# Copyright 2024 Google LLC
#
# This is “Software” that is licensed under the “General Software” section of
# the Service Specific Terms (https://cloud.google.com/terms/service-terms) for
# usage in accordance with the following “Scope of Use”: This file may only be
# used on an Anthos cluster, including any associated ci/cd use. “Anthos
# cluster” is defined as “A Cluster (of any kind) registered to a fleet project
# where the Anthos API is enabled”.
#
# Policy Controller (Gatekeeper) constraint from the PCI DSS v3.2.1 bundle,
# control 1.1.4: every matched workload must carry a `pci-dss-firewall-audit`
# label whose value has the form pci-dss-<YYYY>q<1-4>.
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: pci-dss-v3.2.1-resources-have-required-labels
  labels:
    policycontroller.gke.io/bundleName: pci-dss-v3.2.1
  annotations:
    policycontroller.gke.io/bundleVersion: "202403.0"
    # Bundle metadata consumed by Policy Controller. This is a block scalar, so
    # the inner indentation is part of the annotation value; it was
    # reconstructed here and should be checked against the upstream bundle.
    policycontroller.gke.io/constraintData: |-
      "{
        bundleName: 'pci-dss-v3.2.1',
        bundleDisplayName: 'PCI DSS v3.2.1',
        bundleLink: 'https://cloud.google.com/anthos-config-management/docs/how-to/using-pci-dss-v3',
        bundleVersion: '202403.0',
        bundleDescription: 'Use the PCI DSS v3.2.1 policy bundle with Policy Controller to evaluate the compliance of your cluster resources against some aspects of the Payment Card Industry (PCI) Data Security Standard (DSS) v3.2.1.',
        controlNumbers: '[1.1.4]',
        severity: 'UNSPECIFIED',
        description: 'Requires all apps to contain a specified label to meet firewall requirements.',
        remediation: 'All apps must have a valid firewall audit label. Check the app's firewall and add a label with the format `pci-dss-firewall-audit: "pci-dss-2022q1"` where the suffix is {Year}q{Quarter}.',
        minimumTemplateLibraryVersion: '1.11.1',
        constraintHash: '2f1b6f015edd442332825fc53b0e452d03eaa9fed58daad001110f3a4af8e634'
      }"
spec:
  # dryrun records violations in the constraint status without rejecting the
  # admission request; switch to `deny` to actually block non-compliant
  # workloads once the audit results have been reviewed.
  enforcementAction: dryrun
  match:
    # Only these apps-group workload kinds are evaluated. Bare Pods, Jobs and
    # CronJobs are not in this list and are therefore not checked by this
    # constraint.
    kinds:
      - apiGroups:
          - apps
        kinds:
          - ReplicaSet
          - Deployment
          - StatefulSet
          - DaemonSet
    # Workloads in these namespaces are exempt from the check entirely;
    # every namespace added here widens the exemption.
    excludedNamespaces:
      - kube-system
      - kube-node-lease
      - kube-public
      - gatekeeper-system
      - config-management-system
      - config-management-monitoring
      - resource-group-system
      - gke-connect
      - istio-system
      - asm-system
      - cert-manager
      - gke-system
      - capi-system
      - anthos-identity-service
      - vm-system
      - gke-managed-metrics-server
      - capi-kubeadm-bootstrap-system
      - gmp-system
      - gke-gmp-system
      - apigee
      - apigee-system
      - gke-managed-cim
  parameters:
    message: 'All apps must have a valid pci-dss-firewall-audit label.'
    labels:
      - key: pci-dss-firewall-audit
        # Fully anchored: a four-digit year followed by q1..q4,
        # e.g. pci-dss-2022q1. Quoted so the braces and brackets are never
        # read as YAML flow syntax by any tooling.
        allowedRegex: '^pci-dss-[0-9]{4}q[1-4]$'