Tool and policy library for reviewing Google Kubernetes Engine clusters against best practices

License: Apache License 2.0

GKE Policy Automation

This repository contains the tool and the policy library for validating GKE clusters against configuration best practices and scalability limits.

Note: this is not an officially supported Google product.

Installation

Container image

Container images of the GKE Policy Automation tool are hosted on ghcr.io. Check the packages page for a list of all tags and versions.

docker pull ghcr.io/google/gke-policy-automation:latest
docker run --rm ghcr.io/google/gke-policy-automation check \
-project my-project -location europe-west2 -name my-cluster

Krew

GKE Policy Automation is available as a Krew plugin.

kubectl krew install gke-policy
kubectl gke-policy check --discovery -p my-project

Binary

Binaries for Linux, Windows and Mac are available as tarballs in the release page.

Source code

Go v1.21 or newer is required. Check the development guide for more details.

git clone https://github.com/google/gke-policy-automation.git
cd gke-policy-automation
make build
./gke-policy check \
--project my-project --location europe-west2 --name my-cluster

Usage

Full user guide: GKE Policy Automation User Guide.

Checking best practices

The configuration best practices check validates GKE clusters against the set of GKE configuration policies.

./gke-policy check \
--project my-project --location europe-west2 --name my-cluster

Checking scalability limits

The scalability limits check validates GKE clusters against GKE quotas and limits. The tool reports a violation when a current value crosses a defined threshold.

./gke-policy check scalability \
--project my-project --location europe-west2 --name my-cluster

NOTE: you need to run kube-state-metrics to export cluster metrics in order to use the scalability limits check. Refer to the kube-state-metrics installation & configuration guide for more details.

The tool assumes that metrics are available in Cloud Monitoring, e.g. as a result of metrics collection based on Google Cloud Managed Service for Prometheus. If self-managed Prometheus collection is used, be sure to:

  • Configure Prometheus scraping for kube-state-metrics using PodMonitor / ServiceMonitor and the corresponding annotations, e.g. prometheus.io/scrape

  • Configure the custom Prometheus API server address in the tool

    • Prepare config.yaml:

      inputs:
        metricsAPI:
          enabled: true
          address: http://my-prometheus-svc:8080 # Prometheus server API endpoint
          username: user   # username for basic authentication (optional)
          password: secret # password for basic authentication (optional)
    • Run ./gke-policy check scalability -c config.yaml

Common check options

The common options apply to all types of check commands.

Selecting multiple clusters

Check multiple GKE clusters using the config file.

./gke-policy check -c config.yaml

The config.yaml file:

clusters:
  - name: prod-central
    project: my-project-one
    location: europe-central2
  - id: projects/my-project-two/locations/europe-west2/clusters/prod-west

Using cluster discovery

Check multiple clusters by discovering them in selected GCP projects, folders or the entire organization, using Cloud Asset Inventory and a configuration file.

./gke-policy check -c config.yaml

The config.yaml file:

clusterDiscovery:
  enabled: true
  organization: "123456789012"

It is possible to use cluster discovery on a given project using command line flags only:

./gke-policy check --discovery -p my-project-id

Defining inputs

Data for cluster validation can be retrieved from multiple data sources, e.g. the GKE API, the Cloud Monitoring API or a local JSON file exported from the GKE API. For best practices checks the GKE API input is enabled by default; for scalability checks, the metrics API input is enabled as well. Check the Inputs user guide for more details.

Example:

  • Metrics API input from Cloud Monitoring configured in dedicated project and other values set with defaults for scalability check
inputs:
  gkeAPI:
    enabled: true
  gkeLocal:
    enabled: false
    file:
  metricsAPI:
    enabled: true
    project: sample-project
    metrics:

Defining outputs

The cluster validation results can be published to multiple outputs, including a JSON file, a Pub/Sub topic, a Cloud Storage bucket or Security Command Center. Check the Outputs user guide for more details.

Examples:

  • JSON file output with command line flags

    ./gke-policy check \
    --project my-project --location europe-west2 --name my-cluster \
    --out-file output.json
  • All outputs enabled in a configuration file

    clusters:
      - name: my-cluster
        project: my-project
        location: europe-west2
    outputs:
      - file: output.json
      - pubsub:
          topic: Test
          project: my-pubsub-project
      - cloudStorage:
          bucket: bucket-name
          path: path/to/write
      - securityCommandCenter:
          organization: "153963171798"

Custom Policy repository

Specify a custom repository with GKE cluster best practices and check the cluster against them.

  • Custom policies source with command line flags

    ./gke-policy check \
    --project my-project --location europe-west2 --name my-cluster \
    --git-policy-repo "https://github.com/google/gke-policy-automation" \
    --git-policy-branch "main" \
    --git-policy-dir "gke-policies-v2"
  • Custom policies source with configuration file

    ./gke-policy check -c config.yaml

    The config.yaml file:

    clusters:
      - name: my-cluster
        project: my-project
        location: europe-west2
    policies:
      - repository: https://domain.com/your/custom/repository
        branch: main
        directory: gke-policies-v2

Authentication

The tool fetches GKE cluster details using GCP APIs. Application Default Credentials are used by default.

  • When running the tool in a GCP environment, the tool uses the attached service account by default
  • When running locally, use the gcloud auth application-default login command to obtain Application Default Credentials
  • To use credentials from a service account key file, pass the --creds parameter with a path to the file.

The minimum required IAM role is roles/container.clusterViewer on the cluster projects. Additional roles may be needed, depending on the configured outputs - check the authentication section in the user guide.

Serverless execution

The GKE Policy Automation tool can be executed in a serverless way to perform automatic evaluations of the clusters running in your organization. Please check our reference Terraform Solution, which leverages GCP serverless services including Cloud Scheduler and Cloud Run.

Contributing

Please check out Contributing and Code of Conduct docs before contributing.

Development

Please check GKE Policy Automation development for guides on building and developing the application.

Policy authoring

Please check GKE Policy authoring guide for guides on authoring REGO rules for GKE Policy Automation.

License

Apache License 2.0

gke-policy-automation's Contributors

ajayk, anderseknert, annamuscarella, danielmarzini, dependabot[bot], ewojtach, mikouaj, ravi-dalal, rickygodoy, spawar-apex, steenblik

gke-policy-automation's Issues

Policy: use vpc-native clusters

Community Note

  • Please vote on this issue by adding a 👍 reaction
    to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do
    not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Description

Create policy that checks if cluster is VPC-native as per our official best practices.

References

Policy Evaluation result JSON output to local file

Description

Introduce possibility of storing policy evaluation results in a JSON format.
Such results can be further stored in multiple ways (i.e. Pub/Sub, Cloud Storage). The goal of this issue is to enable storing them to a local file.

  • #32
  • Introduce local file writer for JSON results
  • Introduce command line options to trigger JSON serialisation to the file
  • introduce configuration file option to trigger JSON serialisation to the file

References

N/A

Policy: enable NodeLocal DNSCache

Description

Create policy that checks if cluster has NodeLocalDNS enabled.

References

Policy: use RBAC instead of legacy ABAC authorization

Description

Create policy that checks if cluster is using RBAC instead of legacy ABAC authorization. RBAC is the default for all clusters, but it is still possible to enable legacy authorization, i.e. with --enable-legacy-authorization.

References

Policy: Use Container Optimized OS in the node pools

Description

Create policy that checks if cluster is using COS in the node pools.

References

N/A

Add support for JSON output to stdout

Description

It would be useful to have a flag or command-line parameter that would allow the gke-policy tool to stream JSON to STDOUT. Currently the only JSON support is writing to a JSON file. Streaming to STDOUT would allow for integration with other command-line tools such as jq.

References

  • No relevant/known issues or PRs

Terraform for serverless solution

Description

Create Terraform code with infrastructure for serverless solution to run GKE Policy Automation tool on GCP.

References

  • N/A

Policy filtering feature

Description

As a cloud engineer, I want to control which policies are evaluated on each cluster, in order to treat different clusters or groups of clusters differently and to limit unwanted noise.

Example config:

policyExclusions:
  - policies:
      - gke.policy.cluster_binary_authorization
      - gke.policy.cluster_maintenance_window
    policyGroups:
      - Management
    policyLists:
      - my-named-policy-list
    clusterSelectors:
      - matchLabels:
          env: prod
          team: test-team
      - matchExpressions:
          - key: location
            Operator: In
            values:
              - west
              - east
policyLists:
  - name: my-named-policy-list
    policies:
      - gke.policy.cluster_binary_authorization
      - gke.policy.cluster_maintenance_window

References

N/A

Policy Evaluation result JSON output to Cloud Storage

Description

Introduce possibility of storing JSON policy evaluation results in a Cloud Storage bucket.

  • #32
  • Introduce Cloud Storage writer of JSON results
  • introduce configuration file option to trigger JSON serialisation to Cloud Storage bucket

References

N/A

Policy check command

Description

Introduce a ./gke-policy policy check command that will validate policy files from the defined sources.
The validation should check REGO syntax and required metadata. This feature can be used to validate custom policy repositories and can be included in CI processes.

References

N/A

Is there anyone who can give me a hand?

Cloud Storage output: add datetime prefix to objects

Description

The current Cloud Storage output always writes a single object with the configured name and prefix.
Subsequent executions of the tool will overwrite the existing object. In order to maintain a history of reports, the objects can be prefixed with a generated datetime, i.e. gke_report_20220516_2141.json (YYYYMMDD_HHMM prefix).

References

N/A

Policy: use Cloud Logging and Monitoring

Description

Create a policy to ensure that cluster is using Cloud Logging and Monitoring.

This is covered in CIS for GKE Benchmark v1.2.0, id 5.7.1.

References

Use of K8S resources data in Rego policies

Description

We want to go beyond the GCP container model in policy evaluations and use Kubernetes objects data as well.
This will allow us to build policies around GKE scalability limits, for example:

  • maximum number of HPAs
  • maximum number of secrets

By having data from two sources (GCP container API, k8s API) we can also build policies around correlated scalability limits.

  • #66
  • #67
  • #73
  • Introduce configuration driven filtering of kubernetes objects

References

N/A

Missing configuration parameters should cause tool to fail fast

Debug Output

N/A

Panic Output

N/A

Steps to Reproduce

  1. Run ./gke-policy cluster review command

Expected Behavior

Tool should fail fast as there are no cluster configuration parameters specified.
Contextual (depending on a given command) config validation should happen right after loading the config from cli flags or a file.

Actual Behavior

Tool performs several actions before failing: fetches policies from the default source and parses them.

Reading policy files... [GIT repository: https://github.com/google/gke-policy-automation, branch: main, directory: gke-policies]
Parsing REGO policies...
Error: could not get cluster name: cluster parameters not set

References

N/A
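
A fail-fast validator of the kind this issue asks for, added here as an example that is not the project's own code: it assumes a simplified config struct mirroring the README's clusters (name/project/location or a fully qualified id) and clusterDiscovery blocks, with folders/projects discovery scopes as assumed field names, and runs before any policy or API access.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// ClusterConfig mirrors one entry of the clusters list in config.yaml:
// either name, project and location together, or a fully qualified id.
type ClusterConfig struct {
	Name     string
	Project  string
	Location string
	ID       string
}

// DiscoveryConfig mirrors the clusterDiscovery block. The Folders and
// Projects scopes are assumed field names for this example.
type DiscoveryConfig struct {
	Enabled      bool
	Organization string
	Folders      []string
	Projects     []string
}

// Config is the subset of the tool's configuration relevant to selecting clusters.
type Config struct {
	Clusters         []ClusterConfig
	ClusterDiscovery DiscoveryConfig
}

// Fully qualified cluster id: projects/<p>/locations/<l>/clusters/<n>.
var clusterIDRe = regexp.MustCompile(`^projects/[^/]+/locations/[^/]+/clusters/[^/]+$`)

// ValidateCheckConfig collects every problem it finds and returns them joined,
// so the tool can report all of them at once and exit before fetching policies.
func ValidateCheckConfig(c Config) error {
	var errs []error
	if len(c.Clusters) == 0 && !c.ClusterDiscovery.Enabled {
		errs = append(errs, errors.New("no clusters configured and cluster discovery is disabled"))
	}
	for i, cl := range c.Clusters {
		if cl.ID != "" {
			// id is the alternative to the name/project/location triple, not an addition to it.
			if cl.Name != "" || cl.Project != "" || cl.Location != "" {
				errs = append(errs, fmt.Errorf("clusters[%d]: id cannot be combined with name, project or location", i))
			}
			if !clusterIDRe.MatchString(cl.ID) {
				errs = append(errs, fmt.Errorf("clusters[%d]: id %q is not of the form projects/<p>/locations/<l>/clusters/<n>", i, cl.ID))
			}
			continue
		}
		if cl.Name == "" || cl.Project == "" || cl.Location == "" {
			errs = append(errs, fmt.Errorf("clusters[%d]: name, project and location are all required when id is not set", i))
		}
	}
	if d := c.ClusterDiscovery; d.Enabled {
		// Discovery needs at least one scope to query Cloud Asset Inventory against.
		if d.Organization == "" && len(d.Folders) == 0 && len(d.Projects) == 0 {
			errs = append(errs, errors.New("clusterDiscovery: one of organization, folders or projects must be set"))
		}
	}
	return errors.Join(errs...) // nil when errs is empty
}

func main() {
	// Constructed sample: the location is missing, which should stop the run immediately.
	cfg := Config{Clusters: []ClusterConfig{{Name: "prod-central", Project: "my-project-one"}}}
	if err := ValidateCheckConfig(cfg); err != nil {
		fmt.Println("Error:", err)
	}
}
```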

Policy: use GCE Persistent Disk CSI driver

Description

Add policy to check if cluster is using GCE Persistent Disk CSI driver instead of gcePersistentDisk in-tree volume plugin.

References

Policy: use ILB subsetting for larger clusters

Description

Create policy that checks if ILB subsetting is enabled for larger (250 nodes) clusters.

References

Introduce data inputs concept

Description

The goal is to introduce modularised inputs in a similar fashion to the current outputs.
This will make the tool more extensible and configurable, especially as the number of inputs tends to grow (we already have 3 different data sources). It will also make the code architecture cleaner.

  • #137
    • Introduce inputs interface in a dedicated package
    • Introduce inputs in a configuration / CLI
    • Extend cluster data model with a map[string]interface{} for input data storing
    • Introduce function to get data from all inputs for all clusters in a concurrent way and return extended cluster model
  • #139
    • Enhance policy model with inputs
    • Add inputs to the existing policies
    • Filter policies based on configured inputs. This should happen on early stage, before inputs are fetched and policies evaluated
  • #145
  • #142
  • #143
  • #146
  • Replace existing clients with new inputs
  • Update the documentation

References

N/A

Create kube-api client

Create kube-api client with capabilities of: detecting resource APIs in a cluster, fetching list of namespaces, fetching object data from the namespace(s)

Specifying --local-policy-dir CLI flag is not stopping from reading default GIT repo

Debug Output

N/A

Panic Output

N/A

Steps to Reproduce

  1. Run ./gke-policy cluster review --local-policy-dir ./gke-policies
    • gke-policies is a local folder with policies.

Expected Behavior

The tool should read policy files from specified local source only.

Actual Behavior

The tool fetches policy files from default GIT source in addition to specified local source.

./gke-policy cluster review --local-policy-dir ./gke-policies
Reading policy files... [local directory: ./gke-policies]
Reading policy files... [GIT repository: https://github.com/google/gke-policy-automation, branch: main, directory: gke-policies]
Parsing REGO policies...

References

N/A

Tool should not fail on a discovered cluster that does not exist

Debug Output

N/A

Panic Output

N/A

Steps to Reproduce

  1. Create new GKE cluster
  2. Wait and ensure that GKE Cluster is visible in Asset Inventory
  3. Delete GKE cluster
  4. Run the tool

Expected Behavior

The tool produces warning.
If there is more than one cluster to process, the remaining clusters are checked.

Actual Behavior

The tool produces an error and exits with system code 1.
If there are multiple clusters to check, there is a high chance that not all of them will be processed.

References

N/A

Policy: use regional node pools

Description

Create policy that checks if cluster's node pools are regional.

References

Policy: Nodepool follows version skew policy

Description

Create policy that checks if nodepools follow version skew policy.
The difference between cluster control plane version and nodepools should not be greater than 2 minor versions.

References
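
An implementation of the skew check this issue describes, added here as an example rather than the project's own policy (which would be written in Rego); it assumes a simplified cluster model carrying the GKE API's currentMasterVersion and node pool version strings, and additionally flags a node pool that is newer than its control plane, which the Kubernetes version skew policy also forbids.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Cluster is an assumed, minimal stand-in for the cluster data the tool evaluates.
type Cluster struct {
	Name                 string
	CurrentMasterVersion string
	NodePools            []NodePool
}

// NodePool carries the node pool name and its GKE version string.
type NodePool struct {
	Name    string
	Version string
}

// maxMinorSkew is the threshold from the issue: node pools may lag the
// control plane by at most two minor versions.
const maxMinorSkew = 2

// GKE versions look like 1.27.3-gke.100; only major and minor matter here.
var gkeVersionRe = regexp.MustCompile(`^(\d+)\.(\d+)\.(\d+)(?:-gke\.(\d+))?$`)

// parseMajorMinor extracts the major and minor components of a GKE version string.
func parseMajorMinor(v string) (int, int, error) {
	m := gkeVersionRe.FindStringSubmatch(v)
	if m == nil {
		return 0, 0, fmt.Errorf("unrecognised GKE version %q", v)
	}
	major, _ := strconv.Atoi(m[1]) // digits only, so Atoi cannot fail
	minor, _ := strconv.Atoi(m[2])
	return major, minor, nil
}

// Violation records one node pool that fails the skew policy and why.
type Violation struct {
	NodePool string
	Reason   string
}

// CheckVersionSkew returns one Violation per node pool that lags the control
// plane by more than maxMinorSkew minors, is newer than it, differs in major
// version, or has an unparsable version. An unparsable control plane version
// is an error, since nothing can be compared against it.
func CheckVersionSkew(c Cluster) ([]Violation, error) {
	cpMajor, cpMinor, err := parseMajorMinor(c.CurrentMasterVersion)
	if err != nil {
		return nil, fmt.Errorf("control plane: %w", err)
	}
	var out []Violation
	for _, np := range c.NodePools {
		major, minor, err := parseMajorMinor(np.Version)
		if err != nil {
			out = append(out, Violation{NodePool: np.Name, Reason: err.Error()})
			continue
		}
		switch {
		case major != cpMajor:
			out = append(out, Violation{NodePool: np.Name, Reason: fmt.Sprintf(
				"major version %d differs from control plane major version %d", major, cpMajor)})
		case minor > cpMinor:
			out = append(out, Violation{NodePool: np.Name, Reason: fmt.Sprintf(
				"node pool %d.%d is newer than control plane %d.%d", major, minor, cpMajor, cpMinor)})
		case cpMinor-minor > maxMinorSkew:
			out = append(out, Violation{NodePool: np.Name, Reason: fmt.Sprintf(
				"node pool %d.%d lags control plane %d.%d by %d minor versions (max %d)",
				major, minor, cpMajor, cpMinor, cpMinor-minor, maxMinorSkew)})
		}
	}
	return out, nil
}

func main() {
	// Constructed sample cluster: one compliant pool and one three minors behind.
	c := Cluster{Name: "demo", CurrentMasterVersion: "1.27.3-gke.100", NodePools: []NodePool{
		{Name: "ok", Version: "1.26.5-gke.1200"},
		{Name: "stale", Version: "1.24.12-gke.1100"},
	}}
	violations, err := CheckVersionSkew(c)
	if err != nil {
		fmt.Println("Error:", err)
		return
	}
	for _, v := range violations {
		fmt.Printf("%s/%s: %s\n", c.Name, v.NodePool, v.Reason)
	}
}
```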

Policy: Use Cluster Autoscaler on a node pools

Description

Create policy that checks if cluster autoscaler is enabled on node pools.

References

N/A

Policy: encrypt secrets at the application layer

Description

Create policy that checks if cluster encrypts secrets at the application layer.

References

Implement or disable print method when -k option is used

Policies: ensure proper NAP configuration

Description

Create a set of policies around NAP configuration.
If NAP is disabled then just pass them.

  • Forbid default Service Account in NAP
  • Ensure that node pool locations are covering more than one zone (or not enforced at all)
  • Ensure that nodes in NAP node pools will use integrity monitoring
  • Ensure that nodes in NAP node pools will use COS

References

Policy: use Binary Authorization in a cluster

Description

Create policy that checks if cluster uses Binary Authorization.

References

Policy: Use Workload Identity

Description

Create policy that checks if workload identity was enabled on a cluster.

References

Specifying multiple clusters in config.yaml causes panic

Debug Output

N/A

Panic Output

https://gist.github.com/mikouaj/cf1df1fa33a9d3638d9cfbfa5283fb4c

Steps to Reproduce

  1. Create config.yaml file with two clusters and a local policy dir, i.e.

     clusters:
       - name: public-zonal
         project: XXX
         location: europe-west2-a
       - name: private-regional-nochannel
         project: XXX
         location: europe-central2
     policies:
       - local: ./gke-policies
  2. Run ./gke-policy cluster review -c config.yaml

Expected Behavior

Application should print evaluation output for each cluster

Actual Behavior

Application panics

References

N/A

Tool fetches cluster details even if there are no policies

Debug Output

https://gist.github.com/mikouaj/d650889e4f2c70782b21d3875ae1bd7d

Panic Output

N/A

Steps to Reproduce

  1. Run ./gke-policy cluster review with valid cluster details and a valid but empty policy source, i.e. empty dir, empty rep

Expected Behavior

The tool fetches from policy sources, detects that there are no actual policies and fails / exits.

Actual Behavior

The tool fetches from policy sources, then fetches cluster details and evaluates them (against nothing).

References

N/A

Policy: restrict cluster traffic using network policies

Description

Create a policy that checks if the cluster is created with networking policies enabled or uses GKE Dataplane v2.

References

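As an added example for the network policy check requested above (not code from this repository), a Rego policy written in a valid/violation style with unit tests. It assumes the policy input is the cluster object in the GKE REST API's JSON shape, so the field paths networkConfig.datapathProvider, networkPolicy.enabled and addonsConfig.networkPolicyConfig.disabled are assumptions about that input.

```rego
package gke.policy.network_policy

import rego.v1

default valid := false

# The cluster passes when no violation is produced.
valid if count(violation) == 0

# GKE Dataplane V2 enforces NetworkPolicy natively, without the Calico add-on.
dataplane_v2_enabled if input.networkConfig.datapathProvider == "ADVANCED_DATAPATH"

# Legacy dataplane: the NetworkPolicy add-on must not be disabled and
# enforcement must be turned on. The add-on's "disabled" field may be
# omitted from the API response when it is false, hence the negation.
network_policy_enabled if {
    not input.addonsConfig.networkPolicyConfig.disabled
    input.networkPolicy.enabled == true
}

violation contains msg if {
    not dataplane_v2_enabled
    not network_policy_enabled
    msg := "cluster does not enforce network policies: enable NetworkPolicy or use GKE Dataplane V2"
}

# Constructed test inputs; run with `opa test` on this file.
test_dataplane_v2_is_valid if {
    valid with input as {"networkConfig": {"datapathProvider": "ADVANCED_DATAPATH"}}
}

test_legacy_dataplane_with_network_policy_is_valid if {
    valid with input as {
        "networkConfig": {"datapathProvider": "LEGACY_DATAPATH"},
        "addonsConfig": {"networkPolicyConfig": {}},
        "networkPolicy": {"enabled": true}
    }
}

test_no_enforcement_is_invalid if {
    not valid with input as {"networkConfig": {"datapathProvider": "LEGACY_DATAPATH"}}
}
```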
Policy: use secure boot on the nodes

Description

Create a policy that ensures that secure boot is enabled on node pools.
Secure boot is a node pool setting that's disabled by default on GKE because third-party unsigned kernel modules cannot be loaded when secure boot is enabled.

This is covered in CIS for GKE Benchmark v1.2.0, id 5.5.7.

References

Policy: Google Groups for RBAC enabled

Description

Create a policy that ensures that the cluster has Google Groups for RBAC configured.

This is covered in CIS for GKE Benchmark v1.2.0, id 5.8.3.

References

Introduce version command

Description

Introduce a ./gke-policy version command to print out the current version of the tool.
The version information should be either:

  • version from GH release for binaries created by goreleaser
  • commit SHA otherwise

References

N/A

Policy Evaluation result JSON output to Pub/Sub

Description

Introduce the possibility of sending JSON policy evaluation results to a Pub/Sub topic.

  • #32
  • Introduce a Pub/Sub writer of JSON results
  • Introduce a configuration file option relevant for the Pub/Sub integration

References

N/A

Add Office Open XML file output format

Description

Add support for Office Open XML format to the file output.

References

Improve efficiency of K8S resources fetching

Description

The current implementation fetches resources from the K8S API server serially in the main thread.
This is a bottleneck and, for clusters with a larger amount of resources, it is a no-go. The goal is to improve the efficiency of how we fetch K8S resources, i.e. by adding more threads or tweaking the K8S dynamic client.

References

N/A

Policy descriptions: add recommendation description and documentation links

Description

As GKE Policy Automation user, I would like to see recommended actions and documentation links for any violated policy, so I will be able to promptly address the issue.

The idea is to enhance existing policy metadata with:

  • Recommendations: string describing recommended actions to solve the problem.
  • List of URLs to the web pages with additional information about the issue and solution (i.e. feature documentation, best practices docs)

The metadata can be then used in JSON output, Security Command Center and possibly console output (with verbosity in mind).

References

N/A

Policy: use node integrity monitoring on node pools

Description

Create a policy that checks if node pools are using integrity monitoring.

References

Policy: use GKE shielded nodes

Description

Create a policy that checks if the cluster is using shielded nodes.

References

Policy: forbid using default service account for GKE nodes

Description

Create a policy that checks if the cluster is using the default compute service account on its nodes.

References

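As an added example serving the three node pool policy requests above (secure boot, integrity monitoring and the default node service account), not code from this repository: one Rego policy that walks every node pool and reports a violation per pool, with unit tests. It assumes the policy input is the cluster object in the GKE REST API's JSON shape (nodePools[].config.shieldedInstanceConfig and nodePools[].config.serviceAccount are assumed paths) and that the API reports the Compute Engine default service account as the literal string "default".

```rego
package gke.policy.node_pool_hardening

import rego.v1

default valid := false

# The cluster passes only when no node pool produces a violation.
valid if count(violation) == 0

# Secure boot is off unless the pool enables it explicitly, so a missing
# shieldedInstanceConfig counts as a violation (CIS GKE Benchmark 5.5.7).
violation contains msg if {
    some pool in input.nodePools
    not pool.config.shieldedInstanceConfig.enableSecureBoot
    msg := sprintf("node pool %q has secure boot disabled", [pool.name])
}

violation contains msg if {
    some pool in input.nodePools
    not pool.config.shieldedInstanceConfig.enableIntegrityMonitoring
    msg := sprintf("node pool %q has integrity monitoring disabled", [pool.name])
}

# Assumption: the API reports the Compute Engine default service account
# as the literal string "default".
violation contains msg if {
    some pool in input.nodePools
    pool.config.serviceAccount == "default"
    msg := sprintf("node pool %q runs on the default compute service account", [pool.name])
}

# Constructed test inputs; run with `opa test` on this file.
hardened_pool := {"name": "hardened", "config": {
    "serviceAccount": "gke-nodes@my-project.iam.gserviceaccount.com",
    "shieldedInstanceConfig": {"enableSecureBoot": true, "enableIntegrityMonitoring": true}}}

default_pool := {"name": "default-pool", "config": {
    "serviceAccount": "default",
    "shieldedInstanceConfig": {"enableIntegrityMonitoring": true}}}

test_hardened_pool_is_valid if {
    valid with input as {"nodePools": [hardened_pool]}
}

test_default_pool_reports_two_violations if {
    v := violation with input as {"nodePools": [hardened_pool, default_pool]}
    count(v) == 2
    "node pool \"default-pool\" has secure boot disabled" in v
}
```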