We use GitHub Actions and tfsec to check our terraform code using static analysis to spot potential security issues. However, we needed to skip some checks. The list of those checks is below:
Layer | Security issue | Description | Why skipped? |
---|---|---|---|
layer1-aws/aws-eks.tf | aws-vpc-no-public-egress-sgr | Resource 'module.eks:aws_security_group_rule.cluster_egress_internet[0]' defines a fully open egress security group rule. | We use recommended option. More info |
layer1-aws/aws-eks.tf | aws-eks-enable-control-plane-logging | Resource 'module.eks:aws_eks_cluster.this[0]' is missing the control plane log type 'scheduler' | By default we enable only audit logs. Can be changed via variable eks_cluster_enabled_log_types |
layer1-aws/aws-eks.tf | aws-eks-encrypt-secrets | Resource 'module.eks:aws_eks_cluster.this[0]' has no encryptionConfigBlock block | By default encryption is disabled, but can be enabled via setting eks_cluster_encryption_config_enable = true in your tfvars file. |
layer1-aws/aws-eks.tf | aws-eks-no-public-cluster-access | Resource 'module.eks:aws_eks_cluster.this[0]' has public access is explicitly set to enabled | By default we create public accessible EKS cluster from anywhere |
layer1-aws/aws-eks.tf | aws-eks-no-public-cluster-access-to-cidr | Resource 'module.eks:aws_eks_cluster.this[0]' has public access cidr explicitly set to wide open | By default we create public accessible EKS cluster from anywhere |
layer1-aws/aws-eks.tf | aws-vpc-no-public-egress-sgr | Resource 'module.eks:aws_security_group_rule.workers_egress_internet[0]' defines a fully open egress security group rule | We use recommended option. More info |
modules/aws-ec2-pritunl/security_groups.tf | aws-vpc-no-public-egress-sgr | Resource 'module.pritunl[0]:module.ec2_sg:aws_security_group_rule.egress_with_cidr_blocks[0]' defines a fully open egress security group rule. | This is a VPN server and it need to have egress traffic to anywhere by default |
modules/aws-ec2-pritunl/security_groups.tf | aws-vpc-no-public-egress-sgr | Resource 'module.pritunl[0]:module.ec2_sg:aws_security_group_rule.ingress_with_cidr_blocks[1]' defines a fully open ingress security group rule. | This is a VPN server and by default it needs to have ingress traffic from anywhere |
modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.aws_iam_external_secrets[0]:aws_iam_role_policy.this' defines a policy with wildcarded resources. | We use this policy for external-secrets and grant it access to all secrets. |
modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.aws_iam_autoscaler[0]:aws_iam_role_policy.this' defines a policy with wildcarded resources | We use condition to allow run actions only for certain autoscaling groups |
modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.eks_alb_ingress[0]:module.aws_iam_aws_loadbalancer_controller:aws_iam_role_policy.this' defines a policy with wildcarded resources | We use recommended policy |
layer2-k8s/eks-elk.tf | general-secrets-sensitive-in-attribute-value | Block 'locals.' includes potentially sensitive data. Password literal text | tfsec complains on local.elk_metricbeat_values |
layer2-k8s/eks-elk.tf | general-secrets-sensitive-in-attribute-value | Block 'locals.' includes potentially sensitive data. Password literal text | tfsec complains on local.elk_filebeat_values |
layer2-k8s/eks-elk.tf | general-secrets-sensitive-in-attribute-value | Block 'locals.' includes potentially sensitive data. Password literal text | tfsec complains on local.elk_apm_values |
modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.aws_iam_external_dns[0]:aws_iam_role_policy.this' defines a policy with wildcarded resources | We use the policy from the documentation |
modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.aws_iam_cert_manager[0]:aws_iam_role_policy.this' defines a policy with wildcarded resources | Certmanager uses Route53 to create DNS records and validate wildcard certificates. By default we allow it to manage all zones |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.monitoring_namespace[0]:kubernetes_network_policy.this[3]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.ingress_nginx_namespace[0]:kubernetes_network_policy.this[5]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.ingress_nginx_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.external_dns_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.aws_node_termination_handler_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.reloader_namespace[0]:kubernetes_network_policy.this[2]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.loki_namespace[0]:kubernetes_network_policy.this[4]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.monitoring_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.external_secrets_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.external_secrets_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.cluster_autoscaler_namespace[0]:kubernetes_network_policy.this[2]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.certmanager_namespace[0]:kubernetes_network_policy.this[3]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.loki_namespace[0]:kubernetes_network_policy.this[3]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.cluster_autoscaler_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.certmanager_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.aws_node_termination_handler_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.ingress_nginx_namespace[0]:kubernetes_network_policy.this[4]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.certmanager_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.reloader_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.cluster_autoscaler_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.certmanager_namespace[0]:kubernetes_network_policy.this[2]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.aws_node_termination_handler_namespace[0]:kubernetes_network_policy.this[2]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.reloader_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.monitoring_namespace[0]:kubernetes_network_policy.this[2]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.loki_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.loki_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.external_dns_namespace[0]:kubernetes_network_policy.this[2]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.monitoring_namespace[0]:kubernetes_network_policy.this[4]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.loki_namespace[0]:kubernetes_network_policy.this[2]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.ingress_nginx_namespace[0]:kubernetes_network_policy.this[2]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.cluster_autoscaler_namespace[0]:kubernetes_network_policy.this[3]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.ingress_nginx_namespace[0]:kubernetes_network_policy.this[3]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.ingress_nginx_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.external_dns_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.monitoring_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.gitlab_runner_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.elk_namespace[0]:kubernetes_network_policy.this[3]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.elk_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.gitlab_runner_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.gitlab_runner_namespace[0]:kubernetes_network_policy.this[2]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.gitlab_runner_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.elk_namespace[0]:kubernetes_network_policy.this[4]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.elk_namespace[0]:kubernetes_network_policy.this[2]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.elk_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.aws_load_balancer_controller_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.aws_load_balancer_controller_namespace[0]:kubernetes_network_policy.this[3]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.aws_load_balancer_controller_namespace[0]:kubernetes_network_policy.this[2]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.aws_load_balancer_controller_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.keda_namespace[0]:kubernetes_network_policy.this[2]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.keda_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.keda_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.reloader_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.certmanager_namespace[0]:kubernetes_network_policy.this[3]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.cluster_autoscaler_namespace[0]:kubernetes_network_policy.this[3]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.external_dns_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.monitoring_namespace[0]:kubernetes_network_policy.this[3]' allows ingress traffic from the internet | We allow traffic from 0.0.0.0/0 to trigger webhooks only on certain port and certain pods |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.monitoring_namespace[0]:kubernetes_network_policy.this[4]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.loki_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.external_secrets_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.certmanager_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.ingress_nginx_namespace[0]:kubernetes_network_policy.this[5]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.loki_namespace[0]:kubernetes_network_policy.this[4]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.aws_node_termination_handler_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.reloader_namespace[0]:kubernetes_network_policy.this[2]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.ingress_nginx_namespace[0]:kubernetes_network_policy.this[2]' allows ingress traffic from the internet | We allow traffic from 0.0.0.0/0 to trigger webhooks only on certain port and certain pods |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.cluster_autoscaler_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.certmanager_namespace[0]:kubernetes_network_policy.this[2]' allows ingress traffic from the internet | We allow traffic from 0.0.0.0/0 to trigger webhooks only on certain port and certain pods |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.aws_node_termination_handler_namespace[0]:kubernetes_network_policy.this[2]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.monitoring_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.ingress_nginx_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.external_dns_namespace[0]:kubernetes_network_policy.this[2]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.ingress_nginx_namespace[0]:kubernetes_network_policy.this[3]' allows ingress traffic from the internet | We allow traffic from 0.0.0.0/0 to trigger webhooks only on certain port and certain pods |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.elk_namespace[0]:kubernetes_network_policy.this[4]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.elk_namespace[0]:kubernetes_network_policy.this[3]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.gitlab_runner_namespace[0]:kubernetes_network_policy.this[2]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.elk_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.aws_load_balancer_controller_namespace[0]:kubernetes_network_policy.this[3]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.aws_load_balancer_controller_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.aws_load_balancer_controller_namespace[0]:kubernetes_network_policy.this[2]' allows ingress traffic from the internet | We allow traffic from 0.0.0.0/0 to trigger webhooks only on certain port and certain pods |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.keda_namespace[0]:kubernetes_network_policy.this[2]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) |
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.keda_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) |