GCPGKEPrivateClusterConstraintV1 does not validate private endpoint + public nodes #392

Open
jdyke opened this issue Feb 24, 2021 · 3 comments · May be fixed by #438
Labels
bug Something isn't working

Comments


jdyke commented Feb 24, 2021

The logic in GCPGKEPrivateClusterConstraintV1 will not catch a google_container_cluster resource with the following configuration:

resource "google_container_cluster" "primary" {
  name     = "my-gke-cluster"
  location = "us-central1"
  project = "project123"

  remove_default_node_pool = true
  initial_node_count       = 1
  private_cluster_config {
    enable_private_endpoint = true
    enable_private_nodes = false
  }
}

This is due to GCPGKEPrivateClusterConstraintV1 only checking to see if private_cluster_config exists or not:

cluster := asset.resource.data
private_cluster_config := lib.get_default(cluster, "privateClusterConfig", {})
private_cluster_config == {}

Example terraform plan in JSON format:

{
    "format_version": "0.1",
    "terraform_version": "0.14.3",
    "variables": {
        "project": {
            "value": "project123"
        }
    },
    "planned_values": {
        "root_module": {
            "resources": [
                {
                    "address": "google_container_cluster.private_api_endpoint_test",
                    "mode": "managed",
                    "type": "google_container_cluster",
                    "name": "private_api_endpoint_test",
                    "provider_name": "registry.terraform.io/hashicorp/google",
                    "schema_version": 1,
                    "values": {
                        "description": null,
                        "enable_binary_authorization": false,
                        "enable_intranode_visibility": null,
                        "enable_kubernetes_alpha": false,
                        "enable_legacy_abac": false,
                        "enable_shielded_nodes": false,
                        "enable_tpu": null,
                        "initial_node_count": 1,
                        "ip_allocation_policy": [],
                        "location": "us-central1",
                        "maintenance_policy": [],
                        "master_authorized_networks_config": [],
                        "min_master_version": null,
                        "name": "private-endpoint-test",
                        "network": "default",
                        "pod_security_policy_config": [],
                        "private_cluster_config": [
                            {
                                "enable_private_endpoint": true,
                                "enable_private_nodes": null,
                                "master_ipv4_cidr_block": null
                            }
                        ],
                        "project": "project123",
                        "remove_default_node_pool": null,
                        "resource_labels": null,
                        "resource_usage_export_config": [],
                        "timeouts": null,
                        "vertical_pod_autoscaling": [],
                        "workload_identity_config": []
                    }
                }
            ]
        }
    },
    "resource_changes": [
        {
            "address": "google_container_cluster.private_api_endpoint_test",
            "mode": "managed",
            "type": "google_container_cluster",
            "name": "private_api_endpoint_test",
            "provider_name": "registry.terraform.io/hashicorp/google",
            "change": {
                "actions": [
                    "create"
                ],
                "before": null,
                "after": {
                    "description": null,
                    "enable_binary_authorization": false,
                    "enable_intranode_visibility": null,
                    "enable_kubernetes_alpha": false,
                    "enable_legacy_abac": false,
                    "enable_shielded_nodes": false,
                    "enable_tpu": null,
                    "initial_node_count": 1,
                    "ip_allocation_policy": [],
                    "location": "us-central1",
                    "maintenance_policy": [],
                    "master_authorized_networks_config": [],
                    "min_master_version": null,
                    "name": "private-endpoint-test",
                    "network": "default",
                    "pod_security_policy_config": [],
                    "private_cluster_config": [
                        {
                            "enable_private_endpoint": true,
                            "enable_private_nodes": null,
                            "master_ipv4_cidr_block": null
                        }
                    ],
                    "project": "project123",
                    "remove_default_node_pool": null,
                    "resource_labels": null,
                    "resource_usage_export_config": [],
                    "timeouts": null,
                    "vertical_pod_autoscaling": [],
                    "workload_identity_config": []
                },
                "after_unknown": {
                    "addons_config": true,
                    "authenticator_groups_config": true,
                    "cluster_autoscaling": true,
                    "cluster_ipv4_cidr": true,
                    "database_encryption": true,
                    "datapath_provider": true,
                    "default_max_pods_per_node": true,
                    "default_snat_status": true,
                    "endpoint": true,
                    "id": true,
                    "instance_group_urls": true,
                    "ip_allocation_policy": [],
                    "label_fingerprint": true,
                    "logging_service": true,
                    "maintenance_policy": [],
                    "master_auth": true,
                    "master_authorized_networks_config": [],
                    "master_version": true,
                    "monitoring_service": true,
                    "network_policy": true,
                    "node_config": true,
                    "node_locations": true,
                    "node_pool": true,
                    "node_version": true,
                    "operation": true,
                    "pod_security_policy_config": [],
                    "private_cluster_config": [
                        {
                            "master_global_access_config": true,
                            "peering_name": true,
                            "private_endpoint": true,
                            "public_endpoint": true
                        }
                    ],
                    "release_channel": true,
                    "resource_usage_export_config": [],
                    "self_link": true,
                    "services_ipv4_cidr": true,
                    "subnetwork": true,
                    "tpu_ipv4_cidr_block": true,
                    "vertical_pod_autoscaling": [],
                    "workload_identity_config": []
                }
            }
        }
    ],
    "configuration": {
        "root_module": {
            "resources": [
                {
                    "address": "google_container_cluster.private_api_endpoint_test",
                    "mode": "managed",
                    "type": "google_container_cluster",
                    "name": "private_api_endpoint_test",
                    "provider_config_key": "google",
                    "expressions": {
                        "initial_node_count": {
                            "constant_value": 1
                        },
                        "location": {
                            "constant_value": "us-central1"
                        },
                        "name": {
                            "constant_value": "private-endpoint-test"
                        },
                        "private_cluster_config": [
                            {
                                "enable_private_endpoint": {
                                    "constant_value": true
                                },
                                "enable_private_nodes": {
                                    "constant_value": false
                                }
                            }
                        ],
                        "project": {
                            "references": [
                                "var.project"
                            ]
                        }
                    },
                    "schema_version": 1
                }
            ],
            "variables": {
                "project": {}
            }
        }
    }
}
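To make the gap concrete, here is an added example (Python, not the policy-library's own Rego) that models the existing check beside a stricter one over the cluster data the template reads. It assumes the converted asset uses the GKE API field names enablePrivateNodes and enablePrivateEndpoint under privateClusterConfig and that null plan values are dropped during conversion; both are assumptions, not project code.

```python
import json

# Added example, not the policy-library's Rego. Assumed: the converted asset uses the
# GKE API names enablePrivateNodes / enablePrivateEndpoint and drops null plan values
# (an assumption about the plan-to-asset conversion, not the project's code).


def snake_to_camel(key: str) -> str:
    head, *rest = key.split("_")
    return head + "".join(part.capitalize() for part in rest)


def plan_to_asset_data(after: dict) -> dict:
    """Reduce a plan 'change.after' block to the cluster data the Rego inspects."""
    data = {"name": after.get("name")}
    blocks = after.get("private_cluster_config") or []
    if blocks:
        data["privateClusterConfig"] = {
            snake_to_camel(k): v for k, v in blocks[0].items() if v is not None
        }
    return data


def current_check_violates(cluster: dict) -> bool:
    """Existing rule quoted in the issue: violation only when privateClusterConfig is absent."""
    return cluster.get("privateClusterConfig", {}) == {}


def strict_check_violates(cluster: dict) -> bool:
    """Stricter rule: both flags must be explicitly true; absent or null counts as false."""
    cfg = cluster.get("privateClusterConfig") or {}
    return not (cfg.get("enablePrivateNodes") is True
                and cfg.get("enablePrivateEndpoint") is True)


# Constructed excerpt of resource_changes[0].change.after from the plan in the issue.
PLAN_AFTER = json.loads("""{
  "name": "private-endpoint-test",
  "private_cluster_config": [
    {"enable_private_endpoint": true, "enable_private_nodes": null,
     "master_ipv4_cidr_block": null}
  ]
}""")


def evaluate(after: dict) -> dict:
    """Run both rules on one plan block; True means the rule reports a violation."""
    cluster = plan_to_asset_data(after)
    return {"current": current_check_violates(cluster),
            "strict": strict_check_violates(cluster)}


if __name__ == "__main__":
    print(evaluate(PLAN_AFTER))  # {'current': False, 'strict': True}
```

The existing rule passes the plan from the issue because privateClusterConfig is non-empty, while the stricter rule flags it since enable_private_nodes is null and therefore never explicitly true.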
morgante added the "bug" label on Feb 24, 2021

@morgante (Contributor)

Good catch. I probably won't have a chance to fix this immediately but happy to review a PR.


jdyke commented Feb 24, 2021

No prob @morgante, I can take this one.

@jralmaraz

As I try to get started as a new contributor, I've created PR #438 to work on this issue; please let me know if there's any feedback (I've added a comment in the code on the approach).

Thanks!
