[Blocked] Policy for GKE private google access #177
Conversation
charliewolf
requested review from
AdrienWalkowiak,
briantkennedy,
joecheuk,
morgante and
t12g
as code owners
| cluster := asset.resource.data | ||
| private_google_access_disabled(cluster) | ||
|
|
||
| message := sprintf("Stackdriver monitoring is disabled in cluster %v.", [asset.name]) |
| cluster := asset.resource.data | ||
| private_google_access_disabled(cluster) | ||
|
|
||
| message := sprintf("Stackdriver monitoring is disabled in cluster %v.", [asset.name]) |
charliewolf
force-pushed
the
feature/private-google-access
branch
from
ec8b2c2
to
ec92f02
Compare
|
This rule won't work with Forseti today due to the pagination and the need for this rule to reference data that may not be available. @joecheuk can you work to define how we should annotate this in regards to not usable with Forseti. I suspect this rule will work fine in Gatekeeper since all the k8s data will all be available at eval time. |
|
@dekuhn This certainly wouldn't work in Gatekeeper because it depends on looking at the configuration of the subnets which GKE is running on (information which is never actually exposed to k8s). |
|
@morgante would this be a useful in CFT Scorecard? @blueandgold @ryanismert the team should think about how we could run such a scan within Forseti. We will have this challenge with other rules going forward I am sure. |
|
@dekuhn It would be, if/when we support referential constraints. |
|
@blueandgold @charliewolf @joecheuk I don't think we want to accept this rule due to the referential data and the decision by the CV team to no support referential constraints at this time. Should we close this PR as it and preserve its details. We could reopen at some point in the future when referential constraints will be supported. |
dekuhn
changed the title
Blocked Details: This PR is blocked due to the need for referential data in the Rego rule.