Kubernetes clusters should be auto-upgraded to ensure that they always contain the latest security patches.
Default Severity: critical
Explanation
Possible Impact
Not running the latest security patches on your Kubernetes cluster can make it a target for penetration.
Suggested Resolution
Set maintenance policy deterministically when auto upgrades are enabled
Insecure Example
The following example will fail the digitalocean-compute-kubernetes-auto-upgrades-not-enabled check.
resource "digitalocean_kubernetes_cluster" "foo" {
name = "foo"
region = "nyc1"
version = "1.20.2-do.0"
auto_upgrade = false
node_pool {
name = "autoscale-worker-pool"
size = "s-2vcpu-2gb"
auto_scale = true
min_nodes = 1
max_nodes = 5
}
}
Secure Example
The following example will pass the digitalocean-compute-kubernetes-auto-upgrades-not-enabled check.
resource "digitalocean_kubernetes_cluster" "foo" {
name = "foo"
region = "nyc1"
version = "1.20.2-do.0"
auto_upgrade = true
node_pool {
name = "autoscale-worker-pool"
size = "s-2vcpu-2gb"
auto_scale = true
min_nodes = 1
max_nodes = 5
}
}