For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/terraform-alicloud-kubernetes-cluster-without-terway-as-cni-network-plugin.md. A documentation index is available at /llms.txt.

Kubernetes cluster without Terway as CNI network plugin

This product is not supported for your selected Datadog site. ().

Metadata

Id: terraform-alicloud-kubernetes-cluster-without-terway-as-cni-network-plugin

Provider: Alicloud

Platform: Terraform

Severity: Low

Category: Networking and Firewall

Learn More

Description

Kubernetes clusters (alicloud_cs_kubernetes) must include the Terway CNI network plugin and define pod_vswitch_ids. Specifically, the addons block must include an entry for terway-eniip, and the pod_vswitch_ids attribute must be defined and not null. Terway enables ENI-based networking required for advanced network policies and proper pod communication. This rule flags alicloud_cs_kubernetes resources missing either the required addons entry or the pod_vswitch_ids attribute.

Compliant Code Examples

terraform {
  required_providers {
    alicloud = {
      source = "aliyun/alicloud"
      version = "1.160.0"
    }
  }
}

provider "alicloud" {
  access_key = "xxxxxx"
  secret_key = "xxxxxx"
}

resource "alicloud_cs_kubernetes" "k8s" {
  worker_number = 4
  worker_vswitch_ids = ["vsw-id1", "vsw-id1", "vsw-id3"]
  master_vswitch_ids = ["vsw-id1", "vsw-id1", "vsw-id3"]
  master_instance_types  = ["ecs.n4.small", "ecs.sn1ne.xlarge", "ecs.n4.xlarge"]
  worker_instance_types  = ["ecs.n4.small", "ecs.sn1ne.xlarge", "ecs.n4.xlarge"]

  addons {
    config = ""
    name   = "terway-eniip"
  }

  pod_vswitch_ids = ["id1"]
}

Non-Compliant Code Examples

terraform {
  required_providers {
    alicloud = {
      source = "aliyun/alicloud"
      version = "1.160.0"
    }
  }
}

provider "alicloud" {
  access_key = "xxxxxx"
  secret_key = "xxxxxx"
}

resource "alicloud_cs_kubernetes" "positive1" {
  worker_number = 4
  worker_vswitch_ids = ["vsw-id1", "vsw-id1", "vsw-id3"]
  master_vswitch_ids = ["vsw-id1", "vsw-id1", "vsw-id3"]
  master_instance_types  = ["ecs.n4.small", "ecs.sn1ne.xlarge", "ecs.n4.xlarge"]
  worker_instance_types  = ["ecs.n4.small", "ecs.sn1ne.xlarge", "ecs.n4.xlarge"]
}

terraform {
  required_providers {
    alicloud = {
      source = "aliyun/alicloud"
      version = "1.160.0"
    }
  }
}

provider "alicloud" {
  access_key = "xxxxxx"
  secret_key = "xxxxxx"
}

resource "alicloud_cs_kubernetes" "positive2" {
  worker_number = 4
  worker_vswitch_ids = ["vsw-id1", "vsw-id1", "vsw-id3"]
  master_vswitch_ids = ["vsw-id1", "vsw-id1", "vsw-id3"]
  master_instance_types  = ["ecs.n4.small", "ecs.sn1ne.xlarge", "ecs.n4.xlarge"]
  worker_instance_types  = ["ecs.n4.small", "ecs.sn1ne.xlarge", "ecs.n4.xlarge"]

  addons {
    config = ""
    name   = "terway-eniip"
  }
}

terraform {
  required_providers {
    alicloud = {
      source = "aliyun/alicloud"
      version = "1.160.0"
    }
  }
}

provider "alicloud" {
  access_key = "xxxxxx"
  secret_key = "xxxxxx"
}

resource "alicloud_cs_kubernetes" "positive3" {
  worker_number = 4
  worker_vswitch_ids = ["vsw-id1", "vsw-id1", "vsw-id3"]
  master_vswitch_ids = ["vsw-id1", "vsw-id1", "vsw-id3"]
  master_instance_types  = ["ecs.n4.small", "ecs.sn1ne.xlarge", "ecs.n4.xlarge"]
  worker_instance_types  = ["ecs.n4.small", "ecs.sn1ne.xlarge", "ecs.n4.xlarge"]

  pod_vswitch_ids = ["id1"]
}