界: Environment

本節包括原始程式碼之外的所有內容,但對於建立中產品的安全性仍至關重要。由於此領域所涵蓋的問題與原始程式碼沒有直接關係,因此我們將其與其他領域分開。

GCP Terraform Misconfiguration: GKE Container-Optimized OS Not In Use

Abstract
Terraform 組態設定了不執行 Container-Optimized OS 的 GKE 節點。
Explanation
依預設,GKE 節點會透過 Container-Optimized OS (COS) 執行。COS 是一種作業系統映像檔,經過最佳化以在 Google Compute Engine 執行個體上執行 GKE 節點。若選擇退出預設設定,將會放棄增強安全性和效率的好處。

範例 1:以下範例 Terraform 組態設定了一個不執行 COS 的 GKE 節點集區,因為 node_config 區塊中的 image_type 設定為非 COS 映像檔。

resource "google_container_node_pool" "node_pool_demo" {
  ...
  node_config {
    image_type = "UBUNTU"
    ...
  }
  ...
}
References
[1] HashiCorp google_container_node_pool
[2] Google Cloud Setting the default node image type
[3] Google Cloud Container-Optimized OS Overview
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark Recommendation 5.5.1
[5] Standards Mapping - FIPS200 CM
[6] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-2 Flaw Remediation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-2 Flaw Remediation
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Top 10 2017 A9 Using Components with Known Vulnerabilities
[11] Standards Mapping - OWASP Top 10 2021 A06 Vulnerable and Outdated Components
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.2
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.3.3
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.3.3
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 10.2 - Threat and Vulnerability Management
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 10.2 - Threat and Vulnerability Management
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 10.2 - Threat and Vulnerability Management, Control Objective C.1.6 - Web Software Components & Services
desc.structural.hcl.gcp_terraform_misconfiguration_gke_container_optimized_os_not_in_use