Kingdom: Environment
This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms.
GCP Terraform Misconfiguration: GKE Cluster Node Auto-Repair Disabled
Abstract
A Terraform configuration disables node auto-repair for a GKE node pool.
Explanation
Every cloud service security feature is designed to prevent or mitigate a known threat. When disabled by intent or negligence, it offers no protection.
By default, if a GKE node repeatedly reports an unhealthy status over a given period, GKE initiates a repair process for that node. Disabling node auto-repair prevents timely and automated replacements of unhealthy nodes on which mission-critical workloads might run.
Example 1: The following Terraform configuration disables node auto-repair of a node pool by setting auto_repair to false in the management block.
resource "google_container_node_pool" "node-pool-demo" {
  ...
  management {
    # Disables GKE's automatic replacement of unhealthy nodes in this pool
    auto_repair = false
    ...
  }
  ...
}
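As an added illustration (not part of the original page or any Fortify rule), the check below scans Terraform text for google_container_node_pool resources whose management block sets auto_repair to false. It is a deliberately small brace-matching scanner, not a full HCL parser, and assumes one attribute per line without inline comments; the sample configuration is constructed.

```python
import re

# Constructed sample: two node pools, one with auto-repair disabled.
SAMPLE_TF = """
resource "google_container_node_pool" "bad-pool" {
  name       = "bad-pool"
  cluster    = google_container_cluster.primary.id
  node_count = 1
  management {
    auto_repair  = false
    auto_upgrade = true
  }
}

resource "google_container_node_pool" "good-pool" {
  name    = "good-pool"
  cluster = google_container_cluster.primary.id
  management {
    auto_repair  = true
    auto_upgrade = true
  }
}
"""

RESOURCE_RE = re.compile(r'resource\s+"google_container_node_pool"\s+"([^"]+)"\s*\{')
AUTO_REPAIR_RE = re.compile(r'^\s*auto_repair\s*=\s*(true|false)\s*$', re.MULTILINE)


def _block_body(text, start):
    """Return the text between the brace at index `start` and its matching close brace."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces")


def find_auto_repair_disabled(tf_text):
    """Return names of node pools whose management block sets auto_repair = false."""
    findings = []
    for m in RESOURCE_RE.finditer(tf_text):
        body = _block_body(tf_text, m.end() - 1)
        mgmt = re.search(r"management\s*\{", body)
        if mgmt is None:
            continue  # no explicit management block; this rule does not flag it
        setting = AUTO_REPAIR_RE.search(_block_body(body, mgmt.end() - 1))
        if setting and setting.group(1) == "false":
            findings.append(m.group(1))
    return findings


if __name__ == "__main__":
    for name in find_auto_repair_disabled(SAMPLE_TF):
        print(f"node pool {name!r}: auto_repair = false")
```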