feat(terraform): Ensure that only critical system pods run on system …
…nodes (#5665) * Created check CKV_AZURE_228 * Created check CKV_AZURE_229 * Those are from another PR * Should not be there * Removed unused import * Fixed flake8 findings * fixed bug in the test * adjust check ID --------- Co-authored-by: Thomas Defise <[email protected]> Co-authored-by: Anton Grübel <[email protected]>
1 parent
7ec8270
commit 08d963b
Showing
3 changed files
with
104 additions
and
0 deletions.
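--- a/checkov/terraform/checks/resource/azure/AKSOnlyCriticalPodsOnSystemNodes.py
+++ b/checkov/terraform/checks/resource/azure/AKSOnlyCriticalPodsOnSystemNodes.py
@@ -0,0 +1,24 @@
+from checkov.common.models.enums import CheckCategories
+from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
+
+
+class AKSOnlyCriticalPodsOnSystemNodes(BaseResourceValueCheck):
+    def __init__(self) -> None:
+        """
+        Microsoft recommends to isolate critical system pods from application pods
+        to prevent misconfigured or rogue application pods from accidentally killing system pods.
+        This can be enforced by creating a dedicated system node pool with the CriticalAddonsOnly=true:NoSchedule taint
+        to prevent application pods from being scheduled on system node pools.
+        """
+        name = "Ensure that only critical system pods run on system nodes"
+        id = "CKV_AZURE_232"
+        supported_resources = ("azurerm_kubernetes_cluster",)
+        categories = (CheckCategories.KUBERNETES,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def get_inspected_key(self) -> str:
+        return "default_node_pool/[0]/only_critical_addons_enabled"
+
+
+check = AKSOnlyCriticalPodsOnSystemNodes()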
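Review bot: The explanatory docstring sits inside `__init__`, where it documents the constructor rather than the check itself; move it to the class body directly under `class AKSOnlyCriticalPodsOnSystemNodes(BaseResourceValueCheck):` so the rationale is read as the check's documentation. `get_inspected_key` returns the key path but nothing states what value it is compared against; the check appears to rely on the base class's default expected value, which the fixtures suggest is `True` (only the explicit `true` case passes, and an absent block fails). A one-line comment such as `# compared against the BaseResourceValueCheck default expected value (True); a missing default_node_pool block also fails` on `get_inspected_key` would make that dependency explicit for the next maintainer. It is also worth stating in the docstring that only the default (system) node pool is inspected, since that is the scope the key path fixes.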
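--- a/tests/terraform/checks/resource/azure/example_AKSOnlyCriticalPodsOnSystemNodes/main.tf
+++ b/tests/terraform/checks/resource/azure/example_AKSOnlyCriticalPodsOnSystemNodes/main.tf
@@ -0,0 +1,37 @@
+resource "azurerm_kubernetes_cluster" "pass" {
+  name = "example"
+
+  default_node_pool {
+    name                         = "defaultpool"
+    only_critical_addons_enabled = true
+  }
+}
+
+resource "azurerm_kubernetes_cluster" "fail1" {
+  name = "example"
+
+  default_node_pool {
+    name = "defaultpool"
+  }
+}
+
+resource "azurerm_kubernetes_cluster" "fail2" {
+  name = "example"
+
+  default_node_pool {
+    name                         = "defaultpool"
+    only_critical_addons_enabled = false
+  }
+}
+
+resource "azurerm_kubernetes_cluster" "fail3" {
+  name = "example"
+
+}
+
+resource "azurerm_kubernetes_cluster" "fail4" {
+  name = "example"
+  only_critical_addons_enabled = true
+
+}
+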
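Review bot: The `fail4` resource sets `only_critical_addons_enabled = true` at the resource root instead of inside `default_node_pool`, and that misplacement is the whole reason it fails; without a comment a reader is likely to take it for a typo in the fixture and "fix" it. Add `# attribute is outside default_node_pool, so the inspected key is absent -> expected FAILED` above that line, and a similar `# no default_node_pool block at all -> expected FAILED` in `fail3`. The fixtures also omit arguments the provider normally requires in `default_node_pool` (e.g. `vm_size`), which the checkov parser does not mind but which makes them unsuitable to copy as working configurations; a one-line comment at the top of the file saying they are minimal check fixtures would prevent that.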
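--- a/tests/terraform/checks/resource/azure/test_AKSOnlyCriticalPodsOnSystemNodes.py
+++ b/tests/terraform/checks/resource/azure/test_AKSOnlyCriticalPodsOnSystemNodes.py
@@ -0,0 +1,43 @@
+import os
+import unittest
+
+from checkov.runner_filter import RunnerFilter
+from checkov.terraform.runner import Runner
+from checkov.terraform.checks.resource.azure.AKSOnlyCriticalPodsOnSystemNodes import check
+
+
+class TestAKSOnlyCriticalPodsOnSystemNodes(unittest.TestCase):
+    def test(self):
+        runner = Runner()
+        current_dir = os.path.dirname(os.path.realpath(__file__))
+
+        test_files_dir = os.path.join(current_dir, "example_AKSOnlyCriticalPodsOnSystemNodes")
+        report = runner.run(root_folder=test_files_dir,
+                            runner_filter=RunnerFilter(checks=[check.id]))
+        summary = report.get_summary()
+
+        passing_resources = {
+            'azurerm_kubernetes_cluster.pass',
+        }
+        failing_resources = {
+            'azurerm_kubernetes_cluster.fail1',
+            'azurerm_kubernetes_cluster.fail2',
+            'azurerm_kubernetes_cluster.fail3',
+            'azurerm_kubernetes_cluster.fail4',
+        }
+        skipped_resources = {}
+
+        passed_check_resources = {c.resource for c in report.passed_checks}
+        failed_check_resources = {c.resource for c in report.failed_checks}
+
+        self.assertEqual(summary['passed'], len(passing_resources))
+        self.assertEqual(summary['failed'], len(failing_resources))
+        self.assertEqual(summary['skipped'], len(skipped_resources))
+        self.assertEqual(summary['parsing_errors'], 0)
+
+        self.assertEqual(passing_resources, passed_check_resources)
+        self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == '__main__':
+    unittest.main()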
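Review bot: `skipped_resources = {}` is a dict literal, not a set, unlike `passing_resources` and `failing_resources` directly above it; `len` still yields 0 so the assertion passes today, but the first skipped fixture added to it would turn a set of names into a dict and the comparison pattern used for the other two would not apply. Change it to `skipped_resources = set()`. The test also never compares `report.skipped_checks` by resource name the way it does for passed and failed checks, so adding `skipped_check_resources = {c.resource for c in report.skipped_checks}` and `self.assertEqual(skipped_resources, skipped_check_resources)` would make the three outcome sets symmetric and catch an unexpected skip rather than only its count.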