terraform.gcp.best-practice.gcp-gke-use-cos-image.gcp-gke-use-cos-image


Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image


Definition

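rules:
  - id: gcp-gke-use-cos-image
    # Reports a google_container_node_pool whose node_config does not pin a
    # Container-Optimized OS image. The `...` ellipses make attribute and
    # block order irrelevant, so only the presence of an accepted image_type
    # inside node_config decides the outcome. A pool that omits image_type
    # entirely is also reported: the rule requires the choice to be explicit
    # rather than left to the provider/API default.
    patterns:
      - pattern: resource
      - pattern-inside: |
          resource "google_container_node_pool" "..." {
          ...
          }
      # Accepted: the plain Container-Optimized OS image.
      - pattern-not-inside: |
          resource "google_container_node_pool" "..." {
          ...
          node_config {
            ...
            image_type = "COS"
          }
          ...
          }
      # Accepted: Container-Optimized OS with containerd as the node runtime.
      # It is still a COS image, so reporting it would be a false positive.
      - pattern-not-inside: |
          resource "google_container_node_pool" "..." {
          ...
          node_config {
            ...
            image_type = "COS_CONTAINERD"
          }
          ...
          }
    message: Ensure Container-Optimized OS (cos) is used for Kubernetes Engine
      Clusters Node image
    metadata:
      category: best-practice
      technology:
        - terraform
        - gcp
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - hcl
    severity: WARNING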

Examples

gcp-gke-use-cos-image.tf

# fail
# ruleid: gcp-gke-use-cos-image
resource "google_container_node_pool" "fail" {
  # Reported: node_config pins an image_type that is not a Container-Optimized OS value.
  name     = "async-pool-2"
  cluster  = google_container_cluster.tfer.name
  project  = "test-project"
  location = "us-west1"
  zone     = "us-west1"
  version  = "1.14.10-gke.36"

  initial_node_count = "2"
  node_count         = "1"
  node_locations     = ["us-west1-b", "us-west1-a"]
  max_pods_per_node  = "110"

  autoscaling {
    min_node_count = "1"
    max_node_count = "4"
  }

  management {
    auto_repair  = "true"
    auto_upgrade = "true"
  }

  upgrade_settings {
    max_surge       = "1"
    max_unavailable = "0"
  }

  node_config {
    machine_type    = "custom-32-65536"
    disk_type       = "pd-ssd"
    disk_size_gb    = "400"
    local_ssd_count = "0"
    preemptible     = "false"
    image_type      = "SomethingElse" # not a COS image: this is what the rule catches

    labels = {
      async = "true"
    }

    metadata = {
      async                    = "true"
      disable-legacy-endpoints = "true"
    }

    # NOTE(review): the default service account combined with the cloud-platform
    # scope is outside this rule's scope; kept verbatim from the fixture.
    service_account = "default"
    oauth_scopes    = ["https://www.googleapis.com/auth/cloud-platform"]

    shielded_instance_config {
      enable_secure_boot          = "true"
      enable_integrity_monitoring = "true"
    }
  }
}

# ok: gcp-gke-use-cos-image
resource "google_container_node_pool" "success" {
  # Not reported: node_config pins image_type to the Container-Optimized OS image.
  name     = "async-pool-2"
  cluster  = google_container_cluster.tfer.name
  project  = "test-project"
  location = "us-west1"
  zone     = "us-west1"
  version  = "1.14.10-gke.36"

  initial_node_count = "2"
  node_count         = "1"
  node_locations     = ["us-west1-b", "us-west1-a"]
  max_pods_per_node  = "110"

  autoscaling {
    min_node_count = "1"
    max_node_count = "4"
  }

  management {
    auto_repair  = "true"
    auto_upgrade = "true"
  }

  upgrade_settings {
    max_surge       = "1"
    max_unavailable = "0"
  }

  node_config {
    machine_type    = "custom-32-65536"
    disk_type       = "pd-ssd"
    disk_size_gb    = "400"
    local_ssd_count = "0"
    preemptible     = "false"
    image_type      = "COS" # the value the rule accepts

    labels = {
      async = "true"
    }

    metadata = {
      async                    = "true"
      disable-legacy-endpoints = "true"
    }

    # NOTE(review): the default service account combined with the cloud-platform
    # scope is outside this rule's scope; kept verbatim from the fixture.
    service_account = "default"
    oauth_scopes    = ["https://www.googleapis.com/auth/cloud-platform"]

    shielded_instance_config {
      enable_secure_boot          = "true"
      enable_integrity_monitoring = "true"
    }
  }
}