Ensure Kubernetes cluster node group does not have public IP addresses.

Description

This policy checks whether a Kubernetes cluster node group has public IP addresses enabled. Having public IP addresses on node groups can expose the cluster to unnecessary security risks, as it increases the attack surface. It is recommended to keep node groups private and only expose necessary services through ingress controllers or load balancers. By disabling public IP addresses, the security of the cluster can be improved.

Code Example

terraform

resource "yandex_kubernetes_node_group" "example" {
  instance_template {
    network_interface {
      nat = false
    }
  }
}

Remediation

Ensure the node group does not have public IP addresses by setting the 'nat' property to False in the instance template's network interface.

Rule Details

Field	Value
ID	IAC-1339
Severity	MEDIUM
IaC Type	Terraform
Frameworks	yandex_kubernetes_node_group
Checkov ID	CKV_YC_6

References

Checkov Rule

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

Ensure Kubernetes cluster node group does not have public IP addresses.

Description

Code Example

Remediation

Rule Details

References

SAST Rules

IaC Rules

License Rules

Ensure Kubernetes cluster node group does not have public IP addresses. ​

Description ​

Code Example ​

Remediation ​

Rule Details ​

References ​

Ensure Kubernetes cluster node group does not have public IP addresses.

Description

Code Example

Remediation

Rule Details

References