--- title: TKE cluster has public access description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > TKE cluster has public access --- # TKE cluster has public access {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `terraform-tencentcloud-tke-cluster-has-public-access` **Provider:** TencentCloud **Platform:** Terraform **Severity:** Medium **Category:** Insecure Configurations #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/tencentcloudstack/tencentcloud/latest/docs/resources/kubernetes_cluster#public_ip_assigned) ### Description{% #description %} In a TKE cluster, `public_ip_assigned` should be set to `false`. A `tencentcloud_kubernetes_cluster` is noncompliant if either `master_config` or `worker_config` sets `public_ip_assigned` to `true` while `internet_max_bandwidth_out` is greater than `0`. It is also noncompliant if `public_ip_assigned` is undefined and `internet_max_bandwidth_out` is greater than `0`; in such cases, `internet_max_bandwidth_out` should be set to `0` or left undefined. ## Compliant Code Examples{% #compliant-code-examples %} ```terraform locals { first_vpc_id = data.tencentcloud_vpc_subnets.vpc_one.instance_list.0.vpc_id first_subnet_id = data.tencentcloud_vpc_subnets.vpc_one.instance_list.0.subnet_id second_vpc_id = data.tencentcloud_vpc_subnets.vpc_two.instance_list.0.vpc_id second_subnet_id = data.tencentcloud_vpc_subnets.vpc_two.instance_list.0.subnet_id sg_id = tencentcloud_security_group.sg.id image_id = data.tencentcloud_images.default.image_id } data "tencentcloud_vpc_subnets" "vpc_one" { is_default = true availability_zone = "ap-guangzhou-3" } data "tencentcloud_vpc_subnets" "vpc_two" { is_default = true availability_zone = "ap-guangzhou-4" } resource "tencentcloud_security_group" "sg" { name = "tf-example-sg" } resource "tencentcloud_security_group_lite_rule" "sg_rule" { security_group_id = tencentcloud_security_group.sg.id ingress = [ "ACCEPT#10.0.0.0/16#ALL#ALL", "ACCEPT#172.16.0.0/22#ALL#ALL", "DROP#0.0.0.0/0#ALL#ALL", ] egress = [ "ACCEPT#172.16.0.0/22#ALL#ALL", ] } data "tencentcloud_images" "default" { image_type = ["PUBLIC_IMAGE"] image_name_regex = "Final" } resource "tencentcloud_kubernetes_cluster" "example" { vpc_id = local.first_vpc_id cluster_cidr = "10.31.0.0/16" cluster_max_pod_num = 32 cluster_name = "tf_example_cluster" cluster_desc = "example for tke cluster" cluster_max_service_num = 32 cluster_internet = false cluster_internet_security_group = local.sg_id cluster_version = "1.22.5" cluster_deploy_type = "MANAGED_CLUSTER" master_config { count = 1 availability_zone = "ap-guangzhou-3" instance_type = "SA2.2XLARGE16" system_disk_type = "CLOUD_SSD" system_disk_size = 60 subnet_id = local.first_subnet_id img_id = local.image_id data_disk { disk_type = "CLOUD_PREMIUM" disk_size = 50 } enhanced_security_service = false enhanced_monitor_service = false } worker_config { count = 1 availability_zone = "ap-guangzhou-4" instance_type = "SA2.2XLARGE16" system_disk_type = "CLOUD_SSD" system_disk_size = 60 subnet_id = local.second_subnet_id data_disk { disk_type = "CLOUD_PREMIUM" disk_size = 50 } enhanced_security_service = false enhanced_monitor_service = false cam_role_name = "CVM_QcsRole" } labels = { "test1" = "test1", "test2" = "test2", } } ``` ```terraform locals { first_vpc_id = data.tencentcloud_vpc_subnets.vpc_one.instance_list.0.vpc_id first_subnet_id = data.tencentcloud_vpc_subnets.vpc_one.instance_list.0.subnet_id second_vpc_id = data.tencentcloud_vpc_subnets.vpc_two.instance_list.0.vpc_id second_subnet_id = data.tencentcloud_vpc_subnets.vpc_two.instance_list.0.subnet_id sg_id = tencentcloud_security_group.sg.id image_id = data.tencentcloud_images.default.image_id } data "tencentcloud_vpc_subnets" "vpc_one" { is_default = true availability_zone = "ap-guangzhou-3" } data "tencentcloud_vpc_subnets" "vpc_two" { is_default = true availability_zone = "ap-guangzhou-4" } resource "tencentcloud_security_group" "sg" { name = "tf-example-sg" } resource "tencentcloud_security_group_lite_rule" "sg_rule" { security_group_id = tencentcloud_security_group.sg.id ingress = [ "ACCEPT#10.0.0.0/16#ALL#ALL", "ACCEPT#172.16.0.0/22#ALL#ALL", "DROP#0.0.0.0/0#ALL#ALL", ] egress = [ "ACCEPT#172.16.0.0/22#ALL#ALL", ] } data "tencentcloud_images" "default" { image_type = ["PUBLIC_IMAGE"] image_name_regex = "Final" } resource "tencentcloud_kubernetes_cluster" "example" { vpc_id = local.first_vpc_id cluster_cidr = "10.31.0.0/16" cluster_max_pod_num = 32 cluster_name = "tf_example_cluster" cluster_desc = "example for tke cluster" cluster_max_service_num = 32 cluster_internet = false cluster_internet_security_group = local.sg_id cluster_version = "1.22.5" cluster_deploy_type = "MANAGED_CLUSTER" master_config { count = 1 availability_zone = "ap-guangzhou-3" instance_type = "SA2.2XLARGE16" system_disk_type = "CLOUD_SSD" system_disk_size = 60 public_ip_assigned = false subnet_id = local.first_subnet_id img_id = local.image_id data_disk { disk_type = "CLOUD_PREMIUM" disk_size = 50 } enhanced_security_service = false enhanced_monitor_service = false } worker_config { count = 1 availability_zone = "ap-guangzhou-4" instance_type = "SA2.2XLARGE16" system_disk_type = "CLOUD_SSD" system_disk_size = 60 public_ip_assigned = false subnet_id = local.second_subnet_id data_disk { disk_type = "CLOUD_PREMIUM" disk_size = 50 } enhanced_security_service = false enhanced_monitor_service = false cam_role_name = "CVM_QcsRole" } labels = { "test1" = "test1", "test2" = "test2", } } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```terraform locals { first_vpc_id = data.tencentcloud_vpc_subnets.vpc_one.instance_list.0.vpc_id first_subnet_id = data.tencentcloud_vpc_subnets.vpc_one.instance_list.0.subnet_id second_vpc_id = data.tencentcloud_vpc_subnets.vpc_two.instance_list.0.vpc_id second_subnet_id = data.tencentcloud_vpc_subnets.vpc_two.instance_list.0.subnet_id sg_id = tencentcloud_security_group.sg.id image_id = data.tencentcloud_images.default.image_id } data "tencentcloud_vpc_subnets" "vpc_one" { is_default = true availability_zone = "ap-guangzhou-3" } data "tencentcloud_vpc_subnets" "vpc_two" { is_default = true availability_zone = "ap-guangzhou-4" } resource "tencentcloud_security_group" "sg" { name = "tf-example-sg" } resource "tencentcloud_security_group_lite_rule" "sg_rule" { security_group_id = tencentcloud_security_group.sg.id ingress = [ "ACCEPT#10.0.0.0/16#ALL#ALL", "ACCEPT#172.16.0.0/22#ALL#ALL", "DROP#0.0.0.0/0#ALL#ALL", ] egress = [ "ACCEPT#172.16.0.0/22#ALL#ALL", ] } data "tencentcloud_images" "default" { image_type = ["PUBLIC_IMAGE"] image_name_regex = "Final" } resource "tencentcloud_kubernetes_cluster" "example" { vpc_id = local.first_vpc_id cluster_cidr = "10.31.0.0/16" cluster_max_pod_num = 32 cluster_name = "tf_example_cluster" cluster_desc = "example for tke cluster" cluster_max_service_num = 32 cluster_internet = true cluster_internet_security_group = local.sg_id cluster_version = "1.22.5" cluster_deploy_type = "MANAGED_CLUSTER" master_config { count = 1 availability_zone = "ap-guangzhou-3" instance_type = "SA2.2XLARGE16" system_disk_type = "CLOUD_SSD" system_disk_size = 60 internet_charge_type = "TRAFFIC_POSTPAID_BY_HOUR" internet_max_bandwidth_out = 100 public_ip_assigned = true subnet_id = local.first_subnet_id img_id = local.image_id data_disk { disk_type = "CLOUD_PREMIUM" disk_size = 50 } enhanced_security_service = false enhanced_monitor_service = false } worker_config { count = 1 availability_zone = "ap-guangzhou-4" instance_type = "SA2.2XLARGE16" system_disk_type = "CLOUD_SSD" system_disk_size = 60 internet_charge_type = "TRAFFIC_POSTPAID_BY_HOUR" internet_max_bandwidth_out = 100 public_ip_assigned = true subnet_id = local.second_subnet_id data_disk { disk_type = "CLOUD_PREMIUM" disk_size = 50 } enhanced_security_service = false enhanced_monitor_service = false cam_role_name = "CVM_QcsRole" } labels = { "test1" = "test1", "test2" = "test2", } } ``` ```terraform locals { first_vpc_id = data.tencentcloud_vpc_subnets.vpc_one.instance_list.0.vpc_id first_subnet_id = data.tencentcloud_vpc_subnets.vpc_one.instance_list.0.subnet_id second_vpc_id = data.tencentcloud_vpc_subnets.vpc_two.instance_list.0.vpc_id second_subnet_id = data.tencentcloud_vpc_subnets.vpc_two.instance_list.0.subnet_id sg_id = tencentcloud_security_group.sg.id image_id = data.tencentcloud_images.default.image_id } data "tencentcloud_vpc_subnets" "vpc_one" { is_default = true availability_zone = "ap-guangzhou-3" } data "tencentcloud_vpc_subnets" "vpc_two" { is_default = true availability_zone = "ap-guangzhou-4" } resource "tencentcloud_security_group" "sg" { name = "tf-example-sg" } resource "tencentcloud_security_group_lite_rule" "sg_rule" { security_group_id = tencentcloud_security_group.sg.id ingress = [ "ACCEPT#10.0.0.0/16#ALL#ALL", "ACCEPT#172.16.0.0/22#ALL#ALL", "DROP#0.0.0.0/0#ALL#ALL", ] egress = [ "ACCEPT#172.16.0.0/22#ALL#ALL", ] } data "tencentcloud_images" "default" { image_type = ["PUBLIC_IMAGE"] image_name_regex = "Final" } resource "tencentcloud_kubernetes_cluster" "example" { vpc_id = local.first_vpc_id cluster_cidr = "10.31.0.0/16" cluster_max_pod_num = 32 cluster_name = "tf_example_cluster" cluster_desc = "example for tke cluster" cluster_max_service_num = 32 cluster_internet = true cluster_internet_security_group = local.sg_id cluster_version = "1.22.5" cluster_deploy_type = "MANAGED_CLUSTER" master_config { count = 1 availability_zone = "ap-guangzhou-3" instance_type = "SA2.2XLARGE16" system_disk_type = "CLOUD_SSD" system_disk_size = 60 internet_charge_type = "TRAFFIC_POSTPAID_BY_HOUR" internet_max_bandwidth_out = 100 subnet_id = local.first_subnet_id img_id = local.image_id data_disk { disk_type = "CLOUD_PREMIUM" disk_size = 50 } enhanced_security_service = false enhanced_monitor_service = false user_data = "dGVzdA==" } worker_config { count = 1 availability_zone = "ap-guangzhou-4" instance_type = "SA2.2XLARGE16" system_disk_type = "CLOUD_SSD" system_disk_size = 60 internet_charge_type = "TRAFFIC_POSTPAID_BY_HOUR" internet_max_bandwidth_out = 100 subnet_id = local.second_subnet_id data_disk { disk_type = "CLOUD_PREMIUM" disk_size = 50 } enhanced_security_service = false enhanced_monitor_service = false cam_role_name = "CVM_QcsRole" } labels = { "test1" = "test1", "test2" = "test2", } } ``` ```terraform locals { first_vpc_id = data.tencentcloud_vpc_subnets.vpc_one.instance_list.0.vpc_id first_subnet_id = data.tencentcloud_vpc_subnets.vpc_one.instance_list.0.subnet_id second_vpc_id = data.tencentcloud_vpc_subnets.vpc_two.instance_list.0.vpc_id second_subnet_id = data.tencentcloud_vpc_subnets.vpc_two.instance_list.0.subnet_id sg_id = tencentcloud_security_group.sg.id image_id = data.tencentcloud_images.default.image_id } data "tencentcloud_vpc_subnets" "vpc_one" { is_default = true availability_zone = "ap-guangzhou-3" } data "tencentcloud_vpc_subnets" "vpc_two" { is_default = true availability_zone = "ap-guangzhou-4" } resource "tencentcloud_security_group" "sg" { name = "tf-example-sg" } resource "tencentcloud_security_group_lite_rule" "sg_rule" { security_group_id = tencentcloud_security_group.sg.id ingress = [ "ACCEPT#10.0.0.0/16#ALL#ALL", "ACCEPT#172.16.0.0/22#ALL#ALL", "DROP#0.0.0.0/0#ALL#ALL", ] egress = [ "ACCEPT#172.16.0.0/22#ALL#ALL", ] } data "tencentcloud_images" "default" { image_type = ["PUBLIC_IMAGE"] image_name_regex = "Final" } resource "tencentcloud_kubernetes_cluster" "example" { vpc_id = local.first_vpc_id cluster_cidr = "10.31.0.0/16" cluster_max_pod_num = 32 cluster_name = "tf_example_cluster" cluster_desc = "example for tke cluster" cluster_max_service_num = 32 cluster_internet = true cluster_internet_security_group = local.sg_id cluster_version = "1.22.5" cluster_deploy_type = "MANAGED_CLUSTER" master_config { count = 1 availability_zone = "ap-guangzhou-3" instance_type = "SA2.2XLARGE16" system_disk_type = "CLOUD_SSD" system_disk_size = 60 internet_charge_type = "TRAFFIC_POSTPAID_BY_HOUR" internet_max_bandwidth_out = 100 public_ip_assigned = true subnet_id = local.first_subnet_id img_id = local.image_id data_disk { disk_type = "CLOUD_PREMIUM" disk_size = 50 } enhanced_security_service = false enhanced_monitor_service = false } master_config { count = 1 availability_zone = "ap-guangzhou-3" instance_type = "SA2.2XLARGE16" system_disk_type = "CLOUD_SSD" system_disk_size = 60 internet_charge_type = "TRAFFIC_POSTPAID_BY_HOUR" internet_max_bandwidth_out = 100 public_ip_assigned = true subnet_id = local.first_subnet_id img_id = local.image_id data_disk { disk_type = "CLOUD_PREMIUM" disk_size = 50 } enhanced_security_service = false enhanced_monitor_service = false } worker_config { count = 1 availability_zone = "ap-guangzhou-4" instance_type = "SA2.2XLARGE16" system_disk_type = "CLOUD_SSD" system_disk_size = 60 internet_charge_type = "TRAFFIC_POSTPAID_BY_HOUR" internet_max_bandwidth_out = 100 public_ip_assigned = true subnet_id = local.second_subnet_id data_disk { disk_type = "CLOUD_PREMIUM" disk_size = 50 } enhanced_security_service = false enhanced_monitor_service = false cam_role_name = "CVM_QcsRole" } worker_config { count = 1 availability_zone = "ap-guangzhou-4" instance_type = "SA2.2XLARGE16" system_disk_type = "CLOUD_SSD" system_disk_size = 60 internet_charge_type = "TRAFFIC_POSTPAID_BY_HOUR" internet_max_bandwidth_out = 100 public_ip_assigned = true subnet_id = local.second_subnet_id data_disk { disk_type = "CLOUD_PREMIUM" disk_size = 50 } enhanced_security_service = false enhanced_monitor_service = false cam_role_name = "CVM_QcsRole" } labels = { "test1" = "test1", "test2" = "test2", } } ```