fix: Remove PodSecurityPolicy requirement for gcp_gke_restrict_pod_tr…

…affic constraint template (#415) * fix: Remove PodSecurityPolicy requirement for pod communication template * fix: Archive gcp_gke_restrict_pod_traffic_v1 and create v2 Co-authored-by: Morgante Pell <morgantep@google.com>
GoogleCloudPlatform · Nov 22, 2021 · c873feb · c873feb
1 parent 671c270
commit c873feb
Show file tree

Hide file tree

Showing 7 changed files with 126 additions and 189 deletions.
diff --git a/policies/templates/gcp_gke_restrict_pod_traffic_v2.yaml b/policies/templates/gcp_gke_restrict_pod_traffic_v2.yaml
@@ -0,0 +1,91 @@
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Check to see if GKE pod traffic is restricted with network policy.
+
+apiVersion: templates.gatekeeper.sh/v1alpha1
+kind: ConstraintTemplate
+metadata:
+  name: gcp-restrict-pod-traffic-v2
+spec:
+  crd:
+    spec:
+      names:
+        kind: GCPGKERestrictPodTrafficConstraintV2
+      validation:
+        openAPIV3Schema:
+          properties: {}
+  targets:
+    validation.gcp.forsetisecurity.org:
+      rego: | #INLINE("validator/gke_restrict_pod_traffic.rego")
+         #
+         # Copyright 2018 Google LLC
+         #
+         # Licensed under the Apache License, Version 2.0 (the "License");
+         # you may not use this file except in compliance with the License.
+         # You may obtain a copy of the License at
+         #
+         #      http://www.apache.org/licenses/LICENSE-2.0
+         #
+         # Unless required by applicable law or agreed to in writing, software
+         # distributed under the License is distributed on an "AS IS" BASIS,
+         # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+         # See the License for the specific language governing permissions and
+         # limitations under the License.
+         #
+         
+         package templates.gcp.GCPGKERestrictPodTrafficConstraintV2
+         
+         import data.validator.gcp.lib as lib
+         
+         deny[{
+         	"msg": message,
+         	"details": metadata,
+         }] {
+         	constraint := input.constraint
+         	asset := input.asset
+         	asset.asset_type == "container.googleapis.com/Cluster"
+         
+         	container := asset.resource.data
+         	not check_all_enabled(container)
+         
+         	message := sprintf("%v doesn't restrict traffic among pods with a network policy.", [asset.name])
+         	metadata := {"resource": asset.name}
+         }
+         
+         ###########################
+         # Rule Utilities
+         ###########################
+         check_all_enabled(container) {
+         	network_policy_config_enabled(container) == true
+         	network_policy_enabled(container) == true
+         }
+         
+         network_policy_config_enabled(container) {
+         	# URL to network policy config: 
+         	# https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#Cluster.NetworkPolicyConfig
+         	addons_config := lib.get_default(container, "addonsConfig", {})
+         	networkPolicyConfig := lib.get_default(addons_config, "networkPolicyConfig", {})
+         	network_policy_config_disabled := lib.get_default(networkPolicyConfig, "disabled", false)
+         	network_policy_config_disabled == false
+         }
+         
+         network_policy_enabled(container) = network_policy_enabled {
+         	# URL to network policy: 
+         	# https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#Cluster.NetworkPolicy
+         	network_policy := lib.get_default(container, "networkPolicy", {})
+         	network_policy_enabled := lib.get_default(network_policy, "enabled", false)
+         	network_policy_enabled == true
+         }
+         #ENDINLINE
diff --git a/...ates/gcp_gke_restrict_pod_traffic_v1.yaml → ...gacy/gcp_gke_restrict_pod_traffic_v1.yaml b/...ates/gcp_gke_restrict_pod_traffic_v1.yaml → ...gacy/gcp_gke_restrict_pod_traffic_v1.yaml
diff --git a/samples/gke_restrict_pod_traffic.yaml b/samples/gke_restrict_pod_traffic.yaml
@@ -13,7 +13,7 @@
 # limitations under the License.
 #
 apiVersion: constraints.gatekeeper.sh/v1alpha1
-kind: GCPGKERestrictPodTrafficConstraintV1
+kind: GCPGKERestrictPodTrafficConstraintV2
 metadata:
   name: gke_restrict_pod_traffic
   annotations:

diff --git a/samples/legacy/gke_restrict_pod_traffic_v1.yaml b/samples/legacy/gke_restrict_pod_traffic_v1.yaml
@@ -0,0 +1,28 @@
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+apiVersion: constraints.gatekeeper.sh/v1alpha1
+kind: GCPGKERestrictPodTrafficConstraintV1
+metadata:
+  name: gke_restrict_pod_traffic
+  annotations:
+    benchmark: GKE_HARDENING_GUIDELINE
+    bundles.validator.forsetisecurity.org/scorecard-v1: security
+    description: Checks that GKE clusters have a Network Policy installed.
+spec:
+  severity: high
+  match:
+    target: # {"$ref":"#/definitions/io.k8s.cli.setters.target"}
+    - "organizations/**"
+  parameters: {}
diff --git a/validator/gke_restrict_pod_traffic.rego b/validator/gke_restrict_pod_traffic.rego
@@ -14,7 +14,7 @@
 # limitations under the License.
 #
 
-package templates.gcp.GCPGKERestrictPodTrafficConstraintV1
+package templates.gcp.GCPGKERestrictPodTrafficConstraintV2
 
 import data.validator.gcp.lib as lib
 
@@ -38,7 +38,6 @@ deny[{
 ###########################
 check_all_enabled(container) {
 	network_policy_config_enabled(container) == true
-	pod_security_policy_config_enabled(container) == true
 	network_policy_enabled(container) == true
 }
 
@@ -51,14 +50,6 @@ network_policy_config_enabled(container) {
 	network_policy_config_disabled == false
 }
 
-pod_security_policy_config_enabled(container) = pod_security_policy_config_enabled {
-	# URL to security policy config:
-	# https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#Cluster.PodSecurityPolicyConfig
-	pod_security_policy_config := lib.get_default(container, "podSecurityPolicyConfig", {})
-	pod_security_policy_config_enabled := lib.get_default(pod_security_policy_config, "enabled", false)
-	pod_security_policy_config_enabled == true
-}
-
 network_policy_enabled(container) = network_policy_enabled {
 	# URL to network policy: 
 	# https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#Cluster.NetworkPolicy

diff --git a/validator/gke_restrict_pod_traffic_test.rego b/validator/gke_restrict_pod_traffic_test.rego
@@ -14,7 +14,7 @@
 # limitations under the License.
 #
 
-package templates.gcp.GCPGKERestrictPodTrafficConstraintV1
+package templates.gcp.GCPGKERestrictPodTrafficConstraintV2
 
 import data.validator.gcp.lib as lib
 
@@ -42,20 +42,16 @@ good_config_no_violations[violation] {
 
 test_violations_basic {
 	# 3 violation cases in the test fixtures:
-	#   1. network_policy_config disabled
-	#   2. network_policy does not exist
-	#   3. network_policy exists and set to false
-	#   4. podsecurityconfig does not exist
-	#   5. podsecurityconfig exists and set to false
-	count(all_violations) == 5
+	#   1. network_policy_config enabled and network_policy does not exist
+	#   2. network_policy_config disabled
+	#   3. network_policy_config enabled and network_policy disabled
+	count(all_violations) == 3
 	violation := all_violations[_]
 	resource_names := {x | x = all_violations[_].details.resource}
 	expected_resource_name := {
 		"//container.googleapis.com/projects/transfer-repos/zones/us-central1-c/clusters/joe-clust",
 		"//container.googleapis.com/projects/transfer-repos/zones/us-central1-c/clusters/joe-clust2",
-		"//container.googleapis.com/projects/transfer-repos/zones/us-central1-c/clusters/joe-clust3",
 		"//container.googleapis.com/projects/transfer-repos/zones/us-central1-c/clusters/joe-clust5",
-		"//container.googleapis.com/projects/transfer-repos/zones/us-central1-c/clusters/joe-clust6",
 	}
 
 	resource_names == expected_resource_name

diff --git a/validator/test/fixtures/gke_restrict_pod_traffic/assets/data.json b/validator/test/fixtures/gke_restrict_pod_traffic/assets/data.json
@@ -154,89 +154,6 @@
       }
     }
   },
-  {
-    "name": "//container.googleapis.com/projects/transfer-repos/zones/us-central1-c/clusters/joe-clust3",
-    "asset_type": "container.googleapis.com/Cluster",
-    "resource": {
-      "version": "v1",
-      "discovery_document_uri": "https://container.googleapis.com/$discovery/rest",
-      "discovery_name": "Cluster",
-      "parent": "//cloudresourcemanager.googleapis.com/projects/282148707733",
-      "data": {
-        "addonsConfig": {
-          "networkPolicyConfig": {
-            "disabled": false
-          },
-          "kubernetesDashboard": {
-            "disabled": true
-          }
-        },
-        "networkPolicy": {
-          "provider": "this_is_a_provider",
-          "enabled": true
-        },
-        "clusterIpv4Cidr": "10.44.0.0/14",
-        "createTime": "2016-11-19T05:58:02+00:00",
-        "currentMasterVersion": "1.10.11-gke.1",
-        "currentNodeCount": 4,
-        "currentNodeVersion": "1.4.6",
-        "endpoint": "104.196.229.72",
-        "initialClusterVersion": "1.4.6",
-        "instanceGroupUrls": [
-          "https://www.googleapis.com/compute/v1/projects/pso-cicd8/zones/us-west1-b/instanceGroupManagers/gke-canary-west-default-pool-496ebc1d-grp"
-        ],
-        "legacyAbac": {
-          "enabled": true
-        },
-        "location": "us-west1-b",
-        "locations": ["us-west1-b"],
-        "loggingService": "logging.googleapis.com",
-        "monitoringService": "none",
-        "name": "canary-west",
-        "network": "default",
-        "networkConfig": {
-          "network": "projects/pso-cicd8/global/networks/default",
-          "subnetwork": "projects/pso-cicd8/regions/us-west1/subnetworks/default"
-        },
-        "nodeIpv4CidrSize": 24,
-        "nodePools": [
-          {
-            "autoscaling": {},
-            "config": {
-              "diskSizeGb": 100,
-              "imageType": "COS",
-              "machineType": "n1-standard-1",
-              "oauthScopes": [
-                "https://www.googleapis.com/auth/compute",
-                "https://www.googleapis.com/auth/devstorage.read_only",
-                "https://www.googleapis.com/auth/logging.write",
-                "https://www.googleapis.com/auth/servicecontrol",
-                "https://www.googleapis.com/auth/service.management.readonly",
-                "https://www.googleapis.com/auth/trace.append"
-              ],
-              "serviceAccount": "default"
-            },
-            "initialNodeCount": 2,
-            "instanceGroupUrls": [
-              "https://www.googleapis.com/compute/v1/projects/pso-cicd8/zones/us-west1-b/instanceGroupManagers/gke-canary-west-default-pool-496ebc1d-grp"
-            ],
-            "management": {
-              "autoUpgrade": "true"
-            },
-            "name": "default-pool",
-            "selfLink": "https://container.googleapis.com/v1/projects/pso-cicd8/zones/us-west1-b/clusters/canary-west/nodePools/default-pool",
-            "status": "RUNNING",
-            "version": "1.4.6"
-          }
-        ],
-        "selfLink": "https://container.googleapis.com/v1/projects/pso-cicd8/zones/us-west1-b/clusters/canary-west",
-        "servicesIpv4Cidr": "10.47.240.0/20",
-        "status": "RUNNING",
-        "subnetwork": "default",
-        "zone": "us-west1-b"
-      }
-    }
-  },
   {
     "name": "//container.googleapis.com/projects/transfer-repos/zones/us-central1-c/clusters/joe-clust4",
     "asset_type": "container.googleapis.com/Cluster",
@@ -408,91 +325,5 @@
         "zone": "us-west1-b"
       }
     }
-  },
-  {
-    "name": "//container.googleapis.com/projects/transfer-repos/zones/us-central1-c/clusters/joe-clust6",
-    "asset_type": "container.googleapis.com/Cluster",
-    "resource": {
-      "version": "v1",
-      "discovery_document_uri": "https://container.googleapis.com/$discovery/rest",
-      "discovery_name": "Cluster",
-      "parent": "//cloudresourcemanager.googleapis.com/projects/282148707733",
-      "data": {
-        "addonsConfig": {
-          "networkPolicyConfig": {
-            "disabled": false
-          },
-          "kubernetesDashboard": {
-            "disabled": true
-          }
-        },
-        "networkPolicy": {
-          "provider": "this_is_a_provider",
-          "enabled": true
-        },
-        "podSecurityPolicyConfig": {
-          "enabled": false
-        },
-        "clusterIpv4Cidr": "10.44.0.0/14",
-        "createTime": "2016-11-19T05:58:02+00:00",
-        "currentMasterVersion": "1.10.11-gke.1",
-        "currentNodeCount": 4,
-        "currentNodeVersion": "1.4.6",
-        "endpoint": "104.196.229.72",
-        "initialClusterVersion": "1.4.6",
-        "instanceGroupUrls": [
-          "https://www.googleapis.com/compute/v1/projects/pso-cicd8/zones/us-west1-b/instanceGroupManagers/gke-canary-west-default-pool-496ebc1d-grp"
-        ],
-        "legacyAbac": {
-          "enabled": true
-        },
-        "location": "us-west1-b",
-        "locations": ["us-west1-b"],
-        "loggingService": "logging.googleapis.com",
-        "monitoringService": "none",
-        "name": "canary-west",
-        "network": "default",
-        "networkConfig": {
-          "network": "projects/pso-cicd8/global/networks/default",
-          "subnetwork": "projects/pso-cicd8/regions/us-west1/subnetworks/default"
-        },
-        "nodeIpv4CidrSize": 24,
-        "nodePools": [
-          {
-            "autoscaling": {},
-            "config": {
-              "diskSizeGb": 100,
-              "imageType": "COS",
-              "machineType": "n1-standard-1",
-              "oauthScopes": [
-                "https://www.googleapis.com/auth/compute",
-                "https://www.googleapis.com/auth/devstorage.read_only",
-                "https://www.googleapis.com/auth/logging.write",
-                "https://www.googleapis.com/auth/servicecontrol",
-                "https://www.googleapis.com/auth/service.management.readonly",
-                "https://www.googleapis.com/auth/trace.append"
-              ],
-              "serviceAccount": "default"
-            },
-            "initialNodeCount": 2,
-            "instanceGroupUrls": [
-              "https://www.googleapis.com/compute/v1/projects/pso-cicd8/zones/us-west1-b/instanceGroupManagers/gke-canary-west-default-pool-496ebc1d-grp"
-            ],
-            "management": {
-              "autoUpgrade": "true"
-            },
-            "name": "default-pool",
-            "selfLink": "https://container.googleapis.com/v1/projects/pso-cicd8/zones/us-west1-b/clusters/canary-west/nodePools/default-pool",
-            "status": "RUNNING",
-            "version": "1.4.6"
-          }
-        ],
-        "selfLink": "https://container.googleapis.com/v1/projects/pso-cicd8/zones/us-west1-b/clusters/canary-west",
-        "servicesIpv4Cidr": "10.47.240.0/20",
-        "status": "RUNNING",
-        "subnetwork": "default",
-        "zone": "us-west1-b"
-      }
-    }
   }
 ]