wyardley
commented
2 years ago Basic POC that shows this against current trunk as well.
title "GKE Nodepool test"
gcp_project_id = input("gcp_project_id")
gke_cluster = input("gke_cluster")
gke_cluster_location = input("gke_cluster_location")
gke_nodepool_name = input("gke_nodepool_name")
# you add controls here
control "gke-cluster-1.0" do
impact 1.0
title "Ensure cluster exists."
desc "Testing"
describe google_container_cluster(project: gcp_project_id, name: gke_cluster, location: gke_cluster_location) do
it { should exist }
end
describe google_container_node_pool(project: gcp_project_id, nodepool_name: gke_nodepool_name, cluster_name: gke_cluster, location: gke_cluster_location) do
it { should exist }
its('config.workload_meta_config.mode') { should be_in %w[GCE_METADATA GKE_METADATA] }
end
end × gke-cluster-1.0: Ensure cluster exists. (1 failed)
✔ Cluster xyz is expected to exist
✔ NodePool default-node-pool is expected to exist
× NodePool default-node-pool config.workload_meta_config.mode is expected to be in "GCE_METADATA" and "GKE_METADATA"
expected `` to be in the list: `["GCE_METADATA", "GKE_METADATA"]`dumping out the config object, it's got:
+ "workloadMetadataConfig"=>{"mode"=>"GKE_METADATA"},the GCP CLI also shows
config:
workloadMetadataConfig:
mode: GKE_METADATA
sa-progress
Describe the problem
I've got a situation where
workloadMetadataConfig.modeis set toGKE_METADATA, and yet theworkload_meta_config.modematcher seesm to be nil. This is using a slightly older version of this that's vendored in with https://github.com/GoogleCloudPlatform/inspec-gcp-helpers, so I can try to doublecheck if this issue affects the latest version as well.Described in more detail at: https://github.com/GoogleCloudPlatform/inspec-gke-cis-benchmark/issues/30
Possible Solution