From 73b3175197b4beb9fa4fa70d923bd72ea813180e Mon Sep 17 00:00:00 2001
From: Ricardo Maloloy-on
Date: Tue, 12 Dec 2023 19:27:07 +0800
Subject: [PATCH 1/7] IE-1164-modifying-few-templates
Signed-off-by: Ricardo Maloloy-on
---
policies/constraints/gcp_enforce_naming.yaml | 20 +++--
.../gcp_gke_node_auto_repair_v1.yaml | 79 -------------------
.../gcp_gke_node_auto_upgrade_v1.yaml | 79 -------------------
.../gke_node_pool_auto_repair.yaml | 27 +++++++
.../gke_node_pool_auto_upgrade.yaml | 32 ++++++++
policies/constraints/sql_backup.yaml | 4 +-
policies/templates/gcp_enforce_naming_v1.yaml | 4 +-
7 files changed, 73 insertions(+), 172 deletions(-)
delete mode 100644 policies/constraints/gcp_gke_node_auto_repair_v1.yaml
delete mode 100644 policies/constraints/gcp_gke_node_auto_upgrade_v1.yaml
create mode 100644 policies/constraints/gke_node_pool_auto_repair.yaml
create mode 100644 policies/constraints/gke_node_pool_auto_upgrade.yaml
diff --git a/policies/constraints/gcp_enforce_naming.yaml b/policies/constraints/gcp_enforce_naming.yaml
index 26bb0aea..d113b28b 100644
--- a/policies/constraints/gcp_enforce_naming.yaml
+++ b/policies/constraints/gcp_enforce_naming.yaml
@@ -33,30 +33,28 @@ spec:
 - "cert-self-signed-.*"
 - resource: "compute.googleapis.com/Instance" # asset_type field from inventory
 patterns:
- - "^mv-(\\w+)-(\\w+)-(\\w+)-gce-(\\d+)$"
+ - "^mv-(dev|stg|prod)-[a-z0-9]+-[a-z0-9]+-gce-[a-z0-9]+$"
 - resource: "sqladmin.googleapis.com/Instance" # asset_type field from inventory
 patterns:
- - "^cloudsql-(\\w+)-mv-(\\w+)-(\\w+)-.*"
+ - "^cloudsql-[a-z0-9]+-mv-(dev|stg|prod)-[a-z0-9]+"
 - resource: "redis.googleapis.com/Instance" # asset_type field from inventory
 patterns:
- - "^redis-(\\w+)-mv-(\\w+)-multi-app$"
+ - "^redis-[a-z0-9]+-mv-(dev|stg|prod)-multi-app$"
 - resource: "storage.googleapis.com/Bucket" # asset_type field from inventory
 patterns:
- - "^mv-(\\w+)-(\\w+)-(\\w+)$"
+ - "^mv-(dev|stg|prod)-[a-z0-9]+-[a-z0-9]+$"
 - resource: "compute.googleapis.com/Network" # asset_type field from inventory
 patterns:
- - "^mv-(\\w+)-(\\w+)-vpc-(\\d+)$"
+ - "^mv-(dev|stg|prod)-[a-z0-9]+-vpc-[a-z0-9]+$"
 - resource: "compute.googleapis.com/Subnetwork" # asset_type field from inventory
 patterns:
- - "^mv-(\\w+)-(\\w+)-(\\w+)-sn-(\\d+)$"
+ - "^mv-(dev|stg|prod)-[a-z0-9]+-[a-z0-9]+-sn-[a-z0-9]+$"
 - resource: "compute.googleapis.com/Route" # asset_type field from inventory
 patterns:
- - "^mv-(\\w+)-(\\w+)-route-(\\d+)$"
+ - "^mv-(dev|stg|prod)-[a-z0-9]+-route-[a-z0-9]+$"
 - resource: "compute.googleapis.com/Firewall" # asset_type field from inventory
 patterns:
- - "^mv-(\\w+)-allow-(\\w+)$"
- - "^mv-(\\w+)-deny-(\\w+)$"
+ - "^mv-[a-z0-9]+-(allow|deny)-(all|icmp|tcp|udp)-access$"
 - resource: "container.googleapis.com/Cluster" # asset_type field from inventory
 patterns:
- - "^mv-(\\w+)-(\\w+)-(\\w+)-gke-(\\d+)$"
-
+ - "^mv-(dev|stg|prod)-[a-z0-9]+-[a-z0-9]+-gke-[a-z0-9]+$"
diff --git a/policies/constraints/gcp_gke_node_auto_repair_v1.yaml b/policies/constraints/gcp_gke_node_auto_repair_v1.yaml
deleted file mode 100644
index 621b5f6c..00000000
--- a/policies/constraints/gcp_gke_node_auto_repair_v1.yaml
+++ /dev/null
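Review bot: The new Cloud SQL pattern `"^cloudsql-[a-z0-9]+-mv-(dev|stg|prod)-[a-z0-9]+"` drops the `$` anchor that every other pattern in this hunk keeps, and the template's `match_name` rule later in this series checks names with `re_match`, which searches rather than fully matches, so any suffix — including characters outside `[a-z0-9-]` — now passes for Cloud SQL instances. If an open-ended suffix is intended, make it explicit as the old pattern did (`-.*$`); otherwise close it with `-[a-z0-9]+$`. The redis pattern rewritten in patch 4 (`"^redis-[a-z0-9]+-mv-(dev|stg|prod)-[a-z0-9]+"`) has the same gap. The `spec:` list these entries belong to starts before the hunk.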
@@ -1,79 +0,0 @@
-# Copyright 2019 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# Check to see if auto repair is disabled on node pool.
-# https://cloud.google.com/kubernetes-engine/docs/how-to/node-auto-repair
-
-apiVersion: templates.gatekeeper.sh/v1alpha1
-kind: ConstraintTemplate
-metadata:
- name: gcp-gke-node-auto-repair-v1
-spec:
- crd:
- spec:
- names:
- kind: GCPGKENodeAutoRepairConstraintV1
- validation:
- openAPIV3Schema:
- properties: {}
- targets:
- validation.gcp.forsetisecurity.org:
- rego: | #INLINE("validator/gke_node_auto_repair.rego")
- #
- # Copyright 2018 Google LLC
- #
- # Licensed under the Apache License, Version 2.0 (the "License");
- # you may not use this file except in compliance with the License.
- # You may obtain a copy of the License at
- #
- # http://www.apache.org/licenses/LICENSE-2.0
- #
- # Unless required by applicable law or agreed to in writing, software
- # distributed under the License is distributed on an "AS IS" BASIS,
- # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- # See the License for the specific language governing permissions and
- # limitations under the License.
- #
-
- package templates.gcp.GCPGKENodeAutoRepairConstraintV1
-
- import data.validator.gcp.lib as lib
-
- deny[{
- "msg": message,
- "details": metadata,
- }] {
- constraint := input.constraint
- asset := input.asset
- asset.asset_type == "container.googleapis.com/Cluster"
-
- container := asset.resource.data
- node_pools := lib.get_default(container, "nodePools", [])
- node_pool := node_pools[_]
- not auto_repair_enabled(node_pool)
-
- message := sprintf("Auto repair is not enabled on node pool '%v'.", [node_pool.name])
-
- metadata := {"resource": asset.name, "node_pool": node_pool.name}
- }
-
- ###########################
- # Rule Utilities
- ###########################
- auto_repair_enabled(node_pool) {
- management := lib.get_default(node_pool, "management", {})
- auto_repair_enabled := lib.get_default(management, "autoRepair", false)
- auto_repair_enabled == true
- }
- #ENDINLINE
diff --git a/policies/constraints/gcp_gke_node_auto_upgrade_v1.yaml b/policies/constraints/gcp_gke_node_auto_upgrade_v1.yaml
deleted file mode 100644
index 9c2f361b..00000000
--- a/policies/constraints/gcp_gke_node_auto_upgrade_v1.yaml
+++ /dev/null
@@ -1,79 +0,0 @@
-# Copyright 2019 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# Check to see if auto upgrade is disabled on node pool.
-# https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#automatically_upgrade_your_nodes
-
-apiVersion: templates.gatekeeper.sh/v1alpha1
-kind: ConstraintTemplate
-metadata:
- name: gcp-gke-node-auto-upgrade-v1
-spec:
- crd:
- spec:
- names:
- kind: GCPGKENodeAutoUpgradeConstraintV1
- validation:
- openAPIV3Schema:
- properties: {}
- targets:
- validation.gcp.forsetisecurity.org:
- rego: | #INLINE("validator/gke_node_auto_upgrade.rego")
- #
- # Copyright 2018 Google LLC
- #
- # Licensed under the Apache License, Version 2.0 (the "License");
- # you may not use this file except in compliance with the License.
- # You may obtain a copy of the License at
- #
- # http://www.apache.org/licenses/LICENSE-2.0
- #
- # Unless required by applicable law or agreed to in writing, software
- # distributed under the License is distributed on an "AS IS" BASIS,
- # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- # See the License for the specific language governing permissions and
- # limitations under the License.
- #
-
- package templates.gcp.GCPGKENodeAutoUpgradeConstraintV1
-
- import data.validator.gcp.lib as lib
-
- deny[{
- "msg": message,
- "details": metadata,
- }] {
- constraint := input.constraint
- asset := input.asset
- asset.asset_type == "container.googleapis.com/Cluster"
-
- container := asset.resource.data
- node_pools := lib.get_default(container, "nodePools", [])
- node_pool := node_pools[_]
- not auto_upgrade_enabled(node_pool)
-
- message := sprintf("Auto upgrade is not enabled on node pool '%v'.", [node_pool.name])
-
- metadata := {"resource": asset.name, "node_pool": node_pool.name}
- }
-
- ###########################
- # Rule Utilities
- ###########################
- auto_upgrade_enabled(node_pool) {
- management := lib.get_default(node_pool, "management", {})
- auto_upgrade_enabled := lib.get_default(management, "autoUpgrade", false)
- auto_upgrade_enabled == true
- }
- #ENDINLINE
diff --git a/policies/constraints/gke_node_pool_auto_repair.yaml b/policies/constraints/gke_node_pool_auto_repair.yaml
new file mode 100644
index 00000000..b974f990
--- /dev/null
+++ b/policies/constraints/gke_node_pool_auto_repair.yaml
@@ -0,0 +1,27 @@
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+apiVersion: constraints.gatekeeper.sh/v1alpha1
+kind: GCPGKENodeAutoRepairConstraintV1
+metadata:
+ name: enable_auto_repair
+ annotations:
+ description: Ensure automatic node repair is enabled on all node pools in a GKE cluster
+ # This constraint is not certified by CIS.
+ bundles.validator.forsetisecurity.org/cis-v1.1: 7.07
+ bundles.validator.forsetisecurity.org/scorecard-v1: security
+spec:
+ severity: high
+
+ parameters: {}
diff --git a/policies/constraints/gke_node_pool_auto_upgrade.yaml b/policies/constraints/gke_node_pool_auto_upgrade.yaml
new file mode 100644
index 00000000..15326da9
--- /dev/null
+++ b/policies/constraints/gke_node_pool_auto_upgrade.yaml
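Review bot: The new constraint declares `kind: GCPGKENodeAutoRepairConstraintV1`, but the only ConstraintTemplate defining that kind visible in this series is the one this same commit deletes (`policies/constraints/gcp_gke_node_auto_repair_v1.yaml`), and the diffstat touches no file of that name under `policies/templates/`; unless the template already exists there, this constraint has nothing to bind to and will fail to load — worth confirming before merge. Unlike its sibling `gke_node_pool_auto_upgrade.yaml` added in the same commit, this file also has no `match:` block; for the two node-pool constraints to be scoped the same way, add `match:` / `ancestries:` / `- "organizations/**"` here rather than relying on the default scope. The `cis-v1.1: 7.07` bundle annotation sits directly under a comment saying the constraint is not CIS-certified, so either confirm the control number or drop the tag.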
@@ -0,0 +1,32 @@
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+apiVersion: constraints.gatekeeper.sh/v1alpha1
+kind: GCPGKENodeAutoUpgradeConstraintV1
+metadata:
+ name: enable_auto_upgrade
+ annotations:
+ description: Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes
+ # This constraint has not been validated by the formal CIS certification process.
+ bundles.validator.forsetisecurity.org/cis-v1.0: 7.08
+ bundles.validator.forsetisecurity.org/cis-v1.1: 7.08
+ bundles.validator.forsetisecurity.org/gke-hardening-v2019.11.11: ENABLED_NODE_AUTO_UPGRADE
+ bundles.validator.forsetisecurity.org/gke-hardening-v2022: ENABLED_NODE_AUTO_UPGRADE
+ bundles.validator.forsetisecurity.org/scorecard-v1: security
+spec:
+ severity: high
+ match:
+ ancestries:
+ - "organizations/**"
+ parameters: {}
diff --git a/policies/constraints/sql_backup.yaml b/policies/constraints/sql_backup.yaml
index e9bd8848..f297e212 100644
--- a/policies/constraints/sql_backup.yaml
+++ b/policies/constraints/sql_backup.yaml
@@ -13,6 +13,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
+# Applied only for 'mv-dev-ricardo' project ID
+# - "projects/mv-dev-ricardo"
 apiVersion: constraints.gatekeeper.sh/v1alpha1
 kind: GCPSQLBackupConstraintV1
@@ -24,4 +26,4 @@ spec:
 severity: high
 match:
 ancestries:
- - "organizations/**"
+ - "organizations/**" # Applied to All Projects
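Review bot: The description of the new auto-upgrade constraint, `Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes`, has a number-agreement error and inconsistent capitalisation compared with the sibling file added in this commit; since it is surfaced verbatim in findings and scorecards, change it to `description: Ensure automatic node upgrades are enabled on all node pools in a GKE cluster` so the two node-pool constraints read alike. As with its sibling, the referenced kind's template is deleted from `policies/constraints/` in this same commit, so confirm `GCPGKENodeAutoUpgradeConstraintV1` is still defined under `policies/templates/`.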
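Review bot: In sql_backup.yaml the new header comment `# Applied only for 'mv-dev-ricardo' project ID` contradicts the file's own `match:` block, whose only ancestry is still `- "organizations/**" # Applied to All Projects` in the second hunk; a reader of the header will believe the backup check is scoped to one project when it applies org-wide. If the comment is meant as a scoping hint, phrase it as one, e.g. `# To limit this constraint to a single project, replace the ancestry below with "projects/<project-id>"`, and drop the project-specific line.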
diff --git a/policies/templates/gcp_enforce_naming_v1.yaml b/policies/templates/gcp_enforce_naming_v1.yaml
index 648c64c8..528f756f 100644
--- a/policies/templates/gcp_enforce_naming_v1.yaml
+++ b/policies/templates/gcp_enforce_naming_v1.yaml
@@ -76,7 +76,7 @@ spec:
 no_name_match(name, patterns)
 trace(sprintf("no match name:%v, patterns:%v", [name, patterns]))
- message := sprintf("%v does not obey the naming convention. Full address: %v", [name, asset.name])
+ message := sprintf("Does not obey the naming convention %v. Full address - %v", [name, asset.name])
 metadata := {
 "asset_name": name,
 "asset_full_address": asset.name,
@@ -105,4 +105,4 @@ spec:
 match_name(name, patterns) {
 re_match(patterns[_], name)
 }
- #ENDINLINE
\ No newline at end of file
+ #ENDINLINE
From f0fab465b1b175217385f1833e5e3b0c1f83527b Mon Sep 17 00:00:00 2001
From: Ricardo Maloloy-on
Date: Wed, 13 Dec 2023 13:59:25 +0800
Subject: [PATCH 2/7] feat(policy): update naming convention
Signed-off-by: Ricardo Maloloy-on
---
policies/constraints/gcp_enforce_naming.yaml | 2 +-
policies/constraints/storage_location.yaml | 4 ++++
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/policies/constraints/gcp_enforce_naming.yaml b/policies/constraints/gcp_enforce_naming.yaml
index d113b28b..c826b75e 100644
--- a/policies/constraints/gcp_enforce_naming.yaml
+++ b/policies/constraints/gcp_enforce_naming.yaml
@@ -51,7 +51,7 @@ spec:
 - "^mv-(dev|stg|prod)-[a-z0-9]+-[a-z0-9]+-sn-[a-z0-9]+$"
 - resource: "compute.googleapis.com/Route" # asset_type field from inventory
 patterns:
- - "^mv-(dev|stg|prod)-[a-z0-9]+-route-[a-z0-9]+$"
+ - "^mv-(dev|stg|prod)-[a-z0-9]+-[a-z0-9]+-route-[a-z0-9]+$"
 - resource: "compute.googleapis.com/Firewall" # asset_type field from inventory
 patterns:
 - "^mv-[a-z0-9]+-(allow|deny)-(all|icmp|tcp|udp)-access$"
diff --git a/policies/constraints/storage_location.yaml b/policies/constraints/storage_location.yaml
index 79cc0ede..9371c95b 100644
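Review bot: The reworded message `"Does not obey the naming convention %v. Full address - %v"` reads as if the first `%v` were the convention rather than the offending name, so a finding such as "Does not obey the naming convention mv-foo." is harder to act on than the old subject-first form; keep the name as the subject, e.g. `message := sprintf("Name '%v' does not obey the naming convention. Full address: %v", [name, asset.name])`. The same subject-last rewording is applied in patch 3 to gcp_gke_legacy_abac_v1 (`"Has legacy ABAC enabled %v."`), gcp_gke_master_authorized_networks_enabled_v1 and gcp_gke_restrict_client_auth_methods_v1 (`"Has client certificate or static password authentication enabled %v."`), and anything downstream that keys on the old message text (ticketing, dashboards) will stop matching, so either keep the original wording or note the new format in the commit description. The deny rule these lines belong to starts before the hunk.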
--- a/policies/constraints/storage_location.yaml
+++ b/policies/constraints/storage_location.yaml
@@ -28,5 +28,9 @@ spec:
 parameters:
 mode: "allowlist"
 locations:
+ - us-central1
+ - us-east4
+ - southamerica-east1
+ - europe-west3
 - asia-southeast1
 exemptions: []
From 47d71a51e722fcbdca101c0401adfa1571e9a1b0 Mon Sep 17 00:00:00 2001
From: Ricardo Maloloy-on
Date: Thu, 14 Dec 2023 13:10:18 +0800
Subject: [PATCH 3/7] feat(policy-library): update templates and constraint
Signed-off-by: Ricardo Maloloy-on
---
policies/constraints/iam_required_roles.yaml | 2 +-
policies/templates/gcp_gke_legacy_abac_v1.yaml | 2 +-
.../gcp_gke_master_authorized_networks_enabled_v1.yaml | 2 +-
policies/templates/gcp_gke_restrict_client_auth_methods_v1.yaml | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/policies/constraints/iam_required_roles.yaml b/policies/constraints/iam_required_roles.yaml
index 52397947..6b0f0eb9 100644
--- a/policies/constraints/iam_required_roles.yaml
+++ b/policies/constraints/iam_required_roles.yaml
@@ -25,4 +25,4 @@ spec:
 members:
 - "user:*@mindvalley.com"
 - "group:*@mindvalley.com"
- # - "user:required-user@random-group.com"
+ - "user:tech-sre-members@mindvalley.com"
diff --git a/policies/templates/gcp_gke_legacy_abac_v1.yaml b/policies/templates/gcp_gke_legacy_abac_v1.yaml
index 252271c6..2a4f4acd 100644
--- a/policies/templates/gcp_gke_legacy_abac_v1.yaml
+++ b/policies/templates/gcp_gke_legacy_abac_v1.yaml
@@ -61,7 +61,7 @@ spec:
 enabled := legacy_abac_enabled(container)
 enabled == true
- message := sprintf("%v has legacy ABAC enabled.", [asset.name])
+ message := sprintf("Has legacy ABAC enabled %v.", [asset.name])
 metadata := {"resource": asset.name}
 }
diff --git a/policies/templates/gcp_gke_master_authorized_networks_enabled_v1.yaml b/policies/templates/gcp_gke_master_authorized_networks_enabled_v1.yaml
index 9a710cb8..8ac6f84a 100644
--- a/policies/templates/gcp_gke_master_authorized_networks_enabled_v1.yaml
+++ b/policies/templates/gcp_gke_master_authorized_networks_enabled_v1.yaml
@@ -70,7 +70,7 @@ spec:
 forbidden := forbidden_networks(cluster, params)
 count(forbidden) > 0
- message := sprintf("%v master is accessible from unauthorized networks: %v", [asset.name, forbidden])
+ message := sprintf("Master %v is accessible from unauthorized networks - %v", [asset.name, forbidden])
 metadata := {"resource": asset.name}
 }
diff --git a/policies/templates/gcp_gke_restrict_client_auth_methods_v1.yaml b/policies/templates/gcp_gke_restrict_client_auth_methods_v1.yaml
index f41e322b..4da39c87 100644
--- a/policies/templates/gcp_gke_restrict_client_auth_methods_v1.yaml
+++ b/policies/templates/gcp_gke_restrict_client_auth_methods_v1.yaml
@@ -63,7 +63,7 @@ spec:
 not check_all_disabled(master_auth, cluster_version)
- message := sprintf("%v has client certificate or static password authentication enabled.", [asset.name])
+ message := sprintf("Has client certificate or static password authentication enabled %v.", [asset.name])
 metadata := {"resource": asset.name}
 }
From c61587ba6f3c5731eff5dd40eaea1730ba7c4a6f Mon Sep 17 00:00:00 2001
From: Ricardo Maloloy-on
Date: Tue, 19 Dec 2023 15:32:57 +0800
Subject: [PATCH 4/7] feat(policy-library): update the naming convention within redis
Signed-off-by: Ricardo Maloloy-on
---
policies/constraints/gcp_enforce_naming.yaml | 2 +-
policies/templates/gcp_iam_required_bindings_v1.yaml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policies/constraints/gcp_enforce_naming.yaml b/policies/constraints/gcp_enforce_naming.yaml
index c826b75e..a563a392 100644
--- a/policies/constraints/gcp_enforce_naming.yaml
+++ b/policies/constraints/gcp_enforce_naming.yaml
@@ -39,7 +39,7 @@ spec:
 - "^cloudsql-[a-z0-9]+-mv-(dev|stg|prod)-[a-z0-9]+"
 - resource: "redis.googleapis.com/Instance" # asset_type field from inventory
 patterns:
- - "^redis-[a-z0-9]+-mv-(dev|stg|prod)-multi-app$"
+ - "^redis-[a-z0-9]+-mv-(dev|stg|prod)-[a-z0-9]+"
 - resource: "storage.googleapis.com/Bucket" # asset_type field from inventory
 patterns:
 - "^mv-(dev|stg|prod)-[a-z0-9]+-[a-z0-9]+$"
diff --git a/policies/templates/gcp_iam_required_bindings_v1.yaml b/policies/templates/gcp_iam_required_bindings_v1.yaml
index 3ce989b1..a6f11830 100644
--- a/policies/templates/gcp_iam_required_bindings_v1.yaml
+++ b/policies/templates/gcp_iam_required_bindings_v1.yaml
@@ -99,7 +99,7 @@ spec:
 metadata := {
 "resource": asset.name,
- "required_member": params_member,
+ "required_member": params_member,
 "role": role,
 }
 }
From c57f880ce06f7812e66ca80fe58283a8fc4e62c3 Mon Sep 17 00:00:00 2001
From: Ricardo Maloloy-on
Date: Fri, 22 Dec 2023 17:33:31 +0800
Subject: [PATCH 5/7] chore(policy-library): update and remove few constraints but it will apply in the future if needed
Signed-off-by: Ricardo Maloloy-on
---
.../constraints/bigquery_table_retention.yaml | 29 ----------------
policies/constraints/bq_dataset_location.yaml | 28 ----------------
policies/constraints/compute_zone.yaml | 30 -----------------
.../gke_allow_only_private_cluster.yaml | 1 +
.../gke_allowed_node_sa_scope.yaml | 1 +
.../constraints/gke_cluster_location.yaml | 1 +
policies/constraints/gke_cluster_version.yaml | 31 -----------------
.../gke_container_optimized_os.yaml | 1 +
.../gke_enable_shielded_nodes.yaml | 33 -------------------
.../constraints/gke_restrict_pod_traffic.yaml | 1 +
policies/constraints/iam_required_roles.yaml | 4 +--
.../constraints/network_restrict_default.yaml | 26 ---------------
policies/constraints/sql_location.yaml | 1 +
policies/constraints/sql_public_ip.yaml | 17 +++++++++-
.../constraints/vpc_sc_allowlist_regions.yaml | 1 +
15 files changed, 25 insertions(+), 180 deletions(-)
delete mode 100644 policies/constraints/bigquery_table_retention.yaml
delete mode 100644 policies/constraints/bq_dataset_location.yaml
delete mode 100644 policies/constraints/compute_zone.yaml
delete mode 100644 policies/constraints/gke_cluster_version.yaml
delete mode 100644 policies/constraints/gke_enable_shielded_nodes.yaml
delete mode 100644 policies/constraints/network_restrict_default.yaml
diff --git a/policies/constraints/bigquery_table_retention.yaml b/policies/constraints/bigquery_table_retention.yaml
deleted file mode 100644
index d07cb8de..00000000
--- a/policies/constraints/bigquery_table_retention.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-apiVersion: constraints.gatekeeper.sh/v1alpha1
-kind: GCPBigQueryTableRetentionConstraintV1
-metadata:
- name: bq_table_minimum_maximum_retention
- annotations:
- description: Checks if a BigQuery table violates retention policy.
-spec:
- severity: high
- match:
- ancestries:
- - "organizations/**"
- parameters:
- minimum_retention_days: 100
- maximum_retention_days: 200
- exemptions: []
diff --git a/policies/constraints/bq_dataset_location.yaml b/policies/constraints/bq_dataset_location.yaml
deleted file mode 100644
index 8188fabf..00000000
--- a/policies/constraints/bq_dataset_location.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-# Copyright 2019 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-apiVersion: constraints.gatekeeper.sh/v1alpha1
-kind: GCPBigQueryDatasetLocationConstraintV1
-metadata:
- name: bq_dataset_allowed_locations
- annotations:
- description: Checks in which locations BigQuery datasets exist.
- bundles.validator.forsetisecurity.org/healthcare-baseline-v1: security
-spec:
- severity: high
- parameters:
- mode: "allowlist"
- locations:
- - EU
- exemptions: []
diff --git a/policies/constraints/compute_zone.yaml b/policies/constraints/compute_zone.yaml
deleted file mode 100644
index e6651d46..00000000
--- a/policies/constraints/compute_zone.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-# Copyright 2019 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-apiVersion: constraints.gatekeeper.sh/v1alpha1
-kind: GCPComputeZoneConstraintV1
-metadata:
- name: compute_zone_allowlist_one
- annotations:
- description: Checks the instances and Persistent Disks are in desired zones.
-spec:
- severity: high
- parameters:
- mode: "allowlist"
- zones:
- - us-central1-.*
- - us-east4-.*
- - europe-west3-.*
- - southamerica-east1-.*
- exemptions: []
diff --git a/policies/constraints/gke_allow_only_private_cluster.yaml b/policies/constraints/gke_allow_only_private_cluster.yaml
index fabb78ba..c02e3a7c 100644
--- a/policies/constraints/gke_allow_only_private_cluster.yaml
+++ b/policies/constraints/gke_allow_only_private_cluster.yaml
@@ -12,6 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
+# master_ipv4_cidr_block = "192.168.5.0/28"
 apiVersion: constraints.gatekeeper.sh/v1alpha1
 kind: GCPGKEPrivateClusterConstraintV1
 metadata:
diff --git a/policies/constraints/gke_allowed_node_sa_scope.yaml b/policies/constraints/gke_allowed_node_sa_scope.yaml
index fa07993a..cc668a7e 100644
--- a/policies/constraints/gke_allowed_node_sa_scope.yaml
+++ b/policies/constraints/gke_allowed_node_sa_scope.yaml
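Review bot: The header comment added to gke_allow_only_private_cluster.yaml, `# master_ipv4_cidr_block = "192.168.5.0/28"`, is a Terraform attribute pasted with no indication of how it relates to a constraint that, going by its kind, checks that clusters are private; a later reader cannot tell whether it is a requirement, an example, or a leftover from testing. Either explain it, e.g. `# Example Terraform setting used when creating a private control plane: master_ipv4_cidr_block = "192.168.5.0/28"`, or remove it. The same kind of context-free snippet is added to the headers of gke_allowed_node_sa_scope.yaml, gke_container_optimized_os.yaml and gke_restrict_pod_traffic.yaml in this commit; the last of these names `gcloud container clusters update` without the flag it has in mind, so it documents nothing as written.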
@@ -12,6 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
+# - "projects/mv-dev-ricardo" -- For specific project only (ancestries)
 apiVersion: constraints.gatekeeper.sh/v1alpha1
 kind: GCPGKEAllowedNodeSAConstraintV1
 metadata:
diff --git a/policies/constraints/gke_cluster_location.yaml b/policies/constraints/gke_cluster_location.yaml
index 8cba05ff..d9c84e07 100644
--- a/policies/constraints/gke_cluster_location.yaml
+++ b/policies/constraints/gke_cluster_location.yaml
@@ -29,4 +29,5 @@ spec:
 locations:
 - us-central1
 - us-east4
+ - asia-southeast1
 exemptions: []
diff --git a/policies/constraints/gke_cluster_version.yaml b/policies/constraints/gke_cluster_version.yaml
deleted file mode 100644
index 2d806586..00000000
--- a/policies/constraints/gke_cluster_version.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-apiVersion: constraints.gatekeeper.sh/v1alpha1
-kind: GKEClusterVersionConstraintV1
-metadata:
- name: gke-cluster-version
- annotations:
- description: Checks if a GKE cluster is using a master version type other than 1.27.3-gke.100.
-spec:
- severity: high
- match:
- ancestries:
- - "organizations/**"
- parameters:
- mode: "allowlist"
- version_type: "master"
- versions:
- - 1.27.3-gke.100
- exemptions: []
diff --git a/policies/constraints/gke_container_optimized_os.yaml b/policies/constraints/gke_container_optimized_os.yaml
index e1e92396..b71bb62a 100644
--- a/policies/constraints/gke_container_optimized_os.yaml
+++ b/policies/constraints/gke_container_optimized_os.yaml
@@ -12,6 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
+# - "projects/mv-dev-ricardo" -- For specific project only (ancestries)
 apiVersion: constraints.gatekeeper.sh/v1alpha1
 kind: GCPGKEContainerOptimizedOSConstraintV1
 metadata:
diff --git a/policies/constraints/gke_enable_shielded_nodes.yaml b/policies/constraints/gke_enable_shielded_nodes.yaml
deleted file mode 100644
index a92736d2..00000000
--- a/policies/constraints/gke_enable_shielded_nodes.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-# Copyright 2019 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-###############################
-# shielded_instance_config {
-# enable_secure_boot = true
-# }
-###############################
-
-apiVersion: constraints.gatekeeper.sh/v1alpha1
-kind: GCPGKEEnableShieldedNodesConstraintV1
-metadata:
- name: enable_gke_shielded_nodes
- annotations:
- description: Checks that GKE is using Shielded nodes (secure boot).
- bundles.validator.forsetisecurity.org/gke-hardening-v2022: ENABLE_SHIELDED_GKE_NODES
-spec:
- severity: high
- match:
- ancestries:
- - "organizations/**"
- parameters: {}
diff --git a/policies/constraints/gke_restrict_pod_traffic.yaml b/policies/constraints/gke_restrict_pod_traffic.yaml
index d8e11a2e..37515aa0 100644
--- a/policies/constraints/gke_restrict_pod_traffic.yaml
+++ b/policies/constraints/gke_restrict_pod_traffic.yaml
@@ -12,6 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
+# equivalent to this command (gcloud container clusters update)
 apiVersion: constraints.gatekeeper.sh/v1alpha1
 kind: GCPGKERestrictPodTrafficConstraintV2
 metadata:
diff --git a/policies/constraints/iam_required_roles.yaml b/policies/constraints/iam_required_roles.yaml
index 6b0f0eb9..500bf973 100644
--- a/policies/constraints/iam_required_roles.yaml
+++ b/policies/constraints/iam_required_roles.yaml
@@ -11,7 +11,8 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-
+#
+# - "user:distribution-list@mindvalley.com" -- other domain would be acceptable
 apiVersion: constraints.gatekeeper.sh/v1alpha1
 kind: GCPIAMRequiredBindingsConstraintV1
 metadata:
@@ -25,4 +26,3 @@ spec:
 members:
 - "user:*@mindvalley.com"
 - "group:*@mindvalley.com"
- - "user:tech-sre-members@mindvalley.com"
diff --git a/policies/constraints/network_restrict_default.yaml b/policies/constraints/network_restrict_default.yaml
deleted file mode 100644
index fbe640b5..00000000
--- a/policies/constraints/network_restrict_default.yaml
+++ /dev/null
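Review bot: The new header comment in iam_required_roles.yaml, `# - "user:distribution-list@mindvalley.com" -- other domain would be acceptable`, contradicts itself: the example is in the same `mindvalley.com` domain that the two wildcard entries under `members:` already cover, so it does not show "another domain", and it is unclear whether "acceptable" means such an entry may be added to the list or that the policy tolerates it. State the actual rule instead, e.g. `# Members outside mindvalley.com, or single addresses, must be listed explicitly under members below`, or drop the comment. The removal of `- "user:tech-sre-members@mindvalley.com"` in the second hunk is fine, but an entry of that shape would have needed the `group:` prefix if it is a Google Group, since a `user:` member never matches a `group:` binding; worth a one-line comment so it is not re-added the same way.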
@@ -1,26 +0,0 @@
-# Copyright 2019 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-apiVersion: constraints.gatekeeper.sh/v1alpha1
-kind: GCPNetworkRestrictDefaultV1
-metadata:
- name: network_restrict_default
- annotations:
- description: "Restrict default networks with open firewall rules"
-spec:
- severity: high
- match:
- ancestries:
- - "organizations/**"
- parameters: {}
diff --git a/policies/constraints/sql_location.yaml b/policies/constraints/sql_location.yaml
index ed9b9874..9deed9b0 100644
--- a/policies/constraints/sql_location.yaml
+++ b/policies/constraints/sql_location.yaml
@@ -32,4 +32,5 @@ spec:
 - us-east4
 - europe-west3
 - southamerica-east1
+ - asia-southeast1
 exemptions: []
diff --git a/policies/constraints/sql_public_ip.yaml b/policies/constraints/sql_public_ip.yaml
index 0e313027..aa77f0a3 100644
--- a/policies/constraints/sql_public_ip.yaml
+++ b/policies/constraints/sql_public_ip.yaml
@@ -26,5 +26,20 @@ spec:
 severity: high
 match:
 ancestries:
- - "organizations/**"
+ - "projects/mindvalleyadvertisingai"
+ - "projects/mv-blogs"
+ - "projects/mv-prod-coaching"
+ - "projects/mv-prod-linode"
+ - "projects/mv-prod-overmind2"
+ - "projects/mv-prod-spaces"
+ - "projects/mv-stg-coaching"
+ - "projects/mv-stg-connect"
+ - "projects/mv-stg-insights"
+ - "projects/mv-stg-lifebook"
+ - "projects/mv-stg-lifebook"
+ - "projects/mv-stg-overmind2"
+ - "projects/mv-stg-spaces"
+ - "projects/mv-stg-stories"
+ - "projects/mv-stg-usermanager"
+ # - "organizations/**"
 excludedAncestries: [] # optional, default is no exclusions
diff --git a/policies/constraints/vpc_sc_allowlist_regions.yaml b/policies/constraints/vpc_sc_allowlist_regions.yaml
index 598deed5..82a61943 100644
--- a/policies/constraints/vpc_sc_allowlist_regions.yaml
+++ b/policies/constraints/vpc_sc_allowlist_regions.yaml
@@ -30,3 +30,4 @@ spec:
 - us-east4
 - europe-west3
 - southamerica-east1
+ - asia-southeast1
From 2ad5f925237bd88ced54ade0d9e71cd22c15b72b Mon Sep 17 00:00:00 2001
From: Ricardo Maloloy-on
Date: Thu, 4 Jan 2024 11:17:28 +0800
Subject: [PATCH 6/7] feat(policy-library): modified gcs public access and vm external IP
Signed-off-by: Ricardo Maloloy-on
---
.../constraints/storage_denylist_public.yaml | 12 ++++++++++-
policies/constraints/vm_external_ip.yaml | 21 +++++++++++++++----
2 files changed, 28 insertions(+), 5 deletions(-)
diff --git a/policies/constraints/storage_denylist_public.yaml b/policies/constraints/storage_denylist_public.yaml
index 70988077..4562c81f 100644
--- a/policies/constraints/storage_denylist_public.yaml
+++ b/policies/constraints/storage_denylist_public.yaml
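Review bot: Replacing `- "organizations/**"` under `ancestries` with an enumerated list of fifteen projects means every project not on the list — including any created after this commit — is silently outside the Cloud SQL public-IP check, and the commit message does not say whether that is the intent or whether these projects were meant to be exempt; if they are the exceptions, the list belongs under `excludedAncestries:` with `- "organizations/**"` restored, which is the shape this same series adopts for storage_denylist_public.yaml in patch 6. Either way each project-level entry should carry a reason, e.g. `- "projects/mv-stg-lifebook" # <why a public IP is required>`, so the scope can be re-reviewed. `- "projects/mv-stg-lifebook"` also appears twice. The `match:` block is inside the hunk but the constraint's metadata above it is not.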
@@ -26,6 +26,16 @@ spec:
 match:
 ancestries:
 - "organizations/**"
- excludedAncestries: [] # optional, default is no exclusions
+ excludedAncestries:
+ - "projects/event-stream-staging"
+ - "projects/mv-auxiliary"
+ - "projects/mv-blogs"
+ - "projects/mv-brain"
+ - "projects/mv-dev-mulail"
+ - "projects/mv-dev-ricardo"
+ - "projects/mv-page-builder"
+ - "projects/mv-page-builder-stg"
+ - "projects/mv-prod-linode"
+ - "projects/mv-stg-auxiliary"
 parameters:
 exemptions: [] # optional, default is no exemptions
diff --git a/policies/constraints/vm_external_ip.yaml b/policies/constraints/vm_external_ip.yaml
index 2254bce5..f39b2090 100644
--- a/policies/constraints/vm_external_ip.yaml
+++ b/policies/constraints/vm_external_ip.yaml
@@ -24,12 +24,25 @@ spec:
 severity: high
 parameters:
 # modes can be [allowlist, denylist]
- mode: allowlist
+ mode: denylist
 # match_mode can be [exact, regex], default is exact.
 match_mode: regex
 instances: []
- # regex example:
- # - //compute.googleapis.com/projects/mv-dev-ricardo/.*
- # exact match example:
+ # regex example:
+ - //compute.googleapis.com/projects/event-stream-staging/.*
+ - //compute.googleapis.com/projects/mindvalley-event-stream/.*
+ - //compute.googleapis.com/projects/mv-brain/.*
+ - //compute.googleapis.com/projects/mv-dev-ricardo/.*
+ - //compute.googleapis.com/projects/mv-etl-staging/.*
+ - //compute.googleapis.com/projects/mv-gdrive-portal/.*
+ - //compute.googleapis.com/projects/mv-page-builder-stg/.*
+ - //compute.googleapis.com/projects/mv-prod-careers/.*
+ - //compute.googleapis.com/projects/mv-prod-linode/.*
+ - //compute.googleapis.com/projects/mv-prod-stories/.*
+ - //compute.googleapis.com/projects/mv-stg-applications-hub/.*
+ - //compute.googleapis.com/projects/mv-stg-brain/.*
+ - //compute.googleapis.com/projects/mv-stg-stories/.*
+
+ # exact match example:
 # - //compute.googleapis.com/projects/mv-dev-ricardo/zones/us-east1-b/instances/vm-external-ip
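Review bot: Listing ten projects under `excludedAncestries` in storage_denylist_public.yaml removes every bucket in those projects from the public-access check, which is broader than the per-bucket `parameters.exemptions` list the file already carries (`exemptions: [] # optional, default is no exemptions`); if only particular public buckets are intentional, name them there so buckets created later in those projects stay covered. Each project-level exclusion should also record why it exists, e.g. `- "projects/mv-blogs" # <reason public buckets are expected here>`, so the exception list can be re-reviewed and pruned.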
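Review bot: In vm_external_ip.yaml the context line `instances: []` is kept and the new `- //compute.googleapis.com/projects/.../.*` entries are added directly beneath it, so the key now has both an empty flow sequence and a block sequence as its value; as far as this collapsed view shows that is not valid YAML and the constraint will fail to parse. Change that line to `instances:` so the block list becomes the value. The surviving `# regex example:` comment now sits above real entries and should read something like `# regex matches, one entry per project:`. Patch 7 keeps the same `instances: []` context line while flipping `mode` back to `allowlist`, so the parse problem persists there; with `allowlist` and `match_mode: regex`, every instance outside these projects becomes a finding, which appears to be that patch's intent but deserves a comment next to `mode:` since this series changes it twice.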
From f3cb8fc98856d2dc062a50be1264839b90a48c71 Mon Sep 17 00:00:00 2001
From: Ricardo Maloloy-on
Date: Thu, 4 Jan 2024 13:40:12 +0800
Subject: [PATCH 7/7] feat(policy-library): allow the list of projects that VM created with external IP
Signed-off-by: Ricardo Maloloy-on
---
policies/constraints/vm_external_ip.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policies/constraints/vm_external_ip.yaml b/policies/constraints/vm_external_ip.yaml
index f39b2090..2c77898d 100644
--- a/policies/constraints/vm_external_ip.yaml
+++ b/policies/constraints/vm_external_ip.yaml
@@ -24,7 +24,7 @@ spec:
 severity: high
 parameters:
 # modes can be [allowlist, denylist]
- mode: denylist
+ mode: allowlist
 # match_mode can be [exact, regex], default is exact.
 match_mode: regex
 instances: []