Manifests for the gatekeeper-securitycenter
Kubernetes controller.
These instructions assume that you have already created the prerequisite resources.
- kpt v1.0.0-beta.7 or later
VERSION=v0.4.0
kpt pkg get https://github.com/GoogleCloudPlatform/gatekeeper-securitycenter.git/manifests@$VERSION manifests
-
Set the Security Command Center source name:
kpt fn eval manifests \ --image gcr.io/kpt-fn/apply-setters:v0.2 -- \ "source=$SOURCE_NAME"
Where
$SOURCE_NAME
is your Security Command Center source in the formatorganizations/$ORGANIZATION_ID/sources/$SOURCE_ID
. -
(Optional) Set the cluster name. You can use any name you like, or you can leave it blank. If you provide a cluster name, it will be visible in Security Command Center. As an example, you can use your current kubectl context name:
kpt fn eval manifests \ --image gcr.io/kpt-fn/apply-setters:v0.2 -- \ "cluster=$(kubectl config current-context)"
If your Google Kubernetes Engine (GKE) cluster uses
Workload Identity,
add an annotation to bind the gatekeeper-securitycenter-controller
Kubernetes service account to the Google service account
FINDINGS_EDITOR_SA
:
kpt fn eval manifests \
--image gcr.io/kpt-fn/set-annotations:v0.1.4 \
--match-kind ServiceAccount \
--match-name gatekeeper-securitycenter-controller \
--match-namespace gatekeeper-securitycenter -- \
"iam.gke.io/gcp-service-account=$FINDINGS_EDITOR_SA"
The Google service account must have the Security Center Findings Editor Cloud IAM role on the source or at the organization level.
If you don't use GKE Workload Identity, see the documentation on
Authenticating to Google Cloud with service accounts
for alternative instructions on how to provide Google service account
credentials to the gatekeeper-securitycenter
controller pods.
kpt live init manifests
kpt live apply manifests --reconcile-timeout=3m