joecheuk released this Feb 9, 2018


RELEASE NOTE v1.1.10

Summary

Inventory

  • Kubernetes Engine: Your Kubernetes Engine (KE) clusters, their associated node pools, and the per-zone service configs are now inventoried.

Scanner

  • Kubernetes Engine: Scans Kubernetes Engine clusters and checks their versions. This can be used to detect whether cluster nodes are patched against the Meltdown and part of the Spectre (Variant 1 and 3) vulnerabilities in clusters with auto-update turned off. See the Upgrade notes below for how to enable this.
  • IP Blacklist: Detects whether a VM's public IP address is blacklisted by comparing it against known lists.
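The following is an added illustration of the kind of check the KE version scanner performs, written for this note and not Forseti's own ke_version_scanner code: it parses GKE-style node pool versions such as 1.8.7-gke.1 into comparable tuples and reports every node pool below a minimum version. The minimum version, the sample cluster records and the field names are constructed assumptions modelled on the shape of the GKE API's cluster and nodePool objects; take the actual patched version from your provider's advisory.

```python
import re
from typing import List, Tuple

# Added illustration, not Forseti's own scanner code. MIN_PATCHED_VERSION is a
# CONSTRUCTED placeholder; take the real patched version from your advisory.
MIN_PATCHED_VERSION = "1.8.7-gke.0"

_GKE_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-gke\.(\d+))?$")


def parse_gke_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '1.8.7-gke.1' into the comparable tuple (1, 8, 7, 1)."""
    m = _GKE_VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised GKE version: %r" % version)
    major, minor, patch, gke = m.groups()
    return (int(major), int(minor), int(patch), int(gke or 0))


def find_unpatched_node_pools(clusters: List[dict],
                              minimum: str = MIN_PATCHED_VERSION) -> List[dict]:
    """Return one violation record per node pool running below `minimum`."""
    floor = parse_gke_version(minimum)
    violations = []
    for cluster in clusters:
        for pool in cluster.get("nodePools", []):
            if parse_gke_version(pool["version"]) < floor:
                violations.append({
                    "cluster": cluster["name"],
                    "node_pool": pool["name"],
                    "version": pool["version"],
                    "minimum": minimum,
                    # Carried along so the report shows which pools will never catch up on their own.
                    "auto_upgrade": pool.get("management", {}).get("autoUpgrade", False),
                })
    return violations


# Constructed sample shaped like GKE API cluster/nodePool objects (assumed field names).
SAMPLE_CLUSTERS = [
    {"name": "prod-a", "nodePools": [
        {"name": "default-pool", "version": "1.8.7-gke.1", "management": {"autoUpgrade": True}},
        {"name": "batch", "version": "1.8.5-gke.0", "management": {"autoUpgrade": False}},
    ]},
    {"name": "dev-b", "nodePools": [
        {"name": "default-pool", "version": "1.7.12-gke.1", "management": {"autoUpgrade": False}},
    ]},
]

if __name__ == "__main__":
    for v in find_unpatched_node_pools(SAMPLE_CLUSTERS):
        print(v)
```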

Fixes

  • Temp files: Prevents full disks by cleaning up temp files after emailing violations.
  • Firewall scanner: Fixed firewall rules not being scanned correctly when passed in.

Upgrade notes

To enable the KE inventory, add the following to the inventory section of your forseti_conf.yaml file.

inventory:
    pipelines:
        - resource: ke
          enabled: true

To enable the KE scanner or the blacklist scanner, add the following to the scanner section of your forseti_conf.yaml file.

scanner:
    scanners:
        - name: blacklist
          enabled: true

        - name: ke_version_scanner
          enabled: true

To enable the KE notifier or the blacklist notifier, add the following to the notifier section of your forseti_conf.yaml file.

    resources:
        - resource: ke_version_violations
          should_notify: true
          pipelines:
            # Upload violations to GCS.
            - name: gcs_violations_pipeline
              configuration:
                # gcs_path should begin with "gs://"
                gcs_path: gs://{__YOUR_SCANNER_BUCKET__}/scanner_violations

        - resource: blacklist_violations
          should_notify: true
          pipelines:
            # Upload violations to GCS.
            - name: gcs_violations_pipeline
              configuration:
                # gcs_path should begin with "gs://"
                gcs_path: gs://{__YOUR_SCANNER_BUCKET__}/scanner_violations

Thanks to our contributors!

All changes

8223a51 (HEAD -> release-1.1.10, origin/release-1.1.10) addressed PR comments
2418ce0 Merge branch 'dev' of github.com:GoogleCloudPlatform/forseti-security into release-1.1.10
6294a56 (origin/dev, origin/HEAD) [trivial] removed unused variables (#1005)
cdd5dce fixed pylint issue
6170134 fixed pylint issues
eb396a6 rename gke to ke
3abb351 Merge pull request #1006 from GoogleCloudPlatform/release-1.1.10
4ab0721 fixed violation map type, added blacklist notifier to config.in
390968b (tag: v1.1.10, dev) Merge pull request #1004 from GoogleCloudPlatform/increment_version
841d899 (origin/increment_version, increment_version) Incremented version to 1.1.10
01510a6 Improve the Violation Identifier Fix (1.0) (#1002)
215e38c Use the right resource identifier in the violations (#998)
96846ae fixes: group members inventory marked as success when groups failed (#997)
6829f81 Firewall scanner fix for dev (#994)
2772b3f make use of a 'with' clause for named temp file (#990)
cfbe1fe Update the repository README.md to point to the correct branch name (#991)
26087d3 Clean up temp file after emailing violations (#985)
203ae6d Fix the testing link in our contributing.md (#982)
d710d4c Properly wrap pylintrc. (#978)
26b3fbf Update nodepool version unpatched rule wording. (#974)
6250bf8 Clarify GKE scanner rule (#972)
a0abf70 Add GKE version violation to enum. (#971)
7451d04 Updating the readme to add more clarity (#970)
a2c2356 GKE Version scanner. (#967)
3c5c965 tweaks for the blacklist scanner (#965)
d8aa793 Add blacklist_scanner code (#957)
f093ff1 Add gke data to inventory (#962)
fa46c33 Update README.md (#952)
45f9308 Add Google Kubernetes Engine to api library. (#953)
3df3538 Lower case member comparison (#947)
220826b Addressing pylint findings. (#946)
5737eaa Update LICENSE (#928)