Property | Value |
---|---|
Google Cloud Service Name | Compute Engine |
Google Cloud Service Documentation | /compute/docs/ |
Google Cloud REST Resource Name | v1.securityPolicies |
Google Cloud REST Resource Documentation | /compute/docs/reference/rest/v1/securityPolicies |
Config Connector Resource Short Names | gcpcomputesecuritypolicy gcpcomputesecuritypolicies computesecuritypolicy |
Config Connector Service Name | compute.googleapis.com |
Config Connector Resource Fully Qualified Name | computesecuritypolicies.compute.cnrm.cloud.google.com |
Can Be Referenced by IAMPolicy/IAMPolicyMember | No |
Custom Resource Definition Properties
Annotations
Fields | |
---|---|
cnrm.cloud.google.com/project-id |
Spec
Schema
```yaml
description: string
rule:
- action: string
  description: string
  match:
    config:
      srcIpRanges:
      - string
    expr:
      expression: string
    versionedExpr: string
  preview: boolean
  priority: integer
```
Field | Requirement | Description |
---|---|---|
description | Optional | An optional description of this security policy. Max size is 2048. |
rule | Optional | The set of rules that belong to this policy. There must always be a default rule (rule with priority 2147483647 and match "*"). If no rules are provided when creating a security policy, a default rule with action "allow" will be added. |
rule.[] | Optional | |
rule.[].action | Required* | Action to take when match matches the request. Valid values: "allow": allow access to target; "deny(status)": deny access to target, returning the HTTP response code specified (valid values are 403, 404 and 502). |
rule.[].description | Optional | An optional description of this rule. Max size is 64. |
rule.[].match | Required* | A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding action is enforced. |
rule.[].match.config | Optional | The configuration options available when specifying versioned_expr. This field must be specified if versioned_expr is specified and cannot be specified if versioned_expr is not specified. |
rule.[].match.config.srcIpRanges | Required* | Set of IP addresses or ranges (IPv4 or IPv6) in CIDR notation to match against inbound traffic. There is a limit of 10 IP ranges per rule. A value of '*' matches all IPs (can be used to override the default behavior). |
rule.[].match.config.srcIpRanges.[] | Required* | |
rule.[].match.expr | Optional | User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header. |
rule.[].match.expr.expression | Required* | Textual representation of an expression in Common Expression Language syntax. The application context of the containing message determines which well-known feature set of CEL is supported. |
rule.[].match.versionedExpr | Optional | Predefined rule expression. If this field is specified, config must also be specified. Available options: SRC_IPS_V1: Must specify the corresponding src_ip_ranges field in config. |
rule.[].preview | Optional | When set to true, the action specified above is not enforced. Stackdriver logs for requests that trigger a preview action are annotated as such. |
rule.[].priority | Required* | A unique positive integer indicating the priority of evaluation for a rule. Rules are evaluated from highest priority (lowest numerically) to lowest priority (highest numerically) in order. |

\* Field is required when parent field is specified
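To make the rule semantics in the field table concrete (priority order, the mandatory default rule, the permitted deny(status) codes, the 10-range limit and preview), here is an added Python example that is not part of the Config Connector docs or project: it checks a spec.rule array against those constraints and simulates which rule a given source IP would hit. The rule() helper and SAMPLE_RULES are constructed for this example; the evaluation order follows the text of the table, not Cloud Armor's real implementation.

```python
import ipaddress
DEFAULT_PRIORITY = 2147483647
DENY_STATUSES = {"403", "404", "502"}  # the deny(status) codes the field table allows

def rule(action, priority, ranges, preview=False):
    # One spec.rule entry in the SRC_IPS_V1 shape the samples on this page use
    return {"action": action, "priority": priority, "preview": preview,
            "match": {"versionedExpr": "SRC_IPS_V1", "config": {"srcIpRanges": ranges}}}

# Constructed rule array: the page's multirule sample plus one preview rule (not a real policy)
SAMPLE_RULES = [
    rule("allow", DEFAULT_PRIORITY, ["*"]),
    rule("deny(502)", 111111111, ["60.0.0.0/6"]),
    rule("allow", 555, ["63.0.0.0/8", "61.128.0.0/10"]),
    rule("deny(403)", 0, ["145.4.56.4/30", "63.63.63.63/32", "4.5.4.0/24"]),
    rule("deny(404)", 42, ["62.48.212.0/24"], preview=True),
]

def validate(rules):
    """Return the constraints from the field table that this rule array violates."""
    problems = []
    priorities = [r["priority"] for r in rules]
    if len(set(priorities)) != len(priorities):
        problems.append("priorities must be unique")
    if not any(r["priority"] == DEFAULT_PRIORITY and
               r["match"]["config"]["srcIpRanges"] == ["*"] for r in rules):
        problems.append("missing default rule (priority 2147483647 matching '*')")
    for r in rules:
        action, ranges = r["action"], r["match"]["config"]["srcIpRanges"]
        deny_ok = action.startswith("deny(") and action.endswith(")") and action[5:-1] in DENY_STATUSES
        if action != "allow" and not deny_ok:
            problems.append(f"priority {r['priority']}: invalid action {action!r}")
        if len(ranges) > 10:  # limit of 10 IP ranges per rule
            problems.append(f"priority {r['priority']}: more than 10 srcIpRanges")
    return problems

def evaluate(rules, src_ip):
    """Return (action, priority, previewed): lowest priority number first, first match wins."""
    ip = ipaddress.ip_address(src_ip)
    previewed = []  # priorities of preview rules that matched; logged, not enforced
    for r in sorted(rules, key=lambda r: r["priority"]):
        ranges = r["match"]["config"]["srcIpRanges"]
        if "*" not in ranges and not any(ip in ipaddress.ip_network(c, strict=False) for c in ranges):
            continue
        if r["preview"]:
            previewed.append(r["priority"])
            continue
        return r["action"], r["priority"], previewed
    raise ValueError("no rule matched: the default '*' rule is missing")
```

Running evaluate() over a handful of addresses before applying a policy is a cheap way to confirm that an allow exception at a low priority number really wins over a broader deny, and that a preview rule is recorded but never changes the enforced outcome.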
Status
Schema
```yaml
conditions:
- lastTransitionTime: string
  message: string
  reason: string
  status: string
  type: string
fingerprint: string
selfLink: string
```
Field | Description |
---|---|
conditions | Conditions represents the latest available observation of the resource's current state. |
conditions.[] | |
conditions.[].lastTransitionTime | Last time the condition transitioned from one status to another. |
conditions.[].message | Human-readable message indicating details about last transition. |
conditions.[].reason | Unique, one-word, CamelCase reason for the condition's last transition. |
conditions.[].status | Status is the status of the condition. Can be True, False, Unknown. |
conditions.[].type | Type is the type of the condition. |
fingerprint | Fingerprint of this resource. |
selfLink | The URI of the created resource. |
Sample YAML(s)
Lockdown Security Policy With Test
```yaml
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeSecurityPolicy
metadata:
  name: computesecuritypolicy-sample-lockdownwithtest
spec:
  description: A policy designed to completely lock down network access while testing the effect of opening ports over a few select ranges.
  rule:
  # Default rule: matches every source and is evaluated last (highest priority number).
  - action: deny(403)
    priority: 2147483647
    match:
      versionedExpr: SRC_IPS_V1
      config:
        srcIpRanges:
        - "*"
    description: Rule matching all IPs with priority 2147483647, set to deny.
  # Preview rule: matches are logged but the allow is not enforced.
  - action: allow
    preview: true
    priority: 1000000000
    match:
      versionedExpr: SRC_IPS_V1
      config:
        srcIpRanges:
        - 16.0.0.0/4
        - 115.128.0.0/9
        - 62.48.212.0/24
    description: Tests opening listed IP ranges. Logs sent to Stackdriver.
```
Multirule Security Policy
```yaml
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeSecurityPolicy
metadata:
  name: computesecuritypolicy-sample-multirule
spec:
  description: A generally permissive policy that locks out a large block of untrusted IPs, except for some allowed trusted IP ranges within them, and never allows IPs from a blacklist.
  rule:
  # Default rule: evaluated last; here it allows anything no earlier rule matched.
  - action: allow
    priority: 2147483647
    match:
      versionedExpr: SRC_IPS_V1
      config:
        srcIpRanges:
        - "*"
    description: This rule must be included in any rule array. Action can change.
  - action: deny(502)
    priority: 111111111
    match:
      versionedExpr: SRC_IPS_V1
      config:
        srcIpRanges:
        - 60.0.0.0/6
    description: Untrusted range. Block IPs and return 502.
  # Lower priority number than the deny above, so these ranges are allowed first.
  - action: allow
    priority: 555
    match:
      versionedExpr: SRC_IPS_V1
      config:
        srcIpRanges:
        - 63.0.0.0/8
        - 61.128.0.0/10
    description: Even though they're in an untrusted block, these ranges are OK.
  # Priority 0 is evaluated before everything else.
  - action: deny(403)
    priority: 0
    match:
      versionedExpr: SRC_IPS_V1
      config:
        srcIpRanges:
        - 145.4.56.4/30
        - 63.63.63.63/32
        - 4.5.4.0/24
    description: Never allow these blacklisted IP ranges.
```