From ad42befde14fb71368b8f61e0eb0fc1096825912 Mon Sep 17 00:00:00 2001 From: Charlie Wolf Date: Mon, 23 Dec 2019 04:18:29 -0800 Subject: [PATCH] CIS 4.07: Shielded VMs --- .../templates/gcp_compute_shielded_v1.yaml | 119 +++++++++ samples/compute_shielded.yaml | 24 ++ validator/compute_shielded.rego | 79 ++++++ validator/compute_shielded_test.rego | 164 ++++++++++++ .../compute_shielded/assets/data.json | 237 ++++++++++++++++++ .../constraints/shielded_blacklist/data.yaml | 24 ++ .../shielded_blacklist_all/data.yaml | 25 ++ .../constraints/shielded_default/data.yaml | 21 ++ .../shielded_regex_blacklist_all/data.yaml | 25 ++ .../shielded_regex_whitelist_all/data.yaml | 25 ++ .../constraints/shielded_whitelist/data.yaml | 24 ++ .../shielded_whitelist_all/data.yaml | 25 ++ 12 files changed, 792 insertions(+) create mode 100644 policies/templates/gcp_compute_shielded_v1.yaml create mode 100644 samples/compute_shielded.yaml create mode 100644 validator/compute_shielded.rego create mode 100644 validator/compute_shielded_test.rego create mode 100644 validator/test/fixtures/compute_shielded/assets/data.json create mode 100644 validator/test/fixtures/compute_shielded/constraints/shielded_blacklist/data.yaml create mode 100644 validator/test/fixtures/compute_shielded/constraints/shielded_blacklist_all/data.yaml create mode 100644 validator/test/fixtures/compute_shielded/constraints/shielded_default/data.yaml create mode 100644 validator/test/fixtures/compute_shielded/constraints/shielded_regex_blacklist_all/data.yaml create mode 100644 validator/test/fixtures/compute_shielded/constraints/shielded_regex_whitelist_all/data.yaml create mode 100644 validator/test/fixtures/compute_shielded/constraints/shielded_whitelist/data.yaml create mode 100644 validator/test/fixtures/compute_shielded/constraints/shielded_whitelist_all/data.yaml 
diff --git a/policies/templates/gcp_compute_shielded_v1.yaml b/policies/templates/gcp_compute_shielded_v1.yaml
new file mode 100644
index 00000000..c7f206cb
--- /dev/null
+++ b/policies/templates/gcp_compute_shielded_v1.yaml
@@ -0,0 +1,119 @@
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+apiVersion: templates.gatekeeper.sh/v1alpha1
+kind: ConstraintTemplate
+metadata:
+ name: gcp-compute-shielded-v1
+spec:
+ crd:
+ spec:
+ names:
+ kind: GCPComputeShieldedConstraintV1
+ plural: gcpcomputeshieldedconstraintsv1
+ validation:
+ openAPIV3Schema:
+ properties:
+ mode:
+ type: string
+ enum: [blacklist, whitelist]
+ match_mode:
+ type: string
+ enum: [exact, regex]
+ instances:
+ type: array
+ items: string
+ targets:
+ validation.gcp.forsetisecurity.org:
+ rego: | #INLINE("validator/compute_shielded.rego")
+ #
+ # Copyright 2018 Google LLC
+ #
+ # Licensed under the Apache License, Version 2.0 (the "License");
+ # you may not use this file except in compliance with the License.
+ # You may obtain a copy of the License at
+ #
+ # http://www.apache.org/licenses/LICENSE-2.0
+ #
+ # Unless required by applicable law or agreed to in writing, software
+ # distributed under the License is distributed on an "AS IS" BASIS,
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+ #
+
+ package templates.gcp.GCPComputeShieldedConstraintV1
+
+ import data.validator.gcp.lib as lib
+
+ ###########################
+ # Find Whitelist/Blacklist Violations
+ ###########################
+ deny[{
+ "msg": message,
+ "details": metadata,
+ }] {
+ constraint := input.constraint
+ lib.get_constraint_params(constraint, params)
+ asset := input.asset
+ asset.asset_type == "compute.googleapis.com/Instance"
+
+ instance := asset.resource.data
+ shielded_config := lib.get_default(instance, "shieldedInstanceConfig", {})
+ lib.get_default(shielded_config, "enableIntegrityMonitoring", false) != true
+ lib.get_default(shielded_config, "enableVtpm", false) != true
+
+ # Check if instance is in blacklist/whitelist
+ match_mode := lib.get_default(params, "match_mode", "exact")
+ mode := lib.get_default(params, "mode", "whitelist")
+ target_instances := lib.get_default(params, "instances", [])
+ trace(sprintf("asset name:%v, target_instances: %v, mode: %v, match_mode: %v", [asset.name, target_instances, mode, match_mode]))
+ instance_name_targeted(asset.name, target_instances, mode, match_mode)
+ message := sprintf("%v is not shielded.", [asset.name])
+ metadata := {"resource": asset.name}
+ }
+
+ ###########################
+ # Rule Utilities
+ ###########################
+ instance_name_targeted(asset_name, instance_filters, mode, match_mode) {
+ mode == "whitelist"
+ match_mode == "exact"
+ matches := {asset_name} & cast_set(instance_filters)
+ count(matches) == 0
+ }
+
+ instance_name_targeted(asset_name, instance_filters, mode, match_mode) {
+ mode == "blacklist"
+ match_mode == "exact"
+ matches := {asset_name} & cast_set(instance_filters)
+ count(matches) > 0
+ }
+
+ instance_name_targeted(asset_name, instance_filters, mode, match_mode) {
+ mode == "whitelist"
+ match_mode == "regex"
+ not re_match_name(asset_name, instance_filters)
+ }
+
+ instance_name_targeted(asset_name, instance_filters, mode, match_mode) {
+ mode == "blacklist"
+ match_mode == "regex"
+ re_match_name(asset_name, instance_filters)
+ }
+
+ re_match_name(name, filters) {
+ re_match(filters[_], name)
+ }
+ #ENDINLINE
diff --git a/samples/compute_shielded.yaml b/samples/compute_shielded.yaml
new file mode 100644
index 00000000..259455f7
--- /dev/null
+++ b/samples/compute_shielded.yaml
@@ -0,0 +1,24 @@
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+apiVersion: constraints.gatekeeper.sh/v1alpha1
+kind: GCPComputeIpForwardConstraintV1
+metadata:
+ name: forbid_ip_forward
+ annotations:
+ # This constraint is not certified by CIS.
+ bundles.validator.forsetisecurity.org/cis-v1.1: 4.07
+spec:
+ severity: high
+ parameters: {}
diff --git a/validator/compute_shielded.rego b/validator/compute_shielded.rego
new file mode 100644
index 00000000..e565b615
--- /dev/null
+++ b/validator/compute_shielded.rego
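Review bot: The inlined `deny` rule (and the identical source in validator/compute_shielded.rego, whose hunk follows) only fires when both `enableIntegrityMonitoring` and `enableVtpm` are not true, because the two `!= true` lines are conjunctive; an instance with vTPM enabled but integrity monitoring disabled, or the reverse, is reported as shielded, and `enableSecureBoot`, which the fixture data shows as a member of `shieldedInstanceConfig`, is never read at all. Given the message `"%v is not shielded."`, the rule should report an instance that is missing any of the flags: replace the two `!= true` lines with `not shielded(shielded_config)` and add a `shielded(config)` helper under Rule Utilities whose body requires `lib.get_default(config, "enableVtpm", false) == true`, the same for `enableIntegrityMonitoring`, and (if it is in scope) for `enableSecureBoot`. If Secure Boot is deliberately excluded — the "shielded" fixture VM has it set to false — say so in a comment above the check, e.g. `# Secure Boot is not required here because it breaks unsigned guest kernels; vTPM and integrity monitoring are.` The fix belongs in the .rego source with this template regenerated from it, and the inlined copy's 2018 copyright line should match the 2019 header.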
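Review bot: The sample instantiates the wrong template: `kind: GCPComputeIpForwardConstraintV1` and `name: forbid_ip_forward` are carried over from the IP-forward sample, so samples/compute_shielded.yaml never exercises the ConstraintTemplate this commit adds. It should read `kind: GCPComputeShieldedConstraintV1` with a matching name such as `forbid_unshielded_instances` (constructed example). The annotation comment `# This constraint is not certified by CIS.` also contradicts the `cis-v1.1: 4.07` bundle tag on the next line and the commit title; one of the two must be corrected before the bundle label is trusted by anyone selecting CIS policies.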
@@ -0,0 +1,79 @@
+#
+# Copyright 2018 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+package templates.gcp.GCPComputeShieldedConstraintV1
+
+import data.validator.gcp.lib as lib
+
+###########################
+# Find Whitelist/Blacklist Violations
+###########################
+deny[{
+ "msg": message,
+ "details": metadata,
+}] {
+ constraint := input.constraint
+ lib.get_constraint_params(constraint, params)
+ asset := input.asset
+ asset.asset_type == "compute.googleapis.com/Instance"
+
+ instance := asset.resource.data
+ shielded_config := lib.get_default(instance, "shieldedInstanceConfig", {})
+ lib.get_default(shielded_config, "enableIntegrityMonitoring", false) != true
+ lib.get_default(shielded_config, "enableVtpm", false) != true
+
+ # Check if instance is in blacklist/whitelist
+ match_mode := lib.get_default(params, "match_mode", "exact")
+ mode := lib.get_default(params, "mode", "whitelist")
+ target_instances := lib.get_default(params, "instances", [])
+ trace(sprintf("asset name:%v, target_instances: %v, mode: %v, match_mode: %v", [asset.name, target_instances, mode, match_mode]))
+ instance_name_targeted(asset.name, target_instances, mode, match_mode)
+ message := sprintf("%v is not shielded.", [asset.name])
+ metadata := {"resource": asset.name}
+}
+
+###########################
+# Rule Utilities
+###########################
+instance_name_targeted(asset_name, instance_filters, mode, match_mode) {
+ mode == "whitelist"
+ match_mode == "exact"
+ matches := {asset_name} & cast_set(instance_filters)
+ count(matches) == 0
+}
+
+instance_name_targeted(asset_name, instance_filters, mode, match_mode) {
+ mode == "blacklist"
+ match_mode == "exact"
+ matches := {asset_name} & cast_set(instance_filters)
+ count(matches) > 0
+}
+
+instance_name_targeted(asset_name, instance_filters, mode, match_mode) {
+ mode == "whitelist"
+ match_mode == "regex"
+ not re_match_name(asset_name, instance_filters)
+}
+
+instance_name_targeted(asset_name, instance_filters, mode, match_mode) {
+ mode == "blacklist"
+ match_mode == "regex"
+ re_match_name(asset_name, instance_filters)
+}
+
+re_match_name(name, filters) {
+ re_match(filters[_], name)
+}
diff --git a/validator/compute_shielded_test.rego b/validator/compute_shielded_test.rego
new file mode 100644
index 00000000..e604b9e1
--- /dev/null
+++ b/validator/compute_shielded_test.rego
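Review bot: The `trace(sprintf(...))` call inside `deny` formats the entire `instances` parameter list into the trace buffer for every instance evaluated; it reads as debugging residue rather than intended output, and it is copied verbatim into the inlined template, so it should be removed before the rule ships. The defaulting on the lines above it is security-relevant and undocumented: with no parameters the constraint runs as `mode: whitelist` over an empty list, so every unshielded instance is reported, while `mode: blacklist` with an empty list reports nothing. A comment such as `# No params: whitelist mode with an empty list, so every non-shielded instance is reported; blacklist with an empty list reports none.` above the `match_mode :=` line would make that behaviour explicit to whoever writes a constraint.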
@@ -0,0 +1,164 @@
+#
+# Copyright 2018 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+package templates.gcp.GCPComputeShieldedConstraintV1
+
+import data.test.fixtures.compute_shielded.assets as fixture_instances
+import data.test.fixtures.compute_shielded.constraints as fixture_constraints
+
+# Find all violations on our test cases
+find_violations[violation] {
+ instance := data.instances[_]
+ constraint := data.test_constraints[_]
+
+ issues := deny with input.asset as instance
+ with input.constraint as constraint
+
+ total_issues := count(issues)
+
+ violation := issues[_]
+}
+
+# Confim no violations with no instances
+test_shielded_no_instances {
+ found_violations := find_violations with data.instances as []
+
+ count(found_violations) = 0
+}
+
+test_shielded_no_constraints {
+ found_violations := find_violations with data.instances as fixture_instances
+ with data.constraints as []
+
+ count(found_violations) = 0
+}
+
+violations_with_empty_parameters[violation] {
+ constraints := [fixture_constraints.shielded_default]
+
+ found_violations := find_violations with data.instances as fixture_instances
+ with data.test_constraints as constraints
+
+ violation := found_violations[_]
+}
+
+test_shielded_default {
+ found_violations := violations_with_empty_parameters
+
+ count(found_violations) = 2
+}
+
+whitelist_violations[violation] {
+ constraints := [fixture_constraints.shielded_whitelist]
+
+ found_violations := find_violations with data.instances as fixture_instances
+ with data.test_constraints as constraints
+
+ violation := found_violations[_]
+}
+
+# Confirm only a single violation was found (whitelist constraint)
+test_shielded_whitelist_violates_one {
+ found_violations := whitelist_violations
+
+ count(found_violations) = 1
+
+ violation := found_violations[_]
+ resource_name := "//compute.googleapis.com/projects/test-project/zones/us-east1-b/instances/vm-unshielded"
+
+ is_string(violation.msg)
+ is_object(violation.details)
+}
+
+no_violation_due_to_whitelist[violation] {
+ constraints := [fixture_constraints.shielded_whitelist_all]
+
+ found_violations := find_violations with data.instances as fixture_instances
+ with data.test_constraints as constraints
+
+ violation := found_violations[_]
+}
+
+# Confirm no violation when both VMs with exernal IP are whitelisted.
+test_shielded_whitelist_all {
+ found_violations := no_violation_due_to_whitelist
+
+ count(found_violations) = 0
+}
+
+blacklist_violations[violation] {
+ constraints := [fixture_constraints.shielded_blacklist]
+
+ found_violations := find_violations with data.instances as fixture_instances
+ with data.test_constraints as constraints
+
+ violation := found_violations[_]
+}
+
+test_shielded_blacklist_violates_one {
+ found_violations := blacklist_violations
+
+ count(found_violations) = 1
+}
+
+two_blacklist_violations[violation] {
+ constraints := [fixture_constraints.shielded_blacklist_all]
+
+ found_violations := find_violations with data.instances as fixture_instances
+ with data.test_constraints as constraints
+
+ violation := found_violations[_]
+}
+
+# Confirm we get 2 violations when both VMs with external IP are blacklisted.
+test_shielded_blacklist_all {
+ found_violations := two_blacklist_violations
+
+ count(found_violations) = 2
+}
+
+test_blacklist_violations_regex {
+ constraints := [fixture_constraints.shielded_regex_blacklist_all]
+
+ found_violations := find_violations with data.instances as fixture_instances
+ with data.test_constraints as constraints
+
+ count(found_violations) == 2
+}
+
+test_whitelist_violations_regex {
+ constraints := [fixture_constraints.shielded_regex_whitelist_all]
+
+ found_violations := find_violations with data.instances as fixture_instances
+ with data.test_constraints as constraints
+
+ count(found_violations) == 0
+}
+
+test_instance_name_targeted_whitelist {
+ not instance_name_targeted("//compute/vm1", ["//compute/vm.*", "//compute/nomatch"], "whitelist", "regex")
+ not instance_name_targeted("//compute/vm1", ["//compute/vm1", "//compute/nomatch"], "whitelist", "exact")
+}
+
+test_instance_name_targeted_whitelist_nomatch {
+ instance_name_targeted("//compute/vm1", ["//compute/nomatch1", "//compute/nomatch2"], "whitelist", "regex")
+ instance_name_targeted("//compute/vm1", ["//compute/nomatch1", "//compute/nomatch2"], "whitelist", "exact")
+}
+
+test_instance_name_targeted_blacklist {
+ instance_name_targeted("//compute/vm1", ["//compute/vm.*", "//compute/nomatch"], "blacklist", "regex")
+ instance_name_targeted("//compute/vm1", ["//compute/vm1", "//compute/nomatch"], "blacklist", "exact")
+}
diff --git a/validator/test/fixtures/compute_shielded/assets/data.json b/validator/test/fixtures/compute_shielded/assets/data.json
new file mode 100644
index 00000000..30e874fe
--- /dev/null
+++ b/validator/test/fixtures/compute_shielded/assets/data.json
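Review bot: `test_shielded_no_constraints` overrides `data.constraints`, but `find_violations` iterates `data.test_constraints[_]`, so the override is a no-op and the test only passes because `data.test_constraints` is never set; it should read `with data.test_constraints as []`. In `test_shielded_whitelist_violates_one` the `resource_name` binding is never compared to anything, so the test does not pin which VM was flagged; adding `violation.details.resource == resource_name` after the `is_object` line closes that gap, and `total_issues` in `find_violations` is unused and can go. The comments "both VMs with exernal IP" are carried over from the external-IP test file and do not describe these fixtures, which differ by `shieldedInstanceConfig`, not by IP; they should say "both unshielded VMs".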
@@ -0,0 +1,237 @@ +[ + { + "name": "//compute.googleapis.com/projects/test-project/zones/us-east1-c/instances/vm-shielded", + "asset_type": "compute.googleapis.com/Instance", + "resource": { + "version": "v1", + "discovery_document_uri": "https://www.googleapis.com/discovery/v1/apis/compute/v1/rest", + "discovery_name": "Instance", + "parent": "//cloudresourcemanager.googleapis.com/projects/68478495408", + "data": { + "canIpForward": false, + "cpuPlatform": "Intel Haswell", + "creationTimestamp": "2018-01-18T12:16:22.261-08:00", + "deletionProtection": false, + "disk": [ + { + "autoDelete": true, + "boot": true, + "deviceName": "persistent-disk-0", + "guestOsFeature": [ + { + "type": "VIRTIO_SCSI_MULTIQUEUE" + } + ], + "index": 0, + "interface": "SCSI", + "license": [ + "https://www.googleapis.com/compute/v1/projects/debian-cloud/global/licenses/debian-9-stretch" + ], + "mode": "READ_WRITE", + "source": "https://www.googleapis.com/compute/v1/projects/test-project/zones/us-east1-c/disks/vm-no-ip", + "type": "PERSISTENT" + } + ], + "id": "8987947392482197114", + "labelFingerprint": "42WmSpB8rSM=", + "machineType": "https://www.googleapis.com/compute/v1/projects/test-project/zones/us-east1-c/machineTypes/g1-small", + "name": "vm-no-ip", + "networkInterfaces": [ + { + "fingerprint": "+QCnSman4bQ=", + "ipAddress": "10.1.0.2", + "name": "nic0", + "network": "https://www.googleapis.com/compute/v1/projects/test-project/global/networks/default", + "subnetwork": "https://www.googleapis.com/compute/v1/projects/test-project/regions/us-east1/subnetworks/default-us-east1" + } + ], + "scheduling": { + "automaticRestart": true, + "onHostMaintenance": "MIGRATE", + "preemptible": false + }, + "selfLink": "https://www.googleapis.com/compute/v1/projects/test-project/zones/us-east1-c/instances/vm-no-ip", + "serviceAccount": [ + { + "email": "66666666666-compute@developer.gserviceaccount.com", + "scope": [ + "https://www.googleapis.com/auth/cloud-platform" + ] + } + ], + 
"shieldedInstanceConfig": { + "enableIntegrityMonitoring": true, + "enableSecureBoot": false, + "enableVtpm": true + }, + "startRestricted": false, + "status": "RUNNING", + "tags": { + "fingerprint": "42WmSpB8rSM=" + }, + "zone": "https://www.googleapis.com/compute/v1/projects/test-project/zones/us-east1-c" + } + } + }, + { + "name": "//compute.googleapis.com/projects/test-project/zones/us-east1-b/instances/vm-unshielded", + "asset_type": "compute.googleapis.com/Instance", + "resource": { + "version": "v1", + "discovery_document_uri": "https://www.googleapis.com/discovery/v1/apis/compute/v1/rest", + "discovery_name": "Instance", + "parent": "//cloudresourcemanager.googleapis.com/projects/68478495408", + "data": { + "canIpForward": true, + "cpuPlatform": "Unknown CPU Platform", + "creationTimestamp": "2018-06-20T14:46:40.689-07:00", + "deletionProtection": false, + "description": "", + "disk": [ + { + "autoDelete": true, + "boot": true, + "deviceName": "vm-shielded", + "guestOsFeature": [ + { + "type": "VIRTIO_SCSI_MULTIQUEUE" + } + ], + "index": 0, + "interface": "SCSI", + "license": [ + "https://www.googleapis.com/compute/v1/projects/debian-cloud/global/licenses/debian-9-stretch" + ], + "mode": "READ_WRITE", + "source": "https://www.googleapis.com/compute/v1/projects/test-project/zones/us-east1-b/disks/vm-shielded", + "type": "PERSISTENT" + } + ], + "id": "108591614595134928", + "labelFingerprint": "42WmSpB8rSM=", + "machineType": "https://www.googleapis.com/compute/v1/projects/test-project/zones/us-east1-b/machineTypes/n1-standard-1", + "name": "vm-shielded", + "networkInterfaces": [ + { + "accessConfigs": [ + { + "externalIp": "35.196.151.107", + "name": "external-nat", + "networkTier": "PREMIUM", + "type": "ONE_TO_ONE_NAT" + } + ], + "fingerprint": "FKYLBaTiCF0=", + "ipAddress": "10.142.0.2", + "name": "nic0", + "network": "https://www.googleapis.com/compute/v1/projects/test-project/global/networks/default", + "subnetwork": 
"https://www.googleapis.com/compute/v1/projects/test-project/regions/us-east1/subnetworks/default" + } + ], + "scheduling": { + "automaticRestart": true, + "onHostMaintenance": "MIGRATE", + "preemptible": false + }, + "selfLink": "https://www.googleapis.com/compute/v1/projects/test-project/zones/us-east1-b/instances/vm-unshielded", + "serviceAccount": [ + { + "email": "77777777-compute@developer.gserviceaccount.com", + "scope": [ + "https://www.googleapis.com/auth/cloud-platform" + ] + } + ], + "startRestricted": false, + "status": "TERMINATED", + "tags": { + "fingerprint": "42WmSpB8rSM=" + }, + "zone": "https://www.googleapis.com/compute/v1/projects/test-project/zones/us-east1-b" + } + } + }, + { + "name": "//compute.googleapis.com/projects/test-project/zones/us-east1-b/instances/vm-unshielded-two", + "asset_type": "compute.googleapis.com/Instance", + "resource": { + "version": "v1", + "discovery_document_uri": "https://www.googleapis.com/discovery/v1/apis/compute/v1/rest", + "discovery_name": "Instance", + "parent": "//cloudresourcemanager.googleapis.com/projects/68478495408", + "data": { + "canIpForward": true, + "cpuPlatform": "Unknown CPU Platform", + "creationTimestamp": "2018-06-20T14:46:40.689-07:00", + "deletionProtection": false, + "description": "", + "disk": [ + { + "autoDelete": true, + "boot": true, + "deviceName": "vm-shielded-two", + "guestOsFeature": [ + { + "type": "VIRTIO_SCSI_MULTIQUEUE" + } + ], + "index": 0, + "interface": "SCSI", + "license": [ + "https://www.googleapis.com/compute/v1/projects/debian-cloud/global/licenses/debian-9-stretch" + ], + "mode": "READ_WRITE", + "source": "https://www.googleapis.com/compute/v1/projects/test-project/zones/us-east1-b/disks/vm-shielded-two", + "type": "PERSISTENT" + } + ], + "id": "108591614595134928", + "labelFingerprint": "42WmSpB8rSM=", + "machineType": "https://www.googleapis.com/compute/v1/projects/test-project/zones/us-east1-b/machineTypes/n1-standard-1", + "name": "vm-shielded", + 
"networkInterfaces": [ + { + "accessConfigs": [ + { + "externalIp": "35.196.151.110", + "name": "external-nat", + "networkTier": "PREMIUM", + "type": "ONE_TO_ONE_NAT" + } + ], + "fingerprint": "FKYLBaTiCF0=", + "ipAddress": "10.142.0.2", + "name": "nic0", + "network": "https://www.googleapis.com/compute/v1/projects/test-project/global/networks/default", + "subnetwork": "https://www.googleapis.com/compute/v1/projects/test-project/regions/us-east1/subnetworks/default" + } + ], + "scheduling": { + "automaticRestart": true, + "onHostMaintenance": "MIGRATE", + "preemptible": false + }, + "selfLink": "https://www.googleapis.com/compute/v1/projects/test-project/zones/us-east1-b/instances/vm-unshielded-two", + "serviceAccount": [ + { + "email": "77777777-compute@developer.gserviceaccount.com", + "scope": [ + "https://www.googleapis.com/auth/cloud-platform" + ] + } + ], + "shieldedInstanceConfig": { + "enableIntegrityMonitoring": false, + "enableSecureBoot": false, + "enableVtpm": false + }, + "startRestricted": false, + "status": "TERMINATED", + "tags": { + "fingerprint": "42WmSpB8rSM=" + }, + "zone": "https://www.googleapis.com/compute/v1/projects/test-project/zones/us-east1-b" + } + } + } +] diff --git a/validator/test/fixtures/compute_shielded/constraints/shielded_blacklist/data.yaml b/validator/test/fixtures/compute_shielded/constraints/shielded_blacklist/data.yaml new file mode 100644 index 00000000..1ddf2341 --- /dev/null +++ b/validator/test/fixtures/compute_shielded/constraints/shielded_blacklist/data.yaml 
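Review bot: The fixtures only cover three shapes of `shieldedInstanceConfig` — both flags true, both false, and the block absent — so nothing here would notice a rule that reports partially-configured instances differently from fully unshielded ones; a fourth instance with exactly one of `enableVtpm` / `enableIntegrityMonitoring` true would pin the intended semantics. Separately, the inner `data.name` values do not match the asset names (`vm-no-ip` under vm-shielded, `vm-shielded` under both unshielded assets) and the two unshielded assets share `"id": "108591614595134928"`; the rule keys on `asset.name` so this is harmless today, but it will mislead the next person reading a failure. A short top-of-file note is not possible in JSON, so consider fixing the names in place.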
@@ -0,0 +1,24 @@ +# Copyright 2019 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +apiVersion: constraints.gatekeeper.sh/v1alpha1 +kind: GCPComputeShieldedConstraintV1 +metadata: + name: forbid_external_api_blacklist +spec: + severity: high + parameters: + mode: "blacklist" + instances: + - //compute.googleapis.com/projects/test-project/zones/us-east1-b/instances/vm-unshielded diff --git a/validator/test/fixtures/compute_shielded/constraints/shielded_blacklist_all/data.yaml b/validator/test/fixtures/compute_shielded/constraints/shielded_blacklist_all/data.yaml new file mode 100644 index 00000000..36354306 --- /dev/null +++ b/validator/test/fixtures/compute_shielded/constraints/shielded_blacklist_all/data.yaml 
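Review bot: `metadata.name: forbid_external_api_blacklist` is copied from the external-IP fixture and says nothing about shielded VMs; the whitelist fixture later in this patch has the same problem (`forbid_external_api_whitelist`), and the regex blacklist fixture reuses `forbid_shielded_blacklist_all`, the name already used by the exact-match one. Fixtures appear to be addressed by directory rather than by name in the tests, so these are cosmetic, but unique names such as `forbid_shielded_blacklist` and `forbid_shielded_regex_blacklist_all` (constructed) keep trace output unambiguous when a test fails.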
@@ -0,0 +1,25 @@ +# Copyright 2019 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +apiVersion: constraints.gatekeeper.sh/v1alpha1 +kind: GCPComputeShieldedConstraintV1 +metadata: + name: forbid_shielded_blacklist_all +spec: + severity: high + parameters: + mode: "blacklist" + instances: + - //compute.googleapis.com/projects/test-project/zones/us-east1-b/instances/vm-unshielded + - //compute.googleapis.com/projects/test-project/zones/us-east1-b/instances/vm-unshielded-two diff --git a/validator/test/fixtures/compute_shielded/constraints/shielded_default/data.yaml b/validator/test/fixtures/compute_shielded/constraints/shielded_default/data.yaml new file mode 100644 index 00000000..477843dd --- /dev/null +++ b/validator/test/fixtures/compute_shielded/constraints/shielded_default/data.yaml 
@@ -0,0 +1,21 @@ +# Copyright 2019 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +apiVersion: constraints.gatekeeper.sh/v1alpha1 +kind: GCPComputeShieldedConstraintV1 +metadata: + name: forbid_shielded_default +spec: + severity: high + parameters: {} diff --git a/validator/test/fixtures/compute_shielded/constraints/shielded_regex_blacklist_all/data.yaml b/validator/test/fixtures/compute_shielded/constraints/shielded_regex_blacklist_all/data.yaml new file mode 100644 index 00000000..a1bcc137 --- /dev/null +++ b/validator/test/fixtures/compute_shielded/constraints/shielded_regex_blacklist_all/data.yaml @@ -0,0 +1,25 @@ +# Copyright 2019 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +apiVersion: constraints.gatekeeper.sh/v1alpha1 +kind: GCPComputeShieldedConstraintV1 +metadata: + name: forbid_shielded_blacklist_all +spec: + severity: high + parameters: + mode: blacklist + match_mode: regex + instances: + - .*vm-unshielded.* 
diff --git a/validator/test/fixtures/compute_shielded/constraints/shielded_regex_whitelist_all/data.yaml b/validator/test/fixtures/compute_shielded/constraints/shielded_regex_whitelist_all/data.yaml new file mode 100644 index 00000000..88415052 --- /dev/null +++ b/validator/test/fixtures/compute_shielded/constraints/shielded_regex_whitelist_all/data.yaml @@ -0,0 +1,25 @@ +# Copyright 2019 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +apiVersion: constraints.gatekeeper.sh/v1alpha1 +kind: GCPComputeShieldedConstraintV1 +metadata: + name: forbid_shielded_whitelist_all +spec: + severity: high + parameters: + mode: whitelist + match_mode: regex + instances: + - ".*vm-unshielded.*" diff --git a/validator/test/fixtures/compute_shielded/constraints/shielded_whitelist/data.yaml b/validator/test/fixtures/compute_shielded/constraints/shielded_whitelist/data.yaml new file mode 100644 index 00000000..ad02f335 --- /dev/null +++ b/validator/test/fixtures/compute_shielded/constraints/shielded_whitelist/data.yaml 
@@ -0,0 +1,24 @@ +# Copyright 2019 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +apiVersion: constraints.gatekeeper.sh/v1alpha1 +kind: GCPComputeShieldedConstraintV1 +metadata: + name: forbid_external_api_whitelist +spec: + severity: high + parameters: + mode: "whitelist" + instances: + - //compute.googleapis.com/projects/test-project/zones/us-east1-b/instances/vm-unshielded-two diff --git a/validator/test/fixtures/compute_shielded/constraints/shielded_whitelist_all/data.yaml b/validator/test/fixtures/compute_shielded/constraints/shielded_whitelist_all/data.yaml new file mode 100644 index 00000000..6d97ca5f --- /dev/null +++ b/validator/test/fixtures/compute_shielded/constraints/shielded_whitelist_all/data.yaml 
@@ -0,0 +1,25 @@ +# Copyright 2019 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +apiVersion: constraints.gatekeeper.sh/v1alpha1 +kind: GCPComputeShieldedConstraintV1 +metadata: + name: forbid_shielded_whitelist_all +spec: + severity: high + parameters: + mode: "whitelist" + instances: + - //compute.googleapis.com/projects/test-project/zones/us-east1-b/instances/vm-unshielded + - //compute.googleapis.com/projects/test-project/zones/us-east1-b/instances/vm-unshielded-two