Metadata

Id: ed672a9f-fbf0-44d8-a47d-779501b0db05

Cloud Provider: GCP

Platform: Ansible

Severity: Medium

Category: Insecure Configurations

Description

GKE clusters should enable alias IP ranges so that the cluster is VPC-native: pod IP addresses are allocated from a secondary range of the cluster's subnet instead of being advertised through custom routes added to the VPC. This avoids pod IP address conflicts and exhaustion of the VPC route quota, and it is a prerequisite for VPC features such as private clusters, network policy enforcement and private IP addressing.

For Ansible-managed GKE clusters created with the google.cloud.gcp_container_cluster module (also reachable by its short name gcp_container_cluster), the ip_allocation_policy parameter must be defined and its use_ip_aliases subparameter must be true. Ansible accepts yes, true and on as true, and a YAML 1.1 loader already turns an unquoted yes into a boolean, so either spelling satisfies the rule. Tasks that omit ip_allocation_policy, that define ip_allocation_policy without use_ip_aliases, or that set use_ip_aliases to false (no) are flagged. Note that the examples below also set master_auth with a static username and password; this rule does not evaluate that setting, and GKE no longer supports basic authentication, so do not copy it into new playbooks. Secure configuration example:

- name: create gke cluster with alias IPs
  google.cloud.gcp_container_cluster:
    name: my-cluster
    location: us-central1
    ip_allocation_policy:
      use_ip_aliases: yes
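
As an added example (not Datadog's or KICS's own rule implementation), the checker below applies this rule to an Ansible task list. It assumes only the Python standard library: a small parser for the YAML subset used in task lists (block mappings with scalar values, no flow syntax, anchors or multi-line scalars) stands in for PyYAML so the example runs offline, and the playbook embedded in it is constructed to mirror the compliant and non-compliant examples on this page. The check accepts use_ip_aliases as either a real boolean (what a YAML 1.1 loader produces from an unquoted yes) or an Ansible boolean string, because a checker that only tests for the literal string "yes" misses one of the two forms.

```python
"""Added example for this page (not Datadog's or KICS's own code): apply the
use_ip_aliases rule to Ansible tasks using only the standard library, with a
tiny parser for the YAML subset used in task lists standing in for PyYAML."""

MODULE_NAMES = ("google.cloud.gcp_container_cluster", "gcp_container_cluster")
# Ansible's boolean vocabulary; a YAML 1.1 loader already turns an unquoted
# yes/no into True/False, so the checker must accept both forms.
TRUE_WORDS = {"true", "yes", "on", "1"}
FALSE_WORDS = {"false", "no", "off", "0"}

def ansible_bool(value):
    """True/False for a value Ansible treats as boolean, None otherwise."""
    if isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    return True if text in TRUE_WORDS else False if text in FALSE_WORDS else None

def parse_tasks(text):
    """Parse a `- name: ...` task list (block mappings, scalar values only)."""
    tasks, stack = [], []              # stack: (indent of keys, mapping) pairs
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent, content = len(raw) - len(raw.lstrip()), raw.strip()
        if content.startswith("- "):   # new task: its keys sit after the "- " marker
            task, indent, content = {}, indent + 2, content[2:]
            tasks.append(task)
            stack = [(indent, task)]
        if not stack:
            raise ValueError("task list must start with a '- ' item")
        while True:                    # close mappings this line has dedented out of
            top_indent = stack[-1][0]
            if top_indent is None:     # first key of a just-opened nested mapping
                if indent > stack[-2][0]:
                    stack[-1] = (indent, stack[-1][1])
                    break
                stack.pop()            # the nested mapping was empty
            elif indent < top_indent:
                stack.pop()
            else:
                break
        key, _, value = content.partition(":")
        value = value.strip().strip("\"'")
        if value:
            stack[-1][1][key.strip()] = value
        else:                          # `key:` with nothing after opens a mapping
            child = {}
            stack[-1][1][key.strip()] = child
            stack.append((None, child))
    return tasks

def check_task(task):
    """Apply the rule to one task; return a finding string or None."""
    params = next((task[m] for m in MODULE_NAMES if m in task), None)
    if params is None:
        return None                    # not a GKE cluster task
    name = task.get("name", "<unnamed>")
    policy = params.get("ip_allocation_policy") if isinstance(params, dict) else None
    if not isinstance(policy, dict):
        return f"{name}: ip_allocation_policy is not defined"
    if "use_ip_aliases" not in policy:
        return f"{name}: ip_allocation_policy.use_ip_aliases is not defined"
    if ansible_bool(policy["use_ip_aliases"]) is not True:
        return f"{name}: ip_allocation_policy.use_ip_aliases is not true"
    return None

def scan_playbook(text):
    """Findings for every task in a task-list text, in playbook order."""
    return [f for f in map(check_task, parse_tasks(text)) if f]

# Constructed sample mirroring the page's examples; not a real playbook.
SAMPLE_PLAYBOOK = """\
- name: compliant cluster
  google.cloud.gcp_container_cluster:
    name: my-cluster
    ip_allocation_policy:
      create_subnetwork: no
      use_ip_aliases: yes
- name: no policy
  google.cloud.gcp_container_cluster:
    name: my-cluster1
- name: policy without use_ip_aliases
  gcp_container_cluster:
    name: my-cluster2
    ip_allocation_policy:
      create_subnetwork: no
- name: aliases disabled
  google.cloud.gcp_container_cluster:
    ip_allocation_policy:
      use_ip_aliases: no
- name: unrelated task
  debug:
    msg: "not a GKE cluster"
"""

if __name__ == "__main__":
    print("\n".join(scan_playbook(SAMPLE_PLAYBOOK)))
```

Run as a script it prints one finding per non-compliant task; the compliant task and the unrelated debug task produce nothing. Real tooling should replace parse_tasks with a full YAML loader, and a static check like this cannot resolve an ip_allocation_policy supplied from a variable or an included vars file, which is why the rule is applied to the literal task body.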

Compliant Code Examples

- name: create a cluster
  google.cloud.gcp_container_cluster:
    name: my-cluster
    initial_node_count: 2
    master_auth:
      username: cluster_admin
      password: my-secret-password
    node_config:
      machine_type: n1-standard-4
      disk_size_gb: 500
    location: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: /tmp/auth.pem
    state: present
    ip_allocation_policy:
      create_subnetwork: no
      use_ip_aliases: yes

Non-Compliant Code Examples

- name: create a cluster1
  google.cloud.gcp_container_cluster:
    name: my-cluster1
    initial_node_count: 2
    master_auth:
      username: cluster_admin
      password: my-secret-password
    node_config:
      machine_type: n1-standard-4
      disk_size_gb: 500
    location: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
- name: create a cluster2
  google.cloud.gcp_container_cluster:
    name: my-cluster2
    initial_node_count: 2
    master_auth:
      username: cluster_admin
      password: my-secret-password
    node_config:
      machine_type: n1-standard-4
      disk_size_gb: 500
    location: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    ip_allocation_policy:
      create_subnetwork: no
- name: create a cluster3
  google.cloud.gcp_container_cluster:
    name: my-cluster3
    initial_node_count: 2
    master_auth:
      username: cluster_admin
      password: my-secret-password
    node_config:
      machine_type: n1-standard-4
      disk_size_gb: 500
    location: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    ip_allocation_policy:
      create_subnetwork: no
      use_ip_aliases: no