google · mikouaj · Oct 30, 2023 · Oct 23, 2023 · Oct 23, 2023 · Oct 30, 2023
diff --git a/gke-policies-v2/README.md b/gke-policies-v2/README.md
diff --git a/gke-policies-v2/policy/cluster_binary_authorization.rego b/gke-policies-v2/policy/cluster_binary_authorization.rego
@@ -25,7 +25,7 @@
 #   externalURI: https://cloud.google.com/binary-authorization/docs/setting-up
 #   sccCategory: BINARY_AUTHORIZATION_DISABLED
 #   cis:
-#     version: "1.2"
+#     version: "1.4"
 #     id: "5.10.5"
 #   dataSource: gke
 

diff --git a/gke-policies-v2/policy/cluster_enable_security_posture.rego b/gke-policies-v2/policy/cluster_enable_security_posture.rego
@@ -0,0 +1,42 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# METADATA
+# title: Enable Security Posture dashboard
+# description: >-
+#   The Security Posture feature enables scanning of clusters and running workloads against standards and industry best practices.
+#   The dashboard displays the scan results and provides actionable recommendations for concerns. 
+# custom:
+#   group: Security
+#   severity: Medium
+#   recommendation: >
+#     Enable Container Security API on the cluster project.
+#     Next, navigate to the GKE page in Google Cloud Console and select the name of the cluster. Under Security, in the row for
+#     "Security posture", click the edit icon. Select the "Enable security posture" checkbox and click "Save changes".
+#   externalURI: https://cloud.google.com/kubernetes-engine/docs/concepts/about-security-posture-dashboard
+#   sccCategory: SECURITY_POSTURE_DISABLED
+#   dataSource: gke
+
+package gke.policy.cluster_security_posture
+
+default valid := false
+
+valid {
+  count(violation) == 0
+}
+
+violation[msg] {
+  not input.data.gke.security_posture_config.mode == 2
+  msg := "GKE cluster has not enabled Security Posture"
+}
diff --git a/gke-policies-v2/policy/cluster_enable_security_posture_test.rego b/gke-policies-v2/policy/cluster_enable_security_posture_test.rego
@@ -0,0 +1,51 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+package gke.policy.cluster_security_posture
+
+test_cluster_enabled_security_posture {
+    valid with input as {"data": {"gke": {
+        "name": "cluster-test", 
+        "security_posture_config": {
+           "mode": 2,
+           "vulnerability_mode": 0
+        }
+    }}}
+}
+
+test_cluster_unknown_security_posture {
+    not valid with input as {"data": {"gke": {
+        "name": "cluster-test", 
+        "security_posture_config": {
+           "mode": 0,
+           "vulnerability_mode": 0
+        }
+    }}}
+}
+
+test_cluster_disabled_security_posture {
+    not valid with input as {"data": {"gke": {
+        "name": "cluster-test", 
+        "security_posture_config": {
+           "mode": 1,
+           "vulnerability_mode": 0
+        }
+    }}}
+}
+
+test_cluster_missing_security_posture {
+    not valid with input as {"data": {"gke": {
+        "name": "cluster-test"
+    }}}
+}
diff --git a/gke-policies-v2/policy/cluster_enable_workload_scanning.rego b/gke-policies-v2/policy/cluster_enable_workload_scanning.rego
@@ -0,0 +1,44 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# METADATA
+# title: Enable Workload vulnerability scanning
+# description: >-
+#   The Workload vulnerability scanning is a set of capabilities in the security posture dashboard that automatically 
+#   scans for known vulnerabilities in your container images and in specific language packages during the runtime
+#   phase of software delivery lifecycle.
+# custom:
+#   group: Security
+#   severity: Medium
+#   recommendation: >
+#     Enable Container Security API on the cluster project.
+#     Next, navigate to the GKE page in Google Cloud Console and select the name of the cluster. Under Security, 
+#     in the row for "Workload vulnerability scanning", click the edit icon. Select the
+#     "Enable workload vulnerability scanning" checkbox and click "Save changes".
+#   externalURI: https://cloud.google.com/kubernetes-engine/docs/concepts/about-workload-vulnerability-scanning
+#   sccCategory: WORKLOAD_SCANNING_DISABLED
+#   dataSource: gke
+
+package gke.policy.cluster_workload_scanning
+
+default valid := false
+
+valid {
+  count(violation) == 0
+}
+
+violation[msg] {
+  not input.data.gke.security_posture_config.vulnerability_mode == 2
+  msg := "GKE cluster has not configured workload vulnerability scanning"
+}
diff --git a/gke-policies-v2/policy/cluster_enable_workload_scanning_test.rego b/gke-policies-v2/policy/cluster_enable_workload_scanning_test.rego
@@ -0,0 +1,51 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+package gke.policy.cluster_workload_scanning
+
+test_cluster_enabled_workload_scanning {
+    valid with input as {"data": {"gke": {
+        "name": "cluster-test", 
+        "security_posture_config": {
+           "mode": 2,
+           "vulnerability_mode": 2
+        }
+    }}}
+}
+
+test_cluster_disabled_workload_scanning {
+    not valid with input as {"data": {"gke": {
+        "name": "cluster-test", 
+        "security_posture_config": {
+           "mode": 1,
+           "vulnerability_mode": 1
+        }
+    }}}
+}
+
+test_cluster_unknown_workload_scanning {
+    not valid with input as {"data": {"gke": {
+        "name": "cluster-test", 
+        "security_posture_config": {
+           "mode": 1,
+           "vulnerability_mode": 0
+        }
+    }}}
+}
+
+test_cluster_missing_security_posture {
+    not valid with input as {"data": {"gke": {
+        "name": "cluster-test"
+    }}}
+}
diff --git a/gke-policies-v2/policy/cluster_release_channels.rego b/gke-policies-v2/policy/cluster_release_channels.rego
@@ -26,7 +26,7 @@
 #     Click "Save changes" once done.
 #   externalURI: https://cloud.google.com/kubernetes-engine/docs/concepts/release-channels
 #   cis:
-#     version: "1.2"
+#     version: "1.4"
 #     id: "5.5.4"
 #   dataSource: gke
 

diff --git a/gke-policies-v2/policy/control_plane_access.rego b/gke-policies-v2/policy/control_plane_access.rego
@@ -27,7 +27,7 @@
 #   externalURI: https://cloud.google.com/kubernetes-engine/docs/how-to/authorized-networks
 #   sccCategory: CONTROL_PLANE_ACCESS_UNRESTRICTED
 #   cis:
-#     version: "1.2"
+#     version: "1.4"
 #     id: "5.6.3"
 #   dataSource: gke
 

diff --git a/gke-policies-v2/policy/control_plane_disable_cert_authentication.rego b/gke-policies-v2/policy/control_plane_disable_cert_authentication.rego
@@ -0,0 +1,49 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# METADATA
+# title: Control plane user certificate authentication
+# description: >-
+#   Disable Client Certificates, which require certificate rotation, for authentication. Instead,
+#   use another authentication method like OpenID Connect.
+# custom:
+#   group: Security
+#   severity: High
+#   recommendation: >
+#     Client certificate authentication cannot be disabled on the existing cluster.
+#     The new cluster has to be created with a "Client certificate" option disabled.
+#   externalURI: https://cloud.google.com/kubernetes-engine/docs/how-to/api-server-authentication#disabling_authentication_with_a_client_certificate
+#   sccCategory: CONTROL_PLANE_CERTIFICATE_AUTH
+#   cis:
+#     version: "1.4"
+#     id: "5.8.2"
+#   dataSource: gke
+
+package gke.policy.control_plane_certificate_auth
+
+default valid := false
+
+valid {
+	count(violation) == 0
+}
+
+violation[msg] {
+	input.data.gke.master_auth.client_certificate
+	msg := "The GKE cluster authentication should not be configured with a client certificate"
+}
+
+violation[msg] {
+	input.data.gke.master_auth.client_key
+	msg := "The GKE cluster authentication should not be configured with a client key"
+}
diff --git a/gke-policies-v2/policy/control_plane_disable_cert_authentication_test.rego b/gke-policies-v2/policy/control_plane_disable_cert_authentication_test.rego
@@ -0,0 +1,35 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+package gke.policy.control_plane_certificate_auth
+
+test_cluster_without_client_certificate {
+    valid with input as {"data": {"gke": {
+        "name": "cluster-test", 
+        "master_auth": {
+           "cluster_ca_certificate": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVMVENDQXBXZ0F3SUJBZ0lSQUpIeTI1V..."
+        }
+    }}}
+}
+
+test_cluster_client_certificate {
+    not valid with input as {"data": {"gke": {
+        "name": "cluster-test", 
+        "master_auth": {
+           "cluster_ca_certificate": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVMVENDQXBXZ0F3SUJBZ0lSQUpIeTI1V...",
+           "client_certificate": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVMVENDQXBXZ0F3SUJBZ0lSQUpIeTI1V...",
+           "client_key": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVMVENDQXBXZ0F3SUJBZ0lSQUpIeTI1V..."
+        }
+    }}}
+}
diff --git a/gke-policies-v2/policy/control_plane_disable_legacy_authorization.rego b/gke-policies-v2/policy/control_plane_disable_legacy_authorization.rego
@@ -25,7 +25,7 @@
 #   externalURI: https://cloud.google.com/kubernetes-engine/docs/how-to/api-server-authentication#legacy-auth
 #   sccCategory: RBAC_DISABLED
 #   cis:
-#     version: "1.2"
+#     version: "1.4"
 #     id: "5.8.4"
 #   dataSource: gke
 

diff --git a/gke-policies-v2/policy/control_plane_disable_password_authentication.rego b/gke-policies-v2/policy/control_plane_disable_password_authentication.rego
@@ -0,0 +1,50 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# METADATA
+# title: Control plane user basic authentication
+# description: >-
+#   Disable Basic Authentication (basic auth) for API server authentication as it uses static
+#   passwords which need to be rotated.
+# custom:
+#   group: Security
+#   severity: Critical
+#   recommendation: >
+#     Navigate to the GKE page in Google Cloud Console and select the name of the cluster. Under Security, 
+#     in the row for "Basic authentication", click the edit icon. Unselect the "Enable basic authentication"
+#     checkbox and click "Save changes".
+#   externalURI: https://cloud.google.com/kubernetes-engine/docs/how-to/api-server-authentication#disabling_authentication_with_a_static_password
+#   sccCategory: CONTROL_PLANE_BASIC_AUTH
+#   cis:
+#     version: "1.4"
+#     id: "5.8.1"
+#   dataSource: gke
+
+package gke.policy.control_plane_basic_auth
+
+default valid := false
+
+valid {
+	count(violation) == 0
+}
+
+violation[msg] {
+	input.data.gke.master_auth.password
+	msg := "The GKE cluster authentication should not be configured with a client password"
+}
+
+violation[msg] {
+	input.data.gke.master_auth.username
+	msg := "The GKE cluster authentication should not be configured with a client username"
+}