Google container node pool auto repair disabled
Id: d58c6f24-3763-4269-9f5b-86b2569a003b
Cloud Provider: GCP
Platform: Ansible
Severity: Medium
Category: Insecure Configurations
Description
Node pools must have automatic node repair enabled so that GKE detects nodes that repeatedly fail health checks and re-creates them, instead of leaving an unhealthy node in the pool serving workloads. This reduces the risk of prolonged downtime and of the running cluster drifting from the state the playbook declares.
For Ansible GKE node pool resources (module google.cloud.gcp_container_node_pool, also referenced by its short name gcp_container_node_pool), the management block must be defined and its auto_repair property set to a true value (true or yes; Ansible's YAML parser treats both as booleans). Tasks missing the management block, or with management.auto_repair set to false (or no), are flagged.
Secure configuration example:
- name: Create GKE node pool with auto repair enabled
  google.cloud.gcp_container_node_pool:
    name: my-node-pool
    cluster: my-cluster
    location: us-central1
    initial_node_count: 3
    management:
      auto_repair: true
Compliant Code Examples
- name: create a node pool
  google.cloud.gcp_container_node_pool:
    name: my-pool
    initial_node_count: 4
    cluster: '{{ cluster }}'
    location: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: /tmp/auth.pem
    state: present
    management:
      auto_repair: yes
- name: create a node pool
  google.cloud.gcp_container_node_pool:
    name: my-pool
    initial_node_count: 4
    cluster: '{{ cluster }}'
    location: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: /tmp/auth.pem
    state: present
    management:
      auto_repair: true
Non-Compliant Code Examples
---
- name: create a node pool
  google.cloud.gcp_container_node_pool:
    name: my-pool
    initial_node_count: 4
    cluster: "{{ cluster }}"
    location: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    management:
      auto_repair: no
- name: create a node pool2
  google.cloud.gcp_container_node_pool:
    name: my-pool
    initial_node_count: 4
    cluster: "{{ cluster }}"
    location: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    management:
      auto_repair: false
- name: create a node pool3
  google.cloud.gcp_container_node_pool:
    name: my-pool
    initial_node_count: 4
    cluster: "{{ cluster }}"
    location: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
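The rule above can be reproduced as a pre-commit check over a playbook. The following is an added example, not Datadog's scanner code and not part of the google.cloud collection: it takes tasks already loaded from YAML (for instance with yaml.safe_load, which follows YAML 1.1 and turns unquoted yes/no into True/False), covers both module spellings, descends into block/rescue/always, and normalises the boolean spellings Ansible's bool argument type accepts so a quoted "yes" is not wrongly flagged. It goes one step beyond the rule text by also flagging a management block that omits auto_repair; that stricter choice and the sample task data are assumptions of this example, with the sample tasks constructed to mirror the compliant and non-compliant shapes shown above.

```python
"""Added example (not Datadog's scanner): a static check mirroring the
auto_repair rule over Ansible tasks already loaded from YAML.  The sample
task data below is constructed for illustration."""

from typing import Any, Dict, List, Optional, Tuple

# Both spellings of the module the rule covers.
NODE_POOL_MODULES = {"google.cloud.gcp_container_node_pool", "gcp_container_node_pool"}

# Spellings Ansible's bool argument type accepts (YAML 1.1 style).  A loaded
# playbook may carry a real bool (unquoted yes/true) or one of these strings
# (quoted "yes"), so the check normalises both.
TRUE_VALUES = {"y", "yes", "on", "1", "true", "t"}
FALSE_VALUES = {"n", "no", "off", "0", "false", "f"}


def to_bool(value: Any) -> Optional[bool]:
    """Interpret a value the way Ansible's bool type would; None if unrecognised."""
    if isinstance(value, bool):  # checked before int, since bool is an int subclass
        return value
    if isinstance(value, (int, float)):
        return True if value == 1 else False if value == 0 else None
    if isinstance(value, str):
        lowered = value.strip().lower()
        if lowered in TRUE_VALUES:
            return True
        if lowered in FALSE_VALUES:
            return False
    return None


def node_pool_args(task: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return the module arguments if the task calls a covered module, else None."""
    for key, value in task.items():
        if key in NODE_POOL_MODULES:
            return value if isinstance(value, dict) else {}
    return None


def check_tasks(tasks: List[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Return (task name, reason) for every node pool task that fails the rule.

    Descends into block/rescue/always so nested tasks are not missed.  A
    management block that omits auto_repair is also flagged (assumption of this
    example, stricter than the rule text, which names only a missing block or
    an explicit false).
    """
    findings: List[Tuple[str, str]] = []
    for task in tasks:
        name = task.get("name", "<unnamed>")
        for section in ("block", "rescue", "always"):
            if isinstance(task.get(section), list):
                findings.extend(check_tasks(task[section]))
        args = node_pool_args(task)
        if args is None:
            continue  # not a node pool task
        management = args.get("management")
        if not isinstance(management, dict):
            findings.append((name, "management block missing"))
        elif "auto_repair" not in management:
            findings.append((name, "management.auto_repair not set"))
        elif to_bool(management["auto_repair"]) is not True:
            findings.append((name, f"management.auto_repair is {management['auto_repair']!r}, expected true"))
    return findings


# Constructed tasks mirroring the page's compliant and non-compliant examples,
# as PyYAML would load them (unquoted yes/no become True/False).
SAMPLE_TASKS: List[Dict[str, Any]] = [
    {"name": "pool-ok",
     "google.cloud.gcp_container_node_pool": {"name": "my-pool", "cluster": "{{ cluster }}",
                                             "management": {"auto_repair": True}}},
    {"name": "pool-ok-quoted",  # auto_repair: "yes" stays a string when quoted
     "gcp_container_node_pool": {"name": "my-pool", "management": {"auto_repair": "yes"}}},
    {"name": "pool-off",
     "google.cloud.gcp_container_node_pool": {"name": "my-pool", "management": {"auto_repair": False}}},
    {"name": "pool-no-management",
     "google.cloud.gcp_container_node_pool": {"name": "my-pool", "initial_node_count": 4}},
    {"name": "unrelated-task", "debug": {"msg": "not a node pool"}},
    {"name": "wrapper",
     "block": [{"name": "nested-off",
                "gcp_container_node_pool": {"name": "my-pool", "management": {"auto_repair": "no"}}}]},
]


if __name__ == "__main__":
    for task_name, reason in check_tasks(SAMPLE_TASKS):
        print(f"{task_name}: {reason}")
```

Running the script reports pool-off, pool-no-management and nested-off; the two compliant tasks and the unrelated debug task pass. To confirm the deployed state rather than the playbook, `gcloud container node-pools describe NAME --cluster=CLUSTER --location=LOCATION --format='value(management.autoRepair)'` should print True for the pool.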