Creating Policies for GCP resources

Disclaimer: This blog contains opinions about Google technology. While I work at Google, this is my personal blog. Opinions stated here are my own, not those of my company.

In the last several posts we explored building configurations with Config Connector. Config Connector is a Kubernetes extension that enables managing Google Cloud resources. It lets you use the Kubernetes resource model: declarative, idempotent, eventually consistent. In this post we’ll discuss Gatekeeper, the Open Policy Agent (OPA) based policy controller for Kubernetes. Using Gatekeeper you can create policies for GCP resources to ensure their compliance. To illustrate the Gatekeeper integration with Config Connector, we will create a simple policy example.

Gatekeeper, just like Config Connector, is a Kubernetes extension. It registers CRDs that allow creating policies with constraint templates. Then, you can instantiate these policies by creating constraints.

First of all, let us provision a project, create a Kubernetes cluster and enable Config Connector. Below is the same script we used in the other posts. Don’t forget to substitute your [PROJECT_ID] and [BILLING_ACCOUNT]. You can also skip the part that creates a project if you already have one.

As the next step, we will install the Gatekeeper library. The easiest way is with kubectl apply:

   kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/deploy/gatekeeper.yaml

Template

Now we will create the constraint template that we will use in our example. This template restricts the resource types that can be instantiated with Config Connector to an allowed list of kinds:

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: kccallowedresourcetypes
spec:
  crd:
    spec:
      names:
        kind: KCCAllowedResourceTypes
        listKind: KCCAllowedResourceTypesList
        plural: KCCAllowedResourceTypes
        singular: KCCAllowedResourceTypes
      validation:
        openAPIV3Schema:
          properties:
            types:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package kccallowedresourcetypes
        violation[{"msg": msg}] {
          type := input.review.object.kind
          apiVersion := input.review.object.apiVersion
          isKccType := contains(apiVersion, "cnrm.cloud.google.com")
          typeSatisfied := [good | allowedType = input.parameters.types[_] ; good = type == allowedType]
          isKccType; not any(typeSatisfied)
          msg := sprintf("using type <%v> is not allowed, allowed Config Connector types are %v", [type, input.parameters.types])
        }

By the way, if you are looking for the Gatekeeper policy language (Rego) docs, this is the link. On the Gatekeeper GitHub there are also simpler and more complex template examples.
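Before applying a template to a cluster it is worth exercising its Rego outside the cluster, where a mistake shows up as a failing test rather than as a blocked (or silently permitted) deployment. Below is an added set of OPA unit tests for the rule above; it is not part of the original post or of the Gatekeeper project. It assumes the rego block from the template is saved as kccallowedresourcetypes.rego and this file as kccallowedresourcetypes_test.rego in the same directory, and that you run an OPA release that accepts the template's original (pre-1.0, no `if` keyword) syntax. The inputs are constructed stand-ins for what Gatekeeper passes as `input`: only `review.object` and `parameters` are populated, because the rule reads nothing else.

```rego
package kccallowedresourcetypes

# Constructed input: a Config Connector kind that is on the allow list.
test_allowed_kcc_kind_passes {
  count(violation) == 0 with input as {
    "review": {"object": {"kind": "PubSubTopic", "apiVersion": "pubsub.cnrm.cloud.google.com/v1beta1"}},
    "parameters": {"types": ["PubSubTopic", "ComputeNetwork"]}
  }
}

# Constructed input mirroring the IAMServiceAccount rejection shown later in the post;
# the message text is the one the webhook returns, so the assertion pins the exact format.
test_disallowed_kcc_kind_is_denied {
  result := violation with input as {
    "review": {"object": {"kind": "IAMServiceAccount", "apiVersion": "iam.cnrm.cloud.google.com/v1alpha1"}},
    "parameters": {"types": ["PubSubTopic", "ComputeNetwork"]}
  }
  count(result) == 1
  result[_].msg == "using type <IAMServiceAccount> is not allowed, allowed Config Connector types are [\"PubSubTopic\", \"ComputeNetwork\"]"
}

# A kind that is not a Config Connector resource: its apiVersion does not contain
# cnrm.cloud.google.com, so isKccType is false and the policy does not apply at all.
test_non_kcc_kind_is_out_of_scope {
  count(violation) == 0 with input as {
    "review": {"object": {"kind": "Deployment", "apiVersion": "apps/v1"}},
    "parameters": {"types": ["PubSubTopic", "ComputeNetwork"]}
  }
}

# Edge case: an empty allow list. typeSatisfied is [], any([]) is false,
# so every Config Connector object is rejected.
test_empty_allow_list_denies_every_kcc_kind {
  count(violation) == 1 with input as {
    "review": {"object": {"kind": "ComputeNetwork", "apiVersion": "compute.cnrm.cloud.google.com/v1beta1"}},
    "parameters": {"types": []}
  }
}

# Failure mode worth knowing about: if a constraint omits spec.parameters.types
# entirely, the reference to input.parameters.types inside sprintf is undefined,
# the msg assignment is undefined, and the rule yields NO violation. The policy
# fails open rather than closed, so a constraint without parameters enforces nothing.
test_missing_parameters_fails_open {
  count(violation) == 0 with input as {
    "review": {"object": {"kind": "IAMServiceAccount", "apiVersion": "iam.cnrm.cloud.google.com/v1alpha1"}},
    "parameters": {}
  }
}
```

Run the tests with `opa test -v .` in that directory. The last test is the one to pay attention to: it passes because the template as written stops producing violations when `types` is absent, which is why the constraint's `openAPIV3Schema` is a good place to declare `types` as required, and why the template's use of the `any` builtin (marked deprecated in current OPA releases) is worth revisiting before you rely on it long term.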

Constraint

Now let’s create a constraint based on this template. Let’s say you would like to only allow creation of PubSubTopic and ComputeNetwork resources. This is a policy that enforces it:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: KCCAllowedResourceTypes
metadata:
  name: only-allowed-gcp-types
spec:
  parameters:
    types:
      - "PubSubTopic"
      - "ComputeNetwork"

Just like the template above, you can apply this constraint using kubectl apply.

To see this example in action, try creating a ComputeNetwork or a PubSubTopic. These will succeed. However, if you attempt to create any other Config Connector resource, you will get a violation. For instance, applying the service account sample from the Config Connector samples repo:

$ kubectl apply -f https://raw.githubusercontent.com/GoogleCloudPlatform/k8s-config-connector/master/resources/iamserviceaccount/iam_v1alpha1_iamserviceaccount.yaml

Error from server ([denied by only-allowed-gcp-types] using type <IAMServiceAccount> is not allowed, allowed Config Connector types are ["PubSubTopic", "ComputeNetwork"]): error when creating "https://raw.githubusercontent.com/GoogleCloudPlatform/k8s-config-connector/master/resources/iamserviceaccount/iam_v1alpha1_iamserviceaccount.yaml": admission webhook "validation.gatekeeper.sh" denied the request: [denied by only-allowed-gcp-types] using type <IAMServiceAccount> is not allowed, allowed Config Connector types are ["PubSubTopic", "ComputeNetwork"]

One example use case for this policy is ensuring that an application team within your organization is limited to creating only certain GCP resource types.

To summarize, in this post we looked at how you can create policies for GCP resources to ensure their compliance, using Gatekeeper and Config Connector. This repo contains all the configuration scripts used in this sample. Good luck policy-making!

1 thought on “Creating Policies for GCP resources”

  1. You really make it seem so easy together with your presentation however I find this topic to be actually something that I think I’d by no means understand. It kind of feels too complicated and very broad for me. I’m having a look ahead in your subsequent post, I will attempt to get the grasp of it!