update samples for version 0.3.2

tutorials/hardening-your-cluster/policy-binding-object-viewer.yaml → tutorials/hardening-your-cluster/policy-logging.yaml

@@ -11,8 +11,15 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-# [START config_connector_hardening_your_cluster_policy_binding_object_viewer]
-    - role: roles/storage.objectViewer
-      members:
-        - serviceAccount:[SA_NAME]@[PROJECT_ID].iam.gserviceaccount.com
-# [END config_connector_hardening_your_cluster_policy_binding_object_viewer]
+# [START config_connector_hardening_your_cluster_policy_logging]
+apiVersion: iam.cnrm.cloud.google.com/v1alpha1
+kind: IAMPolicyMember
+metadata:
+  name: policy-logging
+spec:
+  member: serviceAccount:[SA_NAME]@[PROJECT_ID].iam.gserviceaccount.com
+  role: roles/logging.logWriter
+  resourceRef:
+    kind: Project
+    name: [PROJECT_ID]
+# [END config_connector_hardening_your_cluster_policy_logging]

tutorials/hardening-your-cluster/policy-metrics-writer.yaml

@@ -0,0 +1,25 @@
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# [START config_connector_hardening_your_cluster_policy_metrics_writer]
+apiVersion: iam.cnrm.cloud.google.com/v1alpha1
+kind: IAMPolicyMember
+metadata:
+  name: policy-metrics-writer
+spec:
+  member: serviceAccount:[SA_NAME]@[PROJECT_ID].iam.gserviceaccount.com
+  role: roles/monitoring.metricWriter
+  resourceRef:
+    kind: Project
+    name: [PROJECT_ID]
+# [END config_connector_hardening_your_cluster_policy_metrics_writer]

tutorials/hardening-your-cluster/policy-monitoring.yaml

@@ -0,0 +1,25 @@
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# [START config_connector_hardening_your_cluster_policy_monitoring]
+apiVersion: iam.cnrm.cloud.google.com/v1alpha1
+kind: IAMPolicyMember
+metadata:
+  name: policy-monitoring
+spec:
+  member: serviceAccount:[SA_NAME]@[PROJECT_ID].iam.gserviceaccount.com
+  role: roles/monitoring.viewer
+  resourceRef:
+    kind: Project
+    name: [PROJECT_ID]
+# [END config_connector_hardening_your_cluster_policy_monitoring]

tutorials/hardening-your-cluster/policy-binding-service-account-user.yaml → tutorials/hardening-your-cluster/policy-object-viewer.yaml

@@ -11,8 +11,15 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-# [START config_connector_hardening_your_cluster_policy_binding_service_account_user]
-    - role: roles/iam.serviceAccountUser
-      members:
-        - serviceAccount:[SA_NAME]@[PROJECT_ID].iam.gserviceaccount.com
-# [END config_connector_hardening_your_cluster_policy_binding_service_account_user]
+# [START config_connector_hardening_your_cluster_object_viewer]
+apiVersion: iam.cnrm.cloud.google.com/v1alpha1
+kind: IAMPolicyMember
+metadata:
+  name: policy-object-viewer
+spec:
+  member: serviceAccount:[SA_NAME]@[PROJECT_ID].iam.gserviceaccount.com
+  role: roles/storage.objectViewer
+  resourceRef:
+    kind: Project
+    name: [PROJECT_ID]
+# [END config_connector_hardening_your_cluster_object_viewer]

tutorials/hardening-your-cluster/policy-service-account-user.yaml

@@ -0,0 +1,25 @@
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# [START config_connector_hardening_your_cluster_service_account_user]
+apiVersion: iam.cnrm.cloud.google.com/v1alpha1
+kind: IAMPolicyMember
+metadata:
+  name: policy-service-account-user
+spec:
+  member: serviceAccount:[SA_NAME]@[PROJECT_ID].iam.gserviceaccount.com
+  role: roles/iam.serviceAccountUser
+  resourceRef:
+    kind: Project
+    name: [PROJECT_ID]
+# [END config_connector_hardening_your_cluster_service_account_user]

tutorials/workload-identity/policy-binding.yaml

@@ -20,9 +20,9 @@ spec:
   resourceRef:
     apiVersion: iam.cnrm.cloud.google.com/v1alpha1
     kind: IAMServiceAccount
-    name: ${GSA_NAME}
+    name: [GSA_NAME]
   bindings:
     - role: roles/iam.workloadIdentityUser
       members:
-        - serviceAccount:${PROJECT_ID}.svc.id.goog[${K8S_NAMESPACE}/${KSA_NAME}]
+        - serviceAccount:[PROJECT_ID].svc.id.goog[[K8S_NAMESPACE]/[KSA_NAME]]
 # [END config_connector_workload_identity_policy_binding]

tutorials/workload-identity/service-account.yaml

@@ -15,7 +15,7 @@
 apiVersion: iam.cnrm.cloud.google.com/v1alpha1
 kind: IAMServiceAccount
 metadata:
-  name: ${GSA_NAME}
+  name: [GSA_NAME]
 spec:
-  displayName: ${GSA_NAME}
+  displayName: [GSA_NAME]
 # [END config_connector_workload_identity_service_account]