feat(terraform): add CKV NCP check about NKS(kubernetes) logging #3855

Merged
merged 41 commits into from
Nov 24, 2022
Merged
6b5d88a
[22.10.27][add]LBListenerUsesSecureProtocols
pj991207 Oct 27, 2022
289c407
Merge branch 'bridgecrewio:master' into ncp/rule-19
pj991207 Oct 31, 2022
9f50708
[22.11.01][add]NksPublicAccess
pj991207 Oct 31, 2022
6777cd8
Merge remote-tracking branch 'origin/ncp/rule-19' into ncp/rule-19
pj991207 Oct 31, 2022
2bb569a
[22.11.01][delete]ncp-13 rule
pj991207 Oct 31, 2022
4430de8
[22.11.01][fix]NksPublicAccess Description fix
pj991207 Oct 31, 2022
dabdaf8
[22.11.01][fix] test_NksPublicAccess.py
pj991207 Oct 31, 2022
bc86ad9
Merge branch 'bridgecrewio:master' into master
Floodnut Nov 1, 2022
1a03f18
Merge branch 'bridgecrewio:master' into master
pj991207 Nov 5, 2022
77b362b
[22.11.05][add]NCP_LBTargetGroupUsingHTTPS
pj991207 Nov 5, 2022
5952dd8
[22.11.05][delete]ncp_13_rule
pj991207 Nov 5, 2022
7ad9795
Merge branch 'bridgecrewio:master' into master
pj991207 Nov 6, 2022
e7ffe7d
[22.11.06][addNCP_LBNetworkPrivate
pj991207 Nov 6, 2022
e0ab5ee
[22.11.08][add]CKV_NCP_18
pj991207 Nov 8, 2022
643d5ff
[22.11.08][add]NCP_CKV_39
pj991207 Nov 8, 2022
cb07031
Merge branch 'bridgecrewio:master' into ncp/rule-19
pj991207 Nov 8, 2022
107b2bc
[22.11.08][fix]CKV_NCP_21
pj991207 Nov 8, 2022
218ebab
[22.11.08][delete]CKVP_NCP_15
pj991207 Nov 8, 2022
c3aa017
[22.11.08]CKV_NCP_32
pj991207 Nov 8, 2022
f9be912
Revert "[22.11.08]CKV_NCP_32"
pj991207 Nov 8, 2022
b7341f7
[22.11.08][add]CKV_NCP_32
pj991207 Nov 8, 2022
b92c23b
Revert "[22.11.08][add]CKV_NCP_32"
pj991207 Nov 8, 2022
e840d67
Merge branch 'bridgecrewio:master' into master
Floodnut Nov 9, 2022
54e6d81
Merge branch 'master' of https://github.com/init-cloud/checkov
pj991207 Nov 10, 2022
51e7f0c
Merge branch 'bridgecrewio:master' into master
Floodnut Nov 11, 2022
a8d41e3
Merge branch 'bridgecrewio:master' into master
pj991207 Nov 11, 2022
d250948
Merge branch 'master' of https://github.com/init-cloud/checkov
pj991207 Nov 11, 2022
92d9569
Merge branch 'bridgecrewio:master' into ncp/rule-21
pj991207 Nov 12, 2022
141dda2
Merge branch 'ncp/rule-39' of https://github.com/init-cloud/checkov i…
pj991207 Nov 12, 2022
64c121c
[22.11.12][fix]CKV_NCP_27
pj991207 Nov 12, 2022
2251775
[22.11.12][fix]CKV_NCP_27
pj991207 Nov 12, 2022
68bbce6
Merge branch 'ncp/rule-19' of https://github.com/init-cloud/checkov
pj991207 Nov 14, 2022
1324e75
[22.11.14][fix]NCP_CKV_19
pj991207 Nov 14, 2022
cd36a43
Merge branch 'ncp/rule-19' of https://github.com/init-cloud/checkov i…
pj991207 Nov 16, 2022
ac1c0bf
[22.11.16]CKV_NCP_19 BaseResourceNegativeValueCheck
pj991207 Nov 16, 2022
5d2432d
[22.11.16][delet]CKV_NCP_27
pj991207 Nov 16, 2022
7e26e8a
Merge branch 'bridgecrewio:master' into ncp/rule-21
pj991207 Nov 21, 2022
5b980a7
Merge branch 'ncp/rule-21' of https://github.com/init-cloud/checkov i…
pj991207 Nov 21, 2022
ac9af05
[22.11.21][fix]CKV_NCP_21
pj991207 Nov 21, 2022
5f23ff7
Update checkov/terraform/checks/resource/ncp/NKSControlPlaneLogging.py
pj991207 Nov 22, 2022
98886a3
Merge branch 'bridgecrewio:master' into ncp/rule-21
pj991207 Nov 24, 2022
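--- a/checkov/terraform/checks/resource/ncp/NKSControlPlaneLogging.py
+++ b/checkov/terraform/checks/resource/ncp/NKSControlPlaneLogging.py
@@ -0,0 +1,17 @@
+from checkov.common.models.enums import CheckCategories
+from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
+
+
+class NKSControlPlaneLogging(BaseResourceValueCheck):
+def __init__(self):
+name = "Ensure NKS control plane logging enabled for all log types"
+id = "CKV_NCP_22"
+supported_resources = ('ncloud_nks_cluster',)
+categories = (CheckCategories.KUBERNETES,)
+super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+def get_inspected_key(self):
+return 'log/0/audit/0'
+
+
+check = NKSControlPlaneLogging()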
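Review bot: The check name promises "all log types" but get_inspected_key only looks at `log/0/audit/0`, so a reader of the report cannot tell whether audit is the only log type the resource exposes or whether other types were deliberately left out. Either narrow the name to `name = "Ensure NKS control plane audit logging is enabled"` or add a class docstring stating that `audit` is the only log type inspected and why. The docstring should also spell out what happens when the `log` block is absent entirely: the `fail2` fixture expects FAILED, presumably via the base class's missing-key default, and that safe-by-default behaviour is worth stating explicitly so a future refactor does not silently turn a missing block into a pass.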
@@ -0,0 +1,42 @@
resource "ncloud_nks_cluster" "pass" {
cluster_type = "SVR.VNKS.STAND.C002.M008.NET.SSD.B050.G002"
k8s_version = data.ncloud_nks_versions.version.versions.0.value
login_key_name = ncloud_login_key.loginkey.key_name
name = "sample-cluster"
lb_private_subnet_no = ncloud_subnet.subnet_lb.id
kube_network_plugin = "cilium"
subnet_no_list = [ ncloud_subnet.subnet.id ]
vpc_no = ncloud_vpc.vpc.id
zone = "KR-1"
public_network = false
log {
audit = true
}
}
resource "ncloud_nks_cluster" "fail" {
cluster_type = "SVR.VNKS.STAND.C002.M008.NET.SSD.B050.G002"
k8s_version = data.ncloud_nks_versions.version.versions.0.value
login_key_name = ncloud_login_key.loginkey.key_name
name = "sample-cluster"
lb_private_subnet_no = ncloud_subnet.subnet_lb.id
kube_network_plugin = "cilium"
subnet_no_list = [ ncloud_subnet.subnet.id ]
vpc_no = ncloud_vpc.vpc.id
zone = "KR-1"
public_network = false
log {
audit = false
}
}
resource "ncloud_nks_cluster" "fail2" {
cluster_type = "SVR.VNKS.STAND.C002.M008.NET.SSD.B050.G002"
k8s_version = data.ncloud_nks_versions.version.versions.0.value
login_key_name = ncloud_login_key.loginkey.key_name
name = "sample-cluster"
lb_private_subnet_no = ncloud_subnet.subnet_lb.id
kube_network_plugin = "cilium"
subnet_no_list = [ ncloud_subnet.subnet.id ]
vpc_no = ncloud_vpc.vpc.id
zone = "KR-1"
public_network = false
}
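--- a/tests/terraform/checks/resource/ncp/test_NKSControlPlaneLogging.py
+++ b/tests/terraform/checks/resource/ncp/test_NKSControlPlaneLogging.py
@@ -0,0 +1,41 @@
+import unittest
+from pathlib import Path
+
+from checkov.runner_filter import RunnerFilter
+from checkov.terraform.checks.resource.ncp.NKSControlPlaneLogging import check
+from checkov.terraform.runner import Runner
+
+
+class TestNKSControlPlaneLogging(unittest.TestCase):
+def test(self):
+# given
+test_files_dir = Path(__file__).parent / "example_NKSControlPlaneLogging"
+
+# when
+report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+
+# then
+summary = report.get_summary()
+
+passing_resources = {
+"ncloud_nks_cluster.pass",
+}
+failing_resources = {
+"ncloud_nks_cluster.fail",
+"ncloud_nks_cluster.fail2",
+}
+
+passed_check_resources = {c.resource for c in report.passed_checks}
+failed_check_resources = {c.resource for c in report.failed_checks}
+
+self.assertEqual(summary["passed"], 1)
+self.assertEqual(summary["failed"], 2)
+self.assertEqual(summary["skipped"], 0)
+self.assertEqual(summary["parsing_errors"], 0)
+
+self.assertEqual(passing_resources, passed_check_resources)
+self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == "__main__":
+unittest.main()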