feat: adds 5 additional constraints to the gke hardening bundle (#424)

* feat:adds 5 additional constraints to the gke hardening bundle * fixes description typo * updates bundle name
damiansztankowski · Mar 7, 2022 · b52f94f · b52f94f
1 parent 45c1680
commit b52f94f
Show file tree

Hide file tree

Showing 18 changed files with 58 additions and 10 deletions.
diff --git a/bundler/src/generate_docs.ts b/bundler/src/generate_docs.ts
@@ -207,7 +207,7 @@ This bundle can be installed via kpt:
 export BUNDLE=${bundle.getName()}
 kpt pkg get https://github.com/GoogleCloudPlatform/policy-library.git ./policy-library
 kpt fn source policy-library/samples/ | \\
-  kpt fn run --image gcr.io/config-validator/get-policy-bundle:latest -- bundle=$BUNDLE | \\
+  kpt fn eval - --image gcr.io/config-validator/get-policy-bundle:latest -- bundle=$BUNDLE | \\
   kpt fn sink policy-library/policies/constraints/
 \`\`\`
 

diff --git a/docs/bundles/cis-v1.0.md b/docs/bundles/cis-v1.0.md
@@ -6,7 +6,7 @@ This bundle can be installed via kpt:
 export BUNDLE=cis-v1.0
 kpt pkg get https://github.com/GoogleCloudPlatform/policy-library.git ./policy-library
 kpt fn source policy-library/samples/ | \
-  kpt fn run --image gcr.io/config-validator/get-policy-bundle:latest -- bundle=$BUNDLE | \
+  kpt fn eval - --image gcr.io/config-validator/get-policy-bundle:latest -- bundle=$BUNDLE | \
   kpt fn sink policy-library/policies/constraints/
 ```
 

diff --git a/docs/bundles/cis-v1.1.md b/docs/bundles/cis-v1.1.md
@@ -6,7 +6,7 @@ This bundle can be installed via kpt:
 export BUNDLE=cis-v1.1
 kpt pkg get https://github.com/GoogleCloudPlatform/policy-library.git ./policy-library
 kpt fn source policy-library/samples/ | \
-  kpt fn run --image gcr.io/config-validator/get-policy-bundle:latest -- bundle=$BUNDLE | \
+  kpt fn eval - --image gcr.io/config-validator/get-policy-bundle:latest -- bundle=$BUNDLE | \
   kpt fn sink policy-library/policies/constraints/
 ```
 
@@ -16,6 +16,8 @@ kpt fn source policy-library/samples/ | \
 | ----------------------------------------------------------------------------------------------------------------------------- | ------- | ------------------------------------------------------------------------------------------------- |
 | [block_serviceaccount_token_creator](../../samples/iam_block_service_account_creator_role.yaml)                               | 1.0X    | Ban any users from being granted Service Account Token Creator access                             |
 | [cmek_rotation](../../samples/cmek_rotation.yaml)                                                                             | 1.08    | Checks that CMEK rotation policy is in place and is sufficiently short.                           |
+| [compute-enable-oslogin-project](../../samples/compute_enable_oslogin_project.yaml)                                           | 4.04    | Verifies that all VMs in a project have OS login enabled.                                         |
+| [compute_block_ssh_keys](../../samples/compute_block_ssh_keys.yaml)                                                           | 4.03    | Checks if "Block Project-wide SSH keys" is enabled for VM instances                               |
 | [deny_role](../../samples/iam_deny_role.yaml)                                                                                 | 1.05    | Ban any users from being granted Service Account User access                                      |
 | [disable_gke_dashboard](../../samples/gke_dashboard_disable.yaml)                                                             | 7.06    | Ensure Kubernetes web UI / Dashboard is disabled                                                  |
 | [disable_gke_default_service_account](../../samples/gke_disable_default_service_account.yaml)                                 | 7.17    | Ensure default Service account is not used for Project access in Kubernetes Clusters              |

diff --git a/docs/bundles/forseti-security.md b/docs/bundles/forseti-security.md
@@ -6,7 +6,7 @@ This bundle can be installed via kpt:
 export BUNDLE=forseti-security
 kpt pkg get https://github.com/GoogleCloudPlatform/policy-library.git ./policy-library
 kpt fn source policy-library/samples/ | \
-  kpt fn run --image gcr.io/config-validator/get-policy-bundle:latest -- bundle=$BUNDLE | \
+  kpt fn eval - --image gcr.io/config-validator/get-policy-bundle:latest -- bundle=$BUNDLE | \
   kpt fn sink policy-library/policies/constraints/
 ```
 

diff --git a/docs/bundles/gke-hardening-v2019.11.11.md b/docs/bundles/gke-hardening-v2019.11.11.md
@@ -6,7 +6,7 @@ This bundle can be installed via kpt:
 export BUNDLE=gke-hardening-v2019.11.11
 kpt pkg get https://github.com/GoogleCloudPlatform/policy-library.git ./policy-library
 kpt fn source policy-library/samples/ | \
-  kpt fn run --image gcr.io/config-validator/get-policy-bundle:latest -- bundle=$BUNDLE | \
+  kpt fn eval - --image gcr.io/config-validator/get-policy-bundle:latest -- bundle=$BUNDLE | \
   kpt fn sink policy-library/policies/constraints/
 ```
 

diff --git a/docs/bundles/gke-hardening-v2022.md b/docs/bundles/gke-hardening-v2022.md
@@ -0,0 +1,26 @@
+# gke-hardening-v2022
+
+This bundle can be installed via kpt:
+
+```
+export BUNDLE=gke-hardening-v2022
+kpt pkg get https://github.com/GoogleCloudPlatform/policy-library.git ./policy-library
+kpt fn source policy-library/samples/ | \
+  kpt fn eval - --image gcr.io/config-validator/get-policy-bundle:latest -- bundle=$BUNDLE | \
+  kpt fn sink policy-library/policies/constraints/
+```
+
+## Constraints
+
+| Constraint                                                                                         | Control                           | Description                                                                               |
+| -------------------------------------------------------------------------------------------------- | --------------------------------- | ----------------------------------------------------------------------------------------- |
+| [allow_only_private_cluster](../../samples/gke_allow_only_private_cluster.yaml)                    | PRIVATE_CLUSTERS_ONLY             | Verifies all GKE clusters are Private Clusters.                                           |
+| [disable_gke_dashboard](../../samples/gke_dashboard_disable.yaml)                                  | DISABLED_GKE_DASHBOARD            | Ensure Kubernetes web UI / Dashboard is disabled                                          |
+| [disable_gke_legacy_abac](../../samples/gke_legacy_abac.yaml)                                      | DISABLED_LEGACY_AUTHORIZATION     | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters              |
+| [enable_alias_ip_ranges](../../samples/gke_enable_alias_ip_ranges.yaml)                            | ENABLE_IP_ALIAS                   | Ensure Kubernetes Cluster is created with Alias IP ranges enabled                         |
+| [enable_auto_upgrade](../../samples/gke_node_pool_auto_upgrade.yaml)                               | ENABLED_NODE_AUTO_UPGRADE         | Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes             |
+| [enable_gke_master_authorized_networks](../../samples/gke_master_authorized_networks_enabled.yaml) | ENABLED_MASTER_AUTHORIZED_NETWORK | Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters         |
+| [enable_gke_shielded_nodes](../../samples/gke_enable_shielded_nodes.yaml)                          | ENABLE_SHIELDED_GKE_NODES         | Checks that GKE is using Shielded nodes (secure boot).                                    |
+| [enable_gke_workload_identity](../../samples/gke_enable_workload_identity.yaml)                    | ENABLE_WORKLOAD_IDENTITY          | Ensure Workload Identity is enabled on a GKE cluster                                      |
+| [gke_enable_private_endpoint](../../samples/gke_enable_private_endpoint.yaml)                      | ENABLE_PRIVATE_ENDPOINT           | Enable a private endpoint for the cluster to be accessible from an internal network only. |
+
diff --git a/docs/bundles/healthcare-baseline-v1.md b/docs/bundles/healthcare-baseline-v1.md
@@ -6,7 +6,7 @@ This bundle can be installed via kpt:
 export BUNDLE=healthcare-baseline-v1
 kpt pkg get https://github.com/GoogleCloudPlatform/policy-library.git ./policy-library
 kpt fn source policy-library/samples/ | \
-  kpt fn run --image gcr.io/config-validator/get-policy-bundle:latest -- bundle=$BUNDLE | \
+  kpt fn eval - --image gcr.io/config-validator/get-policy-bundle:latest -- bundle=$BUNDLE | \
   kpt fn sink policy-library/policies/constraints/
 ```
 

diff --git a/docs/bundles/scorecard-v1.md b/docs/bundles/scorecard-v1.md
@@ -6,7 +6,7 @@ This bundle can be installed via kpt:
 export BUNDLE=scorecard-v1
 kpt pkg get https://github.com/GoogleCloudPlatform/policy-library.git ./policy-library
 kpt fn source policy-library/samples/ | \
-  kpt fn run --image gcr.io/config-validator/get-policy-bundle:latest -- bundle=$BUNDLE | \
+  kpt fn eval - --image gcr.io/config-validator/get-policy-bundle:latest -- bundle=$BUNDLE | \
   kpt fn sink policy-library/policies/constraints/
 ```
 
@@ -33,6 +33,7 @@ kpt fn source policy-library/samples/ | \
 | [gke_container_optimized_os](../../samples/gke_container_optimized_os.yaml)                        | security               | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters                        |
 | [gke_restrict_client_auth_methods](../../samples/gke_restrict_client_auth_methods.yaml)            | security               | Checks that client certificate and password authentication methods are disabled for GKE clusters. |
 | [gke_restrict_pod_traffic](../../samples/gke_restrict_pod_traffic.yaml)                            | security               | Checks that GKE clusters have a Network Policy installed.                                         |
+| [gke_restrict_pod_traffic](../../samples/legacy/gke_restrict_pod_traffic_v1.yaml)                  | security               | Checks that GKE clusters have a Network Policy installed.                                         |
 | [prevent-public-ip-cloudsql](../../samples/sql_public_ip.yaml)                                     | security               | Prevents a public IP from being assigned to a Cloud SQL instance.                                 |
 | [require_bq_table_iam](../../samples/bigquery_world_readable.yaml)                                 | security               | Checks if BigQuery datasets are publicly readable or allAuthenticatedUsers.                       |
 | [require_bucket_policy_only](../../samples/storage_bucket_policy_only.yaml)                        | security               | Checks if Cloud Storage buckets have Bucket Only Policy turned on.                                |