terraform.gcp.security.gcp-gke-kubernetes-rbac-google-groups.gcp-gke-kubernetes-rbac-google-groups

profile photo of semgrepsemgrep
Author
unknown
Download Count*

Manage Kubernetes RBAC users with Google Groups for GKE

Run Locally

Run in CI

Defintion

rules:
  - id: gcp-gke-kubernetes-rbac-google-groups
    patterns:
      - pattern: resource
      - pattern-inside: |
          resource "google_container_cluster" "..." {
          ...
          }
      - pattern-not-inside: |
          resource "google_container_cluster" "..." {
          ...
          authenticator_groups_config {
            ...
            security_group = "..."
            ...
          }
          ...
          }
    message: Manage Kubernetes RBAC users with Google Groups for GKE
    metadata:
      owasp:
        - A05:2017 - Broken Access Control
        - A01:2021 - Broken Access Control
      cwe:
        - "CWE-284: Improper Access Control"
      category: security
      technology:
        - terraform
        - gcp
      references:
        - https://owasp.org/Top10/A01_2021-Broken_Access_Control
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization
    languages:
      - hcl
    severity: WARNING

Examples

gcp-gke-kubernetes-rbac-google-groups.tf

# fail
# ruleid: gcp-gke-kubernetes-rbac-google-groups
resource "google_container_cluster" "fail" {
  name               = var.name
  location           = var.location
  initial_node_count = 1
  project            = data.google_project.project.name

  network    = var.network
  subnetwork = var.subnetwork

  ip_allocation_policy {
    cluster_ipv4_cidr_block       = var.ip_allocation_policy["cluster_ipv4_cidr_block"]
    cluster_secondary_range_name  = var.ip_allocation_policy["cluster_secondary_range_name"]
    services_ipv4_cidr_block      = var.ip_allocation_policy["services_ipv4_cidr_block"]
    services_secondary_range_name = var.ip_allocation_policy["services_secondary_range_name"]
  }
}

# ok: gcp-gke-kubernetes-rbac-google-groups
resource "google_container_cluster" "success" {
  name               = var.name
  location           = var.location
  initial_node_count = 1
  project            = data.google_project.project.name

  network    = var.network
  subnetwork = var.subnetwork

  ip_allocation_policy {
    cluster_ipv4_cidr_block       = var.ip_allocation_policy["cluster_ipv4_cidr_block"]
    cluster_secondary_range_name  = var.ip_allocation_policy["cluster_secondary_range_name"]
    services_ipv4_cidr_block      = var.ip_allocation_policy["services_ipv4_cidr_block"]
    services_secondary_range_name = var.ip_allocation_policy["services_secondary_range_name"]
  }

  authenticator_groups_config {
    security_group = "gke-security-groups@yourdomain.com"
  }

  node_config {
    workload_metadata_config {
      node_metadata = "GKE_METADATA_SERVER"
    }
  }

  release_channel {
    channel = var.release_channel
  }
}