Added GKE Benchmark 1.4 Controls (#196)

* Added GKE Benchmark 1.4:5.6.1 for VPC Flow Logs and Intranode Visibility
google · Oct 23, 2023 · 7a5cfb5 · 7a5cfb5
1 parent 98d224b
commit 7a5cfb5
Show file tree

Hide file tree

Showing 3 changed files with 69 additions and 0 deletions.
diff --git a/gke-policies-v2/README.md b/gke-policies-v2/README.md
@@ -46,6 +46,7 @@ of our policy files.
 |[GKE RBAC authorization](../gke-policies-v2/policy/control_plane_disable_legacy_authorization.rego)|Security|GKE cluster should use RBAC instead of legacy ABAC authorization|[CIS GKE](https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#accessing-gke-benchmark) 1.2: 5.8.4|
 |[GKE Shielded Nodes](../gke-policies-v2/policy/shielded_nodes.rego)|Security|GKE cluster should use shielded nodes|[CIS GKE](https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#accessing-gke-benchmark) 1.2: 5.5.5|
 |[GKE Workload Identity](../gke-policies-v2/policy/workload_identity.rego)|Security|GKE cluster should have Workload Identity enabled|[CIS GKE](https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#accessing-gke-benchmark) 1.2: 5.2.2|
+|[GKE intranode visibility](../gke-policies-v2/policy/intranode_visibility.rego)|Security|GKE cluster should have intranode visibility enabled|[CIS GKE](https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#accessing-gke-benchmark) 1.4: 5.6.1|
 |[GKE private cluster](../gke-policies-v2/policy/private_cluster.rego)|Security|GKE cluster should be private to ensure network isolation|[CIS GKE](https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#accessing-gke-benchmark) 1.2: 5.6.5|
 |[Integrity monitoring on the nodes](../gke-policies-v2/policy/node_pool_integrity_monitoring.rego)|Security|GKE node pools should have integrity monitoring feature enabled to detect changes in a VM boot measurements|[CIS GKE](https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#accessing-gke-benchmark) 1.2: 5.5.6|
 |[Kubernetes secrets encryption](../gke-policies-v2/policy/secret_encryption.rego)|Security|GKE cluster should use encryption for kubernetes application secrets|[CIS GKE](https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#accessing-gke-benchmark) 1.2: 5.3.1|

diff --git a/gke-policies-v2/policy/intranode_visibility.rego b/gke-policies-v2/policy/intranode_visibility.rego
@@ -0,0 +1,44 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# METADATA
+# title: GKE intranode visibility
+# description: GKE cluster should have intranode visibility enabled
+# custom:
+#   group: Security
+#   severity: High
+#   recommendation: >
+#     Navigate to the GKE page in Google Cloud Console and select the name of the cluster.
+#     Under Cluster, click Networking.
+#     Select the Enable intranode visibility checkbox and click "Create".
+#   externalURI: https://cloud.google.com/kubernetes-engine/docs/how-to/intranode-visibility
+#   sccCategory: INTRANODE_VISIBILITY_DISABLED
+#   cis:
+#     version: "1.4"
+#     id: "5.6.1"
+#   dataSource: gke
+
+package gke.policy.networkConfig
+
+default valid := false
+
+valid {
+	count(violation) == 0
+}
+
+violation[msg] {
+	not input.data.gke.networkConfig.enableIntraNodeVisibility = true
+
+	msg := "The GKE cluster does not Intranode Visibility enabled"
+}
diff --git a/gke-policies-v2/policy/intranode_visibility_test.rego b/gke-policies-v2/policy/intranode_visibility_test.rego
@@ -0,0 +1,24 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+package gke.policy.networkConfig
+
+test_enabled_intranode_visibility {
+	valid with input as {"data": {"gke": {"name": "test-cluster", "networkConfig": { "enableIntraNodeVisibility": true }}}}
+}
+
+test_disabled_intranode_visibility {
+	not valid with input as {"data": {"gke": {"name": "test-cluster", "networkConfig": { "enableIntraNodeVisibility": false }}}}
+}
+