OCI Kubernetes Engine Cluster boot volume is not configured with in-transit data encryption
Description
This policy checks whether the boot volume of a Kubernetes Engine Cluster node pool is configured with in-transit data encryption. Leaving this disabled is harmful because data moving between a node and its block volume travels unencrypted and can be intercepted in transit, which may lead to a confidentiality breach. Enabling in-transit data encryption ensures that intercepted data cannot be read, preventing unauthorized access to sensitive information.
Code Example
```hcl
resource "oci_containerengine_node_pool" "example" {
  ...
  node_config_details {
    # Flagged by this policy: in-transit encryption for the node's
    # boot/persistent volumes is explicitly disabled.
    is_pv_encryption_in_transit_enabled = false
  }
}
```
Remediation
Terraform
- Resource: oci_containerengine_node_pool
- Arguments: node_config_details.is_pv_encryption_in_transit_enabled
To fix the issue, enable in-transit data encryption for the boot volume of the Kubernetes Engine Cluster node pool by setting the `is_pv_encryption_in_transit_enabled` attribute to `true` inside the `node_config_details` block of your resource.
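A remediated node pool as an added example (not part of the original policy page): the compliant setting is shown alongside the other arguments the resource needs so the block is deployable. The `cluster_id`, `compartment_id`, `image_id`, `subnet_id` and `availability_domain` values are placeholders to be replaced with your own.

```hcl
resource "oci_containerengine_node_pool" "example" {
  # Placeholders: replace with the OCIDs from your tenancy.
  cluster_id         = "<cluster-ocid>"
  compartment_id     = "<compartment-ocid>"
  kubernetes_version = "v1.28.2"
  name               = "example-pool"
  node_shape         = "VM.Standard.E4.Flex"

  node_shape_config {
    ocpus         = 1
    memory_in_gbs = 16
  }

  node_source_details {
    source_type = "IMAGE"
    image_id    = "<node-image-ocid>"
  }

  node_config_details {
    size = 3

    placement_configs {
      availability_domain = "<availability-domain>"
      subnet_id           = "<worker-subnet-ocid>"
    }

    # Compliant with CKV2_OCI_5: data moving between the worker nodes
    # and their block volumes is encrypted in transit.
    is_pv_encryption_in_transit_enabled = true
  }
}
```

Running `checkov -d . --check CKV2_OCI_5` against the directory containing this file confirms the node pool passes the check.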
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1255 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV2_OCI_5 |