
Samples seem wrong and documentation seems lacking on target combined with Forseti v2.25.2 #385

Open
vvdaal opened this issue Nov 10, 2020 · 3 comments

Comments


vvdaal commented Nov 10, 2020

https://github.com/forseti-security/policy-library/blob/master/docs/user_guide.md mentions "organizations" (plural).
Pretty much all examples on https://github.com/forseti-security/policy-library/tree/master/samples also mention "organizations" (plural).

However, when you use Forseti v2.25.2 (installed with the Forseti Terraform Module), it seems any constraint that uses "organizations" for the target fails to work. What I mean by "fails to work" is that the constraints are not being processed and do nothing.

This seems related to: #372

Example that works on Forseti v2.25.2 (Note the non-plural organization):

```yaml
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPEnforceLabelConstraintV1
metadata:
  name: require_labels
spec:
  severity: high
  match:
    target:
    - organization/123456789
  parameters:
    # required parameter: list of label objects that resources should have.
    # A label object is composed of a key value pair like:
    #
    #   "label_key": "label_value_regex_to_match"
    #
    # Any missing label results in a violation. For instance a resource with no label1 or label2 label,
    # in this sample case, would raise 2 violations: one for label1 being absent and one for label2.
    #
    # In the same spirit, a resource with label1 or label2 present, but with values not matching their respective regex
    # would also raise one violation per mismatch.
    #
    # In the following example, valid values for a label named "label1" would be only "label1-value",
    # but a label named label2 could have various values like "label2-value", "label2-valueOK" etc.
    #
    # A violation is raised if the label value does not match the pattern passed as a parameter here.
    mandatory_labels:
      - "owner": "^[a-zA-Z0-9]+$"
      - "service": "^[a-zA-Z0-9-]+$"
      - "environment": "prod|dta"

    # optional parameter: list of resource types to scan for labels
    # In this case we want to scan all resources so we comment this out.
    # any resource that is not of these types will not raise any violation.
    # In this sample use case, only non-compliant projects and buckets would be flagged.
    # If not passed, all tested resource types would be scanned for (see template for full list)
    #resource_types_to_scan:
    #  - "cloudresourcemanager.googleapis.com/Project"
    #  - "storage.googleapis.com/Bucket"
```

Not working on Forseti v2.25.2 (Note the plural organizations):

```yaml
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPEnforceLabelConstraintV1
metadata:
  name: require_labels
spec:
  severity: high
  match:
    target:
    - organizations/123456789
  parameters:
    # required parameter: list of label objects that resources should have.
    # A label object is composed of a key value pair like:
    #
    #   "label_key": "label_value_regex_to_match"
    #
    # Any missing label results in a violation. For instance a resource with no label1 or label2 label,
    # in this sample case, would raise 2 violations: one for label1 being absent and one for label2.
    #
    # In the same spirit, a resource with label1 or label2 present, but with values not matching their respective regex
    # would also raise one violation per mismatch.
    #
    # In the following example, valid values for a label named "label1" would be only "label1-value",
    # but a label named label2 could have various values like "label2-value", "label2-valueOK" etc.
    #
    # A violation is raised if the label value does not match the pattern passed as a parameter here.
    mandatory_labels:
      - "owner": "^[a-zA-Z0-9]+$"
      - "service": "^[a-zA-Z0-9-]+$"
      - "environment": "prod|dta"

    # optional parameter: list of resource types to scan for labels
    # In this case we want to scan all resources so we comment this out.
    # any resource that is not of these types will not raise any violation.
    # In this sample use case, only non-compliant projects and buckets would be flagged.
    # If not passed, all tested resource types would be scanned for (see template for full list)
    #resource_types_to_scan:
    #  - "cloudresourcemanager.googleapis.com/Project"
    #  - "storage.googleapis.com/Bucket"
```

Why am I seeing this behavior? Are the docs and samples wrong? Does Forseti v2.25.2 have a bug? Any leads would be helpful.
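A small lint script, added here as an example and not part of policy-library or Forseti, that scans a constraint file for the plural target form described in this issue, so a constraint that would silently do nothing is caught before it is deployed. It assumes that `project` segments follow the same singular pattern as `organization` and `folder`, and it walks the block-list layout of the samples with a simple indentation scan instead of PyYAML.

```python
from __future__ import annotations
import re

# One ancestry segment in the singular form reported as working on Forseti v2.25.2
# (assumption: "project" segments follow the same pattern as organization/folder).
SEGMENT = r"(organization|folder|project)/([0-9]+|\*|[a-z][a-z0-9-]*)"
SINGULAR_TARGET = re.compile(rf"^{SEGMENT}(/{SEGMENT})*$")
PLURAL_SEGMENT = re.compile(r"(^|/)(organizations|folders|projects)/")
LIST_ITEM = re.compile(r"^-\s*['\"]?([^'\"\s]+)['\"]?$")

# Constructed sample: the plural and singular forms from the issue side by side.
SAMPLE = """\
spec:
  match:
    target:
    - organizations/123456789
    - organization/123456789
    - "folder/*"
  parameters:
    mandatory_labels:
      - "owner": "^[a-zA-Z0-9]+$"
"""

def extract_targets(yaml_text: str) -> list[tuple[int, str]]:
    """Return (line, value) pairs listed under a `target:` key (block-list layout only)."""
    targets, in_target, target_indent = [], False, -1
    for num, line in enumerate(yaml_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments do not end the list
        indent = len(line) - len(line.lstrip())
        if stripped == "target:":
            in_target, target_indent = True, indent
            continue
        item = LIST_ITEM.match(stripped) if in_target else None
        if item and indent >= target_indent:
            targets.append((num, item.group(1)))
        else:
            in_target = False  # any other line closes the target list
    return targets

def lint_targets(yaml_text: str) -> list[tuple[int, str, str]]:
    """Flag targets that Forseti v2.25.2 would silently match nothing against."""
    findings = []
    for num, target in extract_targets(yaml_text):
        if PLURAL_SEGMENT.search(target):
            findings.append((num, target, "plural segment: never applied, use singular"))
        elif not SINGULAR_TARGET.match(target):
            findings.append((num, target, "unrecognised target syntax"))
    return findings
```

Run `lint_targets` over every constraint file in the policy directory and fail the CI step on any finding; the `organizations/*` wildcard from the second comment is flagged the same way.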

@ralsu091

I think you are right, I tried using the `always_violates_all` constraint with "organizations/*" and that didn't work (nothing was reported). I used the singular form of organization and folder and Forseti was able to report violations.

Hopefully we can get clarification on when we should use plural vs singular.

@morgante
Contributor

@gkowalski-google Is Forseti on an old version of Config Validator?


vvdaal commented Nov 12, 2020

I also tested the master branch of this repo which uses the new docker config validator (with the default tag). Same problem.
