PoC code [public]
id: gcloud-gke-vulnerability-scanning-disabled

info:
  name: GKE Clusters Without Workload Vulnerability Scanning
  author: princechaddha
  severity: medium
  description: |
    Ensure that workload vulnerability scanning is enabled for your Google Kubernetes Engine (GKE) clusters to help detect vulnerabilities in container images, ensure compliance with security standards, and protect your clusters from potential threats. When enabled, a vulnerability scanning pod is deployed to each node within your GKE cluster to conduct the scan.
  impact: |
    Without workload vulnerability scanning enabled, vulnerabilities in container images and language packages may go undetected, increasing the risk of security breaches and exploitation of known vulnerabilities.
  remediation: |
    Enable workload vulnerability scanning for your GKE clusters using:
    gcloud container clusters update CLUSTER_NAME --region=REGION --workload-vulnerability-scanning=enterprise
  reference:
    - https://cloud.google.com/kubernetes-engine/docs/how-to/security-posture
    - https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/GKE/enable-workload-vulnerability-scanning.html
  tags: cloud,devops,gcp,gcloud,gke,kubernetes,security,vulnerability,scanning,gcp-cloud-config

flow: |
  code(1)
  for(let projectId of iterate(template.projectIds)){
    set("projectId", projectId)
    code(2)
    for(let cluster of iterate(template.clusters)){
      cluster = JSON.parse(cluster)
      set("clusterName", cluster.name)
      set("location", cluster.location)
      code(3)
    }
  }

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      gcloud projects list --format="json(projectId)"

    extractors:
      - type: json
        name: projectIds
        internal: true
        json:
          - '.[].projectId'

  - engine:
      - sh
      - bash
    source: |
      gcloud container clusters list --project $projectId --format="json(name,location)"

    extractors:
      - type: json
        name: clusters
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
      gcloud container clusters describe $clusterName --location $location --project $projectId --format="value(securityPostureConfig.vulnerabilityMode)"

    matchers:
      - type: word
        words:
          - "VULNERABILITY_MODE_UNSPECIFIED"
          - "VULNERABILITY_DISABLED"
        condition: or

    extractors:
      - type: dsl
        dsl:
          - '"GKE cluster " + clusterName + " in " + location + " of project " + projectId + " does not have workload vulnerability scanning enabled"'
# digest: 4b0a00483046022100a0494ed8a40f4d7dbab38573edd46cc327574c8cd88d60d5bb37d9b2fef3ce6f022100a5fcc2e3d769828230541949eed2fe0319127c24e10fd84277f7d11f648f721f:922c64590222798bb761d5b6d8e72950
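The same three-step walk (projects, clusters, describe) can be run as a plain shell script without the Nuclei engine, which is handy for a one-off audit or a CI gate. The script below is an added example, not part of the template or of the Nuclei project; it uses only the gcloud commands already shown above. The function and variable names (`vuln_scanning_disabled`, `audit_gke_vuln_scanning`, `RUN_AUDIT`) are my own. One deliberate difference from the template's word matcher: an empty `vulnerabilityMode` value (the field absent from the describe output) is also reported as a finding, since the word matcher above would not fire on empty output.

```shell
#!/usr/bin/env bash
# Added example: audit every GKE cluster the active gcloud account can see and
# report those whose securityPostureConfig.vulnerabilityMode is unset/disabled.

# Classify the value printed by
#   gcloud container clusters describe ... --format="value(securityPostureConfig.vulnerabilityMode)"
# Returns 0 when the cluster should be reported (scanning off), 1 otherwise.
# VULNERABILITY_BASIC / VULNERABILITY_ENTERPRISE are the enabled modes; the
# remediation flag --workload-vulnerability-scanning=enterprise yields the latter.
vuln_scanning_disabled() {
  case "$1" in
    ""|VULNERABILITY_MODE_UNSPECIFIED|VULNERABILITY_DISABLED) return 0 ;;
    *) return 1 ;;
  esac
}

# Finding text in the same shape as the template's DSL extractor.
finding_message() {
  printf 'GKE cluster %s in %s of project %s does not have workload vulnerability scanning enabled' \
    "$1" "$2" "$3"
}

# Walk projects and clusters; each finding is printed on its own line.
# Returns 2 if gcloud is not installed, 1 if any finding was printed, else 0.
audit_gke_vuln_scanning() {
  command -v gcloud >/dev/null 2>&1 || { echo "gcloud not found in PATH" >&2; return 2; }
  findings=0
  for projectId in $(gcloud projects list --format="value(projectId)"); do
    # value(name,location) prints one tab-separated "name<TAB>location" line per cluster
    gcloud container clusters list --project "$projectId" --format="value(name,location)" \
    | while read -r clusterName location; do
        [ -n "$clusterName" ] || continue
        mode=$(gcloud container clusters describe "$clusterName" \
                 --location "$location" --project "$projectId" \
                 --format="value(securityPostureConfig.vulnerabilityMode)")
        if vuln_scanning_disabled "$mode"; then
          finding_message "$clusterName" "$location" "$projectId"; echo
          echo "$clusterName" >> "${TMPDIR:-/tmp}/gke_vuln_findings.$$"
        fi
      done
  done
  if [ -s "${TMPDIR:-/tmp}/gke_vuln_findings.$$" ]; then findings=1; fi
  rm -f "${TMPDIR:-/tmp}/gke_vuln_findings.$$"
  return "$findings"
}

# Only contact gcloud when explicitly asked, so the functions can be sourced/tested offline.
if [ "${RUN_AUDIT:-0}" = "1" ]; then
  audit_gke_vuln_scanning
fi
```

Run it with `RUN_AUDIT=1 bash audit-gke.sh` against an authenticated gcloud session; the non-zero exit status on findings lets a pipeline fail the build until the clusters are updated with the remediation command above. The temp file is needed because the `while read` loop runs in a pipeline subshell and cannot set a variable in the parent.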