Metadata

Id: 65c1bc7a-4835-4ac4-a2b6-13d310b0648d

Cloud Provider: gcp

Framework: Terraform

Severity: Low

Category: Insecure Configurations

Description

Kubernetes clusters should be labeled by defining the resource_labels attribute in the google_container_cluster resource. Missing cluster labels make it harder to organize and identify Kubernetes environments and to apply policies to them, potentially leading to management issues and security policy gaps. To mitigate this, clusters must set resource_labels as shown below:

resource "google_container_cluster" "example" {
  name               = "my-cluster"
  location           = "us-central1-a"
  initial_node_count = 3

  # resource_labels is a map argument, so it is assigned with "="
  resource_labels = {
    environment = "production"
    team        = "devops"
  }
}

Compliant Code Examples

# This code is compliant: the query should not report any result for it
resource "google_container_cluster" "negative1" {
  name               = "marcellus-wallace"
  location           = "us-central1-a"
  initial_node_count = 3

  # resource_labels is defined (left empty here), so the query reports nothing
  resource_labels = {}

  timeouts {
    create = "30m"
    update = "40m"
  }
}

Non-Compliant Code Examples

# This code is non-compliant: the query should report a result for it
resource "google_container_cluster" "positive1" {
  name               = "marcellus-wallace"
  location           = "us-central1-a"
  initial_node_count = 3

  timeouts {
    create = "30m"
    update = "40m"
  }
}
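
The same rule applied to a plan before apply, as an added example (not Datadog's query or code from this page): it walks `terraform show -json` output, including child modules, and flags google_container_cluster resources with no resource_labels. It goes beyond the rule above by also flagging an empty map and, optionally, missing required keys; the function names, the `required` parameter, the module name and the sample plan are assumptions constructed for illustration.

```python
# Constructed sample, shaped like `terraform show -json <planfile>` output and
# trimmed to the fields this check reads. Names reuse the examples on this page.
SAMPLE_PLAN = {"planned_values": {"root_module": {
    "resources": [
        {"address": "google_container_cluster.positive1",
         "type": "google_container_cluster",
         "values": {"name": "marcellus-wallace", "resource_labels": None}},
        {"address": "google_container_cluster.negative1",
         "type": "google_container_cluster",
         "values": {"name": "marcellus-wallace", "resource_labels": {}}},
    ],
    "child_modules": [{
        "address": "module.gke",  # hypothetical module name
        "resources": [
            {"address": "module.gke.google_container_cluster.example",
             "type": "google_container_cluster",
             "values": {"name": "my-cluster", "resource_labels": {
                 "environment": "production", "team": "devops"}}},
        ],
    }],
}}}


def iter_resources(module):
    """Yield every resource in a module and, recursively, in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def find_unlabeled_clusters(plan, required=()):
    """Return {address: reason} for GKE clusters with missing or incomplete labels."""
    findings = {}
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != "google_container_cluster":
            continue
        labels = res.get("values", {}).get("resource_labels")
        if labels is None:  # attribute absent or null: what the rule above reports
            findings[res["address"]] = "resource_labels not set"
        elif not labels:  # stricter than the rule: defined but empty
            findings[res["address"]] = "resource_labels is empty"
        else:
            missing = sorted(set(required) - set(labels))
            if missing:
                findings[res["address"]] = "missing labels: " + ", ".join(missing)
    return findings
```

To check a real plan, pass the parsed output of `terraform show -json` in place of `SAMPLE_PLAN` and fail the pipeline when the returned dictionary is not empty.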