Create aks2.tf #2

Open
wants to merge 1 commit into
base: master

Conversation

@cmrice cmrice commented Apr 23, 2024

No description provided.

Comment on lines +1 to +25
resource azurerm_kubernetes_cluster "k8s_cluster" {
dns_prefix = "terragoat-${var.environment}"
location = var.location
name = "terragoat-aks-${var.environment}"
resource_group_name = azurerm_resource_group.example.name
identity {
type = "SystemAssigned"
}
default_node_pool {
name = "default"
vm_size = "Standard_D2_v2"
node_count = 2
}
addon_profile {
oms_agent {
enabled = false
}
kube_dashboard {
enabled = true
}
}
role_based_access_control {
enabled = false
}
}
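Review bot: `role_based_access_control { enabled = false }` (lines +22 to +24) turns Kubernetes RBAC off, so every identity that can authenticate to the API server gets unrestricted access, and `kube_dashboard { enabled = true }` (lines +18 to +20) exposes the dashboard add-on on that same RBAC-less cluster. The resource also sets no `network_profile` (so no network policy engine is enforced), no `api_server_authorized_ip_ranges`, and `oms_agent { enabled = false }` leaves the cluster without control-plane logging; these are exactly the conditions the defsec and bridgecrew code-scanning checks report. If this file is meant to stay an intentionally misconfigured terragoat fixture, a leading comment saying so would spare reviewers the triage; otherwise set `enabled = true` for RBAC and the OMS agent, set `kube_dashboard { enabled = false }`, and add a `network_profile` block with `network_policy` set.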

Check failure

Code scanning / defsec

Ensure AKS cluster has Network Policy configured Error

Kubernetes cluster does not have a network policy set.

Check failure

Code scanning / defsec

Ensure AKS has an API Server Authorized IP Ranges enabled Error

Cluster does not limit API access to specific IP addresses.

Check warning

Code scanning / defsec

Ensure AKS logging to Azure Monitoring is Configured Warning

Cluster does not have logging enabled via OMS Agent.

Check failure

Code scanning / defsec

Ensure RBAC is enabled on AKS clusters Error

Cluster has RBAC disabled

Check failure

Code scanning / bridgecrew

Ensure ephemeral disks are used for OS disks Error

Ensure ephemeral disks are used for OS disks

Check failure

Code scanning / bridgecrew

Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources Error

Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources

Check failure

Code scanning / bridgecrew

Ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters Error

Ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters

Check failure

Code scanning / bridgecrew

Ensure AKS logging to Azure Monitoring is Configured Error

Ensure AKS logging to Azure Monitoring is Configured

Check failure

Code scanning / bridgecrew

Ensure AKS has an API Server Authorized IP Ranges enabled Error

Ensure AKS has an API Server Authorized IP Ranges enabled

Check failure

Code scanning / bridgecrew

Ensure that AKS use the Paid Sku for its SLA Error

Ensure that AKS use the Paid Sku for its SLA

Check failure

Code scanning / bridgecrew

Ensure AKS cluster has Network Policy configured Error

Ensure AKS cluster has Network Policy configured

Check failure

Code scanning / bridgecrew

Ensure that only critical system pods run on system nodes Error

Ensure that only critical system pods run on system nodes

Check failure

Code scanning / bridgecrew

Ensure that AKS uses disk encryption set Error

Ensure that AKS uses disk encryption set

Check failure

Code scanning / bridgecrew

Ensure AKS cluster has Azure CNI networking enabled Error

Ensure AKS cluster has Azure CNI networking enabled
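A hardened version of the same resource that addresses the checks flagged above, added here as an example; it is not part of this PR or of the project's own code. It assumes the azurerm 2.x provider schema the PR's file uses (the `addon_profile` and `role_based_access_control` blocks); `azurerm_log_analytics_workspace.example`, `azurerm_disk_encryption_set.example`, the `203.0.113.0/24` range and the `Standard_DS3_v2` size are placeholders to replace with your own values.

```hcl
resource "azurerm_kubernetes_cluster" "k8s_cluster" {
  name                = "terragoat-aks-${var.environment}"
  location            = var.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "terragoat-${var.environment}"
  # Paid tier gives the control plane an SLA (flagged: Paid SKU check).
  sku_tier = "Paid"
  # Only trusted CIDRs may reach the API server (assumed placeholder range).
  api_server_authorized_ip_ranges = ["203.0.113.0/24"]
  # Customer-managed key for node OS disks (assumed disk encryption set).
  disk_encryption_set_id = azurerm_disk_encryption_set.example.id

  identity {
    type = "SystemAssigned"
  }

  default_node_pool {
    name                         = "default"
    vm_size                      = "Standard_DS3_v2" # assumed size with cache large enough for an ephemeral OS disk
    node_count                   = 2
    os_disk_type                 = "Ephemeral"       # OS disk lives on local VM storage, not a managed disk
    enable_host_encryption       = true              # encrypts temp disks and caches at the host
    only_critical_addons_enabled = true              # taints the system pool so user workloads do not land on it
  }

  # Azure CNI with a network policy engine so NetworkPolicy objects are enforced.
  network_profile {
    network_plugin = "azure"
    network_policy = "azure"
  }

  # Kubernetes RBAC on; with it off every authenticated identity has full access.
  role_based_access_control {
    enabled = true
  }

  addon_profile {
    oms_agent {
      enabled                    = true
      log_analytics_workspace_id = azurerm_log_analytics_workspace.example.id # assumed workspace
    }
    kube_dashboard {
      enabled = false # dashboard add-on off; it adds an unauthenticated UI surface
    }
    azure_keyvault_secrets_provider {
      enabled                 = true
      secret_rotation_enabled = true # Secrets Store CSI driver re-reads Key Vault secrets on a schedule
    }
  }
}
```

Re-running the same scanners on this block is the quickest confirmation; each attribute above maps to one of the check titles on this page.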