feat(misconf): support auto_provisioning_defaults in google_container_cluster (#8705)

Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
This commit is contained in:
Nikita Pivkin
2025-04-09 03:13:46 +06:00
committed by GitHub
parent 13608eac24
commit 9792611b36
4 changed files with 135 additions and 46 deletions


@@ -26,7 +26,7 @@ type adapter struct {
func (a *adapter) adaptClusters() []gke.Cluster {
for _, module := range a.modules {
for _, resource := range module.GetResourcesByType("google_container_cluster") {
a.adaptCluster(resource, module)
a.adaptCluster(resource)
}
}
@@ -46,7 +46,7 @@ func (a *adapter) adaptClusters() []gke.Cluster {
return clusters
}
func (a *adapter) adaptCluster(resource *terraform.Block, module *terraform.Module) {
func (a *adapter) adaptCluster(resource *terraform.Block) {
cluster := gke.Cluster{
Metadata: resource.GetMetadata(),
@@ -104,7 +104,7 @@ func (a *adapter) adaptCluster(resource *terraform.Block, module *terraform.Modu
}
if blocks := resource.GetBlocks("master_authorized_networks_config"); len(blocks) > 0 {
cluster.MasterAuthorizedNetworks = adaptMasterAuthNetworksAsBlocks(resource, blocks)
cluster.MasterAuthorizedNetworks = adaptMasterAuthNetworksAsBlocks(blocks)
}
if policyBlock := resource.GetBlock("network_policy"); policyBlock.IsNotNil() {
@@ -129,12 +129,24 @@ func (a *adapter) adaptCluster(resource *terraform.Block, module *terraform.Modu
}
if configBlock := resource.GetBlock("node_config"); configBlock.IsNotNil() {
if configBlock.GetBlock("metadata").IsNotNil() {
cluster.NodeConfig.Metadata = configBlock.GetBlock("metadata").GetMetadata()
}
cluster.NodeConfig = adaptNodeConfig(configBlock)
}
if autoScalingBlock := resource.GetBlock("cluster_autoscaling"); autoScalingBlock.IsNotNil() {
cluster.AutoScaling = gke.AutoScaling{
Metadata: autoScalingBlock.GetMetadata(),
Enabled: autoScalingBlock.GetAttribute("enabled").AsBoolValueOrDefault(false, autoScalingBlock),
}
if b := autoScalingBlock.GetBlock("auto_provisioning_defaults"); b.IsNotNil() {
cluster.AutoScaling.AutoProvisioningDefaults = gke.AutoProvisioningDefaults{
Metadata: b.GetMetadata(),
ServiceAccount: b.GetAttribute("service_account").AsStringValueOrDefault("", b),
Management: adaptManagement(b),
ImageType: b.GetAttribute("image_type").AsStringValueOrDefault("", b),
}
}
}
cluster.EnableShieldedNodes = resource.GetAttribute("enable_shielded_nodes").AsBoolValueOrDefault(true, resource)
enableLegacyABACAttr := resource.GetAttribute("enable_legacy_abac")
@@ -152,6 +164,23 @@ func (a *adapter) adaptCluster(resource *terraform.Block, module *terraform.Modu
a.clusterMap[resource.ID()] = cluster
}
func adaptManagement(parent *terraform.Block) gke.Management {
b := parent.GetBlock("management")
if b.IsNil() {
return gke.Management{
Metadata: parent.GetMetadata(),
EnableAutoRepair: iacTypes.BoolDefault(false, parent.GetMetadata()),
EnableAutoUpgrade: iacTypes.BoolDefault(false, parent.GetMetadata()),
}
}
return gke.Management{
Metadata: b.GetMetadata(),
EnableAutoRepair: b.GetAttribute("auto_repair").AsBoolValueOrDefault(false, b),
EnableAutoUpgrade: b.GetAttribute("auto_upgrade").AsBoolValueOrDefault(false, b),
}
}
func (a *adapter) adaptNodePools() {
for _, nodePoolBlock := range a.modules.GetResourcesByType("google_container_node_pool") {
a.adaptNodePool(nodePoolBlock)
@@ -170,28 +199,13 @@ func (a *adapter) adaptNodePool(resource *terraform.Block) {
EnableLegacyEndpoints: iacTypes.BoolDefault(true, resource.GetMetadata()),
}
management := gke.Management{
Metadata: resource.GetMetadata(),
EnableAutoRepair: iacTypes.BoolDefault(false, resource.GetMetadata()),
EnableAutoUpgrade: iacTypes.BoolDefault(false, resource.GetMetadata()),
}
if managementBlock := resource.GetBlock("management"); managementBlock.IsNotNil() {
management.Metadata = managementBlock.GetMetadata()
autoRepairAttr := managementBlock.GetAttribute("auto_repair")
management.EnableAutoRepair = autoRepairAttr.AsBoolValueOrDefault(false, managementBlock)
autoUpgradeAttr := managementBlock.GetAttribute("auto_upgrade")
management.EnableAutoUpgrade = autoUpgradeAttr.AsBoolValueOrDefault(false, managementBlock)
}
if nodeConfigBlock := resource.GetBlock("node_config"); nodeConfigBlock.IsNotNil() {
nodeConfig = adaptNodeConfig(nodeConfigBlock)
}
nodePool := gke.NodePool{
Metadata: resource.GetMetadata(),
Management: management,
Management: adaptManagement(resource),
NodeConfig: nodeConfig,
}
@@ -270,9 +284,17 @@ func adaptNodeConfig(resource *terraform.Block) gke.NodeConfig {
}
if metadata := resource.GetAttribute("metadata"); metadata.IsNotNil() {
legacyMetadata := metadata.MapValue("disable-legacy-endpoints")
if legacyMetadata.IsWhollyKnown() && legacyMetadata.Type() == cty.Bool {
config.EnableLegacyEndpoints = iacTypes.Bool(legacyMetadata.False(), metadata.GetMetadata())
disableLegacy := metadata.MapValue("disable-legacy-endpoints")
if disableLegacy.IsKnown() {
var enableLegacyEndpoints bool
switch disableLegacy.Type() {
case cty.Bool:
enableLegacyEndpoints = disableLegacy.False()
case cty.String:
enableLegacyEndpoints = disableLegacy.AsString() == "false"
}
config.EnableLegacyEndpoints = iacTypes.Bool(enableLegacyEndpoints, metadata.GetMetadata())
}
}
@@ -312,7 +334,7 @@ func adaptMasterAuth(resource *terraform.Block) gke.MasterAuth {
}
}
func adaptMasterAuthNetworksAsBlocks(parent *terraform.Block, blocks terraform.Blocks) gke.MasterAuthorizedNetworks {
func adaptMasterAuthNetworksAsBlocks(blocks terraform.Blocks) gke.MasterAuthorizedNetworks {
var cidrs []iacTypes.StringValue
for _, block := range blocks {
for _, cidrBlock := range block.GetBlocks("cidr_blocks") {
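Review bot: In the `disable-legacy-endpoints` switch of adaptNodeConfig, a known value that is neither `cty.Bool` nor `cty.String` leaves `enableLegacyEndpoints` at its zero value and the line after the switch then overwrites `config.EnableLegacyEndpoints` with false, whereas the old code assigned only on a matched bool. If `MapValue` yields `cty.NilVal` for an absent key and that value presumably reports `IsKnown()` as true, a `metadata` map that simply omits the key now records legacy endpoints as disabled, replacing the default set earlier in the function and hiding the misconfiguration from the check that reads this field; a null string reaching `AsString()` would also panic. Assigning inside each matched case and skipping null values keeps the default for every other shape. adaptNodeConfig starts outside the hunk.
```go
if metadata := resource.GetAttribute("metadata"); metadata.IsNotNil() {
	disableLegacy := metadata.MapValue("disable-legacy-endpoints")
	if disableLegacy.IsKnown() && !disableLegacy.IsNull() {
		switch disableLegacy.Type() {
		case cty.Bool:
			config.EnableLegacyEndpoints = iacTypes.Bool(disableLegacy.False(), metadata.GetMetadata())
		case cty.String:
			// only a string value of exactly "false" re-enables the legacy endpoints
			config.EnableLegacyEndpoints = iacTypes.Bool(disableLegacy.AsString() == "false", metadata.GetMetadata())
		}
	}
}
```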


@@ -77,6 +77,18 @@ resource "google_container_cluster" "example" {
enable_autopilot = true
datapath_provider = "ADVANCED_DATAPATH"
cluster_autoscaling {
enabled = true
auto_provisioning_defaults {
service_account = "test"
image_type = "COS_CONTAINERD"
management {
auto_repair = true
auto_upgrade = true
}
}
}
}
resource "google_container_node_pool" "primary_preemptible_nodes" {
@@ -102,9 +114,7 @@ resource "google_container_node_pool" "primary_preemptible_nodes" {
expected: gke.GKE{
Clusters: []gke.Cluster{
{
Metadata: iacTypes.NewTestMetadata(),
NodeConfig: gke.NodeConfig{
Metadata: iacTypes.NewTestMetadata(),
ImageType: iacTypes.String("COS_CONTAINERD", iacTypes.NewTestMetadata()),
WorkloadMetadataConfig: gke.WorkloadMetadataConfig{
Metadata: iacTypes.NewTestMetadata(),
@@ -113,9 +123,19 @@ resource "google_container_node_pool" "primary_preemptible_nodes" {
ServiceAccount: iacTypes.String("", iacTypes.NewTestMetadata()),
EnableLegacyEndpoints: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
},
AutoScaling: gke.AutoScaling{
Enabled: iacTypes.BoolTest(true),
AutoProvisioningDefaults: gke.AutoProvisioningDefaults{
ImageType: iacTypes.StringTest("COS_CONTAINERD"),
ServiceAccount: iacTypes.StringTest("test"),
Management: gke.Management{
EnableAutoRepair: iacTypes.BoolTest(true),
EnableAutoUpgrade: iacTypes.BoolTest(true),
},
},
},
NodePools: []gke.NodePool{
{
Metadata: iacTypes.NewTestMetadata(),
Management: gke.Management{
Metadata: iacTypes.NewTestMetadata(),
EnableAutoRepair: iacTypes.Bool(true, iacTypes.NewTestMetadata()),
@@ -134,19 +154,16 @@ resource "google_container_node_pool" "primary_preemptible_nodes" {
},
},
IPAllocationPolicy: gke.IPAllocationPolicy{
Metadata: iacTypes.NewTestMetadata(),
Enabled: iacTypes.Bool(true, iacTypes.NewTestMetadata()),
Enabled: iacTypes.Bool(true, iacTypes.NewTestMetadata()),
},
MasterAuthorizedNetworks: gke.MasterAuthorizedNetworks{
Metadata: iacTypes.NewTestMetadata(),
Enabled: iacTypes.Bool(true, iacTypes.NewTestMetadata()),
Enabled: iacTypes.Bool(true, iacTypes.NewTestMetadata()),
CIDRs: []iacTypes.StringValue{
iacTypes.String("10.10.128.0/24", iacTypes.NewTestMetadata()),
},
},
NetworkPolicy: gke.NetworkPolicy{
Metadata: iacTypes.NewTestMetadata(),
Enabled: iacTypes.Bool(true, iacTypes.NewTestMetadata()),
Enabled: iacTypes.Bool(true, iacTypes.NewTestMetadata()),
},
DatapathProvider: iacTypes.String("ADVANCED_DATAPATH", iacTypes.NewTestMetadata()),
PrivateCluster: gke.PrivateCluster{
@@ -156,7 +173,6 @@ resource "google_container_node_pool" "primary_preemptible_nodes" {
LoggingService: iacTypes.String("logging.googleapis.com/kubernetes", iacTypes.NewTestMetadata()),
MonitoringService: iacTypes.String("monitoring.googleapis.com/kubernetes", iacTypes.NewTestMetadata()),
MasterAuth: gke.MasterAuth{
Metadata: iacTypes.NewTestMetadata(),
ClientCertificate: gke.ClientCertificate{
Metadata: iacTypes.NewTestMetadata(),
IssueCertificate: iacTypes.Bool(true, iacTypes.NewTestMetadata()),
@@ -182,7 +198,7 @@ resource "google_container_cluster" "example" {
node_config {
service_account = "service-account"
metadata = {
disable-legacy-endpoints = true
disable-legacy-endpoints = "true"
}
image_type = "COS"
workload_metadata_config {
@@ -194,7 +210,6 @@ resource "google_container_cluster" "example" {
expected: gke.GKE{
Clusters: []gke.Cluster{
{
Metadata: iacTypes.NewTestMetadata(),
NodeConfig: gke.NodeConfig{
Metadata: iacTypes.NewTestMetadata(),
ImageType: iacTypes.String("COS", iacTypes.NewTestMetadata()),
@@ -207,17 +222,14 @@ resource "google_container_cluster" "example" {
},
IPAllocationPolicy: gke.IPAllocationPolicy{
Metadata: iacTypes.NewTestMetadata(),
Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
},
MasterAuthorizedNetworks: gke.MasterAuthorizedNetworks{
Metadata: iacTypes.NewTestMetadata(),
Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
CIDRs: []iacTypes.StringValue{},
Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
CIDRs: []iacTypes.StringValue{},
},
NetworkPolicy: gke.NetworkPolicy{
Metadata: iacTypes.NewTestMetadata(),
Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
},
DatapathProvider: iacTypes.StringDefault("DATAPATH_PROVIDER_UNSPECIFIED", iacTypes.NewTestMetadata()),
PrivateCluster: gke.PrivateCluster{
@@ -227,7 +239,6 @@ resource "google_container_cluster" "example" {
LoggingService: iacTypes.String("logging.googleapis.com/kubernetes", iacTypes.NewTestMetadata()),
MonitoringService: iacTypes.String("monitoring.googleapis.com/kubernetes", iacTypes.NewTestMetadata()),
MasterAuth: gke.MasterAuth{
Metadata: iacTypes.NewTestMetadata(),
ClientCertificate: gke.ClientCertificate{
Metadata: iacTypes.NewTestMetadata(),
IssueCertificate: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
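Review bot: Changing the second case's `disable-legacy-endpoints = true` to `"true"` exercises the new string branch in adaptNodeConfig, but unless the first case (whose HCL is outside this hunk) still uses the boolean form, the `cty.Bool` branch and the absent-key path are no longer covered by this test. A fixture with `metadata = { disable-legacy-endpoints = true }` and another with a `metadata` map that omits the key, each with its expected `EnableLegacyEndpoints`, would pin both paths alongside the string form. A case where `cluster_autoscaling` is omitted would likewise pin what `AutoScaling` holds when the block is absent.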


@@ -19,6 +19,7 @@ type Cluster struct {
MonitoringService iacTypes.StringValue
MasterAuth MasterAuth
NodeConfig NodeConfig
AutoScaling AutoScaling
EnableShieldedNodes iacTypes.BoolValue
EnableLegacyABAC iacTypes.BoolValue
ResourceLabels iacTypes.MapValue
@@ -35,6 +36,19 @@ type NodeConfig struct {
EnableLegacyEndpoints iacTypes.BoolValue
}
type AutoScaling struct {
Metadata iacTypes.Metadata
Enabled iacTypes.BoolValue
AutoProvisioningDefaults AutoProvisioningDefaults
}
type AutoProvisioningDefaults struct {
Metadata iacTypes.Metadata
ImageType iacTypes.StringValue
ServiceAccount iacTypes.StringValue
Management Management
}
type WorkloadMetadataConfig struct {
Metadata iacTypes.Metadata
NodeMetadata iacTypes.StringValue
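Review bot: The two new exported types carry no doc comment, so a reader of the model package cannot tell which Terraform blocks they represent without opening the adapter. A one-line comment on each, `// AutoScaling mirrors the cluster_autoscaling block of google_container_cluster.` and `// AutoProvisioningDefaults mirrors the auto_provisioning_defaults block nested in cluster_autoscaling.`, would document the mapping the adapter implements.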


@@ -6450,6 +6450,44 @@
}
}
},
"github.com.aquasecurity.trivy.pkg.iac.providers.google.gke.AutoProvisioningDefaults": {
"type": "object",
"properties": {
"__defsec_metadata": {
"type": "object",
"$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.Metadata"
},
"imagetype": {
"type": "object",
"$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.StringValue"
},
"management": {
"type": "object",
"$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.providers.google.gke.Management"
},
"serviceaccount": {
"type": "object",
"$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.StringValue"
}
}
},
"github.com.aquasecurity.trivy.pkg.iac.providers.google.gke.AutoScaling": {
"type": "object",
"properties": {
"__defsec_metadata": {
"type": "object",
"$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.Metadata"
},
"autoprovisioningdefaults": {
"type": "object",
"$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.providers.google.gke.AutoProvisioningDefaults"
},
"enabled": {
"type": "object",
"$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.BoolValue"
}
}
},
"github.com.aquasecurity.trivy.pkg.iac.providers.google.gke.ClientCertificate": {
"type": "object",
"properties": {
@@ -6470,6 +6508,10 @@
"type": "object",
"$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.Metadata"
},
"autoscaling": {
"type": "object",
"$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.providers.google.gke.AutoScaling"
},
"datapathprovider": {
"type": "object",
"$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.StringValue"