Control: 7.8 Ensure ENI multiple IP mode support for Kubernetes Cluster
Description
Alibaba Cloud ENI (Elastic Network Interface) supports assigning ranges of internal IP addresses as aliases to a single virtual machine's ENI network interfaces. This is useful if you have many services running on a VM and want to give each service a different IP address without a quota limitation.
Remediation
Only the Terway network plugin supports the Network Policy feature, so make sure not to choose Flannel as the network plugin when creating a cluster.
From Console
- Log on to the ACK console.
- Click the Create Kubernetes Cluster button and select Terway in the Network Plugin option.
Usage
Run the control in your terminal:
powerpipe control run alicloud_compliance.control.cis_v100_7_8
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run alicloud_compliance.control.cis_v100_7_8 --share
SQL
This control uses a named query:
with network_policy_enabled as (
  select
    cluster_id
  from
    alicloud_cs_kubernetes_cluster,
    jsonb_array_elements(meta_data -> 'Addons') as a
  where
    a ->> 'name' = 'terway-eniip'
    and regexp_replace(a ->> 'config', '\\"', '"', 'g') :: jsonb @> '{"IPVlan":"true"}'
)
select
  arn as resource,
  case
    when a.meta_data -> 'Addons' @> '[{"name": "flannel"}]' then 'skip'
    when n.cluster_id is null then 'alarm'
    else 'ok'
  end as status,
  case
    when a.meta_data -> 'Addons' @> '[{"name": "flannel"}]' then a.title || ' does not support IPVlan.'
    when n.cluster_id is null then a.title || ' IPVlan disabled.'
    else a.title || ' IPVlan enabled.'
  end as reason,
  a.account_id as account_id,
  a.region as region
from
  alicloud_cs_kubernetes_cluster a
  left join network_policy_enabled n on a.cluster_id = n.cluster_id;
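The query above makes two decisions per cluster: a Flannel cluster is skipped outright, and a Terway cluster only passes when a terway-eniip addon carries a config containing IPVlan set to the string "true". The config field is a JSON document stored as a string with escaped quotes, which is why the query runs regexp_replace before the ::jsonb cast. The following Python is an added example, not part of the alicloud_compliance mod, that reimplements that decision logic over constructed rows so you can see the status a cluster would get and how the escaped config string is unwrapped; the cluster titles, ARNs, account id and region are made-up placeholders.

```python
import json
import re

# Constructed sample rows shaped like alicloud_cs_kubernetes_cluster as the control's
# query reads them (title, arn, meta_data -> 'Addons'). The addon "config" value is a
# JSON document stored as a string with escaped quotes, exactly what the query's
# regexp_replace(... '\\"', '"' ...) :: jsonb step unwraps. All values are made up.
SAMPLE_CLUSTERS = [
    {   # Terway with IPVlan enabled -> ok
        "title": "cluster-ipvlan-on",
        "arn": "acs:cs:cn-hangzhou:000000000000:cluster/c-ipvlan-on",   # placeholder
        "account_id": "000000000000", "region": "cn-hangzhou",
        "meta_data": {"Addons": [
            {"name": "terway-eniip",
             "config": r'{\"IPVlan\":\"true\",\"NetworkPolicy\":\"true\"}'},
        ]},
    },
    {   # Terway installed but IPVlan switched off -> alarm
        "title": "cluster-ipvlan-off",
        "arn": "acs:cs:cn-hangzhou:000000000000:cluster/c-ipvlan-off",  # placeholder
        "account_id": "000000000000", "region": "cn-hangzhou",
        "meta_data": {"Addons": [
            {"name": "terway-eniip", "config": r'{\"IPVlan\":\"false\"}'},
        ]},
    },
    {   # No terway-eniip addon at all -> alarm (left join yields no match)
        "title": "cluster-no-terway",
        "arn": "acs:cs:cn-hangzhou:000000000000:cluster/c-no-terway",   # placeholder
        "account_id": "000000000000", "region": "cn-hangzhou",
        "meta_data": {"Addons": []},
    },
    {   # Flannel cluster: the control does not apply -> skip
        "title": "cluster-flannel",
        "arn": "acs:cs:cn-hangzhou:000000000000:cluster/c-flannel",     # placeholder
        "account_id": "000000000000", "region": "cn-hangzhou",
        "meta_data": {"Addons": [{"name": "flannel", "config": ""}]},
    },
]


def parse_addon_config(raw: str) -> dict:
    # Mirror regexp_replace(config, '\\"', '"', 'g') :: jsonb: turn each escaped
    # quote (backslash + quote) back into a plain quote, then parse the JSON.
    # Raises ValueError on malformed input, just as the ::jsonb cast would.
    return json.loads(re.sub(r'\\"', '"', raw))


def ipvlan_enabled(meta_data: dict) -> bool:
    # Equivalent of the network_policy_enabled CTE: does any terway-eniip addon
    # carry a config containing {"IPVlan": "true"}? (jsonb @> containment; note
    # the value is the string "true", not a JSON boolean.)
    for addon in meta_data.get("Addons", []):
        if addon.get("name") != "terway-eniip":
            continue
        try:
            cfg = parse_addon_config(addon.get("config") or "")
        except ValueError:
            # The SQL cast would abort the whole query on malformed config; this
            # version is more lenient and treats it as "IPVlan not enabled".
            continue
        if cfg.get("IPVlan") == "true":
            return True
    return False


def uses_flannel(meta_data: dict) -> bool:
    # meta_data -> 'Addons' @> '[{"name": "flannel"}]'
    return any(a.get("name") == "flannel" for a in meta_data.get("Addons", []))


def evaluate_cluster(cluster: dict) -> dict:
    # Same case/when ordering as the query: flannel -> skip, no IPVlan -> alarm, else ok.
    title, meta = cluster["title"], cluster["meta_data"]
    if uses_flannel(meta):
        status, reason = "skip", f"{title} does not support IPVlan."
    elif not ipvlan_enabled(meta):
        status, reason = "alarm", f"{title} IPVlan disabled."
    else:
        status, reason = "ok", f"{title} IPVlan enabled."
    return {"resource": cluster["arn"], "status": status, "reason": reason,
            "account_id": cluster["account_id"], "region": cluster["region"]}


def run_control(clusters) -> list:
    # One result row per cluster, with the same columns the named query returns.
    return [evaluate_cluster(c) for c in clusters]


if __name__ == "__main__":
    for row in run_control(SAMPLE_CLUSTERS):
        print(f"{row['status']:5}  {row['reason']}")
```

The one place this example is deliberately looser than the query is malformed addon config: Postgres aborts the whole control run when ::jsonb fails, whereas the Python version reports that cluster as an alarm and carries on, which is the behaviour you want if you are triaging a fleet rather than running the mod.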