diff --git a/checkov/terraform/checks/resource/gcp/GKEBinaryAuthorization.py b/checkov/terraform/checks/resource/gcp/GKEBinaryAuthorization.py
index 19554b6765b..506c96d4760 100644
--- a/checkov/terraform/checks/resource/gcp/GKEBinaryAuthorization.py
+++ b/checkov/terraform/checks/resource/gcp/GKEBinaryAuthorization.py
@@ -1,17 +1,29 @@
-from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
-from checkov.common.models.enums import CheckCategories
+from checkov.common.models.enums import CheckCategories, CheckResult
+from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
 
 
-class GKEBinaryAuthorization(BaseResourceValueCheck):
-    def __init__(self) -> None:
+class GKEBinaryAuthorization(BaseResourceCheck):
+    def __init__(self):
         name = "Ensure use of Binary Authorization"
         id = "CKV_GCP_66"
-        supported_resources = ("google_container_cluster",)
-        categories = (CheckCategories.KUBERNETES,)
+        supported_resources = ['google_container_cluster']
+        categories = [CheckCategories.KUBERNETES]
         super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
 
-    def get_inspected_key(self) -> str:
-        return "enable_binary_authorization"
+    def scan_resource_conf(self, conf):
+        if 'binary_authorization' in conf.keys():
+            binary_authorization = conf["binary_authorization"][0]
+            if isinstance(binary_authorization, dict) and 'evaluation_mode' in binary_authorization:
+                # Google provider version >= v4.31.0
+                if binary_authorization.get("evaluation_mode") == ["PROJECT_SINGLETON_POLICY_ENFORCE"]:
+                    return CheckResult.PASSED
+                # Google provider version v4.29.0 and v4.30.0
+                elif binary_authorization.get("evaluation_mode") == [True]:
+                    return CheckResult.PASSED
+        # Google provider version <= v4.28.0
+        if conf.get("enable_binary_authorization") == [True]:
+            return CheckResult.PASSED
+        return CheckResult.FAILED
 
 
 check = GKEBinaryAuthorization()
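Review bot: `scan_resource_conf` indexes `conf["binary_authorization"][0]` as soon as the key is present, so an empty list under that key raises IndexError instead of yielding FAILED; reading it as `block = conf.get("binary_authorization") or [None]` followed by `binary_authorization = block[0]` keeps the later `isinstance(..., dict)` guard meaningful (whether the parser can actually produce an empty list here is not visible in the hunk). The rewrite also drops the `-> None` annotation and the tuple constants the removed lines had and tests membership with `in conf.keys()` rather than `in conf`; restoring `def __init__(self) -> None:` and typing the new method as `def scan_resource_conf(self, conf) -> CheckResult:` would keep it in line with the code it replaces. A docstring on `scan_resource_conf` should state the three provider schema generations the inline comments enumerate and that anything else — including `evaluation_mode = "DISABLED"` and a `binary_authorization` value that is not a dict — falls through to FAILED, i.e. the check fails closed.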
diff --git a/tests/terraform/checks/resource/gcp/test_GKEBinaryAuthorization.py b/tests/terraform/checks/resource/gcp/test_GKEBinaryAuthorization.py
index 873e9187ebb..f8a408fe326 100644
--- a/tests/terraform/checks/resource/gcp/test_GKEBinaryAuthorization.py
+++ b/tests/terraform/checks/resource/gcp/test_GKEBinaryAuthorization.py
@@ -17,18 +17,21 @@ def test(self):
         summary = report.get_summary()
 
         passing_resources = {
-            'google_container_cluster.success'
+            'google_container_cluster.success',
+            'google_container_cluster.success2'
         }
 
         failing_resources = {
             'google_container_cluster.fail1',
             'google_container_cluster.fail2',
+            'google_container_cluster.fail3',
+            'google_container_cluster.fail4',
         }
 
         passed_check_resources = set([c.resource for c in report.passed_checks])
         failed_check_resources = set([c.resource for c in report.failed_checks])
 
-        self.assertEqual(summary['passed'], 1)
-        self.assertEqual(summary['failed'], 2)
+        self.assertEqual(summary['passed'], 2)
+        self.assertEqual(summary['failed'], 4)
         self.assertEqual(summary['skipped'], 0)
         self.assertEqual(summary['parsing_errors'], 0)
diff --git a/tests/terraform/checks/resource/gcp/test_GKEBinaryAuthorization/main.tf b/tests/terraform/checks/resource/gcp/test_GKEBinaryAuthorization/main.tf
index bf038aaf98d..8fefd819605 100644
--- a/tests/terraform/checks/resource/gcp/test_GKEBinaryAuthorization/main.tf
+++ b/tests/terraform/checks/resource/gcp/test_GKEBinaryAuthorization/main.tf
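Review bot: The updated expectations exercise `evaluation_mode` set to `false` (fail3), `"DISABLED"` (fail4) and `"PROJECT_SINGLETON_POLICY_ENFORCE"` (success2) in the main.tf hunks below, so the check's `evaluation_mode == [True]` branch for provider v4.29/v4.30 has no fixture and could stop passing without this test noticing. Adding a `success3` resource with `binary_authorization { evaluation_mode = true }` to main.tf, listing it in `passing_resources` and bumping `summary['passed']` to 3 would pin that branch. The assertions only compare counts and resource names, which is enough here since each fixture differs from the others in a single attribute.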
@@ -150,6 +150,166 @@ resource "google_container_cluster" "fail2" {
   resource_labels = var.resource_labels
 }
 
+resource "google_container_cluster" "fail3" {
+  name = var.name
+  location = var.location
+  initial_node_count = 1
+  project = data.google_project.project.name
+
+  network = var.network
+  subnetwork = var.subnetwork
+
+  ip_allocation_policy {
+    cluster_ipv4_cidr_block = var.ip_allocation_policy["cluster_ipv4_cidr_block"]
+    cluster_secondary_range_name = var.ip_allocation_policy["cluster_secondary_range_name"]
+    services_ipv4_cidr_block = var.ip_allocation_policy["services_ipv4_cidr_block"]
+    services_secondary_range_name = var.ip_allocation_policy["services_secondary_range_name"]
+  }
+
+  remove_default_node_pool = var.remove_default_node_pool
+
+  enable_shielded_nodes = false
+
+  binary_authorization {
+    evaluation_mode = false
+  }
+
+  node_config {
+    workload_metadata_config {
+      node_metadata = "GKE_METADATA_SERVER"
+    }
+  }
+
+  release_channel {
+    channel = var.release_channel
+  }
+
+  master_auth {
+
+    client_certificate_config {
+      issue_client_certificate = false
+    }
+  }
+
+  addons_config {
+    http_load_balancing {
+      disabled = var.http_load_balancing_disabled
+    }
+
+    network_policy_config {
+      disabled = var.network_policy_config_disabled
+    }
+  }
+
+  maintenance_policy {
+    daily_maintenance_window {
+      start_time = var.maintenance_window
+    }
+  }
+
+  private_cluster_config {
+    enable_private_nodes = var.private_cluster_config["enable_private_nodes"]
+    enable_private_endpoint = var.private_cluster_config["enable_private_endpoint"]
+    master_ipv4_cidr_block = var.private_cluster_config["master_ipv4_cidr_block"]
+  }
+
+  master_authorized_networks_config {
+    cidr_blocks {
+      cidr_block = var.master_authorized_network_cidr
+    }
+  }
+
+  network_policy {
+    enabled = true
+  }
+
+  pod_security_policy_config {
+    enabled = var.pod_security_policy_config_enabled
+  }
+
+  resource_labels = var.resource_labels
+}
+
+resource "google_container_cluster" "fail4" {
+  name = var.name
+  location = var.location
+  initial_node_count = 1
+  project = data.google_project.project.name
+
+  network = var.network
+  subnetwork = var.subnetwork
+
+  ip_allocation_policy {
+    cluster_ipv4_cidr_block = var.ip_allocation_policy["cluster_ipv4_cidr_block"]
+    cluster_secondary_range_name = var.ip_allocation_policy["cluster_secondary_range_name"]
+    services_ipv4_cidr_block = var.ip_allocation_policy["services_ipv4_cidr_block"]
+    services_secondary_range_name = var.ip_allocation_policy["services_secondary_range_name"]
+  }
+
+  remove_default_node_pool = var.remove_default_node_pool
+
+  enable_shielded_nodes = false
+
+  binary_authorization {
+    evaluation_mode = "DISABLED"
+  }
+
+  node_config {
+    workload_metadata_config {
+      node_metadata = "GKE_METADATA_SERVER"
+    }
+  }
+
+  release_channel {
+    channel = var.release_channel
+  }
+
+  master_auth {
+
+    client_certificate_config {
+      issue_client_certificate = false
+    }
+  }
+
+  addons_config {
+    http_load_balancing {
+      disabled = var.http_load_balancing_disabled
+    }
+
+    network_policy_config {
+      disabled = var.network_policy_config_disabled
+    }
+  }
+
+  maintenance_policy {
+    daily_maintenance_window {
+      start_time = var.maintenance_window
+    }
+  }
+
+  private_cluster_config {
+    enable_private_nodes = var.private_cluster_config["enable_private_nodes"]
+    enable_private_endpoint = var.private_cluster_config["enable_private_endpoint"]
+    master_ipv4_cidr_block = var.private_cluster_config["master_ipv4_cidr_block"]
+  }
+
+  master_authorized_networks_config {
+    cidr_blocks {
+      cidr_block = var.master_authorized_network_cidr
+    }
+  }
+
+  network_policy {
+    enabled = true
+  }
+
+  pod_security_policy_config {
+    enabled = var.pod_security_policy_config_enabled
+  }
+
+  resource_labels = var.resource_labels
+}
+
 resource "google_container_cluster" "success" {
   name = var.name
   location = var.location
@@ -224,4 +384,83 @@ resource "google_container_cluster" "success" {
   }
 
   resource_labels = var.resource_labels
-}
\ No newline at end of file
+}
+
+resource "google_container_cluster" "success2" {
+  name = var.name
+  location = var.location
+  initial_node_count = 1
+  project = data.google_project.project.name
+  network = var.network
+  subnetwork = var.subnetwork
+
+  ip_allocation_policy {
+    cluster_ipv4_cidr_block = var.ip_allocation_policy["cluster_ipv4_cidr_block"]
+    cluster_secondary_range_name = var.ip_allocation_policy["cluster_secondary_range_name"]
+    services_ipv4_cidr_block = var.ip_allocation_policy["services_ipv4_cidr_block"]
+    services_secondary_range_name = var.ip_allocation_policy["services_secondary_range_name"]
+  }
+
+  remove_default_node_pool = var.remove_default_node_pool
+
+  enable_shielded_nodes = true
+
+  node_config {
+    workload_metadata_config {
+      node_metadata = "GKE_METADATA_SERVER"
+    }
+  }
+
+  binary_authorization {
+    evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
+  }
+
+  release_channel {
+    channel = var.release_channel
+  }
+
+  master_auth {
+
+    client_certificate_config {
+      issue_client_certificate = false
+    }
+  }
+
+  addons_config {
+    http_load_balancing {
+      disabled = var.http_load_balancing_disabled
+    }
+
+    network_policy_config {
+      disabled = var.network_policy_config_disabled
+    }
+  }
+
+  maintenance_policy {
+    daily_maintenance_window {
+      start_time = var.maintenance_window
+    }
+  }
+
+  private_cluster_config {
+    enable_private_nodes = var.private_cluster_config["enable_private_nodes"]
+    enable_private_endpoint = var.private_cluster_config["enable_private_endpoint"]
+    master_ipv4_cidr_block = var.private_cluster_config["master_ipv4_cidr_block"]
+  }
+
+  master_authorized_networks_config {
+    cidr_blocks {
+      cidr_block = var.master_authorized_network_cidr
+    }
+  }
+
+  network_policy {
+    enabled = true
+  }
+
+  pod_security_policy_config {
+    enabled = var.pod_security_policy_config_enabled
+  }
+
+  resource_labels = var.resource_labels
+}