worker-ipip-self" {
    		517 |   security_group_id = aws_security_group.worker.id
    		518 | 
    		519 |   type      = "ingress"
    		520 |   protocol  = 4
    		521 |   from_port = 0
    		522 |   to_port   = 0
    		523 |   self      = true
    		524 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.worker-ipip-legacy
    	File: /aws/fedora-coreos/kubernetes/security.tf:526-534
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		526 | resource "aws_security_group_rule" "worker-ipip-legacy" {
    		527 |   security_group_id = aws_security_group.worker.id
    		528 | 
    		529 |   type                     = "ingress"
    		530 |   protocol                 = 94
    		531 |   from_port                = 0
    		532 |   to_port                  = 0
    		533 |   source_security_group_id = aws_security_group.controller.id
    		534 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.worker-ipip-legacy-self
    	File: /aws/fedora-coreos/kubernetes/security.tf:536-544
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		536 | resource "aws_security_group_rule" "worker-ipip-legacy-self" {
    		537 |   security_group_id = aws_security_group.worker.id
    		538 | 
    		539 |   type      = "ingress"
    		540 |   protocol  = 94
    		541 |   from_port = 0
    		542 |   to_port   = 0
    		543 |   self      = true
    		544 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.worker-egress
    	File: /aws/fedora-coreos/kubernetes/security.tf:546-555
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		546 | resource "aws_security_group_rule" "worker-egress" {
    		547 |   security_group_id = aws_security_group.worker.id
    		548 | 
    		549 |   type             = "egress"
    		550 |   protocol         = "-1"
    		551 |   from_port        = 0
    		552 |   to_port          = 0
    		553 |   cidr_blocks      = ["0.0.0.0/0"]
    		554 |   ipv6_cidr_blocks = ["::/0"]
    		555 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: module.workers.aws_launch_template.worker
    	File: /aws/fedora-coreos/kubernetes/workers/workers.tf:55-97
    	Calling File: /aws/fedora-coreos/kubernetes/workers.tf:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		55 | resource "aws_launch_template" "worker" {
    		56 |   name_prefix   = "${var.name}-worker"
    		57 |   image_id      = local.ami_id
    		58 |   instance_type = var.instance_type
    		59 |   monitoring {
    		60 |     enabled = false
    		61 |   }
    		62 | 
    		63 |   user_data = sensitive(base64encode(data.ct_config.worker.rendered))
    		64 | 
    		65 |   # storage
    		66 |   ebs_optimized = true
    		67 |   block_device_mappings {
    		68 |     device_name = "/dev/xvda"
    		69 |     ebs {
    		70 |       volume_type           = var.disk_type
    		71 |       volume_size           = var.disk_size
    		72 |       iops                  = var.disk_iops
    		73 |       encrypted             = true
    		74 |       delete_on_termination = true
    		75 |     }
    		76 |   }
    		77 | 
    		78 |   # network
    		79 |   vpc_security_group_ids = var.security_groups
    		80 | 
    		81 |   # spot
    		82 |   dynamic "instance_market_options" {
    		83 |     for_each = var.spot_price > 0 ? [1] : []
    		84 |     content {
    		85 |       market_type = "spot"
    		86 |       spot_options {
    		87 |         max_price = var.spot_price
    		88 |       }
    		89 |     }
    		90 |   }
    		91 | 
    		92 |   lifecycle {
    		93 |     // Override the default destroy and replace update behavior
    		94 |     create_before_destroy = true
    		95 |     ignore_changes        = [image_id]
    		96 |   }
    		97 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.controllers[0]
    	File: /aws/flatcar-linux/kubernetes/controllers.tf:17-49
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		17 | resource "aws_instance" "controllers" {
    		18 |   count = var.controller_count
    		19 | 
    		20 |   tags = {
    		21 |     Name = "${var.cluster_name}-controller-${count.index}"
    		22 |   }
    		23 | 
    		24 |   instance_type = var.controller_type
    		25 | 
    		26 |   ami       = local.ami_id
    		27 |   user_data = data.ct_config.controllers.*.rendered[count.index]
    		28 | 
    		29 |   # storage
    		30 |   root_block_device {
    		31 |     volume_type = var.disk_type
    		32 |     volume_size = var.disk_size
    		33 |     iops        = var.disk_iops
    		34 |     encrypted   = true
    		35 |     tags        = {}
    		36 |   }
    		37 | 
    		38 |   # network
    		39 |   associate_public_ip_address = true
    		40 |   subnet_id                   = element(aws_subnet.public.*.id, count.index)
    		41 |   vpc_security_group_ids      = [aws_security_group.controller.id]
    		42 | 
    		43 |   lifecycle {
    		44 |     ignore_changes = [
    		45 |       ami,
    		46 |       user_data,
    		47 |     ]
    		48 |   }
    		49 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.controllers[0]
    	File: /aws/flatcar-linux/kubernetes/controllers.tf:17-49
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		17 | resource "aws_instance" "controllers" {
    		18 |   count = var.controller_count
    		19 | 
    		20 |   tags = {
    		21 |     Name = "${var.cluster_name}-controller-${count.index}"
    		22 |   }
    		23 | 
    		24 |   instance_type = var.controller_type
    		25 | 
    		26 |   ami       = local.ami_id
    		27 |   user_data = data.ct_config.controllers.*.rendered[count.index]
    		28 | 
    		29 |   # storage
    		30 |   root_block_device {
    		31 |     volume_type = var.disk_type
    		32 |     volume_size = var.disk_size
    		33 |     iops        = var.disk_iops
    		34 |     encrypted   = true
    		35 |     tags        = {}
    		36 |   }
    		37 | 
    		38 |   # network
    		39 |   associate_public_ip_address = true
    		40 |   subnet_id                   = element(aws_subnet.public.*.id, count.index)
    		41 |   vpc_security_group_ids      = [aws_security_group.controller.id]
    		42 | 
    		43 |   lifecycle {
    		44 |     ignore_changes = [
    		45 |       ami,
    		46 |       user_data,
    		47 |     ]
    		48 |   }
    		49 | }
    
    Check: CKV_AWS_88: "EC2 instance should not have public IP."
    	FAILED for resource: aws_instance.controllers[0]
    	File: /aws/flatcar-linux/kubernetes/controllers.tf:17-49
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-12.html
    
    		17 | resource "aws_instance" "controllers" {
    		18 |   count = var.controller_count
    		19 | 
    		20 |   tags = {
    		21 |     Name = "${var.cluster_name}-controller-${count.index}"
    		22 |   }
    		23 | 
    		24 |   instance_type = var.controller_type
    		25 | 
    		26 |   ami       = local.ami_id
    		27 |   user_data = data.ct_config.controllers.*.rendered[count.index]
    		28 | 
    		29 |   # storage
    		30 |   root_block_device {
    		31 |     volume_type = var.disk_type
    		32 |     volume_size = var.disk_size
    		33 |     iops        = var.disk_iops
    		34 |     encrypted   = true
    		35 |     tags        = {}
    		36 |   }
    		37 | 
    		38 |   # network
    		39 |   associate_public_ip_address = true
    		40 |   subnet_id                   = element(aws_subnet.public.*.id, count.index)
    		41 |   vpc_security_group_ids      = [aws_security_group.controller.id]
    		42 | 
    		43 |   lifecycle {
    		44 |     ignore_changes = [
    		45 |       ami,
    		46 |       user_data,
    		47 |     ]
    		48 |   }
    		49 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.controllers[0]
    	File: /aws/flatcar-linux/kubernetes/controllers.tf:17-49
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		17 | resource "aws_instance" "controllers" {
    		18 |   count = var.controller_count
    		19 | 
    		20 |   tags = {
    		21 |     Name = "${var.cluster_name}-controller-${count.index}"
    		22 |   }
    		23 | 
    		24 |   instance_type = var.controller_type
    		25 | 
    		26 |   ami       = local.ami_id
    		27 |   user_data = data.ct_config.controllers.*.rendered[count.index]
    		28 | 
    		29 |   # storage
    		30 |   root_block_device {
    		31 |     volume_type = var.disk_type
    		32 |     volume_size = var.disk_size
    		33 |     iops        = var.disk_iops
    		34 |     encrypted   = true
    		35 |     tags        = {}
    		36 |   }
    		37 | 
    		38 |   # network
    		39 |   associate_public_ip_address = true
    		40 |   subnet_id                   = element(aws_subnet.public.*.id, count.index)
    		41 |   vpc_security_group_ids      = [aws_security_group.controller.id]
    		42 | 
    		43 |   lifecycle {
    		44 |     ignore_changes = [
    		45 |       ami,
    		46 |       user_data,
    		47 |     ]
    		48 |   }
    		49 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.public
    	File: /aws/flatcar-linux/kubernetes/network.tf:47-61
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		47 | resource "aws_subnet" "public" {
    		48 |   count = length(data.aws_availability_zones.all.names)
    		49 | 
    		50 |   vpc_id            = aws_vpc.network.id
    		51 |   availability_zone = data.aws_availability_zones.all.names[count.index]
    		52 | 
    		53 |   cidr_block                      = cidrsubnet(var.host_cidr, 4, count.index)
    		54 |   ipv6_cidr_block                 = cidrsubnet(aws_vpc.network.ipv6_cidr_block, 8, count.index)
    		55 |   map_public_ip_on_launch         = true
    		56 |   assign_ipv6_address_on_creation = true
    		57 | 
    		58 |   tags = {
    		59 |     "Name" = "${var.cluster_name}-public-${count.index}"
    		60 |   }
    		61 | }
    
    Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
    	FAILED for resource: aws_lb.nlb
    	File: /aws/flatcar-linux/kubernetes/nlb.tf:17-26
    	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
    
    		17 | resource "aws_lb" "nlb" {
    		18 |   name               = "${var.cluster_name}-nlb"
    		19 |   load_balancer_type = "network"
    		20 |   ip_address_type    = "dualstack"
    		21 |   internal           = false
    		22 | 
    		23 |   subnets = aws_subnet.public.*.id
    		24 | 
    		25 |   enable_cross_zone_load_balancing = true
    		26 | }
    
    Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
    	FAILED for resource: aws_lb.nlb
    	File: /aws/flatcar-linux/kubernetes/nlb.tf:17-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
    
    		17 | resource "aws_lb" "nlb" {
    		18 |   name               = "${var.cluster_name}-nlb"
    		19 |   load_balancer_type = "network"
    		20 |   ip_address_type    = "dualstack"
    		21 |   internal           = false
    		22 | 
    		23 |   subnets = aws_subnet.public.*.id
    		24 | 
    		25 |   enable_cross_zone_load_balancing = true
    		26 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-icmp
    	File: /aws/flatcar-linux/kubernetes/security.tf:16-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		16 | resource "aws_security_group_rule" "controller-icmp" {
    		17 |   count = var.networking == "cilium" ? 1 : 0
    		18 | 
    		19 |   security_group_id = aws_security_group.controller.id
    		20 | 
    		21 |   type                     = "ingress"
    		22 |   protocol                 = "icmp"
    		23 |   from_port                = 8
    		24 |   to_port                  = 0
    		25 |   source_security_group_id = aws_security_group.worker.id
    		26 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-icmp-self
    	File: /aws/flatcar-linux/kubernetes/security.tf:28-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		28 | resource "aws_security_group_rule" "controller-icmp-self" {
    		29 |   count = var.networking == "cilium" ? 1 : 0
    		30 | 
    		31 |   security_group_id = aws_security_group.controller.id
    		32 | 
    		33 |   type      = "ingress"
    		34 |   protocol  = "icmp"
    		35 |   from_port = 8
    		36 |   to_port   = 0
    		37 |   self      = true
    		38 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-ssh
    	File: /aws/flatcar-linux/kubernetes/security.tf:40-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		40 | resource "aws_security_group_rule" "controller-ssh" {
    		41 |   security_group_id = aws_security_group.controller.id
    		42 | 
    		43 |   type        = "ingress"
    		44 |   protocol    = "tcp"
    		45 |   from_port   = 22
    		46 |   to_port     = 22
    		47 |   cidr_blocks = ["0.0.0.0/0"]
    		48 | }
    
    Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
    	FAILED for resource: aws_security_group_rule.controller-ssh
    	File: /aws/flatcar-linux/kubernetes/security.tf:40-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
    
    		40 | resource "aws_security_group_rule" "controller-ssh" {
    		41 |   security_group_id = aws_security_group.controller.id
    		42 | 
    		43 |   type        = "ingress"
    		44 |   protocol    = "tcp"
    		45 |   from_port   = 22
    		46 |   to_port     = 22
    		47 |   cidr_blocks = ["0.0.0.0/0"]
    		48 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-etcd
    	File: /aws/flatcar-linux/kubernetes/security.tf:50-58
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		50 | resource "aws_security_group_rule" "controller-etcd" {
    		51 |   security_group_id = aws_security_group.controller.id
    		52 | 
    		53 |   type      = "ingress"
    		54 |   protocol  = "tcp"
    		55 |   from_port = 2379
    		56 |   to_port   = 2380
    		57 |   self      = true
    		58 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-etcd-metrics
    	File: /aws/flatcar-linux/kubernetes/security.tf:61-69
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		61 | resource "aws_security_group_rule" "controller-etcd-metrics" {
    		62 |   security_group_id = aws_security_group.controller.id
    		63 | 
    		64 |   type                     = "ingress"
    		65 |   protocol                 = "tcp"
    		66 |   from_port                = 2381
    		67 |   to_port                  = 2381
    		68 |   source_security_group_id = aws_security_group.worker.id
    		69 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-cilium-health
    	File: /aws/flatcar-linux/kubernetes/security.tf:71-81
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		71 | resource "aws_security_group_rule" "controller-cilium-health" {
    		72 |   count = var.networking == "cilium" ? 1 : 0
    		73 | 
    		74 |   security_group_id = aws_security_group.controller.id
    		75 | 
    		76 |   type                     = "ingress"
    		77 |   protocol                 = "tcp"
    		78 |   from_port                = 4240
    		79 |   to_port                  = 4240
    		80 |   source_security_group_id = aws_security_group.worker.id
    		81 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-cilium-health-self
    	File: /aws/flatcar-linux/kubernetes/security.tf:83-93
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		83 | resource "aws_security_group_rule" "controller-cilium-health-self" {
    		84 |   count = var.networking == "cilium" ? 1 : 0
    		85 | 
    		86 |   security_group_id = aws_security_group.controller.id
    		87 | 
    		88 |   type      = "ingress"
    		89 |   protocol  = "tcp"
    		90 |   from_port = 4240
    		91 |   to_port   = 4240
    		92 |   self      = true
    		93 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-vxlan
    	File: /aws/flatcar-linux/kubernetes/security.tf:96-106
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		96  | resource "aws_security_group_rule" "controller-vxlan" {
    		97  |   count = var.networking == "flannel" ? 1 : 0
    		98  | 
    		99  |   security_group_id = aws_security_group.controller.id
    		100 | 
    		101 |   type                     = "ingress"
    		102 |   protocol                 = "udp"
    		103 |   from_port                = 4789
    		104 |   to_port                  = 4789
    		105 |   source_security_group_id = aws_security_group.worker.id
    		106 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-vxlan-self
    	File: /aws/flatcar-linux/kubernetes/security.tf:108-118
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		108 | resource "aws_security_group_rule" "controller-vxlan-self" {
    		109 |   count = var.networking == "flannel" ? 1 : 0
    		110 | 
    		111 |   security_group_id = aws_security_group.controller.id
    		112 | 
    		113 |   type      = "ingress"
    		114 |   protocol  = "udp"
    		115 |   from_port = 4789
    		116 |   to_port   = 4789
    		117 |   self      = true
    		118 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-apiserver
    	File: /aws/flatcar-linux/kubernetes/security.tf:120-128
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		120 | resource "aws_security_group_rule" "controller-apiserver" {
    		121 |   security_group_id = aws_security_group.controller.id
    		122 | 
    		123 |   type        = "ingress"
    		124 |   protocol    = "tcp"
    		125 |   from_port   = 6443
    		126 |   to_port     = 6443
    		127 |   cidr_blocks = ["0.0.0.0/0"]
    		128 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-linux-vxlan
    	File: /aws/flatcar-linux/kubernetes/security.tf:131-141
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		131 | resource "aws_security_group_rule" "controller-linux-vxlan" {
    		132 |   count = var.networking == "cilium" ? 1 : 0
    		133 | 
    		134 |   security_group_id = aws_security_group.controller.id
    		135 | 
    		136 |   type                     = "ingress"
    		137 |   protocol                 = "udp"
    		138 |   from_port                = 8472
    		139 |   to_port                  = 8472
    		140 |   source_security_group_id = aws_security_group.worker.id
    		141 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-linux-vxlan-self
    	File: /aws/flatcar-linux/kubernetes/security.tf:143-153
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		143 | resource "aws_security_group_rule" "controller-linux-vxlan-self" {
    		144 |   count = var.networking == "cilium" ? 1 : 0
    		145 | 
    		146 |   security_group_id = aws_security_group.controller.id
    		147 | 
    		148 |   type      = "ingress"
    		149 |   protocol  = "udp"
    		150 |   from_port = 8472
    		151 |   to_port   = 8472
    		152 |   self      = true
    		153 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-node-exporter
    	File: /aws/flatcar-linux/kubernetes/security.tf:156-164
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		156 | resource "aws_security_group_rule" "controller-node-exporter" {
    		157 |   security_group_id = aws_security_group.controller.id
    		158 | 
    		159 |   type                     = "ingress"
    		160 |   protocol                 = "tcp"
    		161 |   from_port                = 9100
    		162 |   to_port                  = 9100
    		163 |   source_security_group_id = aws_security_group.worker.id
    		164 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.kube-proxy-metrics
    	File: /aws/flatcar-linux/kubernetes/security.tf:167-175
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		167 | resource "aws_security_group_rule" "kube-proxy-metrics" {
    		168 |   security_group_id = aws_security_group.controller.id
    		169 | 
    		170 |   type                     = "ingress"
    		171 |   protocol                 = "tcp"
    		172 |   from_port                = 10249
    		173 |   to_port                  = 10249
    		174 |   source_security_group_id = aws_security_group.worker.id
    		175 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-kubelet
    	File: /aws/flatcar-linux/kubernetes/security.tf:178-186
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		178 | resource "aws_security_group_rule" "controller-kubelet" {
    		179 |   security_group_id = aws_security_group.controller.id
    		180 | 
    		181 |   type                     = "ingress"
    		182 |   protocol                 = "tcp"
    		183 |   from_port                = 10250
    		184 |   to_port                  = 10250
    		185 |   source_security_group_id = aws_security_group.worker.id
    		186 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-kubelet-self
    	File: /aws/flatcar-linux/kubernetes/security.tf:188-196
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		188 | resource "aws_security_group_rule" "controller-kubelet-self" {
    		189 |   security_group_id = aws_security_group.controller.id
    		190 | 
    		191 |   type      = "ingress"
    		192 |   protocol  = "tcp"
    		193 |   from_port = 10250
    		194 |   to_port   = 10250
    		195 |   self      = true
    		196 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-scheduler-metrics
    	File: /aws/flatcar-linux/kubernetes/security.tf:199-207
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		199 | resource "aws_security_group_rule" "controller-scheduler-metrics" {
    		200 |   security_group_id = aws_security_group.controller.id
    		201 | 
    		202 |   type                     = "ingress"
    		203 |   protocol                 = "tcp"
    		204 |   from_port                = 10259
    		205 |   to_port                  = 10259
    		206 |   source_security_group_id = aws_security_group.worker.id
    		207 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-manager-metrics
    	File: /aws/flatcar-linux/kubernetes/security.tf:210-218
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		210 | resource "aws_security_group_rule" "controller-manager-metrics" {
    		211 |   security_group_id = aws_security_group.controller.id
    		212 | 
    		213 |   type                     = "ingress"
    		214 |   protocol                 = "tcp"
    		215 |   from_port                = 10257
    		216 |   to_port                  = 10257
    		217 |   source_security_group_id = aws_security_group.worker.id
    		218 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-bgp
    	File: /aws/flatcar-linux/kubernetes/security.tf:220-228
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		220 | resource "aws_security_group_rule" "controller-bgp" {
    		221 |   security_group_id = aws_security_group.controller.id
    		222 | 
    		223 |   type                     = "ingress"
    		224 |   protocol                 = "tcp"
    		225 |   from_port                = 179
    		226 |   to_port                  = 179
    		227 |   source_security_group_id = aws_security_group.worker.id
    		228 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-bgp-self
    	File: /aws/flatcar-linux/kubernetes/security.tf:230-238
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		230 | resource "aws_security_group_rule" "controller-bgp-self" {
    		231 |   security_group_id = aws_security_group.controller.id
    		232 | 
    		233 |   type      = "ingress"
    		234 |   protocol  = "tcp"
    		235 |   from_port = 179
    		236 |   to_port   = 179
    		237 |   self      = true
    		238 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-ipip
    	File: /aws/flatcar-linux/kubernetes/security.tf:240-248
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		240 | resource "aws_security_group_rule" "controller-ipip" {
    		241 |   security_group_id = aws_security_group.controller.id
    		242 | 
    		243 |   type                     = "ingress"
    		244 |   protocol                 = 4
    		245 |   from_port                = 0
    		246 |   to_port                  = 0
    		247 |   source_security_group_id = aws_security_group.worker.id
    		248 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-ipip-self
    	File: /aws/flatcar-linux/kubernetes/security.tf:250-258
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		250 | resource "aws_security_group_rule" "controller-ipip-self" {
    		251 |   security_group_id = aws_security_group.controller.id
    		252 | 
    		253 |   type      = "ingress"
    		254 |   protocol  = 4
    		255 |   from_port = 0
    		256 |   to_port   = 0
    		257 |   self      = true
    		258 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-ipip-legacy
    	File: /aws/flatcar-linux/kubernetes/security.tf:260-268
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		260 | resource "aws_security_group_rule" "controller-ipip-legacy" {
    		261 |   security_group_id = aws_security_group.controller.id
    		262 | 
    		263 |   type                     = "ingress"
    		264 |   protocol                 = 94
    		265 |   from_port                = 0
    		266 |   to_port                  = 0
    		267 |   source_security_group_id = aws_security_group.worker.id
    		268 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-ipip-legacy-self
    	File: /aws/flatcar-linux/kubernetes/security.tf:270-278
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		270 | resource "aws_security_group_rule" "controller-ipip-legacy-self" {
    		271 |   security_group_id = aws_security_group.controller.id
    		272 | 
    		273 |   type      = "ingress"
    		274 |   protocol  = 94
    		275 |   from_port = 0
    		276 |   to_port   = 0
    		277 |   self      = true
    		278 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.controller-egress
    	File: /aws/flatcar-linux/kubernetes/security.tf:280-289
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		280 | resource "aws_security_group_rule" "controller-egress" {
    		281 |   security_group_id = aws_security_group.controller.id
    		282 | 
    		283 |   type             = "egress"
    		284 |   protocol         = "-1"
    		285 |   from_port        = 0
    		286 |   to_port          = 0
    		287 |   cidr_blocks      = ["0.0.0.0/0"]
    		288 |   ipv6_cidr_blocks = ["::/0"]
    		289 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.worker-icmp
    	File: /aws/flatcar-linux/kubernetes/security.tf:304-314
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		304 | resource "aws_security_group_rule" "worker-icmp" {
    		305 |   count = var.networking == "cilium" ? 1 : 0
    		306 | 
    		307 |   security_group_id = aws_security_group.worker.id
    		308 | 
    		309 |   type                     = "ingress"
    		310 |   protocol                 = "icmp"
    		311 |   from_port                = 8
    		312 |   to_port                  = 0
    		313 |   source_security_group_id = aws_security_group.controller.id
    		314 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.worker-icmp-self
    	File: /aws/flatcar-linux/kubernetes/security.tf:316-326
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		316 | resource "aws_security_group_rule" "worker-icmp-self" {
    		317 |   count = var.networking == "cilium" ? 1 : 0
    		318 | 
    		319 |   security_group_id = aws_security_group.worker.id
    		320 | 
    		321 |   type      = "ingress"
    		322 |   protocol  = "icmp"
    		323 |   from_port = 8
    		324 |   to_port   = 0
    		325 |   self      = true
    		326 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.worker-ssh
    	File: /aws/flatcar-linux/kubernetes/security.tf:328-336
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		328 | resource "aws_security_group_rule" "worker-ssh" {
    		329 |   security_group_id = aws_security_group.worker.id
    		330 | 
    		331 |   type        = "ingress"
    		332 |   protocol    = "tcp"
    		333 |   from_port   = 22
    		334 |   to_port     = 22
    		335 |   cidr_blocks = ["0.0.0.0/0"]
    		336 | }
    
    Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
    	FAILED for resource: aws_security_group_rule.worker-ssh
    	File: /aws/flatcar-linux/kubernetes/security.tf:328-336
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
    
    		328 | resource "aws_security_group_rule" "worker-ssh" {
    		329 |   security_group_id = aws_security_group.worker.id
    		330 | 
    		331 |   type        = "ingress"
    		332 |   protocol    = "tcp"
    		333 |   from_port   = 22
    		334 |   to_port     = 22
    		335 |   cidr_blocks = ["0.0.0.0/0"]
    		336 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.worker-http
    	File: /aws/flatcar-linux/kubernetes/security.tf:338-346
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		338 | resource "aws_security_group_rule" "worker-http" {
    		339 |   security_group_id = aws_security_group.worker.id
    		340 | 
    		341 |   type        = "ingress"
    		342 |   protocol    = "tcp"
    		343 |   from_port   = 80
    		344 |   to_port     = 80
    		345 |   cidr_blocks = ["0.0.0.0/0"]
    		346 | }
    
    Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
    	FAILED for resource: aws_security_group_rule.worker-http
    	File: /aws/flatcar-linux/kubernetes/security.tf:338-346
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
    
    		338 | resource "aws_security_group_rule" "worker-http" {
    		339 |   security_group_id = aws_security_group.worker.id
    		340 | 
    		341 |   type        = "ingress"
    		342 |   protocol    = "tcp"
    		343 |   from_port   = 80
    		344 |   to_port     = 80
    		345 |   cidr_blocks = ["0.0.0.0/0"]
    		346 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.worker-https
    	File: /aws/flatcar-linux/kubernetes/security.tf:348-356
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		348 | resource "aws_security_group_rule" "worker-https" {
    		349 |   security_group_id = aws_security_group.worker.id
    		350 | 
    		351 |   type        = "ingress"
    		352 |   protocol    = "tcp"
    		353 |   from_port   = 443
    		354 |   to_port     = 443
    		355 |   cidr_blocks = ["0.0.0.0/0"]
    		356 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.worker-cilium-health
    	File: /aws/flatcar-linux/kubernetes/security.tf:358-368
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		358 | resource "aws_security_group_rule" "worker-cilium-health" {
    		359 |   count = var.networking == "cilium" ? 1 : 0
    		360 | 
    		361 |   security_group_id = aws_security_group.worker.id
    		362 | 
    		363 |   type                     = "ingress"
    		364 |   protocol                 = "tcp"
    		365 |   from_port                = 4240
    		366 |   to_port                  = 4240
    		367 |   source_security_group_id = aws_security_group.controller.id
    		368 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.worker-cilium-health-self
    	File: /aws/flatcar-linux/kubernetes/security.tf:370-380
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		370 | resource "aws_security_group_rule" "worker-cilium-health-self" {
    		371 |   count = var.networking == "cilium" ? 1 : 0
    		372 | 
    		373 |   security_group_id = aws_security_group.worker.id
    		374 | 
    		375 |   type      = "ingress"
    		376 |   protocol  = "tcp"
    		377 |   from_port = 4240
    		378 |   to_port   = 4240
    		379 |   self      = true
    		380 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.worker-vxlan
    	File: /aws/flatcar-linux/kubernetes/security.tf:383-393
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		383 | resource "aws_security_group_rule" "worker-vxlan" {
    		384 |   count = var.networking == "flannel" ? 1 : 0
    		385 | 
    		386 |   security_group_id = aws_security_group.worker.id
    		387 | 
    		388 |   type                     = "ingress"
    		389 |   protocol                 = "udp"
    		390 |   from_port                = 4789
    		391 |   to_port                  = 4789
    		392 |   source_security_group_id = aws_security_group.controller.id
    		393 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.worker-vxlan-self
    	File: /aws/flatcar-linux/kubernetes/security.tf:395-405
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		395 | resource "aws_security_group_rule" "worker-vxlan-self" {
    		396 |   count = var.networking == "flannel" ? 1 : 0
    		397 | 
    		398 |   security_group_id = aws_security_group.worker.id
    		399 | 
    		400 |   type      = "ingress"
    		401 |   protocol  = "udp"
    		402 |   from_port = 4789
    		403 |   to_port   = 4789
    		404 |   self      = true
    		405 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.worker-linux-vxlan
    	File: /aws/flatcar-linux/kubernetes/security.tf:408-418
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		408 | resource "aws_security_group_rule" "worker-linux-vxlan" {
    		409 |   count = var.networking == "cilium" ? 1 : 0
    		410 | 
    		411 |   security_group_id = aws_security_group.worker.id
    		412 | 
    		413 |   type                     = "ingress"
    		414 |   protocol                 = "udp"
    		415 |   from_port                = 8472
    		416 |   to_port                  = 8472
    		417 |   source_security_group_id = aws_security_group.controller.id
    		418 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.worker-linux-vxlan-self
    	File: /aws/flatcar-linux/kubernetes/security.tf:420-430
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		420 | resource "aws_security_group_rule" "worker-linux-vxlan-self" {
    		421 |   count = var.networking == "cilium" ? 1 : 0
    		422 | 
    		423 |   security_group_id = aws_security_group.worker.id
    		424 | 
    		425 |   type      = "ingress"
    		426 |   protocol  = "udp"
    		427 |   from_port = 8472
    		428 |   to_port   = 8472
    		429 |   self      = true
    		430 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.worker-node-exporter
    	File: /aws/flatcar-linux/kubernetes/security.tf:433-441
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		433 | resource "aws_security_group_rule" "worker-node-exporter" {
    		434 |   security_group_id = aws_security_group.worker.id
    		435 | 
    		436 |   type      = "ingress"
    		437 |   protocol  = "tcp"
    		438 |   from_port = 9100
    		439 |   to_port   = 9100
    		440 |   self      = true
    		441 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.worker-kube-proxy
    	File: /aws/flatcar-linux/kubernetes/security.tf:444-452
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		444 | resource "aws_security_group_rule" "worker-kube-proxy" {
    		445 |   security_group_id = aws_security_group.worker.id
    		446 | 
    		447 |   type      = "ingress"
    		448 |   protocol  = "tcp"
    		449 |   from_port = 10249
    		450 |   to_port   = 10249
    		451 |   self      = true
    		452 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.worker-kubelet
    	File: /aws/flatcar-linux/kubernetes/security.tf:455-463
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		455 | resource "aws_security_group_rule" "worker-kubelet" {
    		456 |   security_group_id = aws_security_group.worker.id
    		457 | 
    		458 |   type                     = "ingress"
    		459 |   protocol                 = "tcp"
    		460 |   from_port                = 10250
    		461 |   to_port                  = 10250
    		462 |   source_security_group_id = aws_security_group.controller.id
    		463 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.worker-kubelet-self
    	File: /aws/flatcar-linux/kubernetes/security.tf:466-474
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		466 | resource "aws_security_group_rule" "worker-kubelet-self" {
    		467 |   security_group_id = aws_security_group.worker.id
    		468 | 
    		469 |   type      = "ingress"
    		470 |   protocol  = "tcp"
    		471 |   from_port = 10250
    		472 |   to_port   = 10250
    		473 |   self      = true
    		474 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.ingress-health
    	File: /aws/flatcar-linux/kubernetes/security.tf:476-484
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		476 | resource "aws_security_group_rule" "ingress-health" {
    		477 |   security_group_id = aws_security_group.worker.id
    		478 | 
    		479 |   type        = "ingress"
    		480 |   protocol    = "tcp"
    		481 |   from_port   = 10254
    		482 |   to_port     = 10254
    		483 |   cidr_blocks = ["0.0.0.0/0"]
    		484 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.worker-bgp
    	File: /aws/flatcar-linux/kubernetes/security.tf:486-494
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		486 | resource "aws_security_group_rule" "worker-bgp" {
    		487 |   security_group_id = aws_security_group.worker.id
    		488 | 
    		489 |   type                     = "ingress"
    		490 |   protocol                 = "tcp"
    		491 |   from_port                = 179
    		492 |   to_port                  = 179
    		493 |   source_security_group_id = aws_security_group.controller.id
    		494 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.worker-bgp-self
    	File: /aws/flatcar-linux/kubernetes/security.tf:496-504
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		496 | resource "aws_security_group_rule" "worker-bgp-self" {
    		497 |   security_group_id = aws_security_group.worker.id
    		498 | 
    		499 |   type      = "ingress"
    		500 |   protocol  = "tcp"
    		501 |   from_port = 179
    		502 |   to_port   = 179
    		503 |   self      = true
    		504 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.worker-ipip
    	File: /aws/flatcar-linux/kubernetes/security.tf:506-514
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		506 | resource "aws_security_group_rule" "worker-ipip" {
    		507 |   security_group_id = aws_security_group.worker.id
    		508 | 
    		509 |   type                     = "ingress"
    		510 |   protocol                 = 4
    		511 |   from_port                = 0
    		512 |   to_port                  = 0
    		513 |   source_security_group_id = aws_security_group.controller.id
    		514 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.worker-ipip-self
    	File: /aws/flatcar-linux/kubernetes/security.tf:516-524
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		516 | resource "aws_security_group_rule" "worker-ipip-self" {
    		517 |   security_group_id = aws_security_group.worker.id
    		518 | 
    		519 |   type      = "ingress"
    		520 |   protocol  = 4
    		521 |   from_port = 0
    		522 |   to_port   = 0
    		523 |   self      = true
    		524 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.worker-ipip-legacy
    	File: /aws/flatcar-linux/kubernetes/security.tf:526-534
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		526 | resource "aws_security_group_rule" "worker-ipip-legacy" {
    		527 |   security_group_id = aws_security_group.worker.id
    		528 | 
    		529 |   type                     = "ingress"
    		530 |   protocol                 = 94
    		531 |   from_port                = 0
    		532 |   to_port                  = 0
    		533 |   source_security_group_id = aws_security_group.controller.id
    		534 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.worker-ipip-legacy-self
    	File: /aws/flatcar-linux/kubernetes/security.tf:536-544
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		536 | resource "aws_security_group_rule" "worker-ipip-legacy-self" {
    		537 |   security_group_id = aws_security_group.worker.id
    		538 | 
    		539 |   type      = "ingress"
    		540 |   protocol  = 94
    		541 |   from_port = 0
    		542 |   to_port   = 0
    		543 |   self      = true
    		544 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.worker-egress
    	File: /aws/flatcar-linux/kubernetes/security.tf:546-555
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		546 | resource "aws_security_group_rule" "worker-egress" {
    		547 |   security_group_id = aws_security_group.worker.id
    		548 | 
    		549 |   type             = "egress"
    		550 |   protocol         = "-1"
    		551 |   from_port        = 0
    		552 |   to_port          = 0
    		553 |   cidr_blocks      = ["0.0.0.0/0"]
    		554 |   ipv6_cidr_blocks = ["::/0"]
    		555 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: module.workers.aws_launch_template.worker
    	File: /aws/flatcar-linux/kubernetes/workers/workers.tf:55-97
    	Calling File: /aws/flatcar-linux/kubernetes/workers.tf:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		55 | resource "aws_launch_template" "worker" {
    		56 |   name_prefix   = "${var.name}-worker"
    		57 |   image_id      = local.ami_id
    		58 |   instance_type = var.instance_type
    		59 |   monitoring {
    		60 |     enabled = false
    		61 |   }
    		62 | 
    		63 |   user_data = sensitive(base64encode(data.ct_config.worker.rendered))
    		64 | 
    		65 |   # storage
    		66 |   ebs_optimized = true
    		67 |   block_device_mappings {
    		68 |     device_name = "/dev/xvda"
    		69 |     ebs {
    		70 |       volume_type           = var.disk_type
    		71 |       volume_size           = var.disk_size
    		72 |       iops                  = var.disk_iops
    		73 |       encrypted             = true
    		74 |       delete_on_termination = true
    		75 |     }
    		76 |   }
    		77 | 
    		78 |   # network
    		79 |   vpc_security_group_ids = var.security_groups
    		80 | 
    		81 |   # spot
    		82 |   dynamic "instance_market_options" {
    		83 |     for_each = var.spot_price > 0 ? [1] : []
    		84 |     content {
    		85 |       market_type = "spot"
    		86 |       spot_options {
    		87 |         max_price = var.spot_price
    		88 |       }
    		89 |     }
    		90 |   }
    		91 | 
    		92 |   lifecycle {
    		93 |     // Override the default destroy and replace update behavior
    		94 |     create_before_destroy = true
    		95 |     ignore_changes        = [image_id]
    		96 |   }
    		97 | }
    
    Check: CKV_AZURE_50: "Ensure Virtual Machine Extensions are not Installed"
    	FAILED for resource: azurerm_linux_virtual_machine.controllers[0]
    	File: /azure/fedora-coreos/kubernetes/controllers.tf:37-75
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-14.html
    
    		37 | resource "azurerm_linux_virtual_machine" "controllers" {
    		38 |   count               = var.controller_count
    		39 |   resource_group_name = azurerm_resource_group.cluster.name
    		40 | 
    		41 |   name                = "${var.cluster_name}-controller-${count.index}"
    		42 |   location            = var.region
    		43 |   availability_set_id = azurerm_availability_set.controllers.id
    		44 | 
    		45 |   size        = var.controller_type
    		46 |   custom_data = base64encode(data.ct_config.controllers.*.rendered[count.index])
    		47 | 
    		48 |   # storage
    		49 |   source_image_id = var.os_image
    		50 |   os_disk {
    		51 |     name                 = "${var.cluster_name}-controller-${count.index}"
    		52 |     caching              = "None"
    		53 |     disk_size_gb         = var.disk_size
    		54 |     storage_account_type = "Premium_LRS"
    		55 |   }
    		56 | 
    		57 |   # network
    		58 |   network_interface_ids = [
    		59 |     azurerm_network_interface.controllers.*.id[count.index]
    		60 |   ]
    		61 | 
    		62 |   # Azure requires setting admin_ssh_key, though Ignition custom_data handles it too
    		63 |   admin_username = "core"
    		64 |   admin_ssh_key {
    		65 |     username   = "core"
    		66 |     public_key = local.azure_authorized_key
    		67 |   }
    		68 | 
    		69 |   lifecycle {
    		70 |     ignore_changes = [
    		71 |       os_disk,
    		72 |       custom_data,
    		73 |     ]
    		74 |   }
    		75 | }
    
    Check: CKV_AZURE_10: "Ensure that SSH access is restricted from the internet"
    	FAILED for resource: azurerm_network_security_rule.controller-ssh
    	File: /azure/fedora-coreos/kubernetes/security.tf:25-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-3.html
    
    		25 | resource "azurerm_network_security_rule" "controller-ssh" {
    		26 |   resource_group_name = azurerm_resource_group.cluster.name
    		27 | 
    		28 |   name                         = "allow-ssh"
    		29 |   network_security_group_name  = azurerm_network_security_group.controller.name
    		30 |   priority                     = "2000"
    		31 |   access                       = "Allow"
    		32 |   direction                    = "Inbound"
    		33 |   protocol                     = "Tcp"
    		34 |   source_port_range            = "*"
    		35 |   destination_port_range       = "22"
    		36 |   source_address_prefix        = "*"
    		37 |   destination_address_prefixes = azurerm_subnet.controller.address_prefixes
    		38 | }
    
    Check: CKV_AZURE_160: "Ensure that HTTP (port 80) access is restricted from the internet"
    	FAILED for resource: azurerm_network_security_rule.worker-http
    	File: /azure/fedora-coreos/kubernetes/security.tf:270-283
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-azure-http-port-80-access-from-the-internet-is-restricted.html
    
    		270 | resource "azurerm_network_security_rule" "worker-http" {
    		271 |   resource_group_name = azurerm_resource_group.cluster.name
    		272 | 
    		273 |   name                         = "allow-http"
    		274 |   network_security_group_name  = azurerm_network_security_group.worker.name
    		275 |   priority                     = "2005"
    		276 |   access                       = "Allow"
    		277 |   direction                    = "Inbound"
    		278 |   protocol                     = "Tcp"
    		279 |   source_port_range            = "*"
    		280 |   destination_port_range       = "80"
    		281 |   source_address_prefix        = "*"
    		282 |   destination_address_prefixes = azurerm_subnet.worker.address_prefixes
    		283 | }
    
    Check: CKV_AZURE_178: "Ensure linux VM enables SSH with keys for secure communication"
    	FAILED for resource: module.workers.azurerm_linux_virtual_machine_scale_set.workers
    	File: /azure/fedora-coreos/kubernetes/workers/workers.tf:6-53
    	Calling File: /azure/fedora-coreos/kubernetes/workers.tf:1-25
    
    		6  | resource "azurerm_linux_virtual_machine_scale_set" "workers" {
    		7  |   resource_group_name = var.resource_group_name
    		8  | 
    		9  |   name      = "${var.name}-worker"
    		10 |   location  = var.region
    		11 |   sku       = var.vm_type
    		12 |   instances = var.worker_count
    		13 |   # instance name prefix for instances in the set
    		14 |   computer_name_prefix   = "${var.name}-worker"
    		15 |   single_placement_group = false
    		16 |   custom_data            = base64encode(data.ct_config.worker.rendered)
    		17 | 
    		18 |   # storage
    		19 |   source_image_id = var.os_image
    		20 |   os_disk {
    		21 |     storage_account_type = "Standard_LRS"
    		22 |     caching              = "ReadWrite"
    		23 |   }
    		24 | 
    		25 |   # Azure requires setting admin_ssh_key, though Ignition custom_data handles it too
    		26 |   admin_username = "core"
    		27 |   admin_ssh_key {
    		28 |     username   = "core"
    		29 |     public_key = var.azure_authorized_key
    		30 |   }
    		31 | 
    		32 |   # network
    		33 |   network_interface {
    		34 |     name                      = "nic0"
    		35 |     primary                   = true
    		36 |     network_security_group_id = var.security_group_id
    		37 | 
    		38 |     ip_configuration {
    		39 |       name      = "ip0"
    		40 |       primary   = true
    		41 |       subnet_id = var.subnet_id
    		42 | 
    		43 |       # backend address pool to which the NIC should be added
    		44 |       load_balancer_backend_address_pool_ids = [var.backend_address_pool_id]
    		45 |     }
    		46 |   }
    		47 | 
    		48 |   # lifecycle
    		49 |   upgrade_mode = "Manual"
    		50 |   # eviction policy may only be set when priority is Spot
    		51 |   priority        = var.priority
    		52 |   eviction_policy = var.priority == "Spot" ? "Delete" : null
    		53 | }
    
    Check: CKV_AZURE_97: "Ensure that Virtual machine scale sets have encryption at host enabled"
    	FAILED for resource: module.workers.azurerm_linux_virtual_machine_scale_set.workers
    	File: /azure/fedora-coreos/kubernetes/workers/workers.tf:6-53
    	Calling File: /azure/fedora-coreos/kubernetes/workers.tf:1-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-virtual-machine-scale-sets-have-encryption-at-host-enabled.html
    
    		6  | resource "azurerm_linux_virtual_machine_scale_set" "workers" {
    		7  |   resource_group_name = var.resource_group_name
    		8  | 
    		9  |   name      = "${var.name}-worker"
    		10 |   location  = var.region
    		11 |   sku       = var.vm_type
    		12 |   instances = var.worker_count
    		13 |   # instance name prefix for instances in the set
    		14 |   computer_name_prefix   = "${var.name}-worker"
    		15 |   single_placement_group = false
    		16 |   custom_data            = base64encode(data.ct_config.worker.rendered)
    		17 | 
    		18 |   # storage
    		19 |   source_image_id = var.os_image
    		20 |   os_disk {
    		21 |     storage_account_type = "Standard_LRS"
    		22 |     caching              = "ReadWrite"
    		23 |   }
    		24 | 
    		25 |   # Azure requires setting admin_ssh_key, though Ignition custom_data handles it too
    		26 |   admin_username = "core"
    		27 |   admin_ssh_key {
    		28 |     username   = "core"
    		29 |     public_key = var.azure_authorized_key
    		30 |   }
    		31 | 
    		32 |   # network
    		33 |   network_interface {
    		34 |     name                      = "nic0"
    		35 |     primary                   = true
    		36 |     network_security_group_id = var.security_group_id
    		37 | 
    		38 |     ip_configuration {
    		39 |       name      = "ip0"
    		40 |       primary   = true
    		41 |       subnet_id = var.subnet_id
    		42 | 
    		43 |       # backend address pool to which the NIC should be added
    		44 |       load_balancer_backend_address_pool_ids = [var.backend_address_pool_id]
    		45 |     }
    		46 |   }
    		47 | 
    		48 |   # lifecycle
    		49 |   upgrade_mode = "Manual"
    		50 |   # eviction policy may only be set when priority is Spot
    		51 |   priority        = var.priority
    		52 |   eviction_policy = var.priority == "Spot" ? "Delete" : null
    		53 | }
    
    Check: CKV_AZURE_49: "Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead)"
    	FAILED for resource: module.workers.azurerm_linux_virtual_machine_scale_set.workers
    	File: /azure/fedora-coreos/kubernetes/workers/workers.tf:6-53
    	Calling File: /azure/fedora-coreos/kubernetes/workers.tf:1-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-13.html
    
    		6  | resource "azurerm_linux_virtual_machine_scale_set" "workers" {
    		7  |   resource_group_name = var.resource_group_name
    		8  | 
    		9  |   name      = "${var.name}-worker"
    		10 |   location  = var.region
    		11 |   sku       = var.vm_type
    		12 |   instances = var.worker_count
    		13 |   # instance name prefix for instances in the set
    		14 |   computer_name_prefix   = "${var.name}-worker"
    		15 |   single_placement_group = false
    		16 |   custom_data            = base64encode(data.ct_config.worker.rendered)
    		17 | 
    		18 |   # storage
    		19 |   source_image_id = var.os_image
    		20 |   os_disk {
    		21 |     storage_account_type = "Standard_LRS"
    		22 |     caching              = "ReadWrite"
    		23 |   }
    		24 | 
    		25 |   # Azure requires setting admin_ssh_key, though Ignition custom_data handles it too
    		26 |   admin_username = "core"
    		27 |   admin_ssh_key {
    		28 |     username   = "core"
    		29 |     public_key = var.azure_authorized_key
    		30 |   }
    		31 | 
    		32 |   # network
    		33 |   network_interface {
    		34 |     name                      = "nic0"
    		35 |     primary                   = true
    		36 |     network_security_group_id = var.security_group_id
    		37 | 
    		38 |     ip_configuration {
    		39 |       name      = "ip0"
    		40 |       primary   = true
    		41 |       subnet_id = var.subnet_id
    		42 | 
    		43 |       # backend address pool to which the NIC should be added
    		44 |       load_balancer_backend_address_pool_ids = [var.backend_address_pool_id]
    		45 |     }
    		46 |   }
    		47 | 
    		48 |   # lifecycle
    		49 |   upgrade_mode = "Manual"
    		50 |   # eviction policy may only be set when priority is Spot
    		51 |   priority        = var.priority
    		52 |   eviction_policy = var.priority == "Spot" ? "Delete" : null
    		53 | }
    
    Check: CKV_AZURE_50: "Ensure Virtual Machine Extensions are not Installed"
    	FAILED for resource: azurerm_linux_virtual_machine.controllers[0]
    	File: /azure/flatcar-linux/kubernetes/controllers.tf:43-100
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-14.html
    
    		Too many code lines for this resource to display here. Please review the file in an IDE of your choice.
    Check: CKV_AZURE_10: "Ensure that SSH access is restricted from the internet"
    	FAILED for resource: azurerm_network_security_rule.controller-ssh
    	File: /azure/flatcar-linux/kubernetes/security.tf:25-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-3.html
    
    		25 | resource "azurerm_network_security_rule" "controller-ssh" {
    		26 |   resource_group_name = azurerm_resource_group.cluster.name
    		27 | 
    		28 |   name                         = "allow-ssh"
    		29 |   network_security_group_name  = azurerm_network_security_group.controller.name
    		30 |   priority                     = "2000"
    		31 |   access                       = "Allow"
    		32 |   direction                    = "Inbound"
    		33 |   protocol                     = "Tcp"
    		34 |   source_port_range            = "*"
    		35 |   destination_port_range       = "22"
    		36 |   source_address_prefix        = "*"
    		37 |   destination_address_prefixes = azurerm_subnet.controller.address_prefixes
    		38 | }
    
    Check: CKV_AZURE_160: "Ensure that HTTP (port 80) access is restricted from the internet"
    	FAILED for resource: azurerm_network_security_rule.worker-http
    	File: /azure/flatcar-linux/kubernetes/security.tf:270-283
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-azure-http-port-80-access-from-the-internet-is-restricted.html
    
    		270 | resource "azurerm_network_security_rule" "worker-http" {
    		271 |   resource_group_name = azurerm_resource_group.cluster.name
    		272 | 
    		273 |   name                         = "allow-http"
    		274 |   network_security_group_name  = azurerm_network_security_group.worker.name
    		275 |   priority                     = "2005"
    		276 |   access                       = "Allow"
    		277 |   direction                    = "Inbound"
    		278 |   protocol                     = "Tcp"
    		279 |   source_port_range            = "*"
    		280 |   destination_port_range       = "80"
    		281 |   source_address_prefix        = "*"
    		282 |   destination_address_prefixes = azurerm_subnet.worker.address_prefixes
    		283 | }
    
    Check: CKV_AZURE_97: "Ensure that Virtual machine scale sets have encryption at host enabled"
    	FAILED for resource: module.workers.azurerm_linux_virtual_machine_scale_set.workers
    	File: /azure/flatcar-linux/kubernetes/workers/workers.tf:11-80
    	Calling File: /azure/flatcar-linux/kubernetes/workers.tf:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-virtual-machine-scale-sets-have-encryption-at-host-enabled.html
    
    		Too many code lines for this resource to display here. Please review the file in an IDE of your choice.
    Check: CKV_AZURE_49: "Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead)"
    	FAILED for resource: module.workers.azurerm_linux_virtual_machine_scale_set.workers
    	File: /azure/flatcar-linux/kubernetes/workers/workers.tf:11-80
    	Calling File: /azure/flatcar-linux/kubernetes/workers.tf:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-13.html
    
    		Too many code lines for this resource to display here. Please review the file in an IDE of your choice.
    Check: CKV_DIO_2: "Ensure the droplet specifies an SSH key"
    	FAILED for resource: digitalocean_droplet.controllers[0]
    	File: /digital-ocean/fedora-coreos/kubernetes/controllers.tf:34-58
    
    		34 | resource "digitalocean_droplet" "controllers" {
    		35 |   count = var.controller_count
    		36 | 
    		37 |   name   = "${var.cluster_name}-controller-${count.index}"
    		38 |   region = var.region
    		39 | 
    		40 |   image = var.os_image
    		41 |   size  = var.controller_type
    		42 | 
    		43 |   # network
    		44 |   vpc_uuid = digitalocean_vpc.network.id
    		45 |   # TODO: Only official DigitalOcean images support IPv6
    		46 |   ipv6 = false
    		47 | 
    		48 |   user_data = data.ct_config.controllers.*.rendered[count.index]
    		49 |   ssh_keys  = var.ssh_fingerprints
    		50 | 
    		51 |   tags = [
    		52 |     digitalocean_tag.controllers.id,
    		53 |   ]
    		54 | 
    		55 |   lifecycle {
    		56 |     ignore_changes = [user_data]
    		57 |   }
    		58 | }
    
    Check: CKV_DIO_4: "Ensure the firewall ingress is not wide open"
    	FAILED for resource: digitalocean_firewall.workers
    	File: /digital-ocean/fedora-coreos/kubernetes/network.tf:124-147
    
    		124 | resource "digitalocean_firewall" "workers" {
    		125 |   name = "${var.cluster_name}-workers"
    		126 | 
    		127 |   tags = [digitalocean_tag.workers.name]
    		128 | 
    		129 |   # allow HTTP/HTTPS ingress
    		130 |   inbound_rule {
    		131 |     protocol         = "tcp"
    		132 |     port_range       = "80"
    		133 |     source_addresses = ["0.0.0.0/0", "::/0"]
    		134 |   }
    		135 | 
    		136 |   inbound_rule {
    		137 |     protocol         = "tcp"
    		138 |     port_range       = "443"
    		139 |     source_addresses = ["0.0.0.0/0", "::/0"]
    		140 |   }
    		141 | 
    		142 |   inbound_rule {
    		143 |     protocol         = "tcp"
    		144 |     port_range       = "10254"
    		145 |     source_addresses = ["0.0.0.0/0"]
    		146 |   }
    		147 | }
    
    Check: CKV_DIO_2: "Ensure the droplet specifies an SSH key"
    	FAILED for resource: digitalocean_droplet.workers[0]
    	File: /digital-ocean/fedora-coreos/kubernetes/workers.tf:30-54
    
    		30 | resource "digitalocean_droplet" "workers" {
    		31 |   count = var.worker_count
    		32 | 
    		33 |   name   = "${var.cluster_name}-worker-${count.index}"
    		34 |   region = var.region
    		35 | 
    		36 |   image = var.os_image
    		37 |   size  = var.worker_type
    		38 | 
    		39 |   # network
    		40 |   vpc_uuid = digitalocean_vpc.network.id
    		41 |   # TODO: Only official DigitalOcean images support IPv6
    		42 |   ipv6 = false
    		43 | 
    		44 |   user_data = data.ct_config.worker.rendered
    		45 |   ssh_keys  = var.ssh_fingerprints
    		46 | 
    		47 |   tags = [
    		48 |     digitalocean_tag.workers.id,
    		49 |   ]
    		50 | 
    		51 |   lifecycle {
    		52 |     create_before_destroy = true
    		53 |   }
    		54 | }
    
    Check: CKV_DIO_2: "Ensure the droplet specifies an SSH key"
    	FAILED for resource: digitalocean_droplet.controllers[0]
    	File: /digital-ocean/flatcar-linux/kubernetes/controllers.tf:39-63
    
    		39 | resource "digitalocean_droplet" "controllers" {
    		40 |   count = var.controller_count
    		41 | 
    		42 |   name   = "${var.cluster_name}-controller-${count.index}"
    		43 |   region = var.region
    		44 | 
    		45 |   image = var.os_image
    		46 |   size  = var.controller_type
    		47 | 
    		48 |   # network
    		49 |   vpc_uuid = digitalocean_vpc.network.id
    		50 |   # TODO: Only official DigitalOcean images support IPv6
    		51 |   ipv6 = false
    		52 | 
    		53 |   user_data = data.ct_config.controllers.*.rendered[count.index]
    		54 |   ssh_keys  = var.ssh_fingerprints
    		55 | 
    		56 |   tags = [
    		57 |     digitalocean_tag.controllers.id,
    		58 |   ]
    		59 | 
    		60 |   lifecycle {
    		61 |     ignore_changes = [user_data]
    		62 |   }
    		63 | }
    
    Check: CKV_DIO_4: "Ensure the firewall ingress is not wide open"
    	FAILED for resource: digitalocean_firewall.workers
    	File: /digital-ocean/flatcar-linux/kubernetes/network.tf:124-147
    
    		124 | resource "digitalocean_firewall" "workers" {
    		125 |   name = "${var.cluster_name}-workers"
    		126 | 
    		127 |   tags = [digitalocean_tag.workers.name]
    		128 | 
    		129 |   # allow HTTP/HTTPS ingress
    		130 |   inbound_rule {
    		131 |     protocol         = "tcp"
    		132 |     port_range       = "80"
    		133 |     source_addresses = ["0.0.0.0/0", "::/0"]
    		134 |   }
    		135 | 
    		136 |   inbound_rule {
    		137 |     protocol         = "tcp"
    		138 |     port_range       = "443"
    		139 |     source_addresses = ["0.0.0.0/0", "::/0"]
    		140 |   }
    		141 | 
    		142 |   inbound_rule {
    		143 |     protocol         = "tcp"
    		144 |     port_range       = "10254"
    		145 |     source_addresses = ["0.0.0.0/0"]
    		146 |   }
    		147 | }
    
    Check: CKV_DIO_2: "Ensure the droplet specifies an SSH key"
    	FAILED for resource: digitalocean_droplet.workers[0]
    	File: /digital-ocean/flatcar-linux/kubernetes/workers.tf:28-52
    
    		28 | resource "digitalocean_droplet" "workers" {
    		29 |   count = var.worker_count
    		30 | 
    		31 |   name   = "${var.cluster_name}-worker-${count.index}"
    		32 |   region = var.region
    		33 | 
    		34 |   image = var.os_image
    		35 |   size  = var.worker_type
    		36 | 
    		37 |   # network
    		38 |   vpc_uuid = digitalocean_vpc.network.id
    		39 |   # only official DigitalOcean images support IPv6
    		40 |   ipv6 = local.is_official_image
    		41 | 
    		42 |   user_data = data.ct_config.worker.rendered
    		43 |   ssh_keys  = var.ssh_fingerprints
    		44 | 
    		45 |   tags = [
    		46 |     digitalocean_tag.workers.id,
    		47 |   ]
    		48 | 
    		49 |   lifecycle {
    		50 |     create_before_destroy = true
    		51 |   }
    		52 | }
    
    Check: CKV_GCP_39: "Ensure Compute instances are launched with Shielded VM enabled"
    	FAILED for resource: google_compute_instance.controllers[0]
    	File: /google-cloud/fedora-coreos/kubernetes/controllers.tf:29-67
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-y.html
    
    		29 | resource "google_compute_instance" "controllers" {
    		30 |   count = var.controller_count
    		31 | 
    		32 |   name = "${var.cluster_name}-controller-${count.index}"
    		33 |   # use a zone in the region and wrap around (e.g. controllers > zones)
    		34 |   zone         = element(local.zones, count.index)
    		35 |   machine_type = var.controller_type
    		36 | 
    		37 |   metadata = {
    		38 |     user-data = data.ct_config.controllers.*.rendered[count.index]
    		39 |   }
    		40 | 
    		41 |   boot_disk {
    		42 |     auto_delete = true
    		43 | 
    		44 |     initialize_params {
    		45 |       image = data.google_compute_image.fedora-coreos.self_link
    		46 |       size  = var.disk_size
    		47 |     }
    		48 |   }
    		49 | 
    		50 |   network_interface {
    		51 |     network = google_compute_network.network.name
    		52 | 
    		53 |     # Ephemeral external IP
    		54 |     access_config {
    		55 |     }
    		56 |   }
    		57 | 
    		58 |   can_ip_forward = true
    		59 |   tags           = ["${var.cluster_name}-controller"]
    		60 | 
    		61 |   lifecycle {
    		62 |     ignore_changes = [
    		63 |       metadata,
    		64 |       boot_disk[0].initialize_params
    		65 |     ]
    		66 |   }
    		67 | }
    
    Check: CKV_GCP_40: "Ensure that Compute instances do not have public IP addresses"
    	FAILED for resource: google_compute_instance.controllers[0]
    	File: /google-cloud/fedora-coreos/kubernetes/controllers.tf:29-67
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-public-policies/bc-gcp-public-2.html
    
    		29 | resource "google_compute_instance" "controllers" {
    		30 |   count = var.controller_count
    		31 | 
    		32 |   name = "${var.cluster_name}-controller-${count.index}"
    		33 |   # use a zone in the region and wrap around (e.g. controllers > zones)
    		34 |   zone         = element(local.zones, count.index)
    		35 |   machine_type = var.controller_type
    		36 | 
    		37 |   metadata = {
    		38 |     user-data = data.ct_config.controllers.*.rendered[count.index]
    		39 |   }
    		40 | 
    		41 |   boot_disk {
    		42 |     auto_delete = true
    		43 | 
    		44 |     initialize_params {
    		45 |       image = data.google_compute_image.fedora-coreos.self_link
    		46 |       size  = var.disk_size
    		47 |     }
    		48 |   }
    		49 | 
    		50 |   network_interface {
    		51 |     network = google_compute_network.network.name
    		52 | 
    		53 |     # Ephemeral external IP
    		54 |     access_config {
    		55 |     }
    		56 |   }
    		57 | 
    		58 |   can_ip_forward = true
    		59 |   tags           = ["${var.cluster_name}-controller"]
    		60 | 
    		61 |   lifecycle {
    		62 |     ignore_changes = [
    		63 |       metadata,
    		64 |       boot_disk[0].initialize_params
    		65 |     ]
    		66 |   }
    		67 | }
    
    Check: CKV_GCP_36: "Ensure that IP forwarding is not enabled on Instances"
    	FAILED for resource: google_compute_instance.controllers[0]
    	File: /google-cloud/fedora-coreos/kubernetes/controllers.tf:29-67
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-12.html
    
    		29 | resource "google_compute_instance" "controllers" {
    		30 |   count = var.controller_count
    		31 | 
    		32 |   name = "${var.cluster_name}-controller-${count.index}"
    		33 |   # use a zone in the region and wrap around (e.g. controllers > zones)
    		34 |   zone         = element(local.zones, count.index)
    		35 |   machine_type = var.controller_type
    		36 | 
    		37 |   metadata = {
    		38 |     user-data = data.ct_config.controllers.*.rendered[count.index]
    		39 |   }
    		40 | 
    		41 |   boot_disk {
    		42 |     auto_delete = true
    		43 | 
    		44 |     initialize_params {
    		45 |       image = data.google_compute_image.fedora-coreos.self_link
    		46 |       size  = var.disk_size
    		47 |     }
    		48 |   }
    		49 | 
    		50 |   network_interface {
    		51 |     network = google_compute_network.network.name
    		52 | 
    		53 |     # Ephemeral external IP
    		54 |     access_config {
    		55 |     }
    		56 |   }
    		57 | 
    		58 |   can_ip_forward = true
    		59 |   tags           = ["${var.cluster_name}-controller"]
    		60 | 
    		61 |   lifecycle {
    		62 |     ignore_changes = [
    		63 |       metadata,
    		64 |       boot_disk[0].initialize_params
    		65 |     ]
    		66 |   }
    		67 | }
    
    Check: CKV_GCP_32: "Ensure 'Block Project-wide SSH keys' is enabled for VM instances"
    	FAILED for resource: google_compute_instance.controllers[0]
    	File: /google-cloud/fedora-coreos/kubernetes/controllers.tf:29-67
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-8.html
    
    		29 | resource "google_compute_instance" "controllers" {
    		30 |   count = var.controller_count
    		31 | 
    		32 |   name = "${var.cluster_name}-controller-${count.index}"
    		33 |   # use a zone in the region and wrap around (e.g. controllers > zones)
    		34 |   zone         = element(local.zones, count.index)
    		35 |   machine_type = var.controller_type
    		36 | 
    		37 |   metadata = {
    		38 |     user-data = data.ct_config.controllers.*.rendered[count.index]
    		39 |   }
    		40 | 
    		41 |   boot_disk {
    		42 |     auto_delete = true
    		43 | 
    		44 |     initialize_params {
    		45 |       image = data.google_compute_image.fedora-coreos.self_link
    		46 |       size  = var.disk_size
    		47 |     }
    		48 |   }
    		49 | 
    		50 |   network_interface {
    		51 |     network = google_compute_network.network.name
    		52 | 
    		53 |     # Ephemeral external IP
    		54 |     access_config {
    		55 |     }
    		56 |   }
    		57 | 
    		58 |   can_ip_forward = true
    		59 |   tags           = ["${var.cluster_name}-controller"]
    		60 | 
    		61 |   lifecycle {
    		62 |     ignore_changes = [
    		63 |       metadata,
    		64 |       boot_disk[0].initialize_params
    		65 |     ]
    		66 |   }
    		67 | }
    
    Check: CKV_GCP_38: "Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)"
    	FAILED for resource: google_compute_instance.controllers[0]
    	File: /google-cloud/fedora-coreos/kubernetes/controllers.tf:29-67
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/encrypt-boot-disks-for-instances-with-cseks.html
    
    		29 | resource "google_compute_instance" "controllers" {
    		30 |   count = var.controller_count
    		31 | 
    		32 |   name = "${var.cluster_name}-controller-${count.index}"
    		33 |   # use a zone in the region and wrap around (e.g. controllers > zones)
    		34 |   zone         = element(local.zones, count.index)
    		35 |   machine_type = var.controller_type
    		36 | 
    		37 |   metadata = {
    		38 |     user-data = data.ct_config.controllers.*.rendered[count.index]
    		39 |   }
    		40 | 
    		41 |   boot_disk {
    		42 |     auto_delete = true
    		43 | 
    		44 |     initialize_params {
    		45 |       image = data.google_compute_image.fedora-coreos.self_link
    		46 |       size  = var.disk_size
    		47 |     }
    		48 |   }
    		49 | 
    		50 |   network_interface {
    		51 |     network = google_compute_network.network.name
    		52 | 
    		53 |     # Ephemeral external IP
    		54 |     access_config {
    		55 |     }
    		56 |   }
    		57 | 
    		58 |   can_ip_forward = true
    		59 |   tags           = ["${var.cluster_name}-controller"]
    		60 | 
    		61 |   lifecycle {
    		62 |     ignore_changes = [
    		63 |       metadata,
    		64 |       boot_disk[0].initialize_params
    		65 |     ]
    		66 |   }
    		67 | }
    
    Check: CKV_GCP_30: "Ensure that instances are not configured to use the default service account"
    	FAILED for resource: google_compute_instance.controllers[0]
    	File: /google-cloud/fedora-coreos/kubernetes/controllers.tf:29-67
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-1.html
    
    		29 | resource "google_compute_instance" "controllers" {
    		30 |   count = var.controller_count
    		31 | 
    		32 |   name = "${var.cluster_name}-controller-${count.index}"
    		33 |   # use a zone in the region and wrap around (e.g. controllers > zones)
    		34 |   zone         = element(local.zones, count.index)
    		35 |   machine_type = var.controller_type
    		36 | 
    		37 |   metadata = {
    		38 |     user-data = data.ct_config.controllers.*.rendered[count.index]
    		39 |   }
    		40 | 
    		41 |   boot_disk {
    		42 |     auto_delete = true
    		43 | 
    		44 |     initialize_params {
    		45 |       image = data.google_compute_image.fedora-coreos.self_link
    		46 |       size  = var.disk_size
    		47 |     }
    		48 |   }
    		49 | 
    		50 |   network_interface {
    		51 |     network = google_compute_network.network.name
    		52 | 
    		53 |     # Ephemeral external IP
    		54 |     access_config {
    		55 |     }
    		56 |   }
    		57 | 
    		58 |   can_ip_forward = true
    		59 |   tags           = ["${var.cluster_name}-controller"]
    		60 | 
    		61 |   lifecycle {
    		62 |     ignore_changes = [
    		63 |       metadata,
    		64 |       boot_disk[0].initialize_params
    		65 |     ]
    		66 |   }
    		67 | }
    
    Check: CKV_GCP_2: "Ensure Google compute firewall ingress does not allow unrestricted ssh access"
    	FAILED for resource: google_compute_firewall.allow-ssh
    	File: /google-cloud/fedora-coreos/kubernetes/network.tf:11-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-1.html
    
    		11 | resource "google_compute_firewall" "allow-ssh" {
    		12 |   name    = "${var.cluster_name}-allow-ssh"
    		13 |   network = google_compute_network.network.name
    		14 | 
    		15 |   allow {
    		16 |     protocol = "tcp"
    		17 |     ports    = [22]
    		18 |   }
    		19 | 
    		20 |   source_ranges = ["0.0.0.0/0"]
    		21 |   target_tags   = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
    		22 | }
    
    Check: CKV_GCP_106: "Ensure Google compute firewall ingress does not allow unrestricted http port 80 access"
    	FAILED for resource: google_compute_firewall.allow-ingress
    	File: /google-cloud/fedora-coreos/kubernetes/network.tf:186-197
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-google-compute-firewall-ingress-does-not-allow-unrestricted-http-port-80-access.html
    
    		186 | resource "google_compute_firewall" "allow-ingress" {
    		187 |   name    = "${var.cluster_name}-allow-ingress"
    		188 |   network = google_compute_network.network.name
    		189 | 
    		190 |   allow {
    		191 |     protocol = "tcp"
    		192 |     ports    = [80, 443]
    		193 |   }
    		194 | 
    		195 |   source_ranges = ["0.0.0.0/0"]
    		196 |   target_tags   = ["${var.cluster_name}-worker"]
    		197 | }
    
    Check: CKV_GCP_39: "Ensure Compute instances are launched with Shielded VM enabled"
    	FAILED for resource: module.workers.google_compute_instance_template.worker
    	File: /google-cloud/fedora-coreos/kubernetes/workers/workers.tf:61-106
    	Calling File: /google-cloud/fedora-coreos/kubernetes/workers.tf:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-y.html
    
    		61  | resource "google_compute_instance_template" "worker" {
    		62  |   name_prefix  = "${var.name}-worker-"
    		63  |   description  = "${var.name} worker instance template"
    		64  |   machine_type = var.machine_type
    		65  | 
    		66  |   metadata = {
    		67  |     user-data = data.ct_config.worker.rendered
    		68  |   }
    		69  | 
    		70  |   scheduling {
    		71  |     provisioning_model = var.preemptible ? "SPOT" : "STANDARD"
    		72  |     preemptible        = var.preemptible
    		73  |     automatic_restart  = var.preemptible ? false : true
    		74  |     # Spot instances with termination action DELETE cannot be used with MIGs
    		75  |     instance_termination_action = var.preemptible ? "STOP" : null
    		76  |   }
    		77  | 
    		78  |   disk {
    		79  |     auto_delete  = true
    		80  |     boot         = true
    		81  |     source_image = data.google_compute_image.fedora-coreos.self_link
    		82  |     disk_size_gb = var.disk_size
    		83  |   }
    		84  | 
    		85  |   network_interface {
    		86  |     network = var.network
    		87  |     # Ephemeral external IP
    		88  |     access_config {}
    		89  |   }
    		90  | 
    		91  |   can_ip_forward = true
    		92  |   tags           = ["worker", "${var.cluster_name}-worker", "${var.name}-worker"]
    		93  | 
    		94  |   guest_accelerator {
    		95  |     count = var.accelerator_count
    		96  |     type  = var.accelerator_type
    		97  |   }
    		98  | 
    		99  |   lifecycle {
    		100 |     ignore_changes = [
    		101 |       disk[0].source_image
    		102 |     ]
    		103 |     # To update an Instance Template, Terraform should replace the existing resource
    		104 |     create_before_destroy = true
    		105 |   }
    		106 | }
    
    Check: CKV_GCP_40: "Ensure that Compute instances do not have public IP addresses"
    	FAILED for resource: module.workers.google_compute_instance_template.worker
    	File: /google-cloud/fedora-coreos/kubernetes/workers/workers.tf:61-106
    	Calling File: /google-cloud/fedora-coreos/kubernetes/workers.tf:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-public-policies/bc-gcp-public-2.html
    
    		61  | resource "google_compute_instance_template" "worker" {
    		62  |   name_prefix  = "${var.name}-worker-"
    		63  |   description  = "${var.name} worker instance template"
    		64  |   machine_type = var.machine_type
    		65  | 
    		66  |   metadata = {
    		67  |     user-data = data.ct_config.worker.rendered
    		68  |   }
    		69  | 
    		70  |   scheduling {
    		71  |     provisioning_model = var.preemptible ? "SPOT" : "STANDARD"
    		72  |     preemptible        = var.preemptible
    		73  |     automatic_restart  = var.preemptible ? false : true
    		74  |     # Spot instances with termination action DELETE cannot be used with MIGs
    		75  |     instance_termination_action = var.preemptible ? "STOP" : null
    		76  |   }
    		77  | 
    		78  |   disk {
    		79  |     auto_delete  = true
    		80  |     boot         = true
    		81  |     source_image = data.google_compute_image.fedora-coreos.self_link
    		82  |     disk_size_gb = var.disk_size
    		83  |   }
    		84  | 
    		85  |   network_interface {
    		86  |     network = var.network
    		87  |     # Ephemeral external IP
    		88  |     access_config {}
    		89  |   }
    		90  | 
    		91  |   can_ip_forward = true
    		92  |   tags           = ["worker", "${var.cluster_name}-worker", "${var.name}-worker"]
    		93  | 
    		94  |   guest_accelerator {
    		95  |     count = var.accelerator_count
    		96  |     type  = var.accelerator_type
    		97  |   }
    		98  | 
    		99  |   lifecycle {
    		100 |     ignore_changes = [
    		101 |       disk[0].source_image
    		102 |     ]
    		103 |     # To update an Instance Template, Terraform should replace the existing resource
    		104 |     create_before_destroy = true
    		105 |   }
    		106 | }
    
    Check: CKV_GCP_36: "Ensure that IP forwarding is not enabled on Instances"
    	FAILED for resource: module.workers.google_compute_instance_template.worker
    	File: /google-cloud/fedora-coreos/kubernetes/workers/workers.tf:61-106
    	Calling File: /google-cloud/fedora-coreos/kubernetes/workers.tf:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-12.html
    
    		61  | resource "google_compute_instance_template" "worker" {
    		62  |   name_prefix  = "${var.name}-worker-"
    		63  |   description  = "${var.name} worker instance template"
    		64  |   machine_type = var.machine_type
    		65  | 
    		66  |   metadata = {
    		67  |     user-data = data.ct_config.worker.rendered
    		68  |   }
    		69  | 
    		70  |   scheduling {
    		71  |     provisioning_model = var.preemptible ? "SPOT" : "STANDARD"
    		72  |     preemptible        = var.preemptible
    		73  |     automatic_restart  = var.preemptible ? false : true
    		74  |     # Spot instances with termination action DELETE cannot be used with MIGs
    		75  |     instance_termination_action = var.preemptible ? "STOP" : null
    		76  |   }
    		77  | 
    		78  |   disk {
    		79  |     auto_delete  = true
    		80  |     boot         = true
    		81  |     source_image = data.google_compute_image.fedora-coreos.self_link
    		82  |     disk_size_gb = var.disk_size
    		83  |   }
    		84  | 
    		85  |   network_interface {
    		86  |     network = var.network
    		87  |     # Ephemeral external IP
    		88  |     access_config {}
    		89  |   }
    		90  | 
    		91  |   can_ip_forward = true
    		92  |   tags           = ["worker", "${var.cluster_name}-worker", "${var.name}-worker"]
    		93  | 
    		94  |   guest_accelerator {
    		95  |     count = var.accelerator_count
    		96  |     type  = var.accelerator_type
    		97  |   }
    		98  | 
    		99  |   lifecycle {
    		100 |     ignore_changes = [
    		101 |       disk[0].source_image
    		102 |     ]
    		103 |     # To update an Instance Template, Terraform should replace the existing resource
    		104 |     create_before_destroy = true
    		105 |   }
    		106 | }
    
    Check: CKV_GCP_32: "Ensure 'Block Project-wide SSH keys' is enabled for VM instances"
    	FAILED for resource: module.workers.google_compute_instance_template.worker
    	File: /google-cloud/fedora-coreos/kubernetes/workers/workers.tf:61-106
    	Calling File: /google-cloud/fedora-coreos/kubernetes/workers.tf:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-8.html
    
    		61  | resource "google_compute_instance_template" "worker" {
    		62  |   name_prefix  = "${var.name}-worker-"
    		63  |   description  = "${var.name} worker instance template"
    		64  |   machine_type = var.machine_type
    		65  | 
    		66  |   metadata = {
    		67  |     user-data = data.ct_config.worker.rendered
    		68  |   }
    		69  | 
    		70  |   scheduling {
    		71  |     provisioning_model = var.preemptible ? "SPOT" : "STANDARD"
    		72  |     preemptible        = var.preemptible
    		73  |     automatic_restart  = var.preemptible ? false : true
    		74  |     # Spot instances with termination action DELETE cannot be used with MIGs
    		75  |     instance_termination_action = var.preemptible ? "STOP" : null
    		76  |   }
    		77  | 
    		78  |   disk {
    		79  |     auto_delete  = true
    		80  |     boot         = true
    		81  |     source_image = data.google_compute_image.fedora-coreos.self_link
    		82  |     disk_size_gb = var.disk_size
    		83  |   }
    		84  | 
    		85  |   network_interface {
    		86  |     network = var.network
    		87  |     # Ephemeral external IP
    		88  |     access_config {}
    		89  |   }
    		90  | 
    		91  |   can_ip_forward = true
    		92  |   tags           = ["worker", "${var.cluster_name}-worker", "${var.name}-worker"]
    		93  | 
    		94  |   guest_accelerator {
    		95  |     count = var.accelerator_count
    		96  |     type  = var.accelerator_type
    		97  |   }
    		98  | 
    		99  |   lifecycle {
    		100 |     ignore_changes = [
    		101 |       disk[0].source_image
    		102 |     ]
    		103 |     # To update an Instance Template, Terraform should replace the existing resource
    		104 |     create_before_destroy = true
    		105 |   }
    		106 | }
    
    Check: CKV_GCP_30: "Ensure that instances are not configured to use the default service account"
    	FAILED for resource: module.workers.google_compute_instance_template.worker
    	File: /google-cloud/fedora-coreos/kubernetes/workers/workers.tf:61-106
    	Calling File: /google-cloud/fedora-coreos/kubernetes/workers.tf:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-1.html
    
    		61  | resource "google_compute_instance_template" "worker" {
    		62  |   name_prefix  = "${var.name}-worker-"
    		63  |   description  = "${var.name} worker instance template"
    		64  |   machine_type = var.machine_type
    		65  | 
    		66  |   metadata = {
    		67  |     user-data = data.ct_config.worker.rendered
    		68  |   }
    		69  | 
    		70  |   scheduling {
    		71  |     provisioning_model = var.preemptible ? "SPOT" : "STANDARD"
    		72  |     preemptible        = var.preemptible
    		73  |     automatic_restart  = var.preemptible ? false : true
    		74  |     # Spot instances with termination action DELETE cannot be used with MIGs
    		75  |     instance_termination_action = var.preemptible ? "STOP" : null
    		76  |   }
    		77  | 
    		78  |   disk {
    		79  |     auto_delete  = true
    		80  |     boot         = true
    		81  |     source_image = data.google_compute_image.fedora-coreos.self_link
    		82  |     disk_size_gb = var.disk_size
    		83  |   }
    		84  | 
    		85  |   network_interface {
    		86  |     network = var.network
    		87  |     # Ephemeral external IP
    		88  |     access_config {}
    		89  |   }
    		90  | 
    		91  |   can_ip_forward = true
    		92  |   tags           = ["worker", "${var.cluster_name}-worker", "${var.name}-worker"]
    		93  | 
    		94  |   guest_accelerator {
    		95  |     count = var.accelerator_count
    		96  |     type  = var.accelerator_type
    		97  |   }
    		98  | 
    		99  |   lifecycle {
    		100 |     ignore_changes = [
    		101 |       disk[0].source_image
    		102 |     ]
    		103 |     # To update an Instance Template, Terraform should replace the existing resource
    		104 |     create_before_destroy = true
    		105 |   }
    		106 | }
    
    Check: CKV_GCP_39: "Ensure Compute instances are launched with Shielded VM enabled"
    	FAILED for resource: google_compute_instance.controllers[0]
    	File: /google-cloud/flatcar-linux/kubernetes/controllers.tf:29-67
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-y.html
    
    		29 | resource "google_compute_instance" "controllers" {
    		30 |   count = var.controller_count
    		31 | 
    		32 |   name = "${var.cluster_name}-controller-${count.index}"
    		33 |   # use a zone in the region and wrap around (e.g. controllers > zones)
    		34 |   zone         = element(local.zones, count.index)
    		35 |   machine_type = var.controller_type
    		36 | 
    		37 |   metadata = {
    		38 |     user-data = data.ct_config.controllers.*.rendered[count.index]
    		39 |   }
    		40 | 
    		41 |   boot_disk {
    		42 |     auto_delete = true
    		43 | 
    		44 |     initialize_params {
    		45 |       image = data.google_compute_image.flatcar-linux.self_link
    		46 |       size  = var.disk_size
    		47 |     }
    		48 |   }
    		49 | 
    		50 |   network_interface {
    		51 |     network = google_compute_network.network.name
    		52 | 
    		53 |     # Ephemeral external IP
    		54 |     access_config {
    		55 |     }
    		56 |   }
    		57 | 
    		58 |   can_ip_forward = true
    		59 |   tags           = ["${var.cluster_name}-controller"]
    		60 | 
    		61 |   lifecycle {
    		62 |     ignore_changes = [
    		63 |       metadata,
    		64 |       boot_disk[0].initialize_params
    		65 |     ]
    		66 |   }
    		67 | }
    
    Check: CKV_GCP_40: "Ensure that Compute instances do not have public IP addresses"
    	FAILED for resource: google_compute_instance.controllers[0]
    	File: /google-cloud/flatcar-linux/kubernetes/controllers.tf:29-67
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-public-policies/bc-gcp-public-2.html
    
    		29 | resource "google_compute_instance" "controllers" {
    		30 |   count = var.controller_count
    		31 | 
    		32 |   name = "${var.cluster_name}-controller-${count.index}"
    		33 |   # use a zone in the region and wrap around (e.g. controllers > zones)
    		34 |   zone         = element(local.zones, count.index)
    		35 |   machine_type = var.controller_type
    		36 | 
    		37 |   metadata = {
    		38 |     user-data = data.ct_config.controllers.*.rendered[count.index]
    		39 |   }
    		40 | 
    		41 |   boot_disk {
    		42 |     auto_delete = true
    		43 | 
    		44 |     initialize_params {
    		45 |       image = data.google_compute_image.flatcar-linux.self_link
    		46 |       size  = var.disk_size
    		47 |     }
    		48 |   }
    		49 | 
    		50 |   network_interface {
    		51 |     network = google_compute_network.network.name
    		52 | 
    		53 |     # Ephemeral external IP
    		54 |     access_config {
    		55 |     }
    		56 |   }
    		57 | 
    		58 |   can_ip_forward = true
    		59 |   tags           = ["${var.cluster_name}-controller"]
    		60 | 
    		61 |   lifecycle {
    		62 |     ignore_changes = [
    		63 |       metadata,
    		64 |       boot_disk[0].initialize_params
    		65 |     ]
    		66 |   }
    		67 | }
    
    Check: CKV_GCP_36: "Ensure that IP forwarding is not enabled on Instances"
    	FAILED for resource: google_compute_instance.controllers[0]
    	File: /google-cloud/flatcar-linux/kubernetes/controllers.tf:29-67
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-12.html
    
    		29 | resource "google_compute_instance" "controllers" {
    		30 |   count = var.controller_count
    		31 | 
    		32 |   name = "${var.cluster_name}-controller-${count.index}"
    		33 |   # use a zone in the region and wrap around (e.g. controllers > zones)
    		34 |   zone         = element(local.zones, count.index)
    		35 |   machine_type = var.controller_type
    		36 | 
    		37 |   metadata = {
    		38 |     user-data = data.ct_config.controllers.*.rendered[count.index]
    		39 |   }
    		40 | 
    		41 |   boot_disk {
    		42 |     auto_delete = true
    		43 | 
    		44 |     initialize_params {
    		45 |       image = data.google_compute_image.flatcar-linux.self_link
    		46 |       size  = var.disk_size
    		47 |     }
    		48 |   }
    		49 | 
    		50 |   network_interface {
    		51 |     network = google_compute_network.network.name
    		52 | 
    		53 |     # Ephemeral external IP
    		54 |     access_config {
    		55 |     }
    		56 |   }
    		57 | 
    		58 |   can_ip_forward = true
    		59 |   tags           = ["${var.cluster_name}-controller"]
    		60 | 
    		61 |   lifecycle {
    		62 |     ignore_changes = [
    		63 |       metadata,
    		64 |       boot_disk[0].initialize_params
    		65 |     ]
    		66 |   }
    		67 | }
    
    Check: CKV_GCP_32: "Ensure 'Block Project-wide SSH keys' is enabled for VM instances"
    	FAILED for resource: google_compute_instance.controllers[0]
    	File: /google-cloud/flatcar-linux/kubernetes/controllers.tf:29-67
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-8.html
    
    		29 | resource "google_compute_instance" "controllers" {
    		30 |   count = var.controller_count
    		31 | 
    		32 |   name = "${var.cluster_name}-controller-${count.index}"
    		33 |   # use a zone in the region and wrap around (e.g. controllers > zones)
    		34 |   zone         = element(local.zones, count.index)
    		35 |   machine_type = var.controller_type
    		36 | 
    		37 |   metadata = {
    		38 |     user-data = data.ct_config.controllers.*.rendered[count.index]
    		39 |   }
    		40 | 
    		41 |   boot_disk {
    		42 |     auto_delete = true
    		43 | 
    		44 |     initialize_params {
    		45 |       image = data.google_compute_image.flatcar-linux.self_link
    		46 |       size  = var.disk_size
    		47 |     }
    		48 |   }
    		49 | 
    		50 |   network_interface {
    		51 |     network = google_compute_network.network.name
    		52 | 
    		53 |     # Ephemeral external IP
    		54 |     access_config {
    		55 |     }
    		56 |   }
    		57 | 
    		58 |   can_ip_forward = true
    		59 |   tags           = ["${var.cluster_name}-controller"]
    		60 | 
    		61 |   lifecycle {
    		62 |     ignore_changes = [
    		63 |       metadata,
    		64 |       boot_disk[0].initialize_params
    		65 |     ]
    		66 |   }
    		67 | }
    
    Check: CKV_GCP_38: "Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)"
    	FAILED for resource: google_compute_instance.controllers[0]
    	File: /google-cloud/flatcar-linux/kubernetes/controllers.tf:29-67
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/encrypt-boot-disks-for-instances-with-cseks.html
    
    		29 | resource "google_compute_instance" "controllers" {
    		30 |   count = var.controller_count
    		31 | 
    		32 |   name = "${var.cluster_name}-controller-${count.index}"
    		33 |   # use a zone in the region and wrap around (e.g. controllers > zones)
    		34 |   zone         = element(local.zones, count.index)
    		35 |   machine_type = var.controller_type
    		36 | 
    		37 |   metadata = {
    		38 |     user-data = data.ct_config.controllers.*.rendered[count.index]
    		39 |   }
    		40 | 
    		41 |   boot_disk {
    		42 |     auto_delete = true
    		43 | 
    		44 |     initialize_params {
    		45 |       image = data.google_compute_image.flatcar-linux.self_link
    		46 |       size  = var.disk_size
    		47 |     }
    		48 |   }
    		49 | 
    		50 |   network_interface {
    		51 |     network = google_compute_network.network.name
    		52 | 
    		53 |     # Ephemeral external IP
    		54 |     access_config {
    		55 |     }
    		56 |   }
    		57 | 
    		58 |   can_ip_forward = true
    		59 |   tags           = ["${var.cluster_name}-controller"]
    		60 | 
    		61 |   lifecycle {
    		62 |     ignore_changes = [
    		63 |       metadata,
    		64 |       boot_disk[0].initialize_params
    		65 |     ]
    		66 |   }
    		67 | }
    
    Check: CKV_GCP_30: "Ensure that instances are not configured to use the default service account"
    	FAILED for resource: google_compute_instance.controllers[0]
    	File: /google-cloud/flatcar-linux/kubernetes/controllers.tf:29-67
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-1.html
    
    		29 | resource "google_compute_instance" "controllers" {
    		30 |   count = var.controller_count
    		31 | 
    		32 |   name = "${var.cluster_name}-controller-${count.index}"
    		33 |   # use a zone in the region and wrap around (e.g. controllers > zones)
    		34 |   zone         = element(local.zones, count.index)
    		35 |   machine_type = var.controller_type
    		36 | 
    		37 |   metadata = {
    		38 |     user-data = data.ct_config.controllers.*.rendered[count.index]
    		39 |   }
    		40 | 
    		41 |   boot_disk {
    		42 |     auto_delete = true
    		43 | 
    		44 |     initialize_params {
    		45 |       image = data.google_compute_image.flatcar-linux.self_link
    		46 |       size  = var.disk_size
    		47 |     }
    		48 |   }
    		49 | 
    		50 |   network_interface {
    		51 |     network = google_compute_network.network.name
    		52 | 
    		53 |     # Ephemeral external IP
    		54 |     access_config {
    		55 |     }
    		56 |   }
    		57 | 
    		58 |   can_ip_forward = true
    		59 |   tags           = ["${var.cluster_name}-controller"]
    		60 | 
    		61 |   lifecycle {
    		62 |     ignore_changes = [
    		63 |       metadata,
    		64 |       boot_disk[0].initialize_params
    		65 |     ]
    		66 |   }
    		67 | }
    
    Check: CKV_GCP_2: "Ensure Google compute firewall ingress does not allow unrestricted ssh access"
    	FAILED for resource: google_compute_firewall.allow-ssh
    	File: /google-cloud/flatcar-linux/kubernetes/network.tf:11-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-1.html
    
    		11 | resource "google_compute_firewall" "allow-ssh" {
    		12 |   name    = "${var.cluster_name}-allow-ssh"
    		13 |   network = google_compute_network.network.name
    		14 | 
    		15 |   allow {
    		16 |     protocol = "tcp"
    		17 |     ports    = [22]
    		18 |   }
    		19 | 
    		20 |   source_ranges = ["0.0.0.0/0"]
    		21 |   target_tags   = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
    		22 | }
    
    Check: CKV_GCP_106: "Ensure Google compute firewall ingress does not allow unrestricted http port 80 access"
    	FAILED for resource: google_compute_firewall.allow-ingress
    	File: /google-cloud/flatcar-linux/kubernetes/network.tf:186-197
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-google-compute-firewall-ingress-does-not-allow-unrestricted-http-port-80-access.html
    
    		186 | resource "google_compute_firewall" "allow-ingress" {
    		187 |   name    = "${var.cluster_name}-allow-ingress"
    		188 |   network = google_compute_network.network.name
    		189 | 
    		190 |   allow {
    		191 |     protocol = "tcp"
    		192 |     ports    = [80, 443]
    		193 |   }
    		194 | 
    		195 |   source_ranges = ["0.0.0.0/0"]
    		196 |   target_tags   = ["${var.cluster_name}-worker"]
    		197 | }
    
    Check: CKV_GCP_39: "Ensure Compute instances are launched with Shielded VM enabled"
    	FAILED for resource: module.workers.google_compute_instance_template.worker
    	File: /google-cloud/flatcar-linux/kubernetes/workers/workers.tf:61-106
    	Calling File: /google-cloud/flatcar-linux/kubernetes/workers.tf:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-y.html
    
    		61  | resource "google_compute_instance_template" "worker" {
    		62  |   name_prefix  = "${var.name}-worker-"
    		63  |   description  = "Worker Instance template"
    		64  |   machine_type = var.machine_type
    		65  | 
    		66  |   metadata = {
    		67  |     user-data = data.ct_config.worker.rendered
    		68  |   }
    		69  | 
    		70  |   scheduling {
    		71  |     provisioning_model = var.preemptible ? "SPOT" : "STANDARD"
    		72  |     preemptible        = var.preemptible
    		73  |     automatic_restart  = var.preemptible ? false : true
    		74  |     # Spot instances with termination action DELETE cannot be used with MIGs
    		75  |     instance_termination_action = var.preemptible ? "STOP" : null
    		76  |   }
    		77  | 
    		78  |   disk {
    		79  |     auto_delete  = true
    		80  |     boot         = true
    		81  |     source_image = data.google_compute_image.flatcar-linux.self_link
    		82  |     disk_size_gb = var.disk_size
    		83  |   }
    		84  | 
    		85  |   network_interface {
    		86  |     network = var.network
    		87  |     # Ephemeral external IP
    		88  |     access_config {}
    		89  |   }
    		90  | 
    		91  |   can_ip_forward = true
    		92  |   tags           = ["worker", "${var.cluster_name}-worker", "${var.name}-worker"]
    		93  | 
    		94  |   guest_accelerator {
    		95  |     count = var.accelerator_count
    		96  |     type  = var.accelerator_type
    		97  |   }
    		98  | 
    		99  |   lifecycle {
    		100 |     ignore_changes = [
    		101 |       disk[0].source_image
    		102 |     ]
    		103 |     # To update an Instance Template, Terraform should replace the existing resource
    		104 |     create_before_destroy = true
    		105 |   }
    		106 | }
    
    Check: CKV_GCP_40: "Ensure that Compute instances do not have public IP addresses"
    	FAILED for resource: module.workers.google_compute_instance_template.worker
    	File: /google-cloud/flatcar-linux/kubernetes/workers/workers.tf:61-106
    	Calling File: /google-cloud/flatcar-linux/kubernetes/workers.tf:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-public-policies/bc-gcp-public-2.html
    
    		61  | resource "google_compute_instance_template" "worker" {
    		62  |   name_prefix  = "${var.name}-worker-"
    		63  |   description  = "Worker Instance template"
    		64  |   machine_type = var.machine_type
    		65  | 
    		66  |   metadata = {
    		67  |     user-data = data.ct_config.worker.rendered
    		68  |   }
    		69  | 
    		70  |   scheduling {
    		71  |     provisioning_model = var.preemptible ? "SPOT" : "STANDARD"
    		72  |     preemptible        = var.preemptible
    		73  |     automatic_restart  = var.preemptible ? false : true
    		74  |     # Spot instances with termination action DELETE cannot be used with MIGs
    		75  |     instance_termination_action = var.preemptible ? "STOP" : null
    		76  |   }
    		77  | 
    		78  |   disk {
    		79  |     auto_delete  = true
    		80  |     boot         = true
    		81  |     source_image = data.google_compute_image.flatcar-linux.self_link
    		82  |     disk_size_gb = var.disk_size
    		83  |   }
    		84  | 
    		85  |   network_interface {
    		86  |     network = var.network
    		87  |     # Ephemeral external IP
    		88  |     access_config {}
    		89  |   }
    		90  | 
    		91  |   can_ip_forward = true
    		92  |   tags           = ["worker", "${var.cluster_name}-worker", "${var.name}-worker"]
    		93  | 
    		94  |   guest_accelerator {
    		95  |     count = var.accelerator_count
    		96  |     type  = var.accelerator_type
    		97  |   }
    		98  | 
    		99  |   lifecycle {
    		100 |     ignore_changes = [
    		101 |       disk[0].source_image
    		102 |     ]
    		103 |     # To update an Instance Template, Terraform should replace the existing resource
    		104 |     create_before_destroy = true
    		105 |   }
    		106 | }
    
    Check: CKV_GCP_36: "Ensure that IP forwarding is not enabled on Instances"
    	FAILED for resource: module.workers.google_compute_instance_template.worker
    	File: /google-cloud/flatcar-linux/kubernetes/workers/workers.tf:61-106
    	Calling File: /google-cloud/flatcar-linux/kubernetes/workers.tf:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-12.html
    
    		61  | resource "google_compute_instance_template" "worker" {
    		62  |   name_prefix  = "${var.name}-worker-"
    		63  |   description  = "Worker Instance template"
    		64  |   machine_type = var.machine_type
    		65  | 
    		66  |   metadata = {
    		67  |     user-data = data.ct_config.worker.rendered
    		68  |   }
    		69  | 
    		70  |   scheduling {
    		71  |     provisioning_model = var.preemptible ? "SPOT" : "STANDARD"
    		72  |     preemptible        = var.preemptible
    		73  |     automatic_restart  = var.preemptible ? false : true
    		74  |     # Spot instances with termination action DELETE cannot be used with MIGs
    		75  |     instance_termination_action = var.preemptible ? "STOP" : null
    		76  |   }
    		77  | 
    		78  |   disk {
    		79  |     auto_delete  = true
    		80  |     boot         = true
    		81  |     source_image = data.google_compute_image.flatcar-linux.self_link
    		82  |     disk_size_gb = var.disk_size
    		83  |   }
    		84  | 
    		85  |   network_interface {
    		86  |     network = var.network
    		87  |     # Ephemeral external IP
    		88  |     access_config {}
    		89  |   }
    		90  | 
    		91  |   can_ip_forward = true
    		92  |   tags           = ["worker", "${var.cluster_name}-worker", "${var.name}-worker"]
    		93  | 
    		94  |   guest_accelerator {
    		95  |     count = var.accelerator_count
    		96  |     type  = var.accelerator_type
    		97  |   }
    		98  | 
    		99  |   lifecycle {
    		100 |     ignore_changes = [
    		101 |       disk[0].source_image
    		102 |     ]
    		103 |     # To update an Instance Template, Terraform should replace the existing resource
    		104 |     create_before_destroy = true
    		105 |   }
    		106 | }
    
    Check: CKV_GCP_32: "Ensure 'Block Project-wide SSH keys' is enabled for VM instances"
    	FAILED for resource: module.workers.google_compute_instance_template.worker
    	File: /google-cloud/flatcar-linux/kubernetes/workers/workers.tf:61-106
    	Calling File: /google-cloud/flatcar-linux/kubernetes/workers.tf:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-8.html
    
    		61  | resource "google_compute_instance_template" "worker" {
    		62  |   name_prefix  = "${var.name}-worker-"
    		63  |   description  = "Worker Instance template"
    		64  |   machine_type = var.machine_type
    		65  | 
    		66  |   metadata = {
    		67  |     user-data = data.ct_config.worker.rendered
    		68  |   }
    		69  | 
    		70  |   scheduling {
    		71  |     provisioning_model = var.preemptible ? "SPOT" : "STANDARD"
    		72  |     preemptible        = var.preemptible
    		73  |     automatic_restart  = var.preemptible ? false : true
    		74  |     # Spot instances with termination action DELETE cannot be used with MIGs
    		75  |     instance_termination_action = var.preemptible ? "STOP" : null
    		76  |   }
    		77  | 
    		78  |   disk {
    		79  |     auto_delete  = true
    		80  |     boot         = true
    		81  |     source_image = data.google_compute_image.flatcar-linux.self_link
    		82  |     disk_size_gb = var.disk_size
    		83  |   }
    		84  | 
    		85  |   network_interface {
    		86  |     network = var.network
    		87  |     # Ephemeral external IP
    		88  |     access_config {}
    		89  |   }
    		90  | 
    		91  |   can_ip_forward = true
    		92  |   tags           = ["worker", "${var.cluster_name}-worker", "${var.name}-worker"]
    		93  | 
    		94  |   guest_accelerator {
    		95  |     count = var.accelerator_count
    		96  |     type  = var.accelerator_type
    		97  |   }
    		98  | 
    		99  |   lifecycle {
    		100 |     ignore_changes = [
    		101 |       disk[0].source_image
    		102 |     ]
    		103 |     # To update an Instance Template, Terraform should replace the existing resource
    		104 |     create_before_destroy = true
    		105 |   }
    		106 | }
    
    Check: CKV_GCP_30: "Ensure that instances are not configured to use the default service account"
    	FAILED for resource: module.workers.google_compute_instance_template.worker
    	File: /google-cloud/flatcar-linux/kubernetes/workers/workers.tf:61-106
    	Calling File: /google-cloud/flatcar-linux/kubernetes/workers.tf:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-1.html
    
    		61  | resource "google_compute_instance_template" "worker" {
    		62  |   name_prefix  = "${var.name}-worker-"
    		63  |   description  = "Worker Instance template"
    		64  |   machine_type = var.machine_type
    		65  | 
    		66  |   metadata = {
    		67  |     user-data = data.ct_config.worker.rendered
    		68  |   }
    		69  | 
    		70  |   scheduling {
    		71  |     provisioning_model = var.preemptible ? "SPOT" : "STANDARD"
    		72  |     preemptible        = var.preemptible
    		73  |     automatic_restart  = var.preemptible ? false : true
    		74  |     # Spot instances with termination action DELETE cannot be used with MIGs
    		75  |     instance_termination_action = var.preemptible ? "STOP" : null
    		76  |   }
    		77  | 
    		78  |   disk {
    		79  |     auto_delete  = true
    		80  |     boot         = true
    		81  |     source_image = data.google_compute_image.flatcar-linux.self_link
    		82  |     disk_size_gb = var.disk_size
    		83  |   }
    		84  | 
    		85  |   network_interface {
    		86  |     network = var.network
    		87  |     # Ephemeral external IP
    		88  |     access_config {}
    		89  |   }
    		90  | 
    		91  |   can_ip_forward = true
    		92  |   tags           = ["worker", "${var.cluster_name}-worker", "${var.name}-worker"]
    		93  | 
    		94  |   guest_accelerator {
    		95  |     count = var.accelerator_count
    		96  |     type  = var.accelerator_type
    		97  |   }
    		98  | 
    		99  |   lifecycle {
    		100 |     ignore_changes = [
    		101 |       disk[0].source_image
    		102 |     ]
    		103 |     # To update an Instance Template, Terraform should replace the existing resource
    		104 |     create_before_destroy = true
    		105 |   }
    		106 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.network
    	File: /aws/fedora-coreos/kubernetes/network.tf:6-15
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		6  | resource "aws_vpc" "network" {
    		7  |   cidr_block                       = var.host_cidr
    		8  |   assign_generated_ipv6_cidr_block = true
    		9  |   enable_dns_support               = true
    		10 |   enable_dns_hostnames             = true
    		11 | 
    		12 |   tags = {
    		13 |     "Name" = var.cluster_name
    		14 |   }
    		15 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.network
    	File: /aws/flatcar-linux/kubernetes/network.tf:6-15
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		6  | resource "aws_vpc" "network" {
    		7  |   cidr_block                       = var.host_cidr
    		8  |   assign_generated_ipv6_cidr_block = true
    		9  |   enable_dns_support               = true
    		10 |   enable_dns_hostnames             = true
    		11 | 
    		12 |   tags = {
    		13 |     "Name" = var.cluster_name
    		14 |   }
    		15 | }
    
    Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
    	FAILED for resource: aws_lb.nlb
    	File: /aws/fedora-coreos/kubernetes/nlb.tf:17-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones.html
    
    		17 | resource "aws_lb" "nlb" {
    		18 |   name               = "${var.cluster_name}-nlb"
    		19 |   load_balancer_type = "network"
    		20 |   ip_address_type    = "dualstack"
    		21 |   internal           = false
    		22 | 
    		23 |   subnets = aws_subnet.public.*.id
    		24 | 
    		25 |   enable_cross_zone_load_balancing = true
    		26 | }
    
    Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
    	FAILED for resource: aws_lb.nlb
    	File: /aws/flatcar-linux/kubernetes/nlb.tf:17-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones.html
    
    		17 | resource "aws_lb" "nlb" {
    		18 |   name               = "${var.cluster_name}-nlb"
    		19 |   load_balancer_type = "network"
    		20 |   ip_address_type    = "dualstack"
    		21 |   internal           = false
    		22 | 
    		23 |   subnets = aws_subnet.public.*.id
    		24 | 
    		25 |   enable_cross_zone_load_balancing = true
    		26 | }
    
    Check: CKV2_AWS_23: "Route53 A Record has Attached Resource"
    	FAILED for resource: aws_route53_record.etcds[0]
    	File: /aws/fedora-coreos/kubernetes/controllers.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-route53-a-record-has-an-attached-resource.html
    
    		2  | resource "aws_route53_record" "etcds" {
    		3  |   count = var.controller_count
    		4  | 
    		5  |   # DNS Zone where record should be created
    		6  |   zone_id = var.dns_zone_id
    		7  | 
    		8  |   name = format("%s-etcd%d.%s.", var.cluster_name, count.index, var.dns_zone)
    		9  |   type = "A"
    		10 |   ttl  = 300
    		11 | 
    		12 |   # private IPv4 address for etcd
    		13 |   records = [aws_instance.controllers.*.private_ip[count.index]]
    		14 | }
    
    Check: CKV2_AWS_23: "Route53 A Record has Attached Resource"
    	FAILED for resource: aws_route53_record.etcds[0]
    	File: /aws/flatcar-linux/kubernetes/controllers.tf:2-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-route53-a-record-has-an-attached-resource.html
    
    		2  | resource "aws_route53_record" "etcds" {
    		3  |   count = var.controller_count
    		4  | 
    		5  |   # DNS Zone where record should be created
    		6  |   zone_id = var.dns_zone_id
    		7  | 
    		8  |   name = format("%s-etcd%d.%s.", var.cluster_name, count.index, var.dns_zone)
    		9  |   type = "A"
    		10 |   ttl  = 300
    		11 | 
    		12 |   # private IPv4 address for etcd
    		13 |   records = [aws_instance.controllers.*.private_ip[count.index]]
    		14 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.network
    	File: /aws/fedora-coreos/kubernetes/network.tf:6-15
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		6  | resource "aws_vpc" "network" {
    		7  |   cidr_block                       = var.host_cidr
    		8  |   assign_generated_ipv6_cidr_block = true
    		9  |   enable_dns_support               = true
    		10 |   enable_dns_hostnames             = true
    		11 | 
    		12 |   tags = {
    		13 |     "Name" = var.cluster_name
    		14 |   }
    		15 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.network
    	File: /aws/flatcar-linux/kubernetes/network.tf:6-15
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		6  | resource "aws_vpc" "network" {
    		7  |   cidr_block                       = var.host_cidr
    		8  |   assign_generated_ipv6_cidr_block = true
    		9  |   enable_dns_support               = true
    		10 |   enable_dns_hostnames             = true
    		11 | 
    		12 |   tags = {
    		13 |     "Name" = var.cluster_name
    		14 |   }
    		15 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.controllers[0]
    	File: /aws/fedora-coreos/kubernetes/controllers.tf:17-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		17 | resource "aws_instance" "controllers" {
    		18 |   count = var.controller_count
    		19 | 
    		20 |   tags = {
    		21 |     Name = "${var.cluster_name}-controller-${count.index}"
    		22 |   }
    		23 | 
    		24 |   instance_type = var.controller_type
    		25 |   ami           = var.arch == "arm64" ? data.aws_ami.fedora-coreos-arm[0].image_id : data.aws_ami.fedora-coreos.image_id
    		26 |   user_data     = data.ct_config.controllers.*.rendered[count.index]
    		27 | 
    		28 |   # storage
    		29 |   root_block_device {
    		30 |     volume_type = var.disk_type
    		31 |     volume_size = var.disk_size
    		32 |     iops        = var.disk_iops
    		33 |     encrypted   = true
    		34 |     tags        = {}
    		35 |   }
    		36 | 
    		37 |   # network
    		38 |   associate_public_ip_address = true
    		39 |   subnet_id                   = element(aws_subnet.public.*.id, count.index)
    		40 |   vpc_security_group_ids      = [aws_security_group.controller.id]
    		41 | 
    		42 |   lifecycle {
    		43 |     ignore_changes = [
    		44 |       ami,
    		45 |       user_data,
    		46 |     ]
    		47 |   }
    		48 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.controllers[0]
    	File: /aws/flatcar-linux/kubernetes/controllers.tf:17-49
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		17 | resource "aws_instance" "controllers" {
    		18 |   count = var.controller_count
    		19 | 
    		20 |   tags = {
    		21 |     Name = "${var.cluster_name}-controller-${count.index}"
    		22 |   }
    		23 | 
    		24 |   instance_type = var.controller_type
    		25 | 
    		26 |   ami       = local.ami_id
    		27 |   user_data = data.ct_config.controllers.*.rendered[count.index]
    		28 | 
    		29 |   # storage
    		30 |   root_block_device {
    		31 |     volume_type = var.disk_type
    		32 |     volume_size = var.disk_size
    		33 |     iops        = var.disk_iops
    		34 |     encrypted   = true
    		35 |     tags        = {}
    		36 |   }
    		37 | 
    		38 |   # network
    		39 |   associate_public_ip_address = true
    		40 |   subnet_id                   = element(aws_subnet.public.*.id, count.index)
    		41 |   vpc_security_group_ids      = [aws_security_group.controller.id]
    		42 | 
    		43 |   lifecycle {
    		44 |     ignore_changes = [
    		45 |       ami,
    		46 |       user_data,
    		47 |     ]
    		48 |   }
    		49 | }
    
    kubernetes scan results:
    
    Passed checks: 824, Failed checks: 122, Skipped checks: 0
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.monitoring.grafana
    	File: /addons/grafana/deployment.yaml:1-124
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.monitoring.grafana
    	File: /addons/grafana/deployment.yaml:1-124
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.monitoring.grafana
    	File: /addons/grafana/deployment.yaml:1-124
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.monitoring.grafana
    	File: /addons/grafana/deployment.yaml:1-124
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.monitoring.grafana
    	File: /addons/grafana/deployment.yaml:1-124
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.monitoring.grafana
    	File: /addons/grafana/deployment.yaml:1-124
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.monitoring.grafana
    	File: /addons/grafana/deployment.yaml:1-124
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.monitoring.grafana
    	File: /addons/grafana/deployment.yaml:1-124
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.monitoring.grafana
    	File: /addons/grafana/deployment.yaml:1-124
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.monitoring.grafana
    	File: /addons/grafana/deployment.yaml:1-124
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/bare-metal/deployment.yaml:1-80
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/bare-metal/deployment.yaml:1-80
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_25: "Minimize the admission of containers with added capability"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/bare-metal/deployment.yaml:1-80
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-24.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/bare-metal/deployment.yaml:1-80
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/bare-metal/deployment.yaml:1-80
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/bare-metal/deployment.yaml:1-80
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/bare-metal/deployment.yaml:1-80
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/bare-metal/deployment.yaml:1-80
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/bare-metal/deployment.yaml:1-80
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/bare-metal/deployment.yaml:1-80
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/bare-metal/deployment.yaml:1-80
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    		Reviewer note: the ingress controller appears to be the workload the Role/ClusterRole bindings below are meant for, so it does need an API token and simply setting `automountServiceAccountToken: false` on the pod would likely break it. Address this finding together with CKV_K8S_42: give the controller a dedicated ServiceAccount and bind the roles to that account, so the token is only mounted where the bindings are actually needed (confirm against the Deployment's pod spec, which is not reproduced here).
    Check: CKV_K8S_42: "Ensure that default service accounts are not actively used"
    	FAILED for resource: RoleBinding.ingress.ingress
    	File: /addons/nginx-ingress/bare-metal/rbac/role-binding.yaml:1-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-default-service-accounts-are-not-actively-used.html
    
    		1  | apiVersion: rbac.authorization.k8s.io/v1
    		2  | kind: RoleBinding
    		3  | metadata:
    		4  |   name: ingress
    		5  |   namespace: ingress
    		6  | roleRef:
    		7  |   apiGroup: rbac.authorization.k8s.io
    		8  |   kind: Role
    		9  |   name: ingress
    		10 | subjects:
    		11 |   - kind: ServiceAccount
    		12 |     namespace: ingress
    		13 |     name: default
    
    Check: CKV_K8S_42: "Ensure that default service accounts are not actively used"
    	FAILED for resource: ClusterRoleBinding.default.ingress
    	File: /addons/nginx-ingress/bare-metal/rbac/cluster-role-binding.yaml:1-12
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-default-service-accounts-are-not-actively-used.html
    
    		1  | apiVersion: rbac.authorization.k8s.io/v1
    		2  | kind: ClusterRoleBinding
    		3  | metadata:
    		4  |   name: ingress
    		5  | roleRef:
    		6  |   apiGroup: rbac.authorization.k8s.io
    		7  |   kind: ClusterRole
    		8  |   name: ingress
    		9  | subjects:
    		10 |   - kind: ServiceAccount
    		11 |     namespace: ingress
    		12 |     name: default
    		Reviewer note: this ClusterRoleBinding grants the cluster-scoped `ingress` ClusterRole to the namespace's built-in `default` ServiceAccount. Any pod scheduled in the `ingress` namespace without an explicit `serviceAccountName` receives that same account and therefore the same cluster-wide permissions, not only the ingress controller. Fix by creating a dedicated ServiceAccount, referencing it in the `subjects` of both this binding and the RoleBinding above, and setting `serviceAccountName` on the controller pod spec. The identical binding is repeated for the google-cloud, azure, aws and digital-ocean directories below and needs the same change in each.
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/google-cloud/deployment.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_26: "Do not specify hostPort unless absolutely necessary"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/google-cloud/deployment.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-25.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/google-cloud/deployment.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_25: "Minimize the admission of containers with added capability"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/google-cloud/deployment.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-24.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/google-cloud/deployment.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/google-cloud/deployment.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    		Reviewer note: CKV_K8S_43 and CKV_K8S_15 are related. Referencing the image by tag leaves the deployed content mutable at the registry; pinning by digest (`image: <repo>/<name>@sha256:<digest>`) makes the pulled bytes immutable and is the supply-chain control that matters here. Once the image is digest-pinned, `imagePullPolicy: Always` only adds a registry round-trip on each pod start and can be weighed against availability if the registry is unreachable.
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/google-cloud/deployment.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/google-cloud/deployment.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/google-cloud/deployment.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/google-cloud/deployment.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/google-cloud/deployment.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/google-cloud/deployment.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_42: "Ensure that default service accounts are not actively used"
    	FAILED for resource: RoleBinding.ingress.ingress
    	File: /addons/nginx-ingress/google-cloud/rbac/role-binding.yaml:1-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-default-service-accounts-are-not-actively-used.html
    
    		1  | apiVersion: rbac.authorization.k8s.io/v1
    		2  | kind: RoleBinding
    		3  | metadata:
    		4  |   name: ingress
    		5  |   namespace: ingress
    		6  | roleRef:
    		7  |   apiGroup: rbac.authorization.k8s.io
    		8  |   kind: Role
    		9  |   name: ingress
    		10 | subjects:
    		11 |   - kind: ServiceAccount
    		12 |     namespace: ingress
    		13 |     name: default
    
    Check: CKV_K8S_42: "Ensure that default service accounts are not actively used"
    	FAILED for resource: ClusterRoleBinding.default.ingress
    	File: /addons/nginx-ingress/google-cloud/rbac/cluster-role-binding.yaml:1-12
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-default-service-accounts-are-not-actively-used.html
    
    		1  | apiVersion: rbac.authorization.k8s.io/v1
    		2  | kind: ClusterRoleBinding
    		3  | metadata:
    		4  |   name: ingress
    		5  | roleRef:
    		6  |   apiGroup: rbac.authorization.k8s.io
    		7  |   kind: ClusterRole
    		8  |   name: ingress
    		9  | subjects:
    		10 |   - kind: ServiceAccount
    		11 |     namespace: ingress
    		12 |     name: default
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/azure/deployment.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_26: "Do not specify hostPort unless absolutely necessary"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/azure/deployment.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-25.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/azure/deployment.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_25: "Minimize the admission of containers with added capability"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/azure/deployment.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-24.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/azure/deployment.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/azure/deployment.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/azure/deployment.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/azure/deployment.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/azure/deployment.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/azure/deployment.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/azure/deployment.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/azure/deployment.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_42: "Ensure that default service accounts are not actively used"
    	FAILED for resource: RoleBinding.ingress.ingress
    	File: /addons/nginx-ingress/azure/rbac/role-binding.yaml:1-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-default-service-accounts-are-not-actively-used.html
    
    		1  | apiVersion: rbac.authorization.k8s.io/v1
    		2  | kind: RoleBinding
    		3  | metadata:
    		4  |   name: ingress
    		5  |   namespace: ingress
    		6  | roleRef:
    		7  |   apiGroup: rbac.authorization.k8s.io
    		8  |   kind: Role
    		9  |   name: ingress
    		10 | subjects:
    		11 |   - kind: ServiceAccount
    		12 |     namespace: ingress
    		13 |     name: default
    
    Check: CKV_K8S_42: "Ensure that default service accounts are not actively used"
    	FAILED for resource: ClusterRoleBinding.default.ingress
    	File: /addons/nginx-ingress/azure/rbac/cluster-role-binding.yaml:1-12
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-default-service-accounts-are-not-actively-used.html
    
    		1  | apiVersion: rbac.authorization.k8s.io/v1
    		2  | kind: ClusterRoleBinding
    		3  | metadata:
    		4  |   name: ingress
    		5  | roleRef:
    		6  |   apiGroup: rbac.authorization.k8s.io
    		7  |   kind: ClusterRole
    		8  |   name: ingress
    		9  | subjects:
    		10 |   - kind: ServiceAccount
    		11 |     namespace: ingress
    		12 |     name: default
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/aws/deployment.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_26: "Do not specify hostPort unless absolutely necessary"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/aws/deployment.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-25.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/aws/deployment.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_25: "Minimize the admission of containers with added capability"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/aws/deployment.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-24.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/aws/deployment.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/aws/deployment.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/aws/deployment.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/aws/deployment.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/aws/deployment.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/aws/deployment.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/aws/deployment.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/aws/deployment.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_42: "Ensure that default service accounts are not actively used"
    	FAILED for resource: RoleBinding.ingress.ingress
    	File: /addons/nginx-ingress/aws/rbac/role-binding.yaml:1-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-default-service-accounts-are-not-actively-used.html
    
    		1  | apiVersion: rbac.authorization.k8s.io/v1
    		2  | kind: RoleBinding
    		3  | metadata:
    		4  |   name: ingress
    		5  |   namespace: ingress
    		6  | roleRef:
    		7  |   apiGroup: rbac.authorization.k8s.io
    		8  |   kind: Role
    		9  |   name: ingress
    		10 | subjects:
    		11 |   - kind: ServiceAccount
    		12 |     namespace: ingress
    		13 |     name: default
    
    Check: CKV_K8S_42: "Ensure that default service accounts are not actively used"
    	FAILED for resource: ClusterRoleBinding.default.ingress
    	File: /addons/nginx-ingress/aws/rbac/cluster-role-binding.yaml:1-12
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-default-service-accounts-are-not-actively-used.html
    
    		1  | apiVersion: rbac.authorization.k8s.io/v1
    		2  | kind: ClusterRoleBinding
    		3  | metadata:
    		4  |   name: ingress
    		5  | roleRef:
    		6  |   apiGroup: rbac.authorization.k8s.io
    		7  |   kind: ClusterRole
    		8  |   name: ingress
    		9  | subjects:
    		10 |   - kind: ServiceAccount
    		11 |     namespace: ingress
    		12 |     name: default
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: DaemonSet.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/digital-ocean/daemonset.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_26: "Do not specify hostPort unless absolutely necessary"
    	FAILED for resource: DaemonSet.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/digital-ocean/daemonset.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-25.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: DaemonSet.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/digital-ocean/daemonset.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_25: "Minimize the admission of containers with added capability"
    	FAILED for resource: DaemonSet.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/digital-ocean/daemonset.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-24.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: DaemonSet.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/digital-ocean/daemonset.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: DaemonSet.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/digital-ocean/daemonset.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: DaemonSet.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/digital-ocean/daemonset.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: DaemonSet.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/digital-ocean/daemonset.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: DaemonSet.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/digital-ocean/daemonset.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: DaemonSet.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/digital-ocean/daemonset.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: DaemonSet.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/digital-ocean/daemonset.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: DaemonSet.ingress.nginx-ingress-controller
    	File: /addons/nginx-ingress/digital-ocean/daemonset.yaml:1-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_42: "Ensure that default service accounts are not actively used"
    	FAILED for resource: RoleBinding.ingress.ingress
    	File: /addons/nginx-ingress/digital-ocean/rbac/role-binding.yaml:1-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-default-service-accounts-are-not-actively-used.html
    
    		   | # RoleBinding "ingress" (namespace ingress): grants Role "ingress" to the namespace's *default* ServiceAccount.
    		   | # NOTE(review): by Kubernetes convention every pod in this namespace that sets no serviceAccountName runs as
    		   | # "default", so any such pod inherits this Role's permissions, not only the ingress controller (CKV_K8S_42).
    		   | # Presumably the nginx-ingress DaemonSet in this directory relies on this binding; create a dedicated
    		   | # ServiceAccount for it (e.g. "nginx-ingress"), set `serviceAccountName` in the DaemonSet, and bind that
    		   | # account here instead:
    		   | #   subjects:
    		   | #   - kind: ServiceAccount
    		   | #     namespace: ingress
    		   | #     name: nginx-ingress
    		1  | apiVersion: rbac.authorization.k8s.io/v1
    		2  | kind: RoleBinding
    		3  | metadata:
    		4  |   name: ingress
    		5  |   namespace: ingress
    		6  | roleRef:
    		7  |   apiGroup: rbac.authorization.k8s.io
    		8  |   kind: Role
    		9  |   name: ingress
    		10 | subjects:
    		11 |   - kind: ServiceAccount
    		12 |     namespace: ingress
    		   |     # <- should be the controller's own ServiceAccount, never "default"
    		13 |     name: default
    
    Check: CKV_K8S_42: "Ensure that default service accounts are not actively used"
    	FAILED for resource: ClusterRoleBinding.default.ingress
    	File: /addons/nginx-ingress/digital-ocean/rbac/cluster-role-binding.yaml:1-12
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-default-service-accounts-are-not-actively-used.html
    
    		   | # ClusterRoleBinding "ingress": grants the cluster-wide ClusterRole "ingress" to the *default* ServiceAccount
    		   | # of namespace ingress.
    		   | # NOTE(review): this is the wider of the two bindings — a ClusterRole is cluster-scoped, so whatever it
    		   | # allows is granted to every pod in namespace ingress that runs as "default" (CKV_K8S_42). Bind a dedicated
    		   | # ServiceAccount used only by the ingress controller (and referenced via `serviceAccountName` in its
    		   | # DaemonSet), and keep the ClusterRole to the read-only verbs the controller needs:
    		   | #   subjects:
    		   | #   - kind: ServiceAccount
    		   | #     namespace: ingress
    		   | #     name: nginx-ingress
    		1  | apiVersion: rbac.authorization.k8s.io/v1
    		2  | kind: ClusterRoleBinding
    		3  | metadata:
    		4  |   name: ingress
    		5  | roleRef:
    		6  |   apiGroup: rbac.authorization.k8s.io
    		7  |   kind: ClusterRole
    		8  |   name: ingress
    		9  | subjects:
    		10 |   - kind: ServiceAccount
    		11 |     namespace: ingress
    		   |     # <- should be the controller's own ServiceAccount, never "default"
    		12 |     name: default
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.monitoring.prometheus
    	File: /addons/prometheus/deployment.yaml:1-64
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.monitoring.prometheus
    	File: /addons/prometheus/deployment.yaml:1-64
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.monitoring.prometheus
    	File: /addons/prometheus/deployment.yaml:1-64
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.monitoring.prometheus
    	File: /addons/prometheus/deployment.yaml:1-64
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.monitoring.prometheus
    	File: /addons/prometheus/deployment.yaml:1-64
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.monitoring.prometheus
    	File: /addons/prometheus/deployment.yaml:1-64
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.monitoring.prometheus
    	File: /addons/prometheus/deployment.yaml:1-64
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.monitoring.prometheus
    	File: /addons/prometheus/deployment.yaml:1-64
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.monitoring.prometheus
    	File: /addons/prometheus/deployment.yaml:1-64
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.monitoring.prometheus
    	File: /addons/prometheus/deployment.yaml:1-64
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.monitoring.prometheus
    	File: /addons/prometheus/deployment.yaml:1-64
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.monitoring.prometheus
    	File: /addons/prometheus/deployment.yaml:1-64
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.monitoring.kube-state-metrics
    	File: /addons/prometheus/exporters/kube-state-metrics/deployment.yaml:1-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		   | # kube-state-metrics Deployment (namespace monitoring): one replica exposing /metrics on 8080 and
    		   | # self-telemetry on 8081, running as UID 65534 under the runtime-default seccomp profile.
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: kube-state-metrics
    		5  |   namespace: monitoring
    		6  | spec:
    		7  |   replicas: 1
    		8  |   strategy:
    		9  |     type: RollingUpdate
    		10 |     rollingUpdate:
    		11 |       maxUnavailable: 1
    		12 |   selector:
    		13 |     matchLabels:
    		14 |       name: kube-state-metrics
    		15 |       phase: prod
    		16 |   template:
    		17 |     metadata:
    		18 |       labels:
    		19 |         name: kube-state-metrics
    		20 |         phase: prod
    		21 |     spec:
    		22 |       securityContext:
    		23 |         seccompProfile:
    		24 |           type: RuntimeDefault
    		25 |       serviceAccountName: kube-state-metrics
    		26 |       containers:
    		27 |       - name: kube-state-metrics
    		28 |         image: registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.7.0
    		29 |         ports:
    		30 |           - name: metrics
    		31 |             containerPort: 8080
    		32 |           - name: telemetry
    		33 |             containerPort: 8081
    		34 |         livenessProbe:
    		35 |           httpGet:
    		36 |             path: /healthz
    		37 |             port: 8080
    		38 |           initialDelaySeconds: 5
    		39 |           timeoutSeconds: 5
    		40 |         readinessProbe:
    		41 |           httpGet:
    		42 |             path: /
    		43 |             port: 8081
    		44 |           initialDelaySeconds: 5
    		45 |           timeoutSeconds: 5
    		   |         # NOTE(review): no `resources` stanza, so this pod is BestEffort QoS — unbounded CPU and the first
    		   |         # candidate for eviction under node pressure (CKV_K8S_11). Add a limit alongside a request, e.g.
    		   |         # resources:
    		   |         #   limits:   {cpu: 200m, memory: 256Mi}
    		   |         #   requests: {cpu: 50m,  memory: 128Mi}
    		   |         # (starting values only — size to the number of objects in the cluster).
    		46 |         securityContext:
    		47 |           runAsUser: 65534
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.monitoring.kube-state-metrics
    	File: /addons/prometheus/exporters/kube-state-metrics/deployment.yaml:1-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		   | # kube-state-metrics Deployment (namespace monitoring): one replica exposing /metrics on 8080 and
    		   | # self-telemetry on 8081, running as UID 65534 under the runtime-default seccomp profile.
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: kube-state-metrics
    		5  |   namespace: monitoring
    		6  | spec:
    		7  |   replicas: 1
    		8  |   strategy:
    		9  |     type: RollingUpdate
    		10 |     rollingUpdate:
    		11 |       maxUnavailable: 1
    		12 |   selector:
    		13 |     matchLabels:
    		14 |       name: kube-state-metrics
    		15 |       phase: prod
    		16 |   template:
    		17 |     metadata:
    		18 |       labels:
    		19 |         name: kube-state-metrics
    		20 |         phase: prod
    		21 |     spec:
    		22 |       securityContext:
    		23 |         seccompProfile:
    		24 |           type: RuntimeDefault
    		25 |       serviceAccountName: kube-state-metrics
    		26 |       containers:
    		27 |       - name: kube-state-metrics
    		28 |         image: registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.7.0
    		29 |         ports:
    		30 |           - name: metrics
    		31 |             containerPort: 8080
    		32 |           - name: telemetry
    		33 |             containerPort: 8081
    		34 |         livenessProbe:
    		35 |           httpGet:
    		36 |             path: /healthz
    		37 |             port: 8080
    		38 |           initialDelaySeconds: 5
    		39 |           timeoutSeconds: 5
    		40 |         readinessProbe:
    		41 |           httpGet:
    		42 |             path: /
    		43 |             port: 8081
    		44 |           initialDelaySeconds: 5
    		45 |           timeoutSeconds: 5
    		   |         # NOTE(review): no `resources.requests.cpu`, so the scheduler reserves no CPU for this pod and it
    		   |         # lands in the BestEffort QoS class, evicted first when the node is under pressure (CKV_K8S_10).
    		   |         # Declare a request (and a matching limit) at this level, e.g.
    		   |         # resources:
    		   |         #   requests: {cpu: 50m,  memory: 128Mi}
    		   |         #   limits:   {cpu: 200m, memory: 256Mi}
    		   |         # (starting values only — tune to cluster size).
    		46 |         securityContext:
    		47 |           runAsUser: 65534
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.monitoring.kube-state-metrics
    	File: /addons/prometheus/exporters/kube-state-metrics/deployment.yaml:1-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		   | # kube-state-metrics Deployment (namespace monitoring): one replica exposing /metrics on 8080 and
    		   | # self-telemetry on 8081, running as UID 65534 under the runtime-default seccomp profile.
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: kube-state-metrics
    		5  |   namespace: monitoring
    		6  | spec:
    		7  |   replicas: 1
    		8  |   strategy:
    		9  |     type: RollingUpdate
    		10 |     rollingUpdate:
    		11 |       maxUnavailable: 1
    		12 |   selector:
    		13 |     matchLabels:
    		14 |       name: kube-state-metrics
    		15 |       phase: prod
    		16 |   template:
    		17 |     metadata:
    		18 |       labels:
    		19 |         name: kube-state-metrics
    		20 |         phase: prod
    		21 |     spec:
    		22 |       securityContext:
    		23 |         seccompProfile:
    		24 |           type: RuntimeDefault
    		25 |       serviceAccountName: kube-state-metrics
    		26 |       containers:
    		27 |       - name: kube-state-metrics
    		28 |         image: registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.7.0
    		29 |         ports:
    		30 |           - name: metrics
    		31 |             containerPort: 8080
    		32 |           - name: telemetry
    		33 |             containerPort: 8081
    		34 |         livenessProbe:
    		35 |           httpGet:
    		36 |             path: /healthz
    		37 |             port: 8080
    		38 |           initialDelaySeconds: 5
    		39 |           timeoutSeconds: 5
    		40 |         readinessProbe:
    		41 |           httpGet:
    		42 |             path: /
    		43 |             port: 8081
    		44 |           initialDelaySeconds: 5
    		45 |           timeoutSeconds: 5
    		   |         # NOTE(review): the container's root filesystem is writable (CKV_K8S_22), so a compromised process
    		   |         # could drop tooling or tamper with the image contents in place. This manifest mounts no volumes and
    		   |         # declares no writable paths, so `readOnlyRootFilesystem: true` under this securityContext should be
    		   |         # safe — confirm the exporter starts cleanly with it before rolling out.
    		46 |         securityContext:
    		47 |           runAsUser: 65534
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.monitoring.kube-state-metrics
    	File: /addons/prometheus/exporters/kube-state-metrics/deployment.yaml:1-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		   | # kube-state-metrics Deployment (namespace monitoring): one replica exposing /metrics on 8080 and
    		   | # self-telemetry on 8081, running as UID 65534 under the runtime-default seccomp profile.
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: kube-state-metrics
    		5  |   namespace: monitoring
    		6  | spec:
    		7  |   replicas: 1
    		8  |   strategy:
    		9  |     type: RollingUpdate
    		10 |     rollingUpdate:
    		11 |       maxUnavailable: 1
    		12 |   selector:
    		13 |     matchLabels:
    		14 |       name: kube-state-metrics
    		15 |       phase: prod
    		16 |   template:
    		17 |     metadata:
    		18 |       labels:
    		19 |         name: kube-state-metrics
    		20 |         phase: prod
    		21 |     spec:
    		22 |       securityContext:
    		23 |         seccompProfile:
    		24 |           type: RuntimeDefault
    		25 |       serviceAccountName: kube-state-metrics
    		26 |       containers:
    		27 |       - name: kube-state-metrics
    		   |         # NOTE(review): the image is pinned to a mutable tag; a re-push of v2.7.0 on the registry side would
    		   |         # be pulled without any change here (CKV_K8S_43). Pin the content instead: resolve the digest once
    		   |         # (e.g. `crane digest` or `skopeo inspect`) and write
    		   |         #   image: registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.7.0@sha256:<digest>
    		   |         # keeping the tag for readability and the digest for immutability.
    		28 |         image: registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.7.0
    		29 |         ports:
    		30 |           - name: metrics
    		31 |             containerPort: 8080
    		32 |           - name: telemetry
    		33 |             containerPort: 8081
    		34 |         livenessProbe:
    		35 |           httpGet:
    		36 |             path: /healthz
    		37 |             port: 8080
    		38 |           initialDelaySeconds: 5
    		39 |           timeoutSeconds: 5
    		40 |         readinessProbe:
    		41 |           httpGet:
    		42 |             path: /
    		43 |             port: 8081
    		44 |           initialDelaySeconds: 5
    		45 |           timeoutSeconds: 5
    		46 |         securityContext:
    		47 |           runAsUser: 65534
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.monitoring.kube-state-metrics
    	File: /addons/prometheus/exporters/kube-state-metrics/deployment.yaml:1-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		   | # kube-state-metrics Deployment (namespace monitoring): one replica exposing /metrics on 8080 and
    		   | # self-telemetry on 8081, running as UID 65534 under the runtime-default seccomp profile.
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: kube-state-metrics
    		5  |   namespace: monitoring
    		6  | spec:
    		7  |   replicas: 1
    		8  |   strategy:
    		9  |     type: RollingUpdate
    		10 |     rollingUpdate:
    		11 |       maxUnavailable: 1
    		12 |   selector:
    		13 |     matchLabels:
    		14 |       name: kube-state-metrics
    		15 |       phase: prod
    		16 |   template:
    		17 |     metadata:
    		18 |       labels:
    		19 |         name: kube-state-metrics
    		20 |         phase: prod
    		21 |     spec:
    		22 |       securityContext:
    		23 |         seccompProfile:
    		24 |           type: RuntimeDefault
    		25 |       serviceAccountName: kube-state-metrics
    		26 |       containers:
    		27 |       - name: kube-state-metrics
    		28 |         image: registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.7.0
    		29 |         ports:
    		30 |           - name: metrics
    		31 |             containerPort: 8080
    		32 |           - name: telemetry
    		33 |             containerPort: 8081
    		34 |         livenessProbe:
    		35 |           httpGet:
    		36 |             path: /healthz
    		37 |             port: 8080
    		38 |           initialDelaySeconds: 5
    		39 |           timeoutSeconds: 5
    		40 |         readinessProbe:
    		41 |           httpGet:
    		42 |             path: /
    		43 |             port: 8081
    		44 |           initialDelaySeconds: 5
    		45 |           timeoutSeconds: 5
    		   |         # NOTE(review): no memory limit (CKV_K8S_13). An exporter that lists cluster objects is expected to
    		   |         # grow with cluster size, and without a limit that growth is absorbed by the node (memory pressure,
    		   |         # evictions of neighbours) instead of an OOM-kill and restart of this container alone. Add e.g.
    		   |         # resources:
    		   |         #   limits:   {memory: 256Mi, cpu: 200m}
    		   |         #   requests: {memory: 128Mi, cpu: 50m}
    		   |         # (starting values only — raise for large clusters).
    		46 |         securityContext:
    		47 |           runAsUser: 65534
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.monitoring.kube-state-metrics
    	File: /addons/prometheus/exporters/kube-state-metrics/deployment.yaml:1-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		   | # kube-state-metrics Deployment (namespace monitoring): one replica exposing /metrics on 8080 and
    		   | # self-telemetry on 8081, running as UID 65534 under the runtime-default seccomp profile.
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: kube-state-metrics
    		5  |   namespace: monitoring
    		6  | spec:
    		7  |   replicas: 1
    		8  |   strategy:
    		9  |     type: RollingUpdate
    		10 |     rollingUpdate:
    		11 |       maxUnavailable: 1
    		12 |   selector:
    		13 |     matchLabels:
    		14 |       name: kube-state-metrics
    		15 |       phase: prod
    		16 |   template:
    		17 |     metadata:
    		18 |       labels:
    		19 |         name: kube-state-metrics
    		20 |         phase: prod
    		21 |     spec:
    		22 |       securityContext:
    		23 |         seccompProfile:
    		24 |           type: RuntimeDefault
    		25 |       serviceAccountName: kube-state-metrics
    		26 |       containers:
    		27 |       - name: kube-state-metrics
    		28 |         image: registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.7.0
    		29 |         ports:
    		30 |           - name: metrics
    		31 |             containerPort: 8080
    		32 |           - name: telemetry
    		33 |             containerPort: 8081
    		34 |         livenessProbe:
    		35 |           httpGet:
    		36 |             path: /healthz
    		37 |             port: 8080
    		38 |           initialDelaySeconds: 5
    		39 |           timeoutSeconds: 5
    		40 |         readinessProbe:
    		41 |           httpGet:
    		42 |             path: /
    		43 |             port: 8081
    		44 |           initialDelaySeconds: 5
    		45 |           timeoutSeconds: 5
    		46 |         securityContext:
    		   |           # NOTE(review): `allowPrivilegeEscalation` is unset and so defaults to true — the process is not
    		   |           # started with no_new_privs, so a setuid binary or file capability inside the image could still
    		   |           # gain privileges beyond UID 65534 (CKV_K8S_20). Add
    		   |           #   allowPrivilegeEscalation: false
    		   |           # next to runAsUser; it is a no-op for a process that never needs to escalate.
    		47 |           runAsUser: 65534
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.monitoring.kube-state-metrics
    	File: /addons/prometheus/exporters/kube-state-metrics/deployment.yaml:1-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		   | # kube-state-metrics Deployment (namespace monitoring): one replica exposing /metrics on 8080 and
    		   | # self-telemetry on 8081, running as UID 65534 under the runtime-default seccomp profile.
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: kube-state-metrics
    		5  |   namespace: monitoring
    		6  | spec:
    		7  |   replicas: 1
    		8  |   strategy:
    		9  |     type: RollingUpdate
    		10 |     rollingUpdate:
    		11 |       maxUnavailable: 1
    		12 |   selector:
    		13 |     matchLabels:
    		14 |       name: kube-state-metrics
    		15 |       phase: prod
    		16 |   template:
    		17 |     metadata:
    		18 |       labels:
    		19 |         name: kube-state-metrics
    		20 |         phase: prod
    		21 |     spec:
    		22 |       securityContext:
    		23 |         seccompProfile:
    		24 |           type: RuntimeDefault
    		25 |       serviceAccountName: kube-state-metrics
    		26 |       containers:
    		27 |       - name: kube-state-metrics
    		28 |         image: registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.7.0
    		29 |         ports:
    		30 |           - name: metrics
    		31 |             containerPort: 8080
    		32 |           - name: telemetry
    		33 |             containerPort: 8081
    		34 |         livenessProbe:
    		35 |           httpGet:
    		36 |             path: /healthz
    		37 |             port: 8080
    		38 |           initialDelaySeconds: 5
    		39 |           timeoutSeconds: 5
    		40 |         readinessProbe:
    		41 |           httpGet:
    		42 |             path: /
    		43 |             port: 8081
    		44 |           initialDelaySeconds: 5
    		45 |           timeoutSeconds: 5
    		46 |         securityContext:
    		   |           # NOTE(review): no `capabilities` block, so the container keeps the runtime's default capability
    		   |           # set, which on common runtimes includes NET_RAW — raw sockets, i.e. packet crafting and ARP/ICMP
    		   |           # games on the pod network (CKV_K8S_28). A metrics exporter needs none of them; add
    		   |           #   capabilities:
    		   |           #     drop: ["ALL"]
    		47 |           runAsUser: 65534
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.monitoring.kube-state-metrics
    	File: /addons/prometheus/exporters/kube-state-metrics/deployment.yaml:1-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		   | # kube-state-metrics Deployment (namespace monitoring): one replica exposing /metrics on 8080 and
    		   | # self-telemetry on 8081, running as UID 65534 under the runtime-default seccomp profile.
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: kube-state-metrics
    		5  |   namespace: monitoring
    		6  | spec:
    		7  |   replicas: 1
    		8  |   strategy:
    		9  |     type: RollingUpdate
    		10 |     rollingUpdate:
    		11 |       maxUnavailable: 1
    		12 |   selector:
    		13 |     matchLabels:
    		14 |       name: kube-state-metrics
    		15 |       phase: prod
    		16 |   template:
    		17 |     metadata:
    		18 |       labels:
    		19 |         name: kube-state-metrics
    		20 |         phase: prod
    		21 |     spec:
    		22 |       securityContext:
    		23 |         seccompProfile:
    		24 |           type: RuntimeDefault
    		25 |       serviceAccountName: kube-state-metrics
    		26 |       containers:
    		27 |       - name: kube-state-metrics
    		28 |         image: registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.7.0
    		29 |         ports:
    		30 |           - name: metrics
    		31 |             containerPort: 8080
    		32 |           - name: telemetry
    		33 |             containerPort: 8081
    		34 |         livenessProbe:
    		35 |           httpGet:
    		36 |             path: /healthz
    		37 |             port: 8080
    		38 |           initialDelaySeconds: 5
    		39 |           timeoutSeconds: 5
    		40 |         readinessProbe:
    		41 |           httpGet:
    		42 |             path: /
    		43 |             port: 8081
    		44 |           initialDelaySeconds: 5
    		45 |           timeoutSeconds: 5
    		46 |         securityContext:
    		   |           # NOTE(review): capabilities are not restricted, so the runtime's default set is granted in full
    		   |           # (CKV_K8S_37), and the non-root intent is only implied by the UID below rather than enforced.
    		   |           # Drop everything and make the kubelet refuse a root image:
    		   |           #   runAsNonRoot: true
    		   |           #   capabilities:
    		   |           #     drop: ["ALL"]
    		47 |           runAsUser: 65534
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.monitoring.kube-state-metrics
    	File: /addons/prometheus/exporters/kube-state-metrics/deployment.yaml:1-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		   | # kube-state-metrics Deployment (namespace monitoring): one replica exposing /metrics on 8080 and
    		   | # self-telemetry on 8081, running as UID 65534 under the runtime-default seccomp profile.
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: kube-state-metrics
    		5  |   namespace: monitoring
    		6  | spec:
    		7  |   replicas: 1
    		8  |   strategy:
    		9  |     type: RollingUpdate
    		10 |     rollingUpdate:
    		11 |       maxUnavailable: 1
    		12 |   selector:
    		13 |     matchLabels:
    		14 |       name: kube-state-metrics
    		15 |       phase: prod
    		16 |   template:
    		17 |     metadata:
    		18 |       labels:
    		19 |         name: kube-state-metrics
    		20 |         phase: prod
    		21 |     spec:
    		22 |       securityContext:
    		23 |         seccompProfile:
    		24 |           type: RuntimeDefault
    		25 |       serviceAccountName: kube-state-metrics
    		26 |       containers:
    		27 |       - name: kube-state-metrics
    		28 |         image: registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.7.0
    		29 |         ports:
    		30 |           - name: metrics
    		31 |             containerPort: 8080
    		32 |           - name: telemetry
    		33 |             containerPort: 8081
    		34 |         livenessProbe:
    		35 |           httpGet:
    		36 |             path: /healthz
    		37 |             port: 8080
    		38 |           initialDelaySeconds: 5
    		39 |           timeoutSeconds: 5
    		40 |         readinessProbe:
    		41 |           httpGet:
    		42 |             path: /
    		43 |             port: 8081
    		44 |           initialDelaySeconds: 5
    		45 |           timeoutSeconds: 5
    		   |         # NOTE(review): no `resources.requests.memory` (CKV_K8S_12), so the scheduler reserves nothing for
    		   |         # this pod and it is BestEffort QoS — the first to be evicted when the node runs short of memory,
    		   |         # which takes the cluster's state metrics away exactly when they are most needed. Add e.g.
    		   |         # resources:
    		   |         #   requests: {memory: 128Mi, cpu: 50m}
    		   |         #   limits:   {memory: 256Mi, cpu: 200m}
    		   |         # (starting values only — tune to cluster size).
    		46 |         securityContext:
    		47 |           runAsUser: 65534
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: Deployment.monitoring.kube-state-metrics
    	File: /addons/prometheus/exporters/kube-state-metrics/deployment.yaml:1-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		   | # kube-state-metrics Deployment (namespace monitoring): one replica exposing /metrics on 8080 and
    		   | # self-telemetry on 8081, running as UID 65534 under the runtime-default seccomp profile.
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: kube-state-metrics
    		5  |   namespace: monitoring
    		6  | spec:
    		7  |   replicas: 1
    		8  |   strategy:
    		9  |     type: RollingUpdate
    		10 |     rollingUpdate:
    		11 |       maxUnavailable: 1
    		12 |   selector:
    		13 |     matchLabels:
    		14 |       name: kube-state-metrics
    		15 |       phase: prod
    		16 |   template:
    		17 |     metadata:
    		18 |       labels:
    		19 |         name: kube-state-metrics
    		20 |         phase: prod
    		21 |     spec:
    		22 |       securityContext:
    		23 |         seccompProfile:
    		24 |           type: RuntimeDefault
    		25 |       serviceAccountName: kube-state-metrics
    		26 |       containers:
    		27 |       - name: kube-state-metrics
    		28 |         image: registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.7.0
    		   |         # NOTE(review): `imagePullPolicy` is unset; for a tag other than :latest Kubernetes defaults it to
    		   |         # IfNotPresent, so a node that already cached "v2.7.0" never re-checks the registry and a re-pushed
    		   |         # tag would go unnoticed there (CKV_K8S_15). Either set
    		   |         #   imagePullPolicy: Always
    		   |         # or — better — pin the image by digest, after which cached content cannot differ from the registry's.
    		29 |         ports:
    		30 |           - name: metrics
    		31 |             containerPort: 8080
    		32 |           - name: telemetry
    		33 |             containerPort: 8081
    		34 |         livenessProbe:
    		35 |           httpGet:
    		36 |             path: /healthz
    		37 |             port: 8080
    		38 |           initialDelaySeconds: 5
    		39 |           timeoutSeconds: 5
    		40 |         readinessProbe:
    		41 |           httpGet:
    		42 |             path: /
    		43 |             port: 8081
    		44 |           initialDelaySeconds: 5
    		45 |           timeoutSeconds: 5
    		46 |         securityContext:
    		47 |           runAsUser: 65534
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.monitoring.kube-state-metrics
    	File: /addons/prometheus/exporters/kube-state-metrics/deployment.yaml:1-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		   | # kube-state-metrics Deployment (namespace monitoring): one replica exposing /metrics on 8080 and
    		   | # self-telemetry on 8081, running as UID 65534 under the runtime-default seccomp profile.
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: kube-state-metrics
    		5  |   namespace: monitoring
    		6  | spec:
    		7  |   replicas: 1
    		8  |   strategy:
    		9  |     type: RollingUpdate
    		10 |     rollingUpdate:
    		11 |       maxUnavailable: 1
    		12 |   selector:
    		13 |     matchLabels:
    		14 |       name: kube-state-metrics
    		15 |       phase: prod
    		16 |   template:
    		17 |     metadata:
    		18 |       labels:
    		19 |         name: kube-state-metrics
    		20 |         phase: prod
    		21 |     spec:
    		22 |       securityContext:
    		23 |         seccompProfile:
    		24 |           type: RuntimeDefault
    		   |       # NOTE(review): `automountServiceAccountToken` is not declared, so the token of this ServiceAccount is
    		   |       # mounted by default (CKV_K8S_38). That is presumably required here — as far as this manifest shows
    		   |       # the exporter has no other credential for reading cluster state from the API server — so do NOT set
    		   |       # it to false. Record the intent explicitly with
    		   |       #   automountServiceAccountToken: true
    		   |       # at this pod-spec level, and keep the account's RBAC to read-only verbs (get/list/watch) so a stolen
    		   |       # token cannot be used to mutate the cluster.
    		25 |       serviceAccountName: kube-state-metrics
    		26 |       containers:
    		27 |       - name: kube-state-metrics
    		28 |         image: registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.7.0
    		29 |         ports:
    		30 |           - name: metrics
    		31 |             containerPort: 8080
    		32 |           - name: telemetry
    		33 |             containerPort: 8081
    		34 |         livenessProbe:
    		35 |           httpGet:
    		36 |             path: /healthz
    		37 |             port: 8080
    		38 |           initialDelaySeconds: 5
    		39 |           timeoutSeconds: 5
    		40 |         readinessProbe:
    		41 |           httpGet:
    		42 |             path: /
    		43 |             port: 8081
    		44 |           initialDelaySeconds: 5
    		45 |           timeoutSeconds: 5
    		46 |         securityContext:
    		47 |           runAsUser: 65534
    
    Check: CKV_K8S_26: "Do not specify hostPort unless absolutely necessary"
    	FAILED for resource: DaemonSet.monitoring.node-exporter
    	File: /addons/prometheus/exporters/node-exporter/daemonset.yaml:1-79
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-25.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: DaemonSet.monitoring.node-exporter
    	File: /addons/prometheus/exporters/node-exporter/daemonset.yaml:1-79
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_19: "Containers should not share the host network namespace"
    	FAILED for resource: DaemonSet.monitoring.node-exporter
    	File: /addons/prometheus/exporters/node-exporter/daemonset.yaml:1-79
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-18.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: DaemonSet.monitoring.node-exporter
    	File: /addons/prometheus/exporters/node-exporter/daemonset.yaml:1-79
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: DaemonSet.monitoring.node-exporter
    	File: /addons/prometheus/exporters/node-exporter/daemonset.yaml:1-79
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: DaemonSet.monitoring.node-exporter
    	File: /addons/prometheus/exporters/node-exporter/daemonset.yaml:1-79
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_17: "Containers should not share the host process ID namespace"
    	FAILED for resource: DaemonSet.monitoring.node-exporter
    	File: /addons/prometheus/exporters/node-exporter/daemonset.yaml:1-79
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-16.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: DaemonSet.monitoring.node-exporter
    	File: /addons/prometheus/exporters/node-exporter/daemonset.yaml:1-79
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: DaemonSet.monitoring.node-exporter
    	File: /addons/prometheus/exporters/node-exporter/daemonset.yaml:1-79
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: DaemonSet.monitoring.node-exporter
    	File: /addons/prometheus/exporters/node-exporter/daemonset.yaml:1-79
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: DaemonSet.monitoring.node-exporter
    	File: /addons/prometheus/exporters/node-exporter/daemonset.yaml:1-79
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: DaemonSet.monitoring.node-exporter
    	File: /addons/prometheus/exporters/node-exporter/daemonset.yaml:1-79
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.grafana.name-grafana.phase-prod
    	File: /addons/grafana/deployment.yaml:1-124
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.nginx-ingress-controller.name-nginx-ingress-controller.phase-prod
    	File: /addons/nginx-ingress/bare-metal/deployment.yaml:1-80
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.nginx-ingress-controller.name-nginx-ingress-controller.phase-prod
    	File: /addons/nginx-ingress/google-cloud/deployment.yaml:1-83
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.nginx-ingress-controller.name-nginx-ingress-controller.phase-prod
    	File: /addons/nginx-ingress/azure/deployment.yaml:1-83
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.nginx-ingress-controller.name-nginx-ingress-controller.phase-prod
    	File: /addons/nginx-ingress/aws/deployment.yaml:1-83
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.nginx-ingress-controller.name-nginx-ingress-controller.phase-prod
    	File: /addons/nginx-ingress/digital-ocean/daemonset.yaml:1-83
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.kube-state-metrics.name-kube-state-metrics.phase-prod
    	File: /addons/prometheus/exporters/kube-state-metrics/deployment.yaml:1-47
    
    		1  | apiVersion: apps/v1
    		2  | kind: Deployment
    		3  | metadata:
    		4  |   name: kube-state-metrics
    		5  |   namespace: monitoring
    		6  | spec:
    		7  |   replicas: 1
    		8  |   strategy:
    		9  |     type: RollingUpdate
    		10 |     rollingUpdate:
    		11 |       maxUnavailable: 1
    		12 |   selector:
    		13 |     matchLabels:
    		14 |       name: kube-state-metrics
    		15 |       phase: prod
    		16 |   template:
    		17 |     metadata:
    		18 |       labels:
    		19 |         name: kube-state-metrics
    		20 |         phase: prod
    		21 |     spec:
    		22 |       securityContext:
    		23 |         seccompProfile:
    		24 |           type: RuntimeDefault
    		25 |       serviceAccountName: kube-state-metrics
    		26 |       containers:
    		27 |       - name: kube-state-metrics
    		28 |         image: registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.7.0
    		29 |         ports:
    		30 |           - name: metrics
    		31 |             containerPort: 8080
    		32 |           - name: telemetry
    		33 |             containerPort: 8081
    		34 |         livenessProbe:
    		35 |           httpGet:
    		36 |             path: /healthz
    		37 |             port: 8080
    		38 |           initialDelaySeconds: 5
    		39 |           timeoutSeconds: 5
    		40 |         readinessProbe:
    		41 |           httpGet:
    		42 |             path: /
    		43 |             port: 8081
    		44 |           initialDelaySeconds: 5
    		45 |           timeoutSeconds: 5
    		46 |         securityContext:
    		47 |           runAsUser: 65534
    
    Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
    	FAILED for resource: Pod.default.node-exporter.name-node-exporter.phase-prod
    	File: /addons/prometheus/exporters/node-exporter/daemonset.yaml:1-79
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    github_actions scan results:
    
    Passed checks: 7, Failed checks: 1, Skipped checks: 0
    
    Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
    	FAILED for resource: on(publish)
    	File: /.github/workflows/publish.yaml:11-12
    
    
                    
                  

    Linting

    This repository failed the Experience Builder Terraform Module's Linting validation. This means that no linting tool was found to be configured in any of the CI/CD tool configuration files in the repository.

    There is an opportunity to: