Open rlison47 opened 10 months ago
It's totally possible, I think you'd just have to check what the value of min_master_version (https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#min_master_version) is. What value did you have in mind?
Thank you for this @JamesWoolfenden, but I'm having a hard time consolidating all the deprecated GKE Kubernetes versions. I'm looking at this link: https://cloud.google.com/kubernetes-engine/docs/release-schedule#fn4. Can you help me with how to check all the unsupported GKE Kubernetes versions? What I am thinking is to return all the forbidden values, like what CKV_AWS_339 is doing for AWS EKS.
You can get the lists from GKE with:

```hcl
data "google_container_engine_versions" "uscentral1a" {
  project  = "yourprojectname"
  location = "us-central1-a"
}

output "versions" {
  value = data.google_container_engine_versions.uscentral1a
}
```

And does this help: https://endoflife.date/google-kubernetes-engine

And probably release_channel_default_version = { STABLE is the minimum?
Looking at this: https://endoflife.date/google-kubernetes-engine. Can I list all the 1.25.x to 1.28.x versions as expected values? But the challenge would be that I will always have to keep updating the policy, as GKE consistently keeps updating. Please help me with how I can create a more flexible Checkov policy. Thanks in advance @JamesWoolfenden
We already have a number of checks like this that need updating regularly; it's a pretty simple update to make. I'd say go for it.
@JamesWoolfenden is Checkov capable of scanning multiple resources? In our tfplan.json there are many resources containing 'google_container_cluster', and I noticed that it only scans the first resource block and does not go through the other resources containing 'google_container_cluster'. Is this a limitation of Checkov?
No, it should report on all; it would fail to report if the scan crashed, and that could be a bug or a bad plan file.
Can I send you the tfplan.json by email @JamesWoolfenden? Thanks
Maybe I can check the resource 'google_container_engine_versions', but I don't know how to inspect it and get the expected values for release_channel_default_version / "STABLE"?

```json
"address": "module.gke_autopilot_cluster.data.google_container_engine_versions.region",
"mode": "data",
"type": "google_container_engine_versions",
"name": "region",
"provider_name": "registry.terraform.io/hashicorp/google",
"schema_version": 0,
"values": {
  "default_cluster_version": "1.27.3-gke.100",
  "id": "2024-01-18 17:10:17.366476564 +0000 UTC",
  "latest_master_version": "1.28.5-gke.1217000",
  "latest_node_version": "1.28.5-gke.1217000",
  "location": "asia-southeast1",
  "project": "isg-ceso-ccm-pd-ll90",
  "release_channel_default_version": {
    "RAPID": "1.28.3-gke.1286000",
    "REGULAR": "1.27.3-gke.100",
    "STABLE": "1.27.3-gke.100"
```
It would be simpler to just specify the versions, similar to how this check works: checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py
Thank you @JamesWoolfenden. I find it hard to get it from a list or dictionary, which I have shown previously.

For Lambda it is very easy to get; you can get it directly, unlike in google container where it is in a dictionary.
@JamesWoolfenden, could you please confirm if there is a Checkov policy that retrieves the version information in a dictionary format? I'm interested in obtaining the version and returning it through the STABLE key. Here is an example of the existing data structure. Thank you in advance.

```json
"values": {
  "default_cluster_version": "1.27.3-gke.100",
  "id": "2024-01-18 17:10:17.366476564 +0000 UTC",
  "latest_master_version": "1.28.5-gke.1217000",
  "latest_node_version": "1.28.5-gke.1217000",
  "location": "asia-southeast1",
  "project": "isg-ceso-ccm-pd-ll90",
  "release_channel_default_version": {
    "RAPID": "1.28.3-gke.1286000",
    "REGULAR": "1.27.3-gke.100",
    "STABLE": "1.27.3-gke.100"
  }
}
```
As I said yesterday, these are static rules and you should follow checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py, as rules do not currently query the AWS API for such data.
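The static-list pattern suggested above, written out as an added example (this is not code from the issue or from the Checkov project): a Checkov-style custom check for `google_container_cluster` that fails when `min_master_version` names a Kubernetes minor below a hard-coded minimum, so the list is bumped by editing one constant as the GKE schedule moves rather than by querying an API. The minimum `(1, 27)`, the check id `CKV_GCP_EXAMPLE_1`, the class name and the sample resource configurations are all assumptions; an unset attribute is treated as passing because the provider then lets GKE pick the channel default, and an unresolved expression such as `${var.x}` is reported as unknown rather than guessed.

```python
"""Added example, not code from the issue or the Checkov project: a
Checkov-style custom check that fails a google_container_cluster whose
min_master_version is below a static minimum minor release, in the spirit
of DeprecatedLambdaRuntime.py (static list, no API call). The minimum,
the check id and the sample resource configurations are constructed
assumptions; bump MIN_SUPPORTED_MINOR as GKE's release schedule moves."""
from __future__ import annotations

import re
from typing import Any

try:  # real Checkov base classes when checkov is installed
    from checkov.common.models.enums import CheckCategories, CheckResult
    from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
except ImportError:  # minimal stand-ins so the logic runs offline (assumption)
    from enum import Enum

    class CheckResult(Enum):
        PASSED = "PASSED"
        FAILED = "FAILED"
        UNKNOWN = "UNKNOWN"

    class CheckCategories(Enum):
        KUBERNETES = "kubernetes"

    class BaseResourceCheck:
        def __init__(self, name, id, categories, supported_resources):
            self.name, self.id = name, id
            self.categories, self.supported_resources = categories, supported_resources

# Oldest GKE minor still treated as supported; constructed value, revisit regularly.
MIN_SUPPORTED_MINOR = (1, 27)

# GKE versions look like "1.27.3-gke.100"; only major.minor matters here.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.\d+)?(?:-gke\.\d+)?\s*$")


def parse_gke_minor(version: str) -> tuple[int, int] | None:
    """Return (major, minor) for a GKE version string, or None if unparsable."""
    m = _VERSION_RE.match(version)
    return (int(m.group(1)), int(m.group(2))) if m else None


def evaluate_min_master_version(conf: dict[str, Any]) -> CheckResult:
    """Core decision. Terraform attribute values arrive as one-element lists."""
    raw = conf.get("min_master_version")
    if not raw:
        # Unset: the provider lets GKE choose the channel default, which is current.
        return CheckResult.PASSED
    value = raw[0] if isinstance(raw, list) else raw
    if not isinstance(value, str):
        return CheckResult.UNKNOWN
    parsed = parse_gke_minor(value)
    if parsed is None:
        # Unresolved expression or unexpected format: do not guess.
        return CheckResult.UNKNOWN
    return CheckResult.PASSED if parsed >= MIN_SUPPORTED_MINOR else CheckResult.FAILED


class GKESupportedMasterVersion(BaseResourceCheck):
    def __init__(self) -> None:
        super().__init__(
            name="Ensure GKE clusters run a supported Kubernetes minor version",
            id="CKV_GCP_EXAMPLE_1",  # placeholder id, not an allocated Checkov id
            categories=[CheckCategories.KUBERNETES],
            supported_resources=["google_container_cluster"],
        )

    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        self.evaluated_keys = ["min_master_version"]
        return evaluate_min_master_version(conf)


check = GKESupportedMasterVersion()  # module-level instance, as Checkov expects

if __name__ == "__main__":
    # Constructed sample resource configurations, shaped like Checkov's conf dicts.
    samples = {
        "old": {"min_master_version": ["1.25.10-gke.2100"]},
        "current": {"min_master_version": ["1.28.5-gke.1217000"]},
        "unset": {"name": ["demo"]},
        "expr": {"min_master_version": ["${var.gke_version}"]},
    }
    for label, conf in samples.items():
        print(label, check.scan_resource_conf(conf).name)
```

Dropped into a directory passed with `--external-checks-dir`, the module-level `check` instance is what Checkov picks up; the pure functions are kept separate from the class so the version logic can be unit-tested without a Checkov installation.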
Thanks for the advice @JamesWoolfenden. With the data structure, I think a Checkov custom policy would not be applicable. Appreciate all your help and guidance.
Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at codifiedsecurity.slack.com Thanks!
May I know if it is possible for Checkov to ensure GKE clusters run on a supported Kubernetes version? The policy will make sure the Google Kubernetes version remains up-to-date.