
Calico is not supported as a valid Network Security for azurerm_kubernetes_cluster #376

Closed · RafaAguilar opened this issue Nov 9, 2020 · 0 comments · Fixed by #518
Labels: policy (Issue concerning policy maintainers.)

@RafaAguilar

Symptom:

When Network Policy is enabled using calico as the driver instead of azure, accurics.azure.NS.382 is marked as failed, even though Calico is a valid Security Policy.

  - rule_name: networkPolicyEnabled
    description: Ensure AKS cluster has Network Policy configured.
    rule_id: accurics.azure.NS.382

How to Reproduce:

  1. Declare an Azure Kubernetes Cluster with network_policy=calico:

resource "azurerm_kubernetes_cluster" "aks-cluster" {
  ...
  network_profile {
    network_plugin     = "azure"
    network_policy     = "calico"
    ...
  }
  ...
}

  2. Run Terrascan with the Azure policy set:

terrascan scan -t azure
results:
  violations:
  - rule_name: networkPolicyEnabled
    description: Ensure AKS cluster has Network Policy configured.
    rule_id: accurics.azure.NS.382
    severity: MEDIUM
    category: Network Security
    resource_name: aks-cluster
    resource_type: azurerm_kubernetes_cluster
    file: cluster.tf
    line: 5
  count:
    low: 0
    medium: 1
    high: 0
    total: 1

Possible Solution

I think the issue is in the block at line 6:

networkPolicyEnabled[api.id]{
    api := input.azurerm_kubernetes_cluster[_]
    profile := api.config.network_profile[_]
    profile.network_policy != "azure"
}

If it checked with an OR operation or an IN operation whether the value is azure or calico, that would fix it.

networkPolicyEnabled[api.id]{
    api := input.azurerm_kubernetes_cluster[_]
    profile := api.config.network_profile[_]
    profile.network_policy in ["azure", "calico"]
}

I know go does not have an in operator; I just wanted to show the possible solution, which would still need to be implemented. I am not a go developer myself but could try to send a PR if you think this is the way to go.

For anyone looking for a python-like in operator for go, you could implement it using:

// stringInSlice reports whether a is one of the strings in list.
func stringInSlice(a string, list []string) bool {
    for _, b := range list {
        if b == a {
            return true
        }
    }
    return false
}

Source: https://stackoverflow.com/a/15323988/2399397
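The rule quoted in the issue is written in Rego (the OPA policy language Terrascan evaluates), where set membership is expressed by indexing a set rather than with an `in` operator. The block below is an added example, not Terrascan's own policy code, showing how the violation rule can accept both providers while keeping its existing semantics: it fires only when the cluster's `network_policy` is missing or is not one of the accepted values. The package name, the `valid_network_policies` set, the second rule for clusters with no `network_profile` block, and the sample input in the comments are assumptions made for this illustration.

```rego
package accurics

# Constructed example: the accepted network policy providers for AKS.
valid_network_policies := {"azure", "calico"}

# accurics.azure.NS.382 (networkPolicyEnabled) is a violation rule: a
# cluster id is added to the set when its network policy is NOT valid.
# Indexing the set with the value is undefined when the value is absent
# from the set (or the key is missing), so `not` turns that into a match.
networkPolicyEnabled[api.id] {
    api := input.azurerm_kubernetes_cluster[_]
    profile := api.config.network_profile[_]
    not valid_network_policies[profile.network_policy]
}

# A cluster that declares no network_profile block at all has no network
# policy either, so it is reported as well (assumed desirable behaviour).
networkPolicyEnabled[api.id] {
    api := input.azurerm_kubernetes_cluster[_]
    not api.config.network_profile
}

# Constructed input for a local check with the OPA CLI, e.g.
#   opa eval -d policy.rego -i input.json 'data.accurics.networkPolicyEnabled'
# input.json:
# {
#   "azurerm_kubernetes_cluster": [
#     {"id": "calico-ok", "config": {"network_profile": [{"network_plugin": "azure", "network_policy": "calico"}]}},
#     {"id": "azure-ok",  "config": {"network_profile": [{"network_plugin": "azure", "network_policy": "azure"}]}},
#     {"id": "none-bad",  "config": {"network_profile": [{"network_plugin": "kubenet"}]}},
#     {"id": "noprofile", "config": {}}
#   ]
# }
# Expected result set: {"none-bad", "noprofile"}; the two clusters using
# calico or azure are no longer flagged.
```

The original rule's `profile.network_policy != "azure"` also fails when the key is missing entirely, because a comparison against an undefined value is itself undefined and the rule then never matches; the `not`-on-set-lookup form above reports that case explicitly, which is the behaviour a "Network Policy configured" check should have.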

@amirbenv amirbenv added the bug label Jan 9, 2021
@devang-gaur devang-gaur added policy Issue concerning policy maintainers. and removed bug labels Jan 12, 2021
cesar-rodriguez pushed a commit that referenced this issue Jan 28, 2021