Gomboc-AI · ztalarick · Oct 1, 2025 · Oct 1, 2025 · Oct 1, 2025
@@ -0,0 +1,64 @@
+resource "google_container_cluster" "non_compliant_cluster" {
+  name     = var.cluster_name
+  location = var.location
+
+  # Enable RBAC
+  enable_legacy_abac = true
+
+  # The non-compliant setting: allow anonymous access by enabling the legacy ABAC
+  # This allows unauthenticated users (system:anonymous) to have access,
+  # which violates the CIS recommendation to avoid bindings to system:anonymous.
+
+  # Minimal required settings for a valid cluster
+  initial_node_count = 1
+
+  node_config {
+    machine_type = var.machine_type
+  }
+
+  rbac_binding_config {
+    enable_insecure_binding_system_unauthenticated = false
+  }
+}
+
+resource "google_container_cluster" "non_compliant_cluster_explicit" {
+  name     = var.cluster_name
+  location = var.location
+
+  # Enable RBAC
+  enable_legacy_abac = true
+
+  # The non-compliant setting: allow anonymous access by enabling the legacy ABAC
+  # This allows unauthenticated users (system:anonymous) to have access,
+  # which violates the CIS recommendation to avoid bindings to system:anonymous.
+
+  # Minimal required settings for a valid cluster
+  initial_node_count = 1
+
+  node_config {
+    machine_type = var.machine_type
+  }
+
+  rbac_binding_config {
+    enable_insecure_binding_system_unauthenticated = false
+  }
+}
+
+resource "google_container_cluster" "compliant_cluster" {
+  name     = var.cluster_name
+  location = var.location
+
+  # Enable RBAC
+  enable_legacy_abac = true
+
+  # Minimal required settings for a valid cluster
+  initial_node_count = 1
+
+  node_config {
+    machine_type = var.machine_type
+  }
+
+  rbac_binding_config {
+    enable_insecure_binding_system_unauthenticated = false
+  }
+}
@@ -0,0 +1,22 @@
+variable "gcp_project" {
+  type        = string
+  description = "The GCP project to create the cluster in"
+}
+
+variable "cluster_name" {
+  type        = string
+  description = "The name of the GKE cluster"
+  default     = "uut-cluster"
+}
+
+variable "location" {
+  type        = string
+  description = "The location/region for the cluster"
+  default     = "us-central1"
+}
+
+variable "machine_type" {
+  type        = string
+  description = "The machine type for the cluster nodes"
+  default     = "e2-medium"
+}
@@ -0,0 +1,16 @@
+# yaml-language-server: $schema=../../../../gomboc-schema/test-case.yaml
+
+name: Avoid bindings to system:anonymous
+
+provider: GCP
+iac:
+  language: terraform
+  version: v1.5.8
+
+canBeApplied: false
+
+benchmarkRecommendations:
+  - id: "4.1.8"
+    name: "Avoid bindings to system:anonymous"
+    benchmark: CIS Google Kubernetes Engine (GKE) Autopilot Benchmark
+    benchmarkVersion: v1.0.0
@@ -0,0 +1,57 @@
+resource "google_container_cluster" "non_compliant_cluster" {
+  name     = var.cluster_name
+  location = var.location
+
+  # Enable RBAC
+  enable_legacy_abac = true
+
+  # The non-compliant setting: allow anonymous access by enabling the legacy ABAC
+  # This allows unauthenticated users (system:anonymous) to have access,
+  # which violates the CIS recommendation to avoid bindings to system:anonymous.
+
+  # Minimal required settings for a valid cluster
+  initial_node_count = 1
+
+  node_config {
+    machine_type = var.machine_type
+  }
+}
+
+resource "google_container_cluster" "non_compliant_cluster_explicit" {
+  name     = var.cluster_name
+  location = var.location
+
+  # Enable RBAC
+  enable_legacy_abac = true
+
+  # The non-compliant setting: allow anonymous access by enabling the legacy ABAC
+  # This allows unauthenticated users (system:anonymous) to have access,
+  # which violates the CIS recommendation to avoid bindings to system:anonymous.
+
+  # Minimal required settings for a valid cluster
+  initial_node_count = 1
+
+  node_config {
+    machine_type = var.machine_type
+  }
+
+}
+
+resource "google_container_cluster" "compliant_cluster" {
+  name     = var.cluster_name
+  location = var.location
+
+  # Enable RBAC
+  enable_legacy_abac = true
+
+  # Minimal required settings for a valid cluster
+  initial_node_count = 1
+
+  node_config {
+    machine_type = var.machine_type
+  }
+
+  rbac_binding_config {
+    enable_insecure_binding_system_unauthenticated = false
+  }
+}
@@ -0,0 +1,19 @@
+# Provider config
+terraform {
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = ">= 6.13.0"
+    }
+  }
+
+  required_version = ">= 1.1.0"
+}
+
+provider "google" {
+  project = var.gcp_project
+  default_labels = {
+    "test-repo" = "rattleback",
+    "test-path" = "gcp/terraform/container-cluster-avoid-bindings-to-system-anonymous"
+  }
+}
@@ -0,0 +1,22 @@
+variable "gcp_project" {
+  type        = string
+  description = "The GCP project to create the cluster in"
+}
+
+variable "cluster_name" {
+  type        = string
+  description = "The name of the GKE cluster"
+  default     = "uut-cluster"
+}
+
+variable "location" {
+  type        = string
+  description = "The location/region for the cluster"
+  default     = "us-central1"
+}
+
+variable "machine_type" {
+  type        = string
+  description = "The machine type for the cluster nodes"
+  default     = "e2-medium"
+}