scorecard-v1

This bundle can be installed via kpt:

export BUNDLE=scorecard-v1
kpt pkg get https://github.com/GoogleCloudPlatform/policy-library.git ./policy-library
kpt fn source policy-library/samples/ | \
  kpt fn eval - --image gcr.io/config-validator/get-policy-bundle:latest -- bundle=$BUNDLE | \
  kpt fn sink policy-library/policies/constraints/

Constraints

| Constraint | Control | Description |
|---|---|---|
| allow_only_private_cluster | security | Verifies all GKE clusters are Private Clusters. |
| deny_allusers | security | Prevents public users from having access to resources via IAM. |
| denylist_public_users | security | Prevents public users from having access to resources via IAM. |
| disable_gke_dashboard | security | Ensures the Kubernetes web UI / Dashboard is disabled. |
| disable_gke_default_service_account | security | Ensures the default service account is not used for project access in Kubernetes Engine clusters. |
| disable_gke_legacy_abac | security | Ensures Legacy Authorization (ABAC) is disabled on Kubernetes Engine clusters. |
| disable_gke_legacy_endpoints | security | Checks that legacy metadata endpoints are disabled (disabled by default since GKE 1.12+). |
| dnssec_prevent_rsasha1_ksk | security | Ensures RSASHA1 is not used for the key-signing key in Cloud DNS. |
| dnssec_prevent_rsasha1_zsk | security | Ensures RSASHA1 is not used for the zone-signing key in Cloud DNS. |
| enable_alias_ip_ranges | security | Ensures Kubernetes Engine clusters are created with alias IP ranges enabled. |
| enable_auto_repair | security | Ensures automatic node repair is enabled on all node pools in a GKE cluster. |
| enable_auto_upgrade | security | Ensures automatic node upgrades are enabled on Kubernetes Engine cluster nodes. |
| enable_gke_master_authorized_networks | security | Ensures master authorized networks is enabled on Kubernetes Engine clusters. |
| enable_network_flow_logs | security | Ensures VPC Flow Logs are enabled for every subnet in a VPC network. |
| enable_network_private_google_access | security | Ensures Private Google Access is enabled for all subnetworks in a VPC. |
| gke_allowed_node_service_account_scope_default | security | Checks that certain service account scopes are not assigned to nodes. |
| gke_container_optimized_os | security | Ensures Container-Optimized OS (cos) is used for Kubernetes Engine clusters. |
| gke_restrict_client_auth_methods | security | Checks that client certificate and password authentication methods are disabled for GKE clusters. |
| gke_restrict_pod_traffic | security | Checks that GKE clusters have a Network Policy installed. |
| prevent-public-ip-cloudsql | security | Prevents a public IP from being assigned to a Cloud SQL instance. |
| require_bq_table_iam | security | Checks if BigQuery datasets are publicly readable or open to allAuthenticatedUsers. |
| require_bucket_policy_only | security | Checks if Cloud Storage buckets have Bucket Policy Only turned on. |
| require_sql_ssl | security | Checks if Cloud SQL instances have SSL turned on. |
| restrict-firewall-rule-rdp-world-open | security | Checks for open firewall rules allowing RDP from the internet. |
| restrict-firewall-rule-ssh-world-open | security | Checks for open firewall rules allowing SSH from the internet. |
| restrict-firewall-rule-world-open | security | Checks for open firewall rules allowing ingress from the internet. |
| service_versions | operational-efficiency | Limits the number of App Engine application versions running simultaneously. |