IBM Cloud Kubernetes clusters are accessible by using public endpoint in Terraform
Description
This policy detects whether Kubernetes clusters are accessible via public endpoints rather than private endpoints. Exposing clusters through public endpoints increases the risk of unauthorized access and potential vulnerabilities being exploited. By restricting access to private endpoints, sensitive workloads and data are protected from external threats, thereby enhancing the overall security of the Kubernetes environment.
Code Example

```hcl
resource "ibm_container_cluster" "secure_cluster" {
  # ... other cluster arguments ...
  public_service_endpoint  = false
  private_service_endpoint = true
}
```

Remediation

Terraform
- Resource: ibm_container_cluster
- Arguments: private_service_endpoint, public_service_endpoint
Ensure the IBM Kubernetes cluster is reachable only through a private endpoint by setting `private_service_endpoint` to `true` and either omitting `public_service_endpoint` or setting it to `false`.
In this example, the `public_service_endpoint` attribute is set to `false` and the `private_service_endpoint` attribute is set to `true` in the `ibm_container_cluster` resource to configure access to the Kubernetes cluster via a private endpoint only.
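To show how this rule can be evaluated against a Terraform plan rather than by eye, here is an added example (not Checkov's own implementation) that walks the `planned_values` tree of a `terraform show -json` plan and flags every `ibm_container_cluster` whose endpoint settings do not match the remediation above; the sample plan is constructed inline and covers the pass case, the explicitly public case, and a cluster that never enables the private endpoint.

```python
"""Flag IBM Cloud Kubernetes clusters reachable over a public service endpoint
in a Terraform plan JSON document (added example, not Checkov's code)."""
import json

RESOURCE_TYPE = "ibm_container_cluster"


def iter_resources(module):
    """Yield every resource in a plan module, descending into child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def cluster_is_private_only(values):
    """Pass only when the private endpoint is enabled and the public endpoint
    is omitted (plan JSON may render it as null) or explicitly false."""
    private = values.get("private_service_endpoint")
    public = values.get("public_service_endpoint")
    return private is True and public in (None, False)


def find_public_clusters(plan):
    """Return the addresses of ibm_container_cluster resources failing the rule."""
    root = plan.get("planned_values", {}).get("root_module", {})
    return [
        res["address"]
        for res in iter_resources(root)
        if res.get("type") == RESOURCE_TYPE
        and not cluster_is_private_only(res.get("values", {}))
    ]


# Constructed sample plan, not from a real deployment.
SAMPLE_PLAN = {"planned_values": {"root_module": {
    "resources": [
        {"address": "ibm_container_cluster.secure_cluster", "type": RESOURCE_TYPE,
         "values": {"name": "secure", "private_service_endpoint": True,
                    "public_service_endpoint": False}},
        {"address": "ibm_container_cluster.public_cluster", "type": RESOURCE_TYPE,
         "values": {"name": "public", "private_service_endpoint": True,
                    "public_service_endpoint": True}},
    ],
    "child_modules": [{"address": "module.dev", "resources": [
        {"address": "module.dev.ibm_container_cluster.default",
         "type": RESOURCE_TYPE, "values": {"name": "default"}},
    ]}],
}}}

if __name__ == "__main__":
    print(json.dumps(find_public_clusters(SAMPLE_PLAN), indent=2))
```

Run it against a real plan with `python check.py < plan.json` after replacing `SAMPLE_PLAN` with `json.load(sys.stdin)`; a cluster whose private endpoint is left unset fails, matching the rule's requirement that it be set to `true`.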
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1078 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV2_IBM_7 |