ComputeSecurityPolicy

Property                                        Value
Google Cloud Service Name                       Compute Engine
Google Cloud Service Documentation              /compute/docs/
Google Cloud REST Resource Name                 v1.securityPolicies
Google Cloud REST Resource Documentation        /compute/docs/reference/rest/v1/securityPolicies
Config Connector Resource Short Names           gcpcomputesecuritypolicy, gcpcomputesecuritypolicies, computesecuritypolicy
Config Connector Service Name                   compute.googleapis.com
Config Connector Resource Fully Qualified Name  computesecuritypolicies.compute.cnrm.cloud.google.com
Can Be Referenced by IAMPolicy/IAMPolicyMember  No

Custom Resource Definition Properties

Annotations

Fields
cnrm.cloud.google.com/project-id

Spec

Schema

description: string
rule:
- action: string
  description: string
  match:
    config:
      srcIpRanges:
      - string
    expr:
      expression: string
    versionedExpr: string
  preview: boolean
  priority: integer

Fields

Field                                 Required?   Type
description                           Optional    string
rule                                  Optional    list (object)
rule.[]                               Optional    object
rule.[].action                        Required*   string
rule.[].description                   Optional    string
rule.[].match                         Required*   object
rule.[].match.config                  Optional    object
rule.[].match.config.srcIpRanges      Required*   list (string)
rule.[].match.config.srcIpRanges.[]   Required*   string
rule.[].match.expr                    Optional    object
rule.[].match.expr.expression         Required*   string
rule.[].match.versionedExpr           Optional    string
rule.[].preview                       Optional    boolean
rule.[].priority                      Required*   integer

* Field is required when the parent field is specified.

Status

Schema

conditions:
- lastTransitionTime: string
  message: string
  reason: string
  status: string
  type: string
fingerprint: string
selfLink: string

Fields

Field                             Type           Description
conditions                        list (object)
conditions.[]                     object
conditions.[].lastTransitionTime  string         Last time the condition transitioned from one status to another.
conditions.[].message             string         Human-readable message indicating details about the last transition.
conditions.[].reason              string         Unique, one-word, CamelCase reason for the condition's last transition.
conditions.[].status              string         Status is the status of the condition. Can be True, False, Unknown.
conditions.[].type                string         Type is the type of the condition.
fingerprint                       string
selfLink                          string

Sample YAML(s)

Lockdown Security Policy With Test

# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeSecurityPolicy
metadata:
  name: computesecuritypolicy-sample-lockdownwithtest
spec:
  description: A policy designed to completely lock down network access while testing the effect of opening ports over a few select ranges.
  rule:
  - action: deny(403)
    priority: 2147483647
    match:
      versionedExpr: SRC_IPS_V1
      config:
        srcIpRanges:
        - "*"
    description: Rule matching all IPs with priority 2147483647, set to deny.
  - action: allow
    preview: true
    priority: 1000000000
    match:
      versionedExpr: SRC_IPS_V1
      config:
        srcIpRanges:
        - 16.0.0.0/4
        - 115.128.0.0/9
        - 62.48.212.0/24
    description: Tests opening listed IP ranges. Logs sent to Stackdriver.

Multirule Security Policy

# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeSecurityPolicy
metadata:
  name: computesecuritypolicy-sample-multirule
spec:
  description: A generally permissive policy that locks out a large block of untrusted IPs, except for some allowed trusted IP ranges within them, and never allows IPs from a blacklist.
  rule:
  - action: allow
    priority: 2147483647
    match:
      versionedExpr: SRC_IPS_V1
      config:
        srcIpRanges:
        - "*"
    description: This rule must be included in any rule array. Action can change.
  - action: deny(502)
    priority: 111111111
    match:
      versionedExpr: SRC_IPS_V1
      config:
        srcIpRanges:
        - 60.0.0.0/6
    description: Untrusted range. Block IPs and return 502.
  - action: allow
    priority: 555
    match:
      versionedExpr: SRC_IPS_V1
      config:
        srcIpRanges:
        - 63.0.0.0/8
        - 61.128.0.0/10
    description: Even though they're in an untrusted block, these ranges are OK.
  - action: deny(403)
    priority: 0
    match:
      versionedExpr: SRC_IPS_V1
      config:
        srcIpRanges:
        - 145.4.56.4/30
        - 63.63.63.63/32
        - 4.5.4.0/24
    description: Never allow these blacklisted IP ranges.
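As an added illustration (not part of this reference page or the Config Connector project), the following Python evaluates the two sample rule arrays above the way Cloud Armor orders them: the lowest priority number is checked first, the first enforced match decides, the priority 2147483647 catch-all is the default, and a rule with preview: true is only recorded, with evaluation continuing. The rule lists are copied from the samples; the test source IPs are constructed.

```python
import ipaddress

# Rule arrays copied from the two sample YAMLs above, as Python dicts.
MULTIRULE = [
    {"action": "allow", "priority": 2147483647, "srcIpRanges": ["*"]},
    {"action": "deny(502)", "priority": 111111111, "srcIpRanges": ["60.0.0.0/6"]},
    {"action": "allow", "priority": 555, "srcIpRanges": ["63.0.0.0/8", "61.128.0.0/10"]},
    {"action": "deny(403)", "priority": 0,
     "srcIpRanges": ["145.4.56.4/30", "63.63.63.63/32", "4.5.4.0/24"]},
]
LOCKDOWN_WITH_TEST = [
    {"action": "deny(403)", "priority": 2147483647, "srcIpRanges": ["*"]},
    {"action": "allow", "priority": 1000000000, "preview": True,
     "srcIpRanges": ["16.0.0.0/4", "115.128.0.0/9", "62.48.212.0/24"]},
]


def _matches(rule, ip):
    """SRC_IPS_V1 match: '*' matches every source, otherwise any listed CIDR must contain ip."""
    for cidr in rule["srcIpRanges"]:
        if cidr == "*" or ip in ipaddress.ip_network(cidr, strict=False):
            return True
    return False


def evaluate(rules, src_ip):
    """Return (enforced_action, previewed_actions) for a request from src_ip.

    Rules are checked from the lowest priority number upwards. The first
    matching rule without preview is enforced. A matching preview rule is
    only recorded (Cloud Armor logs it) and evaluation moves on to the next rule.
    """
    ip = ipaddress.ip_address(src_ip)
    previewed = []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if not _matches(rule, ip):
            continue
        if rule.get("preview"):
            previewed.append(rule["action"])
            continue
        return rule["action"], previewed
    # Not reachable for the samples: both carry the priority 2147483647 catch-all.
    raise ValueError("no rule matched; a policy needs a priority 2147483647 default rule")


if __name__ == "__main__":
    # Constructed source addresses (203.0.113.0/24 is a documentation range).
    for ip in ("63.63.63.63", "63.1.1.1", "60.1.1.1", "203.0.113.7"):
        print("multirule", ip, evaluate(MULTIRULE, ip))
    for ip in ("16.1.1.1", "203.0.113.7"):
        print("lockdown", ip, evaluate(LOCKDOWN_WITH_TEST, ip))
```

Note that 63.1.1.1 falls inside the untrusted 60.0.0.0/6 block but is allowed, because the priority 555 allow rule is evaluated before the priority 111111111 deny; 63.63.63.63 is denied with 403 because the priority 0 rule wins over both.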