| Property | Value |
|---|---|
| Google Cloud Service Name | Compute Engine |
| Google Cloud Service Documentation | /compute/docs/ |
| Google Cloud REST Resource Name | v1.securityPolicies |
| Google Cloud REST Resource Documentation | /compute/docs/reference/rest/v1/securityPolicies |
| Config Connector Resource Short Names | gcpcomputesecuritypolicy gcpcomputesecuritypolicies computesecuritypolicy |
| Config Connector Service Name | compute.googleapis.com |
| Config Connector Resource Fully Qualified Name | computesecuritypolicies.compute.cnrm.cloud.google.com |
| Can Be Referenced by IAMPolicy/IAMPolicyMember | No |
Custom Resource Definition Properties
Annotations
| Fields | |
|---|---|
cnrm.cloud.google.com/project-id |
|
Spec
Schema
description: string
resourceID: string
rule:
- action: string
description: string
match:
config:
srcIpRanges:
- string
expr:
expression: string
versionedExpr: string
preview: boolean
priority: integer
| Fields | |
|---|---|
|
Optional |
An optional description of this security policy. Max size is 2048. |
|
Optional |
Immutable. Optional. The name of the resource. Used for creation and acquisition. When unset, the value of `metadata.name` is used as the default. |
|
Optional |
The set of rules that belong to this policy. There must always be a default rule (rule with priority 2147483647 and match "*"). If no rules are provided when creating a security policy, a default rule with action "allow" will be added. |
|
Optional |
|
|
Required* |
Action to take when match matches the request. Valid values: "allow" : allow access to target, "deny(status)" : deny access to target, returns the HTTP response code specified (valid values are 403, 404 and 502) |
|
Optional |
An optional description of this rule. Max size is 64. |
|
Required* |
A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding action is enforced. |
|
Optional |
The configuration options available when specifying versioned_expr. This field must be specified if versioned_expr is specified and cannot be specified if versioned_expr is not specified. |
|
Required* |
Set of IP addresses or ranges (IPV4 or IPV6) in CIDR notation to match against inbound traffic. There is a limit of 10 IP ranges per rule. A value of '*' matches all IPs (can be used to override the default behavior). |
|
Required* |
|
|
Optional |
User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header. |
|
Required* |
Textual representation of an expression in Common Expression Language syntax. The application context of the containing message determines which well-known feature set of CEL is supported. |
|
Optional |
Predefined rule expression. If this field is specified, config must also be specified. Available options: SRC_IPS_V1: Must specify the corresponding src_ip_ranges field in config. |
|
Optional |
When set to true, the action specified above is not enforced. Stackdriver logs for requests that trigger a preview action are annotated as such. |
|
Required* |
An unique positive integer indicating the priority of evaluation for a rule. Rules are evaluated from highest priority (lowest numerically) to lowest priority (highest numerically) in order. |
* Field is required when parent field is specified
Status
Schema
conditions:
- lastTransitionTime: string
message: string
reason: string
status: string
type: string
fingerprint: string
observedGeneration: integer
selfLink: string
| Fields | |
|---|---|
conditions |
Conditions represent the latest available observation of the resource's current state. |
conditions.[] |
|
conditions.[].lastTransitionTime |
Last time the condition transitioned from one status to another. |
conditions.[].message |
Human-readable message indicating details about last transition. |
conditions.[].reason |
Unique, one-word, CamelCase reason for the condition's last transition. |
conditions.[].status |
Status is the status of the condition. Can be True, False, Unknown. |
conditions.[].type |
Type is the type of the condition. |
fingerprint |
Fingerprint of this resource. |
observedGeneration |
ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource. |
selfLink |
The URI of the created resource. |
Sample YAML(s)
Lockdown Security Policy With Test
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeSecurityPolicy
metadata:
name: computesecuritypolicy-sample-lockdownwithtest
spec:
description: A policy designed to completely lock down network access while testing the effect of opening ports over a few select ranges.
rule:
- action: deny(403)
priority: 2147483647
match:
versionedExpr: SRC_IPS_V1
config:
srcIpRanges:
- "*"
description: Rule matching all IPs with priority 2147483647, set to deny.
- action: allow
preview: true
priority: 1000000000
match:
versionedExpr: SRC_IPS_V1
config:
srcIpRanges:
- 16.0.0.0/4
- 115.128.0.0/9
- 62.48.212.0/24
description: Tests opening listed IP ranges. Logs sent to Stackdriver.
Multirule Security Policy
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeSecurityPolicy
metadata:
name: computesecuritypolicy-sample-multirule
spec:
description: A generally permissive policy that locks out a large block of untrusted IPs, except for some allowed trusted IP ranges within them, and never allows IPs from a denylist.
rule:
- action: allow
priority: 2147483647
match:
versionedExpr: SRC_IPS_V1
config:
srcIpRanges:
- "*"
description: This rule must be included in any rule array. Action can change.
- action: deny(502)
priority: 111111111
match:
versionedExpr: SRC_IPS_V1
config:
srcIpRanges:
- 60.0.0.0/6
description: Untrusted range. Block IPs and return 502.
- action: allow
priority: 555
match:
versionedExpr: SRC_IPS_V1
config:
srcIpRanges:
- 63.0.0.0/8
- 61.128.0.0/10
description: Even though they're in an untrusted block, these ranges are OK.
- action: deny(403)
priority: 0
match:
versionedExpr: SRC_IPS_V1
config:
srcIpRanges:
- 145.4.56.4/30
- 63.63.63.63/32
- 4.5.4.0/24
description: Never allow these denylisted IP ranges.