ComputeSecurityPolicy

Property	Value
Google Cloud Service Name	Compute Engine
Google Cloud Service Documentation	/compute/docs/
Google Cloud REST Resource Name	v1.securityPolicies
Google Cloud REST Resource Documentation	/compute/docs/reference/rest/v1/securityPolicies
Config Connector Resource Short Names	gcpcomputesecuritypolicy gcpcomputesecuritypolicies computesecuritypolicy
Config Connector Service Name	compute.googleapis.com
Config Connector Resource Fully Qualified Name	computesecuritypolicies.compute.cnrm.cloud.google.com
Can Be Referenced by IAMPolicy/IAMPolicyMember	No

Custom Resource Definition Properties

Annotations

Fields
`cnrm.cloud.google.com/project-id`

Spec

Schema

description: string
rule:
- action: string
  description: string
  match:
    config:
      srcIpRanges:
      - string
    expr:
      expression: string
    versionedExpr: string
  preview: boolean
  priority: integer

Fields

Fields
`description` Optional	`string`
`rule` Optional	`list (object)`
`rule.[]` Optional	`object`
`rule.[].action` Required*	`string`
`rule.[].description` Optional	`string`
`rule.[].match` Required*	`object`
`rule.[].match.config` Optional	`object`
`rule.[].match.config.srcIpRanges` Required*	`list (string)`
`rule.[].match.config.srcIpRanges.[]` Required*	`string`
`rule.[].match.expr` Optional	`object`
`rule.[].match.expr.expression` Required*	`string`
`rule.[].match.versionedExpr` Optional	`string`
`rule.[].preview` Optional	`boolean`
`rule.[].priority` Required*	`integer`

description

Optional

string

rule

Optional

list (object)

rule.[]

Optional

object

rule.[].action

Required*

string

rule.[].description

Optional

string

rule.[].match

Required*

object

rule.[].match.config

Optional

object

rule.[].match.config.srcIpRanges

Required*

list (string)

rule.[].match.config.srcIpRanges.[]

Required*

string

rule.[].match.expr

Optional

object

rule.[].match.expr.expression

Required*

string

rule.[].match.versionedExpr

Optional

string

rule.[].preview

Optional

boolean

rule.[].priority

Required*

integer

* Field is required when parent field is specified

Status

Schema

conditions:
- lastTransitionTime: string
  message: string
  reason: string
  status: string
  type: string
fingerprint: string
selfLink: string

Fields
`conditions`	`list (object)`
`conditions.[]`	`object`
`conditions.[].lastTransitionTime`	`string` Last time the condition transitioned from one status to another.
`conditions.[].message`	`string` Human-readable message indicating details about last transition.
`conditions.[].reason`	`string` Unique, one-word, CamelCase reason for the condition's last transition.
`conditions.[].status`	`string` Status is the status of the condition. Can be True, False, Unknown.
`conditions.[].type`	`string` Type is the type of the condition.
`fingerprint`	`string`
`selfLink`	`string`

Sample YAML(s)

Lockdown Security Policy With Test

# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeSecurityPolicy
metadata:
  name: computesecuritypolicy-sample-lockdownwithtest
spec:
  description: A policy designed to completely lock down network access while testing the effect of opening ports over a few select ranges.
  rule:
  - action: deny(403)
    priority: 2147483647
    match:
      versionedExpr: SRC_IPS_V1
      config:
        srcIpRanges:
        - "*"
    description: Rule matching all IPs with priority 2147483647, set to deny.
  - action: allow
    preview: true
    priority: 1000000000
    match:
      versionedExpr: SRC_IPS_V1
      config:
        srcIpRanges:
        - 16.0.0.0/4
        - 115.128.0.0/9
        - 62.48.212.0/24
    description: Tests opening listed IP ranges. Logs sent to Stackdriver.

Multirule Security Policy

# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeSecurityPolicy
metadata:
  name: computesecuritypolicy-sample-multirule
spec:
  description: A generally permissive policy that locks out a large block of untrusted IPs, except for some allowed trusted IP ranges within them, and never allows IPs from a blacklist.
  rule:
  - action: allow
    priority: 2147483647
    match:
      versionedExpr: SRC_IPS_V1
      config:
        srcIpRanges:
        - "*"
    description: This rule must be included in any rule array. Action can change.
  - action: deny(502)
    priority: 111111111
    match:
      versionedExpr: SRC_IPS_V1
      config:
        srcIpRanges:
        - 60.0.0.0/6
    description: Untrusted range. Block IPs and return 502.
  - action: allow
    priority: 555
    match:
      versionedExpr: SRC_IPS_V1
      config:
        srcIpRanges:
        - 63.0.0.0/8
        - 61.128.0.0/10
    description: Even though they're in an untrusted block, these ranges are OK.
  - action: deny(403)
    priority: 0
    match:
      versionedExpr: SRC_IPS_V1
      config:
        srcIpRanges:
        - 145.4.56.4/30
        - 63.63.63.63/32
        - 4.5.4.0/24
    description: Never allow these blacklisted IP ranges.