feat(arm): add CKV_AZURE_168 to ensure that Azure Kubernetes Cluster …
…(AKS) nodes should use a minimum number of 50 pods (#6385)

* added a new arm policy for resource: AKSMaxPodsMinimum

* update new arm policy for resource: AKSMaxPodsMinimum

* update new arm policy for resource: AKSMaxPodsMinimum

* update arm policy for resource: AKSMaxPodsMinimum

---------

Co-authored-by: ChanochShayner <[email protected]>
tehila86127 and ChanochShayner authored Jun 27, 2024
1 parent 4117577 commit eec7d41
Showing 9 changed files with 769 additions and 4 deletions.
34 changes: 34 additions & 0 deletions checkov/arm/checks/resource/AKSMaxPodsMinimum.py
@@ -0,0 +1,34 @@
from __future__ import annotations
from typing import Any
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_check import BaseResourceCheck
from typing import Optional


class AKSMaxPodsMinimum(BaseResourceCheck):
def __init__(self) -> None:
name = "Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods."
id = "CKV_AZURE_168"
supported_resources = ("Microsoft.ContainerService/managedClusters",
"Microsoft.ContainerService/managedClusters/agentPools", )
categories = (CheckCategories.KUBERNETES,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,)

def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
max_pods: Optional[int] = 30

properties = conf.get("properties")
if properties and isinstance(properties, dict):
max_pods = properties.get("maxPods")

if "agentPoolProfiles" in properties:
if "maxPods" in properties["agentPoolProfiles"][0]:
max_pods = properties["agentPoolProfiles"][0]["maxPods"]

if max_pods is None or max_pods < 50:
return CheckResult.FAILED

return CheckResult.PASSED


check = AKSMaxPodsMinimum()
@@ -0,0 +1,134 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.5.6.12127",
"templateHash": "12705365244308198684"
}
},
"parameters": {
"aksClusterName": {
"type": "string",
"defaultValue": "aks101cluster-vmss",
"metadata": {
"description": "The name of the Managed Cluster resource."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "The location of AKS resource."
}
},
"dnsPrefix": {
"type": "string",
"metadata": {
"description": "Optional DNS prefix to use with hosted Kubernetes API server FQDN."
}
},
"osDiskSizeGB": {
"type": "int",
"defaultValue": 0,
"maxValue": 1023,
"minValue": 0,
"metadata": {
"description": "Disk size (in GiB) to provision for each of the agent pool nodes. This value ranges from 0 to 1023. Specifying 0 will apply the default disk size for that agentVMSize."
}
},
"agentCount": {
"type": "int",
"defaultValue": 3,
"maxValue": 100,
"minValue": 1,
"metadata": {
"description": "The number of nodes for the cluster. 1 Node is enough for Dev/Test and minimum 3 nodes, is recommended for Production"
}
},
"agentVMSize": {
"type": "string",
"defaultValue": "Standard_D2s_v3",
"metadata": {
"description": "The size of the Virtual Machine."
}
},
"osType": {
"type": "string",
"defaultValue": "Linux",
"allowedValues": [
"Linux",
"Windows"
],
"metadata": {
"description": "The type of operating system."
}
}
},
"resources": [
{
"type": "Microsoft.ContainerService/managedClusters",
"apiVersion": "2020-03-01",
"name": "agentPoolProfiles_with_maxPods_fail4",
"location": "[parameters('location')]",
"sku": {
"name": "Basic",
"tier": "Free"
},
"identity": {
"type": "SystemAssigned"
},
"properties": {
"kubernetesVersion": "[parameters('kubernetesVersion')]",
"dnsPrefix": "[variables('dnsPrefix')]",
"agentPoolProfiles":[
{
"name": "agentpool",
"count": 3,
"vmSize": "[parameters('agentVMSize')]",
"osDiskSizeGB": "[parameters('osDiskSizeGB')]",
"maxPods": 28,
"type": "VirtualMachineScaleSets",
"orchestratorVersion": "[parameters('kubernetesVersion')]",
"mode": "System",
"osType": "Linux"
}
]
,
"linuxProfile": {
"adminUsername": "[parameters('linuxAdminUsername')]",
"ssh": {
"publicKeys": [
{
"keyData": "[parameters('sshRSAPublicKey')]"
}
]
}
},
"servicePrincipalProfile": {
"clientId": "msi"
},
"nodeResourceGroup": "[concat('MC_', resourceGroup().name,'_', parameters('clusterName'), '_',parameters('location'))]",
"enableRBAC": true,
"networkProfile": {
"networkPlugin": "kubenet",
"loadBalancerSku": "Basic",
"podCidr": "[parameters('podCidr')]",
"serviceCidr": "[parameters('serviceCidr')]",
"dnsServiceIP": "[parameters('dnsServiceIP')]",
"dockerBridgeCidr": "[parameters('dockerBridgeCidr')]",
"outboundType": "loadBalancer"
}
}
}


],
"outputs": {
"controlPlaneFQDN": {
"type": "string",
"value": "[reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('aksClusterName'))).fqdn]"
}
}
}
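Review bot: The fixture references parameters and a variable it never declares — `parameters('kubernetesVersion')`, `parameters('linuxAdminUsername')`, `parameters('sshRSAPublicKey')`, `parameters('clusterName')`, `parameters('podCidr')` and friends, plus `variables('dnsPrefix')` while `dnsPrefix` is declared as a parameter — so the template is not deployable as written and may trip any parameter-resolution step the ARM runner performs before the check runs; the same applies to the second fixture in this commit. The check under test only reads `properties.agentPoolProfiles[0].maxPods`, so this is presumably harmless today, but a fixture that parses cleanly end to end would keep it useful if resolution is tightened. The stray line break before the `,` after the `agentPoolProfiles` array (`]` then `,` on its own line) is valid JSON but reads as an editing accident; `],` on one line matches the passing fixture. Both fixtures also carry the same `"templateHash"` despite differing content, which suggests the metadata block was copied rather than generated.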
@@ -0,0 +1,132 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.5.6.12127",
"templateHash": "12705365244308198684"
}
},
"parameters": {
"aksClusterName": {
"type": "string",
"defaultValue": "aks101cluster-vmss",
"metadata": {
"description": "The name of the Managed Cluster resource."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "The location of AKS resource."
}
},
"dnsPrefix": {
"type": "string",
"metadata": {
"description": "Optional DNS prefix to use with hosted Kubernetes API server FQDN."
}
},
"osDiskSizeGB": {
"type": "int",
"defaultValue": 0,
"maxValue": 1023,
"minValue": 0,
"metadata": {
"description": "Disk size (in GiB) to provision for each of the agent pool nodes. This value ranges from 0 to 1023. Specifying 0 will apply the default disk size for that agentVMSize."
}
},
"agentCount": {
"type": "int",
"defaultValue": 3,
"maxValue": 100,
"minValue": 1,
"metadata": {
"description": "The number of nodes for the cluster. 1 Node is enough for Dev/Test and minimum 3 nodes, is recommended for Production"
}
},
"agentVMSize": {
"type": "string",
"defaultValue": "Standard_D2s_v3",
"metadata": {
"description": "The size of the Virtual Machine."
}
},
"osType": {
"type": "string",
"defaultValue": "Linux",
"allowedValues": [
"Linux",
"Windows"
],
"metadata": {
"description": "The type of operating system."
}
}
},
"resources": [

{
"type": "Microsoft.ContainerService/managedClusters",
"apiVersion": "2020-03-01",
"name": "agentPoolProfiles_with_maxPods_pass",
"location": "[parameters('location')]",
"sku": {
"name": "Basic",
"tier": "Free"
},
"identity": {
"type": "SystemAssigned"
},
"properties": {
"kubernetesVersion": "[parameters('kubernetesVersion')]",
"dnsPrefix": "[variables('dnsPrefix')]",
"agentPoolProfiles":[
{
"name": "agentpool",
"count": 3,
"vmSize": "[parameters('agentVMSize')]",
"osDiskSizeGB": "[parameters('osDiskSizeGB')]",
"maxPods": 51,
"type": "VirtualMachineScaleSets",
"orchestratorVersion": "[parameters('kubernetesVersion')]",
"mode": "System",
"osType": "Linux"
}
],
"linuxProfile": {
"adminUsername": "[parameters('linuxAdminUsername')]",
"ssh": {
"publicKeys": [
{
"keyData": "[parameters('sshRSAPublicKey')]"
}
]
}
},
"servicePrincipalProfile": {
"clientId": "msi"
},
"nodeResourceGroup": "[concat('MC_', resourceGroup().name,'_', parameters('clusterName'), '_',parameters('location'))]",
"enableRBAC": true,
"networkProfile": {
"networkPlugin": "kubenet",
"loadBalancerSku": "Basic",
"podCidr": "[parameters('podCidr')]",
"serviceCidr": "[parameters('serviceCidr')]",
"dnsServiceIP": "[parameters('dnsServiceIP')]",
"dockerBridgeCidr": "[parameters('dockerBridgeCidr')]",
"outboundType": "loadBalancer"
}
}
}
],
"outputs": {
"controlPlaneFQDN": {
"type": "string",
"value": "[reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('aksClusterName'))).fqdn]"
}
}
}