feat: release policy bundles

GitOrigin-RevId: 60acdfac3a288e2c596b282bbff569439465b837

Policy_Bundles.md

@@ -19,15 +19,16 @@ This repository contains **sample** `Constraint`s which make use of Policy Contr
 | Policy Bundle | Anthos [1] | Current Version |
 | --- | --- | --- |
 | [ASM Policy v0.0.1](./bundles/asm-policy-v0.0.1) | No | 202311.0 |
-| [Cost and Reliability v2023](./anthos-bundles/cost-reliability-v2023)| No | 202311.0 |
-| [CIS Kubernetes v1.5.1](./bundles/cis-k8s-v1.5.1) | No | 202312.0 |
-| [CIS Kubernetes v1.7.1](./anthos-bundles/cis-k8s-v1.7.1) (Preview)| No | 202312.0-preview |
-| [CIS Google Kubernetes Engine (GKE) v1.4.0](./anthos-bundles/cis-gke-v1.4.0) (Preview)| Yes | 202312.0-preview |
-| [National Institute of Standards and Technology SP 800-53 Rev. 5](./anthos-bundles/nist-sp-800-53-r5) | Yes | 202312.0 |
-| [National Institute of Standards and Technology SP 800-190](./anthos-bundles/nist-sp-800-190) | Yes | 202312.0 |
-| [NSA CISA Kubernetes Hardening Guide v1.2](./anthos-bundles/nsa-cisa-k8s-v1.2) | Yes | 202312.0 |
-| [Payment Card Industry Data Security Standard (PCI DSS) v3.2.1](./anthos-bundles/pci-dss-v3.2.1) and [PCI DSS v3.2.1 Extended](./anthos-bundles/pci-dss-v3.2.1-extended) | Yes | 202312.0 |
-| [Pod Security Policy v2022](./bundles/psp-v2022) | No | 202311.0 |
+| [Cost and Reliability v2023](./anthos-bundles/cost-reliability-v2023)| No | 202312.0 |
+| [CIS Kubernetes v1.5.1](./bundles/cis-k8s-v1.5.1) | No | 202312.1 |
+| [CIS Kubernetes v1.7.1](./anthos-bundles/cis-k8s-v1.7.1) (Preview)| No | 202312.1-preview |
+| [CIS Google Kubernetes Engine (GKE) v1.4.0](./anthos-bundles/cis-gke-v1.4.0) (Preview)| Yes | 202312.1-preview |
+| [National Institute of Standards and Technology SP 800-53 Rev. 5](./anthos-bundles/nist-sp-800-53-r5) | Yes | 202312.1 |
+| [National Institute of Standards and Technology SP 800-190](./anthos-bundles/nist-sp-800-190) | Yes | 202312.1 |
+| [NSA CISA Kubernetes Hardening Guide v1.2](./anthos-bundles/nsa-cisa-k8s-v1.2) | Yes | 202312.1 |
+| [Payment Card Industry Data Security Standard (PCI DSS) v3.2.1](./anthos-bundles/pci-dss-v3.2.1) and [PCI DSS v3.2.1 Extended](./anthos-bundles/pci-dss-v3.2.1-extended) | Yes | 202312.1 |
+| [Payment Card Industry Data Security Standard (PCI DSS) v4.0](./anthos-bundles/pci-dss-v4.0)| Yes | 202312.0-preview |
+| [Pod Security Policy v2022](./bundles/psp-v2022) | No | 202312.0 |
 | [Pod Security Standards Baseline v2022](./bundles/pss-baseline-v2022) | No | 202311.0 |
 | [Pod Security Standards Restricted v2022](./anthos-bundles/pss-restricted-v2022) | Yes | 202311.0 |
 | [Policy Essentials v2022](./bundles/policy-essentials-v2022) | No | 202311.0 |

anthos-bundles/cis-gke-v1.4.0/kustomization.yaml

@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # This is “Software” that is licensed under the “General Software” section of
 # the Service Specific Terms (https://cloud.google.com/terms/service-terms) for

anthos-bundles/cis-gke-v1.4.0/require-binauthz.yaml

@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # This is “Software” that is licensed under the “General Software” section of
 # the Service Specific Terms (https://cloud.google.com/terms/service-terms) for
@@ -13,13 +13,13 @@ metadata:
   labels:
     policycontroller.gke.io/bundleName: cis-gke-v1.4.0
   annotations:
-    policycontroller.gke.io/bundleVersion: 202312.0-preview
+    policycontroller.gke.io/bundleVersion: 202312.1-preview
     policycontroller.gke.io/constraintData: |-
       "{
         bundleName: 'cis-gke-v1.4.0',
         bundleDisplayName: 'CIS GKE Benchmark v1.4.0',
         bundleLink: 'https://cloud.google.com/anthos-config-management/docs/how-to/using-cis-gke-v1.4',
-        bundleVersion: '202312.0-preview',
+        bundleVersion: '202312.1-preview',
         bundleDescription: 'Use the CIS GKE Benchmark 1.4.0 policy bundle with Policy Controller to evaluate the compliance of your cluster resources against the CIS GKE Benchmark v1.4.0, which is a set of recommendations for configuring GKE to support a robust security posture.',
         controlNumbers: '[4.5.1,5.1.1,5.1.4,5.10.5]',
         severity: 'UNSPECIFIED',

anthos-bundles/cis-gke-v1.4.0/require-cos-node-image.yaml

@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # This is “Software” that is licensed under the “General Software” section of
 # the Service Specific Terms (https://cloud.google.com/terms/service-terms) for
@@ -13,13 +13,13 @@ metadata:
   labels:
     policycontroller.gke.io/bundleName: cis-gke-v1.4.0
   annotations:
-    policycontroller.gke.io/bundleVersion: 202312.0-preview
+    policycontroller.gke.io/bundleVersion: 202312.1-preview
     policycontroller.gke.io/constraintData: |-
       "{
         bundleName: 'cis-gke-v1.4.0',
         bundleDisplayName: 'CIS GKE Benchmark v1.4.0',
         bundleLink: 'https://cloud.google.com/anthos-config-management/docs/how-to/using-cis-gke-v1.4',
-        bundleVersion: '202312.0-preview',
+        bundleVersion: '202312.1-preview',
         bundleDescription: 'Use the CIS GKE Benchmark 1.4.0 policy bundle with Policy Controller to evaluate the compliance of your cluster resources against the CIS GKE Benchmark v1.4.0, which is a set of recommendations for configuring GKE to support a robust security posture.',
         controlNumbers: '[5.5.1]',
         severity: 'UNSPECIFIED',

anthos-bundles/cis-gke-v1.4.0/require-gke-metadata-server-enabled.yaml

@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # This is “Software” that is licensed under the “General Software” section of
 # the Service Specific Terms (https://cloud.google.com/terms/service-terms) for
@@ -13,13 +13,13 @@ metadata:
   labels:
     policycontroller.gke.io/bundleName: cis-gke-v1.4.0
   annotations:
-    policycontroller.gke.io/bundleVersion: 202312.0-preview
+    policycontroller.gke.io/bundleVersion: 202312.1-preview
     policycontroller.gke.io/constraintData: |-
       "{
         bundleName: 'cis-gke-v1.4.0',
         bundleDisplayName: 'CIS GKE Benchmark v1.4.0',
         bundleLink: 'https://cloud.google.com/anthos-config-management/docs/how-to/using-cis-gke-v1.4',
-        bundleVersion: '202312.0-preview',
+        bundleVersion: '202312.1-preview',
         bundleDescription: 'Use the CIS GKE Benchmark 1.4.0 policy bundle with Policy Controller to evaluate the compliance of your cluster resources against the CIS GKE Benchmark v1.4.0, which is a set of recommendations for configuring GKE to support a robust security posture.',
         controlNumbers: '[5.4.2]',
         severity: 'UNSPECIFIED',

anthos-bundles/cis-gke-v1.4.0/require-ingress.class-gce.yaml

@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # This is “Software” that is licensed under the “General Software” section of
 # the Service Specific Terms (https://cloud.google.com/terms/service-terms) for
@@ -13,13 +13,13 @@ metadata:
   labels:
     policycontroller.gke.io/bundleName: cis-gke-v1.4.0
   annotations:
-    policycontroller.gke.io/bundleVersion: 202312.0-preview
+    policycontroller.gke.io/bundleVersion: 202312.1-preview
     policycontroller.gke.io/constraintData: |-
       "{
         bundleName: 'cis-gke-v1.4.0',
         bundleDisplayName: 'CIS GKE Benchmark v1.4.0',
         bundleLink: 'https://cloud.google.com/anthos-config-management/docs/how-to/using-cis-gke-v1.4',
-        bundleVersion: '202312.0-preview',
+        bundleVersion: '202312.1-preview',
         bundleDescription: 'Use the CIS GKE Benchmark 1.4.0 policy bundle with Policy Controller to evaluate the compliance of your cluster resources against the CIS GKE Benchmark v1.4.0, which is a set of recommendations for configuring GKE to support a robust security posture.',
         controlNumbers: '[5.6.8]',
         severity: 'UNSPECIFIED',

anthos-bundles/cis-gke-v1.4.0/require-managed-certificates.yaml

@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # This is “Software” that is licensed under the “General Software” section of
 # the Service Specific Terms (https://cloud.google.com/terms/service-terms) for
@@ -13,13 +13,13 @@ metadata:
   labels:
     policycontroller.gke.io/bundleName: cis-gke-v1.4.0
   annotations:
-    policycontroller.gke.io/bundleVersion: 202312.0-preview
+    policycontroller.gke.io/bundleVersion: 202312.1-preview
     policycontroller.gke.io/constraintData: |-
       "{
         bundleName: 'cis-gke-v1.4.0',
         bundleDisplayName: 'CIS GKE Benchmark v1.4.0',
         bundleLink: 'https://cloud.google.com/anthos-config-management/docs/how-to/using-cis-gke-v1.4',
-        bundleVersion: '202312.0-preview',
+        bundleVersion: '202312.1-preview',
         bundleDescription: 'Use the CIS GKE Benchmark 1.4.0 policy bundle with Policy Controller to evaluate the compliance of your cluster resources against the CIS GKE Benchmark v1.4.0, which is a set of recommendations for configuring GKE to support a robust security posture.',
         controlNumbers: '[5.6.8]',
         severity: 'UNSPECIFIED',

anthos-bundles/cis-gke-v1.4.0/require-namespace-networkpolicy.yaml

@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # This is “Software” that is licensed under the “General Software” section of
 # the Service Specific Terms (https://cloud.google.com/terms/service-terms) for
@@ -13,20 +13,20 @@ metadata:
   labels:
     policycontroller.gke.io/bundleName: cis-gke-v1.4.0
   annotations:
-    policycontroller.gke.io/bundleVersion: 202312.0-preview
+    policycontroller.gke.io/bundleVersion: 202312.1-preview
     policycontroller.gke.io/constraintData: |-
       "{
         bundleName: 'cis-gke-v1.4.0',
         bundleDisplayName: 'CIS GKE Benchmark v1.4.0',
         bundleLink: 'https://cloud.google.com/anthos-config-management/docs/how-to/using-cis-gke-v1.4',
-        bundleVersion: '202312.0-preview',
+        bundleVersion: '202312.1-preview',
         bundleDescription: 'Use the CIS GKE Benchmark 1.4.0 policy bundle with Policy Controller to evaluate the compliance of your cluster resources against the CIS GKE Benchmark v1.4.0, which is a set of recommendations for configuring GKE to support a robust security posture.',
         controlNumbers: '[4.3.2]',
         severity: 'UNSPECIFIED',
         description: 'Requires that every namespace defined in the cluster has a NetworkPolicy.',
         remediation: 'Cannot have a namespace in the cluster without a NetworkPolicy. Add a NetworkPolicy to your namespace. See "Network Policies" for more information: https://kubernetes.io/docs/concepts/services-networking/network-policies',
         minimumTemplateLibraryVersion: '1.10.1',
-        constraintHash: '46e0deca3b3b0728a2046ac948908e2ffb29c693993d7c7bf3144d160cfb56cd'
+        constraintHash: '00c87f4b3e9fa7767959d337b4352d41c3691c501af2a94abf43c3b3eb505652'
       }"
 spec:
   enforcementAction: dryrun
@@ -57,6 +57,7 @@ spec:
       - apigee
       - apigee-system
       - gke-managed-system
+      - gke-managed-cim
     kinds:
       - apiGroups:
           - ""

anthos-bundles/cis-gke-v1.4.0/require-seccomp-default.yaml

@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # This is “Software” that is licensed under the “General Software” section of
 # the Service Specific Terms (https://cloud.google.com/terms/service-terms) for
@@ -13,13 +13,13 @@ metadata:
   labels:
     policycontroller.gke.io/bundleName: cis-gke-v1.4.0
   annotations:
-    policycontroller.gke.io/bundleVersion: 202312.0-preview
+    policycontroller.gke.io/bundleVersion: 202312.1-preview
     policycontroller.gke.io/constraintData: |-
       "{
         bundleName: 'cis-gke-v1.4.0',
         bundleDisplayName: 'CIS GKE Benchmark v1.4.0',
         bundleLink: 'https://cloud.google.com/anthos-config-management/docs/how-to/using-cis-gke-v1.4',
-        bundleVersion: '202312.0-preview',
+        bundleVersion: '202312.1-preview',
         bundleDescription: 'Use the CIS GKE Benchmark 1.4.0 policy bundle with Policy Controller to evaluate the compliance of your cluster resources against the CIS GKE Benchmark v1.4.0, which is a set of recommendations for configuring GKE to support a robust security posture.',
         controlNumbers: '[4.6.2]',
         severity: 'UNSPECIFIED',

anthos-bundles/cis-gke-v1.4.0/require-securitycontext.yaml

@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # This is “Software” that is licensed under the “General Software” section of
 # the Service Specific Terms (https://cloud.google.com/terms/service-terms) for
@@ -13,13 +13,13 @@ metadata:
   labels:
     policycontroller.gke.io/bundleName: cis-gke-v1.4.0
   annotations:
-    policycontroller.gke.io/bundleVersion: 202312.0-preview
+    policycontroller.gke.io/bundleVersion: 202312.1-preview
     policycontroller.gke.io/constraintData: |-
       "{
         bundleName: 'cis-gke-v1.4.0',
         bundleDisplayName: 'CIS GKE Benchmark v1.4.0',
         bundleLink: 'https://cloud.google.com/anthos-config-management/docs/how-to/using-cis-gke-v1.4',
-        bundleVersion: '202312.0-preview',
+        bundleVersion: '202312.1-preview',
         bundleDescription: 'Use the CIS GKE Benchmark 1.4.0 policy bundle with Policy Controller to evaluate the compliance of your cluster resources against the CIS GKE Benchmark v1.4.0, which is a set of recommendations for configuring GKE to support a robust security posture.',
         controlNumbers: '[4.6.3]',
         severity: 'UNSPECIFIED',

anthos-bundles/cis-gke-v1.4.0/restrict-apparmor.yaml

@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # This is “Software” that is licensed under the “General Software” section of
 # the Service Specific Terms (https://cloud.google.com/terms/service-terms) for
@@ -13,13 +13,13 @@ metadata:
   labels:
     policycontroller.gke.io/bundleName: cis-gke-v1.4.0
   annotations:
-    policycontroller.gke.io/bundleVersion: 202312.0-preview
+    policycontroller.gke.io/bundleVersion: 202312.1-preview
     policycontroller.gke.io/constraintData: |-
       "{
         bundleName: 'cis-gke-v1.4.0',
         bundleDisplayName: 'CIS GKE Benchmark v1.4.0',
         bundleLink: 'https://cloud.google.com/anthos-config-management/docs/how-to/using-cis-gke-v1.4',
-        bundleVersion: '202312.0-preview',
+        bundleVersion: '202312.1-preview',
         bundleDescription: 'Use the CIS GKE Benchmark 1.4.0 policy bundle with Policy Controller to evaluate the compliance of your cluster resources against the CIS GKE Benchmark v1.4.0, which is a set of recommendations for configuring GKE to support a robust security posture.',
         controlNumbers: '[4.6.3]',
         severity: 'UNSPECIFIED',

anthos-bundles/cis-gke-v1.4.0/restrict-automountserviceaccounttoken.yaml

@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # This is “Software” that is licensed under the “General Software” section of
 # the Service Specific Terms (https://cloud.google.com/terms/service-terms) for
@@ -13,13 +13,13 @@ metadata:
   labels:
     policycontroller.gke.io/bundleName: cis-gke-v1.4.0
   annotations:
-    policycontroller.gke.io/bundleVersion: 202312.0-preview
+    policycontroller.gke.io/bundleVersion: 202312.1-preview
     policycontroller.gke.io/constraintData: |-
       "{
         bundleName: 'cis-gke-v1.4.0',
         bundleDisplayName: 'CIS GKE Benchmark v1.4.0',
         bundleLink: 'https://cloud.google.com/anthos-config-management/docs/how-to/using-cis-gke-v1.4',
-        bundleVersion: '202312.0-preview',
+        bundleVersion: '202312.1-preview',
         bundleDescription: 'Use the CIS GKE Benchmark 1.4.0 policy bundle with Policy Controller to evaluate the compliance of your cluster resources against the CIS GKE Benchmark v1.4.0, which is a set of recommendations for configuring GKE to support a robust security posture.',
         controlNumbers: '[4.1.5,4.1.6]',
         severity: 'UNSPECIFIED',

anthos-bundles/cis-gke-v1.4.0/restrict-capabilities.yaml

@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # This is “Software” that is licensed under the “General Software” section of
 # the Service Specific Terms (https://cloud.google.com/terms/service-terms) for
@@ -13,13 +13,13 @@ metadata:
   labels:
     policycontroller.gke.io/bundleName: cis-gke-v1.4.0
   annotations:
-    policycontroller.gke.io/bundleVersion: 202312.0-preview
+    policycontroller.gke.io/bundleVersion: 202312.1-preview
     policycontroller.gke.io/constraintData: |-
       "{
         bundleName: 'cis-gke-v1.4.0',
         bundleDisplayName: 'CIS GKE Benchmark v1.4.0',
         bundleLink: 'https://cloud.google.com/anthos-config-management/docs/how-to/using-cis-gke-v1.4',
-        bundleVersion: '202312.0-preview',
+        bundleVersion: '202312.1-preview',
         bundleDescription: 'Use the CIS GKE Benchmark 1.4.0 policy bundle with Policy Controller to evaluate the compliance of your cluster resources against the CIS GKE Benchmark v1.4.0, which is a set of recommendations for configuring GKE to support a robust security posture.',
         controlNumbers: '[4.2.7,4.2.8,4.6.3,5.10.3]',
         severity: 'UNSPECIFIED',

anthos-bundles/cis-gke-v1.4.0/restrict-cluster-admin-role.yaml

@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # This is “Software” that is licensed under the “General Software” section of
 # the Service Specific Terms (https://cloud.google.com/terms/service-terms) for
@@ -13,13 +13,13 @@ metadata:
   labels:
     policycontroller.gke.io/bundleName: cis-gke-v1.4.0
   annotations:
-    policycontroller.gke.io/bundleVersion: 202312.0-preview
+    policycontroller.gke.io/bundleVersion: 202312.1-preview
     policycontroller.gke.io/constraintData: |-
       "{
         bundleName: 'cis-gke-v1.4.0',
         bundleDisplayName: 'CIS GKE Benchmark v1.4.0',
         bundleLink: 'https://cloud.google.com/anthos-config-management/docs/how-to/using-cis-gke-v1.4',
-        bundleVersion: '202312.0-preview',
+        bundleVersion: '202312.1-preview',
         bundleDescription: 'Use the CIS GKE Benchmark 1.4.0 policy bundle with Policy Controller to evaluate the compliance of your cluster resources against the CIS GKE Benchmark v1.4.0, which is a set of recommendations for configuring GKE to support a robust security posture.',
         controlNumbers: '[4.1.1]',
         severity: 'UNSPECIFIED',

anthos-bundles/cis-gke-v1.4.0/restrict-creation-with-default-serviceaccount.yaml

@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # This is “Software” that is licensed under the “General Software” section of
 # the Service Specific Terms (https://cloud.google.com/terms/service-terms) for
@@ -13,13 +13,13 @@ metadata:
   labels:
     policycontroller.gke.io/bundleName: cis-gke-v1.4.0
   annotations:
-    policycontroller.gke.io/bundleVersion: 202312.0-preview
+    policycontroller.gke.io/bundleVersion: 202312.1-preview
     policycontroller.gke.io/constraintData: |-
       "{
         bundleName: 'cis-gke-v1.4.0',
         bundleDisplayName: 'CIS GKE Benchmark v1.4.0',
         bundleLink: 'https://cloud.google.com/anthos-config-management/docs/how-to/using-cis-gke-v1.4',
-        bundleVersion: '202312.0-preview',
+        bundleVersion: '202312.1-preview',
         bundleDescription: 'Use the CIS GKE Benchmark 1.4.0 policy bundle with Policy Controller to evaluate the compliance of your cluster resources against the CIS GKE Benchmark v1.4.0, which is a set of recommendations for configuring GKE to support a robust security posture.',
         controlNumbers: '[4.1.5]',
         severity: 'UNSPECIFIED',

anthos-bundles/cis-gke-v1.4.0/restrict-default-namespace.yaml

@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # This is “Software” that is licensed under the “General Software” section of
 # the Service Specific Terms (https://cloud.google.com/terms/service-terms) for
@@ -13,13 +13,13 @@ metadata:
   labels:
     policycontroller.gke.io/bundleName: cis-gke-v1.4.0
   annotations:
-    policycontroller.gke.io/bundleVersion: 202312.0-preview
+    policycontroller.gke.io/bundleVersion: 202312.1-preview
     policycontroller.gke.io/constraintData: |-
       "{
         bundleName: 'cis-gke-v1.4.0',
         bundleDisplayName: 'CIS GKE Benchmark v1.4.0',
         bundleLink: 'https://cloud.google.com/anthos-config-management/docs/how-to/using-cis-gke-v1.4',
-        bundleVersion: '202312.0-preview',
+        bundleVersion: '202312.1-preview',
         bundleDescription: 'Use the CIS GKE Benchmark 1.4.0 policy bundle with Policy Controller to evaluate the compliance of your cluster resources against the CIS GKE Benchmark v1.4.0, which is a set of recommendations for configuring GKE to support a robust security posture.',
         controlNumbers: '[4.6.1,4.6.4]',
         severity: 'UNSPECIFIED',