GCP012

Checks for service account defined for GKE nodes

Explanation

You should create and use a minimally privileged service account to run your GKE cluster instead of using the Compute Engine default service account.

Insecure Example

The following example will fail the GCP012 check.

resource "google_container_cluster" "my-cluster" {
	node_config {
	}
}

Secure Example

The following example will pass the GCP012 check.

resource "google_container_cluster" "my-cluster" {
	node_config {
		service_account = "cool-service-account@example.com"
	}
}
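Building on the secure example, the following is an added example (not part of the tfsec page) showing how the minimally privileged node service account that the explanation calls for can itself be created in Terraform and attached to the cluster. The account id, project id and location are placeholders; the IAM roles are the standard logging and monitoring roles GKE nodes need.

```hcl
# Dedicated node service account instead of the Compute Engine default one.
resource "google_service_account" "gke_nodes" {
  account_id   = "gke-node-sa"                  # placeholder name
  display_name = "GKE node service account"
}

# Only the roles nodes need to ship logs and metrics; no Editor role.
locals {
  node_sa_roles = [
    "roles/logging.logWriter",
    "roles/monitoring.metricWriter",
    "roles/monitoring.viewer",
    "roles/stackdriver.resourceMetadata.writer",
  ]
}

resource "google_project_iam_member" "gke_nodes" {
  for_each = toset(local.node_sa_roles)
  project  = "my-project-id"                    # placeholder project id
  role     = each.value
  member   = "serviceAccount:${google_service_account.gke_nodes.email}"
}

resource "google_container_cluster" "my-cluster" {
  name               = "my-cluster"
  location           = "us-central1"            # placeholder location
  initial_node_count = 1

  node_config {
    # Passes GCP012: nodes run as the least-privilege account above.
    service_account = google_service_account.gke_nodes.email
    # With a custom account, effective permissions come from IAM, so the
    # broad scope is acceptable and is what Google recommends.
    oauth_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
  }
}
```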