[Blocked] Policy for GKE private google access #177
base: main
Conversation
```rego
cluster := asset.resource.data
private_google_access_disabled(cluster)

message := sprintf("Stackdriver monitoring is disabled in cluster %v.", [asset.name])
```
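Review bot: the violation message on the last line of this snippet does not describe what the rule checks: the body calls `private_google_access_disabled(cluster)`, but the message reports that Stackdriver monitoring is disabled, so a finding would misdirect whoever triages it. Change the message to name the actual condition, e.g. `message := sprintf("Private Google Access is disabled for cluster %v.", [asset.name])`.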
Message doesn't match the rule.
ec8b2c2 to ec92f02
This rule won't work with Forseti today due to the pagination and the need for this rule to reference data that may not be available. @joecheuk can you work to define how we should annotate this in regards to not being usable with Forseti? I suspect this rule will work fine in Gatekeeper since all the k8s data will be available at eval time.
@dekuhn This certainly wouldn't work in Gatekeeper because it depends on looking at the configuration of the subnets which GKE is running on (information which is never actually exposed to k8s).
@morgante would this be useful in CFT Scorecard? @blueandgold @ryanismert the team should think about how we could run such a scan within Forseti. We will have this challenge with other rules going forward I am sure.
@dekuhn It would be, if/when we support referential constraints.
@blueandgold @charliewolf @joecheuk I don't think we want to accept this rule due to the referential data and the decision by the CV team to not support referential constraints at this time. Should we close this PR as is and preserve its details? We could reopen at some point in the future when referential constraints will be supported.
Blocked Details: This PR is blocked due to the need for referential data in the Rego rule.
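As an added example (not code from this PR or from the policy-library project), the script below performs the referential lookup the thread describes outside Rego: a GKE cluster record only names the subnetwork it runs on, while the `privateIpGoogleAccess` flag lives on the separate `compute.googleapis.com/Subnetwork` record, so the check has to join the two. It runs over Cloud Asset Inventory (CAI) style records constructed inline, and it reports a distinct "unknown" result when the subnet record is absent from the export, which is the partial-data case raised above for Forseti. The record shapes, the `subnetwork`/`location` fields, the shared-VPC path handling and all helper names are assumptions made for illustration.

```python
"""Added example (not code from the PR or the policy-library project).

Joins GKE cluster records to their subnetwork records to evaluate Private
Google Access, which is the referential lookup the PR thread says Forseti and
Gatekeeper cannot perform today.

Assumed shapes (hypothetical, for illustration): asset_type / name /
resource.data as in CAI exports; cluster data has `subnetwork` and `location`;
subnet data has `privateIpGoogleAccess`.
"""
from __future__ import annotations

CLUSTER_TYPE = "container.googleapis.com/Cluster"
SUBNET_TYPE = "compute.googleapis.com/Subnetwork"


def _subnet(project: str, region: str, name: str, pga: bool) -> dict:
    return {"asset_type": SUBNET_TYPE,
            "name": f"//compute.googleapis.com/projects/{project}/regions/{region}/subnetworks/{name}",
            "resource": {"data": {"privateIpGoogleAccess": pga}}}


def _cluster(project: str, location: str, name: str, subnetwork: str) -> dict:
    return {"asset_type": CLUSTER_TYPE,
            "name": f"//container.googleapis.com/projects/{project}/locations/{location}/clusters/{name}",
            "resource": {"data": {"subnetwork": subnetwork, "location": location}}}


# Constructed sample inventory: one compliant cluster, one on a subnet with
# Private Google Access off, one whose subnet record never made it into the export.
SAMPLE_ASSETS = [
    _subnet("p1", "us-central1", "pga-on", True),
    _subnet("p1", "us-central1", "pga-off", False),
    _cluster("p1", "us-central1", "good", "pga-on"),
    _cluster("p1", "us-central1-a", "bad", "pga-off"),      # zonal cluster, regional subnet
    _cluster("p1", "us-central1", "orphan", "no-such-subnet"),
]


def project_of(asset_name: str) -> str:
    """'//container.googleapis.com/projects/p1/locations/...' -> 'p1'."""
    return asset_name.split("/projects/", 1)[1].split("/", 1)[0]


def region_of(location: str) -> str:
    """Zonal 'us-central1-a' and regional 'us-central1' both map to 'us-central1'."""
    return "-".join(location.split("-")[:2])


def subnet_ref(cluster: dict) -> str:
    """Build the CAI name of the subnetwork a cluster runs on (assumed naming)."""
    data = cluster["resource"]["data"]
    subnetwork = data["subnetwork"]
    if subnetwork.startswith("projects/"):
        # Shared-VPC style full path (assumed shape): the subnet may live in a host project.
        return "//compute.googleapis.com/" + subnetwork
    return (f"//compute.googleapis.com/projects/{project_of(cluster['name'])}"
            f"/regions/{region_of(data['location'])}/subnetworks/{subnetwork}")


def private_google_access_findings(assets: list[dict]) -> list[dict]:
    """Join clusters to subnets and report problems.

    Returns one finding per problem cluster with status 'violation' (subnet has
    Private Google Access off) or 'unknown' (subnet not in the inventory, so the
    rule cannot be evaluated and must not silently pass).
    """
    subnets = {a["name"]: bool(a["resource"]["data"].get("privateIpGoogleAccess"))
               for a in assets if a["asset_type"] == SUBNET_TYPE}
    findings = []
    for asset in assets:
        if asset["asset_type"] != CLUSTER_TYPE:
            continue
        ref = subnet_ref(asset)
        if ref not in subnets:
            findings.append({"cluster": asset["name"], "status": "unknown",
                             "message": f"Subnetwork {ref} is not in the inventory; "
                                        f"Private Google Access for cluster {asset['name']} cannot be evaluated."})
        elif not subnets[ref]:
            # The message names the condition actually checked.
            findings.append({"cluster": asset["name"], "status": "violation",
                             "message": f"Private Google Access is disabled on subnetwork {ref} "
                                        f"used by cluster {asset['name']}."})
    return findings


if __name__ == "__main__":
    for finding in private_google_access_findings(SAMPLE_ASSETS):
        print(finding["status"].upper(), finding["message"])
```

The "unknown" status is the part that matters for the pagination concern: if the subnet record is missing from the evaluated page of data, a rule that simply fails to match would report no violation, so the join should distinguish "compliant" from "could not evaluate".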