
cluster

Sample rules

A few rules that use objects from this package:

non_car_gke_manage_rbac_users_with_google_groups
from typing import List, Dict

from cloudrail.knowledge.context.gcp.gcp_environment_context import GcpEnvironmentContext
from cloudrail.knowledge.rules.base_rule import Issue
from cloudrail.knowledge.rules.gcp.gcp_base_rule import GcpBaseRule
from cloudrail.knowledge.rules.rule_parameters.base_paramerter import ParameterType


class ContainerClusterUseRbacUsersRule(GcpBaseRule):
    """Flag GKE clusters that do not bind Kubernetes RBAC to Google Groups.

    A cluster is reported when its ``authenticator_groups_config`` is unset
    (``None`` or otherwise falsy). Only the presence of the config object is
    checked; its ``security_group`` value is not inspected here.
    """

    def get_id(self) -> str:
        """Return the rule identifier used in reports and rule parameters."""
        return 'non_car_gke_manage_rbac_users_with_google_groups'

    def execute(self, env_context: GcpEnvironmentContext, parameters: Dict[ParameterType, any]) -> List[Issue]:
        """Return one ``Issue`` per cluster that lacks a Google Groups RBAC config.

        ``parameters`` is part of the base-rule interface and is not read by
        this rule. (NOTE(review): the annotation names the builtin ``any``;
        ``typing.Any`` is presumably intended. Left unchanged so the
        signature stays identical to the original.)
        """

        def _issue_for(cluster) -> Issue:
            # The message text is the rule's user-facing finding; keep it stable.
            message = (f"The {cluster.get_type()} `{cluster.get_friendly_name()}` "
                       f"does not have Kubernetes RBAC users configured with google security groups")
            return Issue(message, cluster, cluster)

        return [_issue_for(cluster)
                for cluster in env_context.container_clusters
                if not cluster.authenticator_groups_config]

    def should_run_rule(self, environment_context: GcpEnvironmentContext) -> bool:
        """Run only when the environment holds at least one GKE cluster."""
        return bool(environment_context.container_clusters)
non_car_gke_control_plane_ensure_not_public
import ipaddress
from typing import Any, Dict, List

from cloudrail.knowledge.context.gcp.gcp_environment_context import GcpEnvironmentContext
from cloudrail.knowledge.rules.base_rule import Issue
from cloudrail.knowledge.rules.gcp.gcp_base_rule import GcpBaseRule
from cloudrail.knowledge.rules.rule_parameters.base_paramerter import ParameterType


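class ContainerClusterIsNotPublictRule(GcpBaseRule):
    """Flag GKE clusters whose control-plane endpoint is reachable from any address.

    A cluster is reported when it has no master-authorized-networks
    configuration at all, or when one of its authorized CIDR blocks is empty
    or spans the whole address space (prefix length 0, e.g. ``0.0.0.0/0`` or
    ``::/0``) - an allow-list entry that admits every source restricts nothing.

    NOTE(review): ``private_cluster_config.enable_private_endpoint`` (the master
    served only on its internal IP) is not consulted; a private-endpoint
    cluster without authorized networks is still reported. Confirm that is the
    intended scope of this rule.
    """

    def get_id(self) -> str:
        """Return the rule identifier used in reports and rule parameters."""
        return 'non_car_gke_control_plane_ensure_not_public'

    @staticmethod
    def _cidr_allows_any_source(cidr_block: str) -> bool:
        """Return True when *cidr_block* does not restrict the source address.

        An empty/None block is treated as unrestricted. A parseable block is
        unrestricted when its prefix length is 0. A string that is not valid
        CIDR notation is treated as restricting, so a malformed value does
        not by itself produce a finding (this rule only widens detection for
        well-formed catch-all ranges).
        """
        if not cidr_block:
            return True
        try:
            # strict=False tolerates host bits being set (e.g. "10.1.2.3/8").
            return ipaddress.ip_network(cidr_block, strict=False).prefixlen == 0
        except ValueError:
            return False

    def execute(self, env_context: GcpEnvironmentContext, parameters: Dict[ParameterType, Any]) -> List[Issue]:
        """Return one ``Issue`` per cluster whose control plane is publicly reachable.

        ``parameters`` is part of the base-rule interface and is not read by
        this rule.
        """
        issues: List[Issue] = []
        for container_cluster in env_context.container_clusters:
            auth_net_config = container_cluster.master_authorized_networks_config
            # A config object with no CIDR entries allows nothing extra, so an
            # absent/empty list is not a finding; only an unrestricted entry is.
            cidr_blocks = auth_net_config.cidr_blocks or () if auth_net_config else ()
            if not auth_net_config or any(
                    self._cidr_allows_any_source(cidr_obj.cidr_block) for cidr_obj in cidr_blocks):
                issues.append(
                    Issue(
                        f"The {container_cluster.get_type()} `{container_cluster.get_friendly_name()}` control plane is publicly accessible",
                        container_cluster,
                        container_cluster))
        return issues

    def should_run_rule(self, environment_context: GcpEnvironmentContext) -> bool:
        """Run only when the environment holds at least one GKE cluster."""
        return bool(environment_context.container_clusters)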

GcpContainerCluster (GcpResource)

Attributes:

Name Type Description
name str

The name of the cluster, unique within the project and location.

location str

(Optional) The location (region or zone) in which the cluster master will be created, as well as the default node location.

cluster_ipv4_cidr str

(Optional) The IP address range of the Kubernetes pods in this cluster in CIDR notation.

enable_shielded_nodes bool

(Optional) Enable Shielded Nodes features on all nodes in this cluster. Defaults to false.

master_authorized_networks_config Optional[GcpContainerMasterAuthNetConfig]

(Optional) The desired configuration options for master authorized networks.

authenticator_groups_config Optional[GcpContainerClusterAuthGrpConfig]

(Optional) Configuration for the Google Groups for GKE feature.

private_cluster_config Optional[GcpContainerClusterPrivateClusterConfig]

(Optional) Configuration for cluster with private nodes.

release_channel GcpContainerClusterReleaseChannel

(Optional) Configuration options for the Release channel feature, which provide more control over automatic upgrades of your GKE clusters.

issue_client_certificate bool

(Optional) Whether client certificate authorization is enabled for this cluster.

pod_security_policy_enabled bool

(Optional) Whether pods must be valid under a PodSecurityPolicy in order to be created.

network_policy GcpContainerClusterNetworkPolicy

(Optional) Configuration for the Network Policy of the GKE.

networking_mode GcpContainerClusterNetworkingMode

(Optional) Whether alias IPs or routes will be used for pod IPs in the cluster.

custom_invalidation(self) inherited

A list of manual reasons why this resource should be invalidated

exclude_from_invalidation(self) inherited

A list of attributes that should be excluded from the invalidation process

GcpContainerClusterAuthGrpConfig dataclass

Attributes:

Name Type Description
security_group str

(Optional) The name of the RBAC security group for use with Google security groups in Kubernetes RBAC.

GcpContainerClusterNetworkConfigProvider (str, Enum)

An enumeration.

GcpContainerClusterNetworkPolicy dataclass

Attributes:

Name Type Description
provider GcpContainerClusterNetworkConfigProvider

(Optional) The selected network policy provider.

enabled bool

Whether network policy is enabled on the cluster nodes.

GcpContainerClusterNetworkingMode (str, Enum)

An enumeration.

GcpContainerClusterNodeConfig dataclass

Attributes:

Name Type Description
metadata dict

(Optional) Metadata key/value pairs assigned to an instance in the cluster.

shielded_instance_config GcpContainerClusterShielededInstanceConfig

(Optional) Shielded Instance configurations.

workload_metadata_config_mode GcpContainerClusterWorkloadMetadataConfigMode

(Optional) How to expose the node metadata to the workload running on the node.

service_account str

(Optional) The service account to be used by the Node VMs.

GcpContainerClusterPrivateClusterConfig dataclass

Attributes:

Name Type Description
enable_private_nodes bool

(Optional) Indication whether nodes have internal IP addresses only.

enable_private_endpoint bool

(Optional) Indication whether the master's internal IP address is used as the cluster endpoint.

master_global_access_config bool

(Optional) Indication whether the master is accessible globally or not.

GcpContainerClusterReleaseChannel (str, Enum)

An enumeration.

GcpContainerClusterShielededInstanceConfig dataclass

Attributes:

Name Type Description
enable_secure_boot bool

(Optional) Indication whether the instance has Secure Boot enabled.

enable_integrity_monitoring bool

(Optional) Indication whether the instance has integrity monitoring enabled.

GcpContainerClusterWorkloadMetadataConfigMode (str, Enum)

An enumeration.

GcpContainerMasterAuthNetConfig dataclass

Attributes:

Name Type Description
cidr_blocks List[cloudrail.knowledge.context.gcp.resources.cluster.gcp_container_cluster.GcpContainerMasterAuthNetConfigCidrBlk]

(Optional) External networks that can access the Kubernetes cluster master through HTTPS.

GcpContainerMasterAuthNetConfigCidrBlk dataclass

Attributes:

Name Type Description
cidr_block str

(Optional) External network that can access Kubernetes master through HTTPS. Must be specified in CIDR notation.

display_name str

(Optional) Field for users to identify CIDR blocks.