--- title: Kubernetes cluster without Terway as CNI network plugin description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Kubernetes cluster without Terway as CNI network plugin --- # Kubernetes cluster without Terway as CNI network plugin {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `terraform-alicloud-kubernetes-cluster-without-terway-as-cni-network-plugin` **Provider:** Alicloud **Platform:** Terraform **Severity:** Low **Category:** Networking and Firewall #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/cs_kubernetes#cluster_network_type) ### Description{% #description %} Kubernetes clusters (`alicloud_cs_kubernetes`) must include the Terway CNI network plugin and define `pod_vswitch_ids`. Specifically, the `addons` block must include an entry for `terway-eniip`, and the `pod_vswitch_ids` attribute must be defined and not null. Terway enables ENI-based networking required for advanced network policies and proper pod communication. This rule flags `alicloud_cs_kubernetes` resources missing either the required `addons` entry or the `pod_vswitch_ids` attribute. ## Compliant Code Examples{% #compliant-code-examples %} ```terraform terraform { required_providers { alicloud = { source = "aliyun/alicloud" version = "1.160.0" } } } provider "alicloud" { access_key = "xxxxxx" secret_key = "xxxxxx" } resource "alicloud_cs_kubernetes" "k8s" { worker_number = 4 worker_vswitch_ids = ["vsw-id1", "vsw-id1", "vsw-id3"] master_vswitch_ids = ["vsw-id1", "vsw-id1", "vsw-id3"] master_instance_types = ["ecs.n4.small", "ecs.sn1ne.xlarge", "ecs.n4.xlarge"] worker_instance_types = ["ecs.n4.small", "ecs.sn1ne.xlarge", "ecs.n4.xlarge"] addons { config = "" name = "terway-eniip" } pod_vswitch_ids = ["id1"] } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```terraform terraform { required_providers { alicloud = { source = "aliyun/alicloud" version = "1.160.0" } } } provider "alicloud" { access_key = "xxxxxx" secret_key = "xxxxxx" } resource "alicloud_cs_kubernetes" "positive1" { worker_number = 4 worker_vswitch_ids = ["vsw-id1", "vsw-id1", "vsw-id3"] master_vswitch_ids = ["vsw-id1", "vsw-id1", "vsw-id3"] master_instance_types = ["ecs.n4.small", "ecs.sn1ne.xlarge", "ecs.n4.xlarge"] worker_instance_types = ["ecs.n4.small", "ecs.sn1ne.xlarge", "ecs.n4.xlarge"] } ``` ```terraform terraform { required_providers { alicloud = { source = "aliyun/alicloud" version = "1.160.0" } } } provider "alicloud" { access_key = "xxxxxx" secret_key = "xxxxxx" } resource "alicloud_cs_kubernetes" "positive2" { worker_number = 4 worker_vswitch_ids = ["vsw-id1", "vsw-id1", "vsw-id3"] master_vswitch_ids = ["vsw-id1", "vsw-id1", "vsw-id3"] master_instance_types = ["ecs.n4.small", "ecs.sn1ne.xlarge", "ecs.n4.xlarge"] worker_instance_types = ["ecs.n4.small", "ecs.sn1ne.xlarge", "ecs.n4.xlarge"] addons { config = "" name = "terway-eniip" } } ``` ```terraform terraform { required_providers { alicloud = { source = "aliyun/alicloud" version = "1.160.0" } } } provider "alicloud" { access_key = "xxxxxx" secret_key = "xxxxxx" } resource "alicloud_cs_kubernetes" "positive3" { worker_number = 4 worker_vswitch_ids = ["vsw-id1", "vsw-id1", "vsw-id3"] master_vswitch_ids = ["vsw-id1", "vsw-id1", "vsw-id3"] master_instance_types = ["ecs.n4.small", "ecs.sn1ne.xlarge", "ecs.n4.xlarge"] worker_instance_types = ["ecs.n4.small", "ecs.sn1ne.xlarge", "ecs.n4.xlarge"] pod_vswitch_ids = ["id1"] } ```