From f7b250b7d1b9c8d6676a1d6d6de4fe69aeb6e760 Mon Sep 17 00:00:00 2001
From: Alex Bulankou
Date: Fri, 8 Nov 2019 09:33:19 -0800
Subject: [PATCH] update samples for version 0.3.2
---
 .../policy-binding.yaml | 48 -------------------
 ...object-viewer.yaml => policy-logging.yaml} | 17 +++++--
 .../policy-metrics-writer.yaml | 25 ++++++++++
 .../policy-monitoring.yaml | 25 ++++++++++
 ...nt-user.yaml => policy-object-viewer.yaml} | 17 +++++--
 .../policy-service-account-user.yaml | 25 ++++++++++
 .../workload-identity/policy-binding.yaml | 4 +-
 .../workload-identity/service-account.yaml | 4 +-
 8 files changed, 103 insertions(+), 62 deletions(-)
 delete mode 100644 tutorials/hardening-your-cluster/policy-binding.yaml
 rename tutorials/hardening-your-cluster/{policy-binding-object-viewer.yaml => policy-logging.yaml} (60%)
 create mode 100644 tutorials/hardening-your-cluster/policy-metrics-writer.yaml
 create mode 100644 tutorials/hardening-your-cluster/policy-monitoring.yaml
 rename tutorials/hardening-your-cluster/{policy-binding-service-account-user.yaml => policy-object-viewer.yaml} (59%)
 create mode 100644 tutorials/hardening-your-cluster/policy-service-account-user.yaml
diff --git a/tutorials/hardening-your-cluster/policy-binding.yaml b/tutorials/hardening-your-cluster/policy-binding.yaml
deleted file mode 100644
index 1abf2e2d52..0000000000
--- a/tutorials/hardening-your-cluster/policy-binding.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-# Copyright 2019 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# [START config_connector_hardening_your_cluster_policy]
-apiVersion: iam.cnrm.cloud.google.com/v1alpha1
-kind: IAMPolicy
-metadata:
- name: policy-binding
-spec:
- resourceRef:
- kind: Project
- name: [PROJECT_ID]
- bindings:
- - members:
- - serviceAccount:service-[PROJECT_NUMBER]@compute-system.iam.gserviceaccount.com
- role: roles/compute.serviceAgent
- - members:
- - serviceAccount:service-[PROJECT_NUMBER]@container-engine-robot.iam.gserviceaccount.com
- role: roles/container.serviceAgent
- - members:
- - serviceAccount:[PROJECT_NUMBER]-compute@developer.gserviceaccount.com
- - serviceAccount:[PROJECT_NUMBER]@cloudservices.gserviceaccount.com
- - serviceAccount:service-[PROJECT_NUMBER]@containerregistry.iam.gserviceaccount.com
- role: roles/editor
- - members:
- - serviceAccount:cnrm-system@[PROJECT_ID].iam.gserviceaccount.com
- - user:[ACCOUNT]
- role: roles/owner
- - role: roles/logging.logWriter
- members:
- - serviceAccount:[SA_NAME]@[PROJECT_ID].iam.gserviceaccount.com
- - role: roles/monitoring.metricWriter
- members:
- - serviceAccount:[SA_NAME]@[PROJECT_ID].iam.gserviceaccount.com
- - role: roles/monitoring.viewer
- members:
- - serviceAccount:[SA_NAME]@[PROJECT_ID].iam.gserviceaccount.com
-# [END config_connector_hardening_your_cluster_policy]
diff --git a/tutorials/hardening-your-cluster/policy-binding-object-viewer.yaml b/tutorials/hardening-your-cluster/policy-logging.yaml
similarity index 60%
rename from tutorials/hardening-your-cluster/policy-binding-object-viewer.yaml
rename to tutorials/hardening-your-cluster/policy-logging.yaml
index b60145b0f4..51a66f6c81 100644
--- a/tutorials/hardening-your-cluster/policy-binding-object-viewer.yaml
+++ b/tutorials/hardening-your-cluster/policy-logging.yaml
@@ -11,8 +11,15 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-# [START config_connector_hardening_your_cluster_policy_binding_object_viewer]
- - role: roles/storage.objectViewer
- members:
- - serviceAccount:[SA_NAME]@[PROJECT_ID].iam.gserviceaccount.com
-# [END config_connector_hardening_your_cluster_policy_binding_object_viewer]
+# [START config_connector_hardening_your_cluster_policy_logging]
+apiVersion: iam.cnrm.cloud.google.com/v1alpha1
+kind: IAMPolicyMember
+metadata:
+ name: policy-logging
+spec:
+ member: serviceAccount:[SA_NAME]@[PROJECT_ID].iam.gserviceaccount.com
+ role: roles/logging.logWriter
+ resourceRef:
+ kind: Project
+ name: [PROJECT_ID]
+# [END config_connector_hardening_your_cluster_policy_logging]
\ No newline at end of file
diff --git a/tutorials/hardening-your-cluster/policy-metrics-writer.yaml b/tutorials/hardening-your-cluster/policy-metrics-writer.yaml
new file mode 100644
index 0000000000..bdce01123e
--- /dev/null
+++ b/tutorials/hardening-your-cluster/policy-metrics-writer.yaml
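Review bot: The new IAMPolicyMember gives no hint of which identity `[SA_NAME]` stands for or why it needs `roles/logging.logWriter` at project scope, so a reader following a hardening tutorial cannot check that the grant is the minimum; presumably this is the dedicated node service account that replaces the default Compute Engine one — confirm against the tutorial text. A one-line comment above `spec:`, `# Node service account: write log entries to Cloud Logging`, would make the intent reviewable, and the same applies to the metrics-writer and monitoring hunks. All five new or renamed files in this commit also end without a trailing newline (`\ No newline at end of file`), which yamllint flags and which makes the next edit's diff noisier than it needs to be.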
@@ -0,0 +1,25 @@
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# [START config_connector_hardening_your_cluster_policy_metrics_writer]
+apiVersion: iam.cnrm.cloud.google.com/v1alpha1
+kind: IAMPolicyMember
+metadata:
+ name: policy-metrics-writer
+spec:
+ member: serviceAccount:[SA_NAME]@[PROJECT_ID].iam.gserviceaccount.com
+ role: roles/monitoring.metricWriter
+ resourceRef:
+ kind: Project
+ name: [PROJECT_ID]
+# [END config_connector_hardening_your_cluster_policy_metrics_writer]
\ No newline at end of file
diff --git a/tutorials/hardening-your-cluster/policy-monitoring.yaml b/tutorials/hardening-your-cluster/policy-monitoring.yaml
new file mode 100644
index 0000000000..79269e63ce
--- /dev/null
+++ b/tutorials/hardening-your-cluster/policy-monitoring.yaml
@@ -0,0 +1,25 @@
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# [START config_connector_hardening_your_cluster_policy_monitoring]
+apiVersion: iam.cnrm.cloud.google.com/v1alpha1
+kind: IAMPolicyMember
+metadata:
+ name: policy-monitoring
+spec:
+ member: serviceAccount:[SA_NAME]@[PROJECT_ID].iam.gserviceaccount.com
+ role: roles/monitoring.viewer
+ resourceRef:
+ kind: Project
+ name: [PROJECT_ID]
+# [END config_connector_hardening_your_cluster_policy_monitoring]
\ No newline at end of file
diff --git a/tutorials/hardening-your-cluster/policy-binding-service-account-user.yaml b/tutorials/hardening-your-cluster/policy-object-viewer.yaml
similarity index 59%
rename from tutorials/hardening-your-cluster/policy-binding-service-account-user.yaml
rename to tutorials/hardening-your-cluster/policy-object-viewer.yaml
index bdb881534a..c94688deaa 100644
--- a/tutorials/hardening-your-cluster/policy-binding-service-account-user.yaml
+++ b/tutorials/hardening-your-cluster/policy-object-viewer.yaml
@@ -11,8 +11,15 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-# [START config_connector_hardening_your_cluster_policy_binding_service_account_user]
- - role: roles/iam.serviceAccountUser
- members:
- - serviceAccount:[SA_NAME]@[PROJECT_ID].iam.gserviceaccount.com
-# [END config_connector_hardening_your_cluster_policy_binding_service_account_user]
+# [START config_connector_hardening_your_cluster_object_viewer]
+apiVersion: iam.cnrm.cloud.google.com/v1alpha1
+kind: IAMPolicyMember
+metadata:
+ name: policy-object-viewer
+spec:
+ member: serviceAccount:[SA_NAME]@[PROJECT_ID].iam.gserviceaccount.com
+ role: roles/storage.objectViewer
+ resourceRef:
+ kind: Project
+ name: [PROJECT_ID]
+# [END config_connector_hardening_your_cluster_object_viewer]
\ No newline at end of file
diff --git a/tutorials/hardening-your-cluster/policy-service-account-user.yaml b/tutorials/hardening-your-cluster/policy-service-account-user.yaml
new file mode 100644
index 0000000000..53d69a001e
--- /dev/null
+++ b/tutorials/hardening-your-cluster/policy-service-account-user.yaml
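Review bot: `roles/storage.objectViewer` bound to a `resourceRef` of kind `Project` lets `[SA_NAME]` read every object in every bucket of the project, which is wider than a hardening sample should demonstrate unless the nodes really need all buckets; if the purpose is only to pull private container images, say so in a comment above `role:` and consider scoping the binding to that bucket with `resourceRef.kind: StorageBucket` (check that this kind is supported by the Config Connector version the tutorial targets). The region tag `config_connector_hardening_your_cluster_object_viewer` also drops the `policy_` segment that the sibling tags use (`..._policy_logging`, `..._policy_metrics_writer`, `..._policy_monitoring`), so a docs include keyed on the consistent pattern would miss this file; the service-account-user hunk has the same drift.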
@@ -0,0 +1,25 @@
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# [START config_connector_hardening_your_cluster_service_account_user]
+apiVersion: iam.cnrm.cloud.google.com/v1alpha1
+kind: IAMPolicyMember
+metadata:
+ name: policy-service-account-user
+spec:
+ member: serviceAccount:[SA_NAME]@[PROJECT_ID].iam.gserviceaccount.com
+ role: roles/iam.serviceAccountUser
+ resourceRef:
+ kind: Project
+ name: [PROJECT_ID]
+# [END config_connector_hardening_your_cluster_service_account_user]
\ No newline at end of file
diff --git a/tutorials/workload-identity/policy-binding.yaml b/tutorials/workload-identity/policy-binding.yaml
index 324a1b7283..35b0f12bdc 100644
--- a/tutorials/workload-identity/policy-binding.yaml
+++ b/tutorials/workload-identity/policy-binding.yaml
@@ -20,9 +20,9 @@ spec:
 resourceRef:
 apiVersion: iam.cnrm.cloud.google.com/v1alpha1
 kind: IAMServiceAccount
- name: ${GSA_NAME}
+ name: [GSA_NAME]
 bindings:
 - role: roles/iam.workloadIdentityUser
 members:
- - serviceAccount:${PROJECT_ID}.svc.id.goog[${K8S_NAMESPACE}/${KSA_NAME}]
+ - serviceAccount:[PROJECT_ID].svc.id.goog[[K8S_NAMESPACE]/[KSA_NAME]]
 # [END config_connector_workload_identity_policy_binding]
\ No newline at end of file
diff --git a/tutorials/workload-identity/service-account.yaml b/tutorials/workload-identity/service-account.yaml
index a0f19849a2..ce12eab3da 100644
--- a/tutorials/workload-identity/service-account.yaml
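Review bot: `roles/iam.serviceAccountUser` on a `resourceRef` of kind `Project` lets `[SA_NAME]` act as every service account in the project, including any that hold more privilege than the node itself, so anything running with the node's credentials inherits all of them; that is the opposite of what a hardening sample should show. If the node service account needs to act as only one specific account, bind on that account instead — the workload-identity hunk in this same commit already shows the shape, `resourceRef:` / `kind: IAMServiceAccount` / `name: [GSA_NAME]` — and otherwise add a comment above `role:` stating why project-wide scope is required here.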
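Review bot: `serviceAccount:[PROJECT_ID].svc.id.goog[[K8S_NAMESPACE]/[KSA_NAME]]` now nests placeholder brackets inside the literal brackets of the Workload Identity member format, and nothing tells the reader which pair to keep; the `${...}` form this replaces did not have that ambiguity, and a mis-substitution here yields an invalid member or a binding that does not match the intended Kubernetes service account. A comment directly above the member line, `# Keep the outer [ ] — they are part of the member syntax; replace only the placeholders inside them`, would prevent that. Note also that unquoted `name: [GSA_NAME]` parses as a one-element YAML flow sequence, so the manifest is only valid once the placeholder is substituted; the service-account.yaml hunk has the same property.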
+++ b/tutorials/workload-identity/service-account.yaml
@@ -15,7 +15,7 @@
 apiVersion: iam.cnrm.cloud.google.com/v1alpha1
 kind: IAMServiceAccount
 metadata:
- name: ${GSA_NAME}
+ name: [GSA_NAME]
 spec:
- displayName: ${GSA_NAME}
+ displayName: [GSA_NAME]
 # [END config_connector_workload_identity_service_account]
\ No newline at end of file