ComputeSecurityPolicy

Property                                         Value
Google Cloud Service Name                        Compute Engine
Google Cloud Service Documentation               /compute/docs/
Google Cloud REST Resource Name                  v1.securityPolicies
Google Cloud REST Resource Documentation         /compute/docs/reference/rest/v1/securityPolicies
Config Connector Resource Short Names            gcpcomputesecuritypolicy, gcpcomputesecuritypolicies, computesecuritypolicy
Config Connector Service Name                    compute.googleapis.com
Config Connector Resource Fully Qualified Name   computesecuritypolicies.compute.cnrm.cloud.google.com
Can Be Referenced by IAMPolicy/IAMPolicyMember   No

Custom Resource Definition Properties

Annotations

Fields
cnrm.cloud.google.com/project-id

Spec

Schema

  description: string
  rule:
  - action: string
    description: string
    match:
      config:
        srcIpRanges:
        - string
      expr:
        expression: string
      versionedExpr: string
    preview: boolean
    priority: integer
Fields

description

Optional

string

An optional description of this security policy. Max size is 2048.

rule

Optional

list (object)

The set of rules that belong to this policy. There must always be a default rule (rule with priority 2147483647 and match "*"). If no rules are provided when creating a security policy, a default rule with action "allow" will be added.

rule.[]

Optional

object

rule.[].action

Required*

string

Action to take when the match condition matches the request. Valid values: "allow": allow access to the target; "deny(status)": deny access to the target and return the HTTP response code given as status (valid values are 403, 404 and 502).

rule.[].description

Optional

string

An optional description of this rule. Max size is 64.

rule.[].match

Required*

object

A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding action is enforced.

rule.[].match.config

Optional

object

The configuration options available when specifying versioned_expr. This field must be specified if versioned_expr is specified and cannot be specified if versioned_expr is not specified.

rule.[].match.config.srcIpRanges

Required*

list (string)

Set of IP addresses or ranges (IPv4 or IPv6) in CIDR notation to match against inbound traffic. There is a limit of 10 IP ranges per rule. A value of '*' matches all IPs (can be used to override the default behavior).

rule.[].match.config.srcIpRanges.[]

Required*

string

rule.[].match.expr

Optional

object

User-defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and the contents of request headers.

rule.[].match.expr.expression

Required*

string

Textual representation of an expression in Common Expression Language syntax. The application context of the containing message determines which well-known feature set of CEL is supported.

rule.[].match.versionedExpr

Optional

string

Predefined rule expression. If this field is specified, config must also be specified. Available options: SRC_IPS_V1: Must specify the corresponding src_ip_ranges field in config.

rule.[].preview

Optional

boolean

When set to true, the action specified above is not enforced. Stackdriver logs for requests that trigger a preview action are annotated as such.

rule.[].priority

Required*

integer

A unique positive integer indicating the priority of evaluation for a rule. Rules are evaluated in priority order, from the highest priority (numerically lowest) to the lowest priority (numerically highest).

* Field is required when parent field is specified

Status

Schema

  conditions:
  - lastTransitionTime: string
    message: string
    reason: string
    status: string
    type: string
  fingerprint: string
  selfLink: string
Fields

conditions

list (object)

Conditions represents the latest available observation of the resource's current state.

conditions.[]

object

conditions.[].lastTransitionTime

string

Last time the condition transitioned from one status to another.

conditions.[].message

string

Human-readable message indicating details about last transition.

conditions.[].reason

string

Unique, one-word, CamelCase reason for the condition's last transition.

conditions.[].status

string

Status is the status of the condition. Can be True, False, Unknown.

conditions.[].type

string

Type is the type of the condition.

fingerprint

string

Fingerprint of this resource.

selfLink

string

The URI of the created resource.

Sample YAML(s)

Lockdown Security Policy With Test

  # Copyright 2020 Google LLC
  #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
  # You may obtain a copy of the License at
  #
  #     http://www.apache.org/licenses/LICENSE-2.0
  #
  # Unless required by applicable law or agreed to in writing, software
  # distributed under the License is distributed on an "AS IS" BASIS,
  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  # See the License for the specific language governing permissions and
  # limitations under the License.
  
  apiVersion: compute.cnrm.cloud.google.com/v1beta1
  kind: ComputeSecurityPolicy
  metadata:
    name: computesecuritypolicy-sample-lockdownwithtest
  spec:
    description: A policy designed to completely lock down network access while testing the effect of opening ports over a few select ranges.
    rule:
    - action: deny(403)
      priority: 2147483647
      match:
        versionedExpr: SRC_IPS_V1
        config:
          srcIpRanges:
          - "*"
      description: Rule matching all IPs with priority 2147483647, set to deny.
    - action: allow
      preview: true
      priority: 1000000000
      match:
        versionedExpr: SRC_IPS_V1
        config:
          srcIpRanges:
          - 16.0.0.0/4
          - 115.128.0.0/9
          - 62.48.212.0/24
      description: Tests opening listed IP ranges. Logs sent to Stackdriver.

Multirule Security Policy

  # Copyright 2020 Google LLC
  #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
  # You may obtain a copy of the License at
  #
  #     http://www.apache.org/licenses/LICENSE-2.0
  #
  # Unless required by applicable law or agreed to in writing, software
  # distributed under the License is distributed on an "AS IS" BASIS,
  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  # See the License for the specific language governing permissions and
  # limitations under the License.
  
  apiVersion: compute.cnrm.cloud.google.com/v1beta1
  kind: ComputeSecurityPolicy
  metadata:
    name: computesecuritypolicy-sample-multirule
  spec:
    description: A generally permissive policy that locks out a large block of untrusted IPs, except for some allowed trusted IP ranges within them, and never allows IPs from a blacklist.
    rule:
    - action: allow
      priority: 2147483647
      match:
        versionedExpr: SRC_IPS_V1
        config:
          srcIpRanges:
          - "*"
      description: This rule must be included in any rule array. Action can change.
    - action: deny(502)
      priority: 111111111
      match:
        versionedExpr: SRC_IPS_V1
        config:
          srcIpRanges:
          - 60.0.0.0/6
      description: Untrusted range. Block IPs and return 502.
    - action: allow
      priority: 555
      match:
        versionedExpr: SRC_IPS_V1
        config:
          srcIpRanges:
          - 63.0.0.0/8
          - 61.128.0.0/10
      description: Even though they're in an untrusted block, these ranges are OK.
    - action: deny(403)
      priority: 0
      match:
        versionedExpr: SRC_IPS_V1
        config:
          srcIpRanges:
          - 145.4.56.4/30
          - 63.63.63.63/32
          - 4.5.4.0/24
      description: Never allow these blacklisted IP ranges.
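The rule semantics stated in the field table (evaluation from the numerically lowest priority upwards, the mandatory priority-2147483647 rule matching "*", SRC_IPS_V1 CIDR matching, the 10-range limit, the 403/404/502 deny codes, and preview rules that are logged but not enforced) can be checked offline before a policy is applied. The Python script below is an added example and is not part of this page, of Config Connector or of Cloud Armor: it validates a spec.rule list against those constraints and walks it in evaluation order for a given source address. The two sample policies above are transcribed into it; the source addresses it evaluates are constructed for illustration. It models only versionedExpr SRC_IPS_V1 (rules with a CEL expr raise NotImplementedError) and is a model of the documented behaviour, not the service's own evaluation code.

```python
import ipaddress

# Constants taken from the field descriptions on this page.
DEFAULT_PRIORITY = 2147483647          # priority of the mandatory catch-all rule
VALID_DENY_STATUSES = {403, 404, 502}  # status codes accepted in deny(status)
MAX_SRC_IP_RANGES = 10                 # per-rule limit on srcIpRanges

def parse_action(action):
    """Return ("allow", None) or ("deny", status); raise ValueError for anything else."""
    if action == "allow":
        return "allow", None
    if action.startswith("deny(") and action.endswith(")"):
        status = action[len("deny("):-1]
        if status.isdigit() and int(status) in VALID_DENY_STATUSES:
            return "deny", int(status)
    raise ValueError(f"invalid action {action!r}")

def validate_policy(rules):
    """Check a spec.rule list against the field-table constraints; return problem strings."""
    problems = []
    priorities = [r.get("priority") for r in rules]
    if len(set(priorities)) != len(priorities):
        problems.append("priorities must be unique")
    default = [r for r in rules if r.get("priority") == DEFAULT_PRIORITY]
    if not default or default[0].get("match", {}).get("config", {}).get("srcIpRanges") != ["*"]:
        problems.append(f"missing default rule (priority {DEFAULT_PRIORITY} matching '*')")
    for r in rules:
        try:
            parse_action(r.get("action", ""))
        except ValueError as err:
            problems.append(str(err))
        # Priority 0 is accepted because the multirule sample on this page uses it.
        if not isinstance(r.get("priority"), int) or r["priority"] < 0:
            problems.append(f"priority must be a non-negative integer: {r.get('priority')!r}")
        match = r.get("match", {})
        if ("versionedExpr" in match) != ("config" in match):
            problems.append("config must be set exactly when versionedExpr is set")
        ranges = match.get("config", {}).get("srcIpRanges", [])
        if len(ranges) > MAX_SRC_IP_RANGES:
            problems.append(f"more than {MAX_SRC_IP_RANGES} srcIpRanges in one rule")
        for cidr in ranges:
            if cidr != "*":
                try:
                    ipaddress.ip_network(cidr, strict=False)
                except ValueError:
                    problems.append(f"bad CIDR {cidr!r}")
    return problems

def src_ip_matches(cidrs, src_ip):
    """SRC_IPS_V1 matching: '*' matches every address, otherwise CIDR containment."""
    addr = ipaddress.ip_address(src_ip)
    for cidr in cidrs:
        if cidr == "*":
            return True
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version == addr.version and addr in net:
            return True
    return False

def evaluate(rules, src_ip):
    """Walk rules from the numerically lowest priority upwards; return (action, priority, previewed)."""
    previewed = []
    for rule_ in sorted(rules, key=lambda r: r["priority"]):
        match = rule_["match"]
        if match.get("versionedExpr") != "SRC_IPS_V1":
            raise NotImplementedError("only SRC_IPS_V1 rules are evaluated here, not CEL expr rules")
        if not src_ip_matches(match["config"]["srcIpRanges"], src_ip):
            continue
        if rule_.get("preview"):
            previewed.append(rule_["priority"])  # logged but not enforced; keep evaluating
            continue
        return rule_["action"], rule_["priority"], previewed
    return None, None, previewed  # unreachable when the '*' default rule is present

def rule(action, priority, ranges, preview=False):
    """Build one SRC_IPS_V1 rule in the shape of a spec.rule[] entry."""
    r = {"action": action, "priority": priority,
         "match": {"versionedExpr": "SRC_IPS_V1", "config": {"srcIpRanges": list(ranges)}}}
    if preview:
        r["preview"] = True
    return r

# The two sample policies on this page, transcribed from their YAML.
LOCKDOWN_WITH_TEST = [
    rule("deny(403)", DEFAULT_PRIORITY, ["*"]),
    rule("allow", 1000000000, ["16.0.0.0/4", "115.128.0.0/9", "62.48.212.0/24"], preview=True),
]
MULTIRULE = [
    rule("allow", DEFAULT_PRIORITY, ["*"]),
    rule("deny(502)", 111111111, ["60.0.0.0/6"]),
    rule("allow", 555, ["63.0.0.0/8", "61.128.0.0/10"]),
    rule("deny(403)", 0, ["145.4.56.4/30", "63.63.63.63/32", "4.5.4.0/24"]),
]

if __name__ == "__main__":  # source addresses below are constructed for illustration
    for ip in ("63.63.63.63", "63.1.1.1", "60.1.1.1", "8.8.8.8"):
        print("multirule", ip, "->", evaluate(MULTIRULE, ip))
    print("lockdown 16.1.1.1 ->", evaluate(LOCKDOWN_WITH_TEST, "16.1.1.1"))
```

Running it against the multirule sample shows why priority numbers matter more than list order: 63.63.63.63 is denied with 403 by the priority-0 rule even though it also sits inside the allowed 63.0.0.0/8 at priority 555 and the blocked 60.0.0.0/6 at priority 111111111. Against the lockdown sample, 16.1.1.1 matches the preview rule at priority 1000000000, which is only recorded, so the request falls through to the default deny(403); that is the observable effect of preview: true.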