diff --git a/bundler/src/generate_docs.ts b/bundler/src/generate_docs.ts
index 21d22da..be89a18 100644
--- a/bundler/src/generate_docs.ts
+++ b/bundler/src/generate_docs.ts
@@ -207,7 +207,7 @@ This bundle can be installed via kpt:
 export BUNDLE=${bundle.getName()}
 kpt pkg get https://github.com/GoogleCloudPlatform/policy-library.git ./policy-library
 kpt fn source policy-library/samples/ | \\
- kpt fn run --image gcr.io/config-validator/get-policy-bundle:latest -- bundle=$BUNDLE | \\
+ kpt fn eval - --image gcr.io/config-validator/get-policy-bundle:latest -- bundle=$BUNDLE | \\
 kpt fn sink policy-library/policies/constraints/
 \`\`\`
diff --git a/docs/bundles/cis-v1.0.md b/docs/bundles/cis-v1.0.md
index ff12f64..e3ae2a7 100644
--- a/docs/bundles/cis-v1.0.md
+++ b/docs/bundles/cis-v1.0.md
@@ -6,7 +6,7 @@ This bundle can be installed via kpt:
 export BUNDLE=cis-v1.0
 kpt pkg get https://github.com/GoogleCloudPlatform/policy-library.git ./policy-library
 kpt fn source policy-library/samples/ | \
- kpt fn run --image gcr.io/config-validator/get-policy-bundle:latest -- bundle=$BUNDLE | \
+ kpt fn eval - --image gcr.io/config-validator/get-policy-bundle:latest -- bundle=$BUNDLE | \
 kpt fn sink policy-library/policies/constraints/
 ```
diff --git a/docs/bundles/cis-v1.1.md b/docs/bundles/cis-v1.1.md
index c96d26d..70fa71c 100644
--- a/docs/bundles/cis-v1.1.md
+++ b/docs/bundles/cis-v1.1.md
@@ -6,7 +6,7 @@ This bundle can be installed via kpt:
 export BUNDLE=cis-v1.1
 kpt pkg get https://github.com/GoogleCloudPlatform/policy-library.git ./policy-library
 kpt fn source policy-library/samples/ | \
- kpt fn run --image gcr.io/config-validator/get-policy-bundle:latest -- bundle=$BUNDLE | \
+ kpt fn eval - --image gcr.io/config-validator/get-policy-bundle:latest -- bundle=$BUNDLE | \
 kpt fn sink policy-library/policies/constraints/
 ```
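Review bot: The rewritten `kpt fn eval` line in this template still references the bundle function by the mutable `gcr.io/config-validator/get-policy-bundle:latest` tag, so every bundle doc this generator emits (cis-v1.0.md, cis-v1.1.md and the other docs/bundles files in this diff) tells readers to run whatever image was pushed most recently against their policy tree, with no way to reproduce or audit a given install. Pinning to an immutable reference, e.g. `gcr.io/config-validator/get-policy-bundle@sha256:<IMAGE_DIGEST>` (placeholder), or at least a released version tag, would make the documented pipeline reproducible. A one-line comment above the template explaining that the `-` argument makes `kpt fn eval` consume the resource list piped from `kpt fn source` would also help the next maintainer who sees it without context. The template literal and the function that builds it start and end outside this hunk.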
@@ -16,6 +16,8 @@ kpt fn source policy-library/samples/ | \ | ----------------------------------------------------------------------------------------------------------------------------- | ------- | ------------------------------------------------------------------------------------------------- | | [block_serviceaccount_token_creator](../../samples/iam_block_service_account_creator_role.yaml) | 1.0X | Ban any users from being granted Service Account Token Creator access | | [cmek_rotation](../../samples/cmek_rotation.yaml) | 1.08 | Checks that CMEK rotation policy is in place and is sufficiently short. | +| [compute-enable-oslogin-project](../../samples/compute_enable_oslogin_project.yaml) | 4.04 | Verifies that all VMs in a project have OS login enabled. | +| [compute_block_ssh_keys](../../samples/compute_block_ssh_keys.yaml) | 4.03 | Checks if "Block Project-wide SSH keys" is enabled for VM instances | | [deny_role](../../samples/iam_deny_role.yaml) | 1.05 | Ban any users from being granted Service Account User access | | [disable_gke_dashboard](../../samples/gke_dashboard_disable.yaml) | 7.06 | Ensure Kubernetes web UI / Dashboard is disabled | | [disable_gke_default_service_account](../../samples/gke_disable_default_service_account.yaml) | 7.17 | Ensure default Service account is not used for Project access in Kubernetes Clusters | diff --git a/docs/bundles/forseti-security.md b/docs/bundles/forseti-security.md index d6cacf1..b0f7491 100644 --- a/docs/bundles/forseti-security.md +++ b/docs/bundles/forseti-security.md 
@@ -6,7 +6,7 @@ This bundle can be installed via kpt:
 export BUNDLE=forseti-security
 kpt pkg get https://github.com/GoogleCloudPlatform/policy-library.git ./policy-library
 kpt fn source policy-library/samples/ | \
- kpt fn run --image gcr.io/config-validator/get-policy-bundle:latest -- bundle=$BUNDLE | \
+ kpt fn eval - --image gcr.io/config-validator/get-policy-bundle:latest -- bundle=$BUNDLE | \
 kpt fn sink policy-library/policies/constraints/
 ```
diff --git a/docs/bundles/gke-hardening-v2019.11.11.md b/docs/bundles/gke-hardening-v2019.11.11.md
index 274f6e2..7b4853f 100644
--- a/docs/bundles/gke-hardening-v2019.11.11.md
+++ b/docs/bundles/gke-hardening-v2019.11.11.md
@@ -6,7 +6,7 @@ This bundle can be installed via kpt:
 export BUNDLE=gke-hardening-v2019.11.11
 kpt pkg get https://github.com/GoogleCloudPlatform/policy-library.git ./policy-library
 kpt fn source policy-library/samples/ | \
- kpt fn run --image gcr.io/config-validator/get-policy-bundle:latest -- bundle=$BUNDLE | \
+ kpt fn eval - --image gcr.io/config-validator/get-policy-bundle:latest -- bundle=$BUNDLE | \
 kpt fn sink policy-library/policies/constraints/
 ```
diff --git a/docs/bundles/gke-hardening-v2022.md b/docs/bundles/gke-hardening-v2022.md
new file mode 100644
index 0000000..854fba7
--- /dev/null
+++ b/docs/bundles/gke-hardening-v2022.md
@@ -0,0 +1,26 @@ +# gke-hardening-v2022 + +This bundle can be installed via kpt: + +``` +export BUNDLE=gke-hardening-v2022 +kpt pkg get https://github.com/GoogleCloudPlatform/policy-library.git ./policy-library +kpt fn source policy-library/samples/ | \ + kpt fn eval - --image gcr.io/config-validator/get-policy-bundle:latest -- bundle=$BUNDLE | \ + kpt fn sink policy-library/policies/constraints/ +``` + +## Constraints + +| Constraint | Control | Description | +| -------------------------------------------------------------------------------------------------- | --------------------------------- | ----------------------------------------------------------------------------------------- | +| [allow_only_private_cluster](../../samples/gke_allow_only_private_cluster.yaml) | PRIVATE_CLUSTERS_ONLY | Verifies all GKE clusters are Private Clusters. | +| [disable_gke_dashboard](../../samples/gke_dashboard_disable.yaml) | DISABLED_GKE_DASHBOARD | Ensure Kubernetes web UI / Dashboard is disabled | +| [disable_gke_legacy_abac](../../samples/gke_legacy_abac.yaml) | DISABLED_LEGACY_AUTHORIZATION | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters | +| [enable_alias_ip_ranges](../../samples/gke_enable_alias_ip_ranges.yaml) | ENABLE_IP_ALIAS | Ensure Kubernetes Cluster is created with Alias IP ranges enabled | +| [enable_auto_upgrade](../../samples/gke_node_pool_auto_upgrade.yaml) | ENABLED_NODE_AUTO_UPGRADE | Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes | +| [enable_gke_master_authorized_networks](../../samples/gke_master_authorized_networks_enabled.yaml) | ENABLED_MASTER_AUTHORIZED_NETWORK | Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters | +| [enable_gke_shielded_nodes](../../samples/gke_enable_shielded_nodes.yaml) | ENABLE_SHIELDED_GKE_NODES | Checks that GKE is using Shielded nodes (secure boot). 
| +| [enable_gke_workload_identity](../../samples/gke_enable_workload_identity.yaml) | ENABLE_WORKLOAD_IDENTITY | Ensure Workload Identity is enabled on a GKE cluster | +| [gke_enable_private_endpoint](../../samples/gke_enable_private_endpoint.yaml) | ENABLE_PRIVATE_ENDPOINT | Enable a private endpoint for the cluster to be accessible from an internal network only. | + diff --git a/docs/bundles/healthcare-baseline-v1.md b/docs/bundles/healthcare-baseline-v1.md index 8ecb2d7..fd0546e 100644 --- a/docs/bundles/healthcare-baseline-v1.md +++ b/docs/bundles/healthcare-baseline-v1.md @@ -6,7 +6,7 @@ This bundle can be installed via kpt: export BUNDLE=healthcare-baseline-v1 kpt pkg get https://github.com/GoogleCloudPlatform/policy-library.git ./policy-library kpt fn source policy-library/samples/ | \ - kpt fn run --image gcr.io/config-validator/get-policy-bundle:latest -- bundle=$BUNDLE | \ + kpt fn eval - --image gcr.io/config-validator/get-policy-bundle:latest -- bundle=$BUNDLE | \ kpt fn sink policy-library/policies/constraints/ ``` diff --git a/docs/bundles/scorecard-v1.md b/docs/bundles/scorecard-v1.md index c50ace3..53ccf6b 100644 --- a/docs/bundles/scorecard-v1.md +++ b/docs/bundles/scorecard-v1.md @@ -6,7 +6,7 @@ This bundle can be installed via kpt: export BUNDLE=scorecard-v1 kpt pkg get https://github.com/GoogleCloudPlatform/policy-library.git ./policy-library kpt fn source policy-library/samples/ | \ - kpt fn run --image gcr.io/config-validator/get-policy-bundle:latest -- bundle=$BUNDLE | \ + kpt fn eval - --image gcr.io/config-validator/get-policy-bundle:latest -- bundle=$BUNDLE | \ kpt fn sink policy-library/policies/constraints/ ``` 
@@ -33,6 +33,7 @@ kpt fn source policy-library/samples/ | \
 | [gke_container_optimized_os](../../samples/gke_container_optimized_os.yaml) | security | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters |
 | [gke_restrict_client_auth_methods](../../samples/gke_restrict_client_auth_methods.yaml) | security | Checks that client certificate and password authentication methods are disabled for GKE clusters. |
 | [gke_restrict_pod_traffic](../../samples/gke_restrict_pod_traffic.yaml) | security | Checks that GKE clusters have a Network Policy installed. |
+| [gke_restrict_pod_traffic](../../samples/legacy/gke_restrict_pod_traffic_v1.yaml) | security | Checks that GKE clusters have a Network Policy installed. |
 | [prevent-public-ip-cloudsql](../../samples/sql_public_ip.yaml) | security | Prevents a public IP from being assigned to a Cloud SQL instance. |
 | [require_bq_table_iam](../../samples/bigquery_world_readable.yaml) | security | Checks if BigQuery datasets are publicly readable or allAuthenticatedUsers. |
 | [require_bucket_policy_only](../../samples/storage_bucket_policy_only.yaml) | security | Checks if Cloud Storage buckets have Bucket Only Policy turned on. |
diff --git a/docs/index.md b/docs/index.md
index a8aa93d..612bf0d 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -35,12 +35,14 @@ you can explore these policy bundles:
 | [GCPCMEKRotationConstraintV1](../policies/templates/gcp_cmek_rotation_v1.yaml) | [cmek_rotation](../samples/cmek_rotation.yaml), [cmek_rotation_one_hundred_days](../samples/cmek_rotation_100_days.yaml) |
 | [GCPCMEKSettingsConstraintV1](../policies/templates/gcp_cmek_settings_v1.yaml) | [cmek_rotation](../samples/cmek_settings.yaml) |
 | [GCPComputeAllowedNetworksConstraintV2](../policies/templates/gcp_compute_allowed_networks.yaml) | [allowed-networks](../samples/compute_allowed_networks.yaml) |
+| [GCPComputeBlockSSHKeysConstraintV1](../policies/templates/gcp_compute_block_ssh_keys_v1.yaml) | [compute_block_ssh_keys](../samples/compute_block_ssh_keys.yaml) |
 | [GCPComputeDiskResourcePoliciesConstraintV1](../policies/templates/gcp_compute_disk_resource_policies_v1.yaml) | [compute_disk_resource_policies_allowlist_one](../samples/compute_disk_resource_policies.yaml) |
 | [GCPComputeExternalIpAccessConstraintV1](../policies/templates/legacy/gcp_compute_external_ip_access_v1.yaml) | |
 | [GCPComputeExternalIpAccessConstraintV2](../policies/templates/gcp_compute_external_ip_address.yaml) | [forbid_external_ip](../samples/vm_external_ip.yaml) |
 | [GCPComputeIpForwardConstraintV1](../policies/templates/legacy/gcp_compute_ip_forward_v1.yaml) | |
 | [GCPComputeIpForwardConstraintV2](../policies/templates/gcp_compute_ip_forward.yaml) | [forbid_ip_forward](../samples/compute_forbid_ip_forward.yaml) |
 | [GCPComputeNetworkInterfaceWhitelistConstraintV1](../policies/templates/legacy/gcp_compute_network_interface_whitelist_v1.yaml) | |
+| [GCPComputeRequireOSLoginConstraintV1](../policies/templates/gcp_compute_enable_oslogin_project_v1.yaml) | [compute-enable-oslogin-project](../samples/compute_enable_oslogin_project.yaml) |
 | [GCPComputeZoneConstraintV1](../policies/templates/gcp_compute_zone_v1.yaml) | [compute_zone_allowlist_one](../samples/compute_zone.yaml) |
 | [GCPDNSSECConstraintV1](../policies/templates/gcp_dnssec_v1.yaml) | [require_dnssec](../samples/dnssec.yaml) |
 | [GCPDNSSECPreventRSASHA1ConstraintV1](../policies/templates/gcp_dnssec_prevent_rsasha1_v1.yaml) | [dnssec_prevent_rsasha1_ksk](../samples/dnssec_prevent_rsasha1_ksk.yaml), [dnssec_prevent_rsasha1_zsk](../samples/dnssec_prevent_rsasha1_zsk.yaml) |
@@ -54,6 +56,7 @@ you can explore these policy bundles:
 | [GCPGKEDisableDefaultServiceAccountConstraintV1](../policies/templates/gcp_gke_disable_default_service_account_v1.yaml) | [disable_gke_default_service_account](../samples/gke_disable_default_service_account.yaml) |
 | [GCPGKEDisableLegacyEndpointsConstraintV1](../policies/templates/gcp_gke_disable_legacy_endpoints_v1.yaml) | [disable_gke_legacy_endpoints](../samples/gke_disable_legacy_endpoints.yaml) |
 | [GCPGKEEnableAliasIPRangesConstraintV1](../policies/templates/gcp_gke_enable_alias_ip_ranges.yaml) | [enable_alias_ip_ranges](../samples/gke_enable_alias_ip_ranges.yaml) |
+| [GCPGKEEnableBinAuthzConstraintV1](../policies/templates/gcp_gke_enable_binauthz_v1.yaml) | [gke-enable-binary-authorization](../samples/gke_enable_binauthz.yaml) |
 | [GCPGKEEnablePrivateEndpointConstraintV1](../policies/templates/gcp_gke_enable_private_endpoint.yaml) | [gke_enable_private_endpoint](../samples/gke_enable_private_endpoint.yaml) |
 | [GCPGKEEnableShieldedNodesConstraintV1](../policies/templates/gcp_gke_enable_shielded_nodes_v1.yaml) | [enable_gke_shielded_nodes](../samples/gke_enable_shielded_nodes.yaml) |
 | [GCPGKEEnableStackdriverKubernetesEngineMonitoringV1](../policies/templates/gcp_gke_enable_stackdriver_kubernetes_engine_monitoring_v1.yaml) | [enable_gke_stackdriver_kubernetes_engine_monitoring](../samples/gke_enable_stackdriver_kubernetes_engine_monitoring.yaml) |
@@ -66,7 +69,8 @@ you can explore these policy bundles:
 | [GCPGKENodeAutoUpgradeConstraintV1](../policies/templates/gcp_gke_node_auto_upgrade_v1.yaml) | [enable_auto_upgrade](../samples/gke_node_pool_auto_upgrade.yaml) |
 | [GCPGKEPrivateClusterConstraintV1](../policies/templates/gcp_gke_private_cluster_v1.yaml) | [allow_only_private_cluster](../samples/gke_allow_only_private_cluster.yaml) |
 | [GCPGKERestrictClientAuthenticationMethodsConstraintV1](../policies/templates/gcp_gke_restrict_client_auth_methods_v1.yaml) | [gke_restrict_client_auth_methods](../samples/gke_restrict_client_auth_methods.yaml) |
-| [GCPGKERestrictPodTrafficConstraintV1](../policies/templates/gcp_gke_restrict_pod_traffic_v1.yaml) | [gke_restrict_pod_traffic](../samples/gke_restrict_pod_traffic.yaml) |
+| [GCPGKERestrictPodTrafficConstraintV1](../policies/templates/legacy/gcp_gke_restrict_pod_traffic_v1.yaml) | [gke_restrict_pod_traffic](../samples/legacy/gke_restrict_pod_traffic_v1.yaml) |
+| [GCPGKERestrictPodTrafficConstraintV2](../policies/templates/gcp_gke_restrict_pod_traffic_v2.yaml) | [gke_restrict_pod_traffic](../samples/gke_restrict_pod_traffic.yaml) |
 | [GCPGLBExternalIpAccessConstraintV1](../policies/templates/gcp_glb_external_ip_access_constraint_v1.yaml) | [glb_external_ip_allowlist](../samples/gcp_glb_external_ip.yaml) |
 | [GCPIAMAllowedBindingsConstraintV1](../policies/templates/legacy/gcp_iam_allowed_bindings_v1.yaml) | |
 | [GCPIAMAllowedBindingsConstraintV2](../policies/templates/legacy/gcp_iam_allowed_bindings_v2.yaml) | |
@@ -139,6 +143,8 @@ The repo also contains a number of sample constraints:
 | [cmek_rotation](../samples/cmek_settings.yaml) | [Link](../policies/templates/gcp_cmek_settings_v1.yaml) | Checks multiple CMEK key settings (protection level, algorithm, purpose, rotation period). |
 | [cmek_rotation](../samples/cmek_rotation.yaml) | [Link](../policies/templates/gcp_cmek_rotation_v1.yaml) | Checks that CMEK rotation policy is in place and is sufficiently short. |
 | [cmek_rotation_one_hundred_days](../samples/cmek_rotation_100_days.yaml) | [Link](../policies/templates/gcp_cmek_rotation_v1.yaml) | Checks that CMEK rotation policy is in place and is sufficiently short. |
+| [compute-enable-oslogin-project](../samples/compute_enable_oslogin_project.yaml) | [Link](../policies/templates/gcp_compute_enable_oslogin_project_v1.yaml) | Verifies that all VMs in a project have OS login enabled. |
+| [compute_block_ssh_keys](../samples/compute_block_ssh_keys.yaml) | [Link](../policies/templates/gcp_compute_block_ssh_keys_v1.yaml) | Checks if "Block Project-wide SSH keys" is enabled for VM instances |
 | [compute_disk_resource_policies_allowlist_one](../samples/compute_disk_resource_policies.yaml) | [Link](../policies/templates/gcp_compute_disk_resource_policies_v1.yaml) | Checks that Persistent Disks have correct resource policies (eg. snapshot schedules) attached to them. |
 | [compute_zone_allowlist_one](../samples/compute_zone.yaml) | [Link](../policies/templates/gcp_compute_zone_v1.yaml) | Checks the instances and Persistent Disks are in desired zones. |
 | [deny_allusers](../samples/iam_deny_public.yaml) | [Link](../policies/templates/gcp_iam_allowed_bindings.yaml) | Prevent public users from having access to resources via IAM |
@@ -175,12 +181,14 @@ The repo also contains a number of sample constraints:
 | [gke-cluster-allowed-locations](../samples/gke_cluster_location.yaml) | | Checks which zones are allowed/disallowed for GKE clusters. |
 | [gke-cluster-enable-logging](../samples/gke_enable_logging.yaml) | [Link](../policies/templates/gcp_resource_value_pattern_v1.yaml) | Ensure Kubernetes Clusters have logging enabled. |
 | [gke-cluster-version](../samples/gke_cluster_version.yaml) | [Link](../policies/templates/gcp_gke_cluster_version_v1.yaml) | Checks if a GKE cluster is using a master version type other than 1.12.10-gke.17. |
+| [gke-enable-binary-authorization](../samples/gke_enable_binauthz.yaml) | [Link](../policies/templates/gcp_gke_enable_binauthz_v1.yaml) | |
 | [gke_allowed_node_service_account_scope_default](../samples/gke_allowed_node_sa_scope.yaml) | [Link](../policies/templates/gcp_gke_allowed_node_sa_v1.yaml) | Checks that certain service account scopes are not assigned to nodes. |
 | [gke_cluster_location](../samples/legacy/gke_cluster_location.yaml) | [Link](../policies/templates/legacy/gcp_gke_cluster_location_v1.yaml) | |
 | [gke_container_optimized_os](../samples/gke_container_optimized_os.yaml) | [Link](../policies/templates/gcp_gke_container_optimized_os.yaml) | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters |
-| [gke_enable_private_endpoint](../samples/gke_enable_private_endpoint.yaml) | [Link](../policies/templates/gcp_gke_enable_private_endpoint.yaml) | |
+| [gke_enable_private_endpoint](../samples/gke_enable_private_endpoint.yaml) | [Link](../policies/templates/gcp_gke_enable_private_endpoint.yaml) | Enable a private endpoint for the cluster to be accessible from an internal network only. |
 | [gke_restrict_client_auth_methods](../samples/gke_restrict_client_auth_methods.yaml) | [Link](../policies/templates/gcp_gke_restrict_client_auth_methods_v1.yaml) | Checks that client certificate and password authentication methods are disabled for GKE clusters. |
-| [gke_restrict_pod_traffic](../samples/gke_restrict_pod_traffic.yaml) | [Link](../policies/templates/gcp_gke_restrict_pod_traffic_v1.yaml) | Checks that GKE clusters have a Network Policy installed. |
+| [gke_restrict_pod_traffic](../samples/legacy/gke_restrict_pod_traffic_v1.yaml) | [Link](../policies/templates/legacy/gcp_gke_restrict_pod_traffic_v1.yaml) | Checks that GKE clusters have a Network Policy installed. |
+| [gke_restrict_pod_traffic](../samples/gke_restrict_pod_traffic.yaml) | [Link](../policies/templates/gcp_gke_restrict_pod_traffic_v2.yaml) | Checks that GKE clusters have a Network Policy installed. |
 | [glb_external_ip_allowlist](../samples/gcp_glb_external_ip.yaml) | [Link](../policies/templates/gcp_glb_external_ip_access_constraint_v1.yaml) | Checks if Global Load Balancers have external IPs. |
 | [iam-restrict-service-account-key-age-ninety-days](../samples/gcp_iam_restrict_service_account_key_age.yaml) | [Link](../policies/templates/gcp_iam_restrict_service_account_key_age_v1.yaml) | Checks if service account keys are older than 90 days. |
 | [iam-restrict-service-account-key-age-one-hundred-days](../samples/gcp_iam_restrict_service_account_key_age_100_days.yaml) | [Link](../policies/templates/gcp_iam_restrict_service_account_key_age_v1.yaml) | Checks if service account keys are older than 100 days. |
diff --git a/samples/gke_allow_only_private_cluster.yaml b/samples/gke_allow_only_private_cluster.yaml
index c12e6ca..fabb78b 100644
--- a/samples/gke_allow_only_private_cluster.yaml
+++ b/samples/gke_allow_only_private_cluster.yaml
@@ -19,6 +19,7 @@ metadata:
 annotations:
 benchmark: GKE_HARDENING_GUIDELINE
 bundles.validator.forsetisecurity.org/scorecard-v1: security
+ bundles.validator.forsetisecurity.org/gke-hardening-v2022: PRIVATE_CLUSTERS_ONLY
 description: Verifies all GKE clusters are Private Clusters.
 spec:
 severity: high
diff --git a/samples/gke_dashboard_disable.yaml b/samples/gke_dashboard_disable.yaml
index d37a2fb..bcf3e5e 100644
--- a/samples/gke_dashboard_disable.yaml
+++ b/samples/gke_dashboard_disable.yaml
@@ -22,6 +22,7 @@ metadata:
 bundles.validator.forsetisecurity.org/cis-v1.0: 7.06
 bundles.validator.forsetisecurity.org/cis-v1.1: 7.06
 bundles.validator.forsetisecurity.org/gke-hardening-v2019.11.11: DISABLED_GKE_DASHBOARD
+ bundles.validator.forsetisecurity.org/gke-hardening-v2022: DISABLED_GKE_DASHBOARD
 bundles.validator.forsetisecurity.org/scorecard-v1: security
 spec:
 severity: high
diff --git a/samples/gke_enable_alias_ip_ranges.yaml b/samples/gke_enable_alias_ip_ranges.yaml
index 1293444..1b005ab 100644
--- a/samples/gke_enable_alias_ip_ranges.yaml
+++ b/samples/gke_enable_alias_ip_ranges.yaml
@@ -21,6 +21,7 @@ metadata:
 # This constraint is not certified by CIS.
 bundles.validator.forsetisecurity.org/cis-v1.1: 7.13
 bundles.validator.forsetisecurity.org/scorecard-v1: security
+ bundles.validator.forsetisecurity.org/gke-hardening-v2022: ENABLE_IP_ALIAS
 spec:
 severity: high
 match:
diff --git a/samples/gke_enable_private_endpoint.yaml b/samples/gke_enable_private_endpoint.yaml
index cbb204f..1bb463a 100644
--- a/samples/gke_enable_private_endpoint.yaml
+++ b/samples/gke_enable_private_endpoint.yaml
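Review bot: In gke_allow_only_private_cluster.yaml and gke_enable_alias_ip_ranges.yaml the new `bundles.validator.forsetisecurity.org/gke-hardening-v2022` annotation is appended after the `scorecard-v1` key, whereas the other samples in this diff (gke_dashboard_disable.yaml, gke_legacy_abac.yaml, gke_master_authorized_networks_enabled.yaml, gke_node_pool_auto_upgrade.yaml) keep the bundle keys in sorted order with `gke-hardening-v2022` before `scorecard-v1`. Moving the two added lines up one position keeps the annotation blocks consistent across samples, which makes bundle membership easier to scan and future diffs smaller. Behaviour is unaffected, since mapping key order is not significant to the bundle lookup as far as this diff shows.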
@@ -16,6 +16,9 @@ apiVersion: constraints.gatekeeper.sh/v1alpha1
 kind: GCPGKEEnablePrivateEndpointConstraintV1
 metadata:
 name: gke_enable_private_endpoint
+ annotations:
+ description: Enable a private endpoint for the cluster to be accessible from an internal network only.
+ bundles.validator.forsetisecurity.org/gke-hardening-v2022: ENABLE_PRIVATE_ENDPOINT
 spec:
 severity: high
 parameters: {}
diff --git a/samples/gke_enable_shielded_nodes.yaml b/samples/gke_enable_shielded_nodes.yaml
index a3cfb5d..4a182cc 100644
--- a/samples/gke_enable_shielded_nodes.yaml
+++ b/samples/gke_enable_shielded_nodes.yaml
@@ -18,6 +18,7 @@ metadata:
 name: enable_gke_shielded_nodes
 annotations:
 description: Checks that GKE is using Shielded nodes (secure boot).
+ bundles.validator.forsetisecurity.org/gke-hardening-v2022: ENABLE_SHIELDED_GKE_NODES
 spec:
 severity: high
 match:
diff --git a/samples/gke_enable_workload_identity.yaml b/samples/gke_enable_workload_identity.yaml
index 563b324..ca491e6 100644
--- a/samples/gke_enable_workload_identity.yaml
+++ b/samples/gke_enable_workload_identity.yaml
@@ -18,6 +18,7 @@ metadata:
 name: enable_gke_workload_identity
 annotations:
 description: Ensure Workload Identity is enabled on a GKE cluster
+ bundles.validator.forsetisecurity.org/gke-hardening-v2022: ENABLE_WORKLOAD_IDENTITY
 spec:
 severity: high
 match:
diff --git a/samples/gke_legacy_abac.yaml b/samples/gke_legacy_abac.yaml
index fb117f0..4760223 100644
--- a/samples/gke_legacy_abac.yaml
+++ b/samples/gke_legacy_abac.yaml
@@ -21,6 +21,7 @@ metadata:
 # This constraint has not been validated by the formal CIS certification process.
 bundles.validator.forsetisecurity.org/cis-v1.1: 7.03
 bundles.validator.forsetisecurity.org/gke-hardening-v2019.11.11: DISABLED_LEGACY_AUTHORIZATION
+ bundles.validator.forsetisecurity.org/gke-hardening-v2022: DISABLED_LEGACY_AUTHORIZATION
 bundles.validator.forsetisecurity.org/scorecard-v1: security
 spec:
 severity: high
diff --git a/samples/gke_master_authorized_networks_enabled.yaml b/samples/gke_master_authorized_networks_enabled.yaml
index d2b1564..16223d7 100644
--- a/samples/gke_master_authorized_networks_enabled.yaml
+++ b/samples/gke_master_authorized_networks_enabled.yaml
@@ -21,6 +21,7 @@ metadata:
 # This constraint has not been validated by the formal CIS certification process.
 bundles.validator.forsetisecurity.org/cis-v1.1: 7.04
 bundles.validator.forsetisecurity.org/gke-hardening-v2019.11.11: ENABLED_MASTER_AUTHORIZED_NETWORK
+ bundles.validator.forsetisecurity.org/gke-hardening-v2022: ENABLED_MASTER_AUTHORIZED_NETWORK
 bundles.validator.forsetisecurity.org/scorecard-v1: security
 spec:
 severity: high
diff --git a/samples/gke_node_pool_auto_upgrade.yaml b/samples/gke_node_pool_auto_upgrade.yaml
index 1593caa..87e84fb 100644
--- a/samples/gke_node_pool_auto_upgrade.yaml
+++ b/samples/gke_node_pool_auto_upgrade.yaml
@@ -22,6 +22,7 @@ metadata:
 bundles.validator.forsetisecurity.org/cis-v1.0: 7.08
 bundles.validator.forsetisecurity.org/cis-v1.1: 7.08
 bundles.validator.forsetisecurity.org/gke-hardening-v2019.11.11: ENABLED_NODE_AUTO_UPGRADE
+ bundles.validator.forsetisecurity.org/gke-hardening-v2022: ENABLED_NODE_AUTO_UPGRADE
 bundles.validator.forsetisecurity.org/scorecard-v1: security
 spec:
 severity: high