This repository was archived by the owner on Aug 20, 2025. It is now read-only.

[Blocked] Policy for GKE private google access#177

Open
charliewolf wants to merge 1 commit into GoogleCloudPlatform:main from charliewolf:feature/private-google-access

Conversation

@charliewolf
Contributor

@charliewolf charliewolf commented Sep 23, 2019

Blocked Details: This PR is blocked due to the need for referential data in the Rego rule.

cluster := asset.resource.data
private_google_access_disabled(cluster)

message := sprintf("Stackdriver monitoring is disabled in cluster %v.", [asset.name])

Message doesn't match the rule.

@charliewolf charliewolf force-pushed the feature/private-google-access branch from ec8b2c2 to ec92f02 on October 16, 2019 15:57
@dekuhn
Contributor

dekuhn commented Oct 21, 2019

This rule won't work with Forseti today due to the pagination and the need for this rule to reference data that may not be available. @joecheuk can you work to define how we should annotate this with regard to it not being usable with Forseti.

I suspect this rule will work fine in Gatekeeper since all the k8s data will all be available at eval time.

@morgante
Contributor

@dekuhn This certainly wouldn't work in Gatekeeper because it depends on looking at the configuration of the subnets which GKE is running on (information which is never actually exposed to k8s).
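To make the "referential data" in this thread concrete, here is an added sketch of the template logic; it is not the PR's own rule nor anything from policy-library. It assumes the subnetwork assets are reachable as `data.assets` (a hypothetical layout) and that subnetwork names are unique within the evaluation scope. The second `deny` reports an unresolved lookup instead of passing silently, which is the false-negative risk the pagination concern above implies.

```rego
package templates.gcp.GKEPrivateGoogleAccessConstraintV1

# Added illustration (not the PR's rule). Assumes every asset in the
# evaluation scope is reachable as data.assets[_] (hypothetical layout),
# that a cluster's "subnetwork" field holds the subnetwork's short name,
# and that subnetwork names are unique in scope.

# Violation: the cluster's subnetwork is in scope and has Private Google
# Access switched off.
deny[{"msg": message, "details": metadata}] {
    asset := input.asset
    asset.asset_type == "container.googleapis.com/Cluster"
    cluster := asset.resource.data
    subnet := subnet_for_cluster(cluster)
    subnet.privateIpGoogleAccess == false
    message := sprintf("Private Google Access is disabled on subnetwork %v used by cluster %v.",
                       [subnet.name, asset.name])
    metadata := {"resource": asset.name, "subnetwork": subnet.name}
}

# Gap, not compliance: the referenced subnetwork is not in scope (for
# example because the inventory was paginated), so the check is undecidable.
# Surfacing it avoids a silent false negative.
deny[{"msg": message, "details": metadata}] {
    asset := input.asset
    asset.asset_type == "container.googleapis.com/Cluster"
    cluster := asset.resource.data
    not subnet_for_cluster(cluster)
    message := sprintf("Cannot evaluate Private Google Access for cluster %v: subnetwork %v is not in scope.",
                       [asset.name, cluster.subnetwork])
    metadata := {"resource": asset.name, "subnetwork": cluster.subnetwork}
}

# The referential lookup that makes this rule unsuitable for per-asset
# evaluation: it needs a second asset type (Subnetwork) beside the cluster
# being checked, and Kubernetes never exposes that subnet configuration.
subnet_for_cluster(cluster) = subnet {
    s := data.assets[_]
    s.asset_type == "compute.googleapis.com/Subnetwork"
    s.resource.data.name == cluster.subnetwork
    subnet := s.resource.data
}
```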

@dekuhn
Contributor

dekuhn commented Oct 21, 2019

@morgante would this be useful in CFT Scorecard?

@blueandgold @ryanismert the team should think about how we could run such a scan within Forseti. We will have this challenge with other rules going forward I am sure.

@morgante
Contributor

@dekuhn It would be, if/when we support referential constraints.

@dekuhn
Contributor

dekuhn commented Oct 22, 2019

@blueandgold @charliewolf @joecheuk I don't think we want to accept this rule due to the referential data and the decision by the CV team to not support referential constraints at this time.

Should we close this PR as is and preserve its details? We could reopen at some point in the future when referential constraints are supported.

@dekuhn dekuhn changed the title Policy for GKE private google access [Blocked] Policy for GKE private google access Oct 24, 2019