# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#########
# The following rules are automatically created when the policy is created; they delegate traffic to/from VPC resources to the shared VPC network within the host project:
# 2147483644 default egress rule ipv6 Egress IPv6 ranges: ::/0 all Goto next
# 2147483645 default ingress rule ipv6 Ingress IPv6 ranges: ::/0 all Goto next
# 2147483646 default egress rule Egress IPv4 ranges: 0.0.0.0/0 all Goto next
# 2147483647 default ingress rule Ingress IPv4 ranges: 0.0.0.0/0 all Goto next
#########
# Client Compute Firewall Policy to folder client-folder
# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in the shared VPC network within the host project or firewall policies in parent folders, based on the least-privilege principle. Each firewall rule applies to incoming (ingress) or outgoing (egress) connections, not both.
#
# This document creates the policy container only. No ComputeFirewallPolicyRule
# resources are defined in this file, so per the note above the policy starts
# with just the default "Goto next" rules and evaluation falls through to
# lower-level policies and the VPC network firewall rules until rules are added.
# The policy has no effect on traffic until it is associated with a folder,
# which the ComputeFirewallPolicyAssociation document below does.
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeFirewallPolicy
metadata:
  name: client-name-client-folder-fwpol # kpt-set: ${client-name}-client-folder-fwpol
  namespace: client-name-networking # kpt-set: ${client-name}-networking
spec:
  # shortName required, immutable, 1-63 characters, unique within organization
  shortName: client-name-client-folder-fwpol # kpt-set: ${client-name}-client-folder-fwpol
  # to acquire an existing firewall policy instead of creating a new one:
  # - uncomment 'resourceID' below
  # - replace 1234567890 with the policy ID number (it can be found in the cloud console)
  # resourceID: firewallPolicies/1234567890
  # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
  # Folder the policy resource is created under (resolved from the 'hierarchy'
  # namespace). Attachment to a folder is a separate step, done by the
  # ComputeFirewallPolicyAssociation document below.
  folderRef:
    name: clients.client-name # kpt-set: clients.${client-name}
    namespace: hierarchy
  description: "Firewall policy for client-name" # kpt-set: Firewall policy for ${client-name}
---
# Firewall policy association to client-folder folder
#
# Attaches the ComputeFirewallPolicy above to the client folder. Once
# associated, the policy is evaluated for resources under that folder, ahead
# of the VPC network firewall rules that the default "Goto next" rules fall
# through to. Here the attachment target is the same folder the policy is
# created under, though the two need not coincide.
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeFirewallPolicyAssociation
metadata:
  name: client-name-client-folder-fwpol-association # kpt-set: ${client-name}-client-folder-fwpol-association
  namespace: client-name-networking # kpt-set: ${client-name}-networking
  annotations:
    # Orders the apply so the referenced ComputeFirewallPolicy exists before
    # this association is created. Keep this in sync with metadata.name /
    # metadata.namespace of the policy document above.
    config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-networking/ComputeFirewallPolicy/client-name-client-folder-fwpol # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-networking/ComputeFirewallPolicy/${client-name}-client-folder-fwpol
spec:
  # Folder the policy is attached to (resolved from the 'hierarchy' namespace).
  attachmentTargetRef:
    kind: Folder
    name: clients.client-name # kpt-set: clients.${client-name}
    namespace: hierarchy
  # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
  # Must match metadata.name of the ComputeFirewallPolicy document above.
  firewallPolicyRef:
    name: client-name-client-folder-fwpol # kpt-set: ${client-name}-client-folder-fwpol