gke-policy-automation icon indicating copy to clipboard operation
gke-policy-automation copied to clipboard

Published 20 hours ago verified publisher icon google

Metadata

Tool and policy library for reviewing Google Kubernetes Engine clusters against best practices

GKE Policy Automation

This repository contains the tool and the policy library for validating GKE clusters against configuration best practices.

Build Policy tests Version Go Report Card GoDoc GitHub

GKE Policy Automation Demo

Note: this is not an officially supported Google product.

Table of Contents

  • Installation
  • Usage
  • Contributing
  • License

Installation

Container image

The container images with GKE Policy Automation tool are hosted on ghcr.io. Check the packages page for a list of all tags and versions.

docker pull ghcr.io/google/gke-policy-automation:latest
docker run --rm ghcr.io/google/gke-policy-automation check \
-project my-project -location europe-west2 -name my-cluster

Binary

Binaries for Linux, Windows and Mac are available as tarballs in the release page.

Source code

Go v1.18 or newer is required. Check the development guide for more details.

git clone https://github.com/google/gke-policy-automation.git
cd gke-policy-automation
make build
./gke-policy check \
--project my-project --location europe-west2 --name my-cluster

Usage

Full user guide: GKE Policy Automation User Guide.

Checking the cluster

Check the GKE cluster against the default set of best practices with command line flags.

./gke-policy check \
--project my-project --location europe-west2 --name my-cluster

Checking multiple clusters

Check multiple GKE clusters against the default set of best practices with a config file.

./gke-policy check -c config.yaml

The config.yaml file:

clusters:
  - name: prod-central
    project: my-project-one
    location: europe-central2
  - id: projects/my-project-two/locations/europe-west2/clusters/prod-west

Discovering and checking multiple clusters

Discover clusters in a selected GCP projects, folders or in the entire organization using Cloud Asset Inventory and check them against the default set of best practices.

./gke-policy check -c config.yaml

The config.yaml file:

clusterDiscovery:
  enabled: true
  organization: "123456789012"

It is possible to use cluster discovery on a given project using command line flags only:

./gke-policy check --discovery -p my-project-id

Defining outputs

The cluster validation results can be published to multiple outputs, including JSON file, Pub/Sub topic, Cloud Storage bucket or Security Command Center. Check Outputs user guide for more details.

Examples:

  • JSON file output with command line flags

    ./gke-policy check \
--project my-project --location europe-west2 --name my-cluster \
--out-file output.json

  • All outputs enabled in a configuration file

    clusters:
  - name: my-cluster
    project: my-project
    location: europe-west2
outputs:
  - file: output.json
  - pubsub:
      topic: Test
      project: my-pubsub-project
  - cloudStorage:
      bucket: bucket-name
      path: path/to/write
  - securityCommandCenter:
      organization: "153963171798"

Custom Policy repository

Specify custom repository with the GKE cluster best practices and check the cluster against them.

  • Custom policies source with command line flags

    ./gke-policy check \
--project my-project --location europe-west2 --name my-cluster \
--git-policy-repo "https://github.com/google/gke-policy-automation" \
--git-policy-branch "main" \
--git-policy-dir "gke-policies"

  • Custom policies source with configuration file

    ./gke-policy check -c config.yaml

    The config.yaml file:

    clusters:
  - name: my-cluster
    project: my-project
    location: europe-west2
policies:
  - repository: https://domain.com/your/custom/repository
    branch: main
    directory: gke-policies

Authentication

The tool is fetching GKE cluster details using GCP APIs. The application default credentials are used by default.

  • When running the tool in GCP environment, the tool will use the attached service account by default
  • When running locally, use gcloud auth application-default login command to get application default credentials
  • To use credentials from service account key file pass --creds parameter with a path to the file.

The minimum required IAM role is roles/container.clusterViewer on a cluster projects. Additional roles may be needed, depending on configured outputs - check authentication section in the user guide.

Serverless execution

The GKE Policy Automation tool can be executed in a serverless way to perform automatic evaluations of a clusters running in your organization. Please check our reference Terraform Solution that leverages GCP serverless solutions including Cloud Scheduler and Cloud Run.

Contributing

Please check out Contributing and Code of Conduct docs before contributing.

Development

Please check GKE Policy Automation development for guides on building and developing the application.

Policy authoring

Please check GKE Policy authoring guide for guides on authoring REGO rules for GKE Policy Automation.

License

Apache License 2.0

Metadata

511
Stars
26
Forks
Watchers

Owner

verified publisher icon google

Metadata

Tool and policy library for reviewing Google Kubernetes Engine clusters against best practices

Back