使用 Rego 編寫自訂規則

本文說明如何使用 Rego 政策語言編寫自訂規則。您可以在 Workload Manager 中使用這些規則,根據貴機構定義的最佳做法評估工作負載。

詳情請參閱「關於 Workload Manager 中的自訂規則」。

事前準備

使用 Rego 編寫自訂規則

Google 提供範例 GitHub 存放區,內含一組預先定義的規則,可用於評估工作負載。這些範例涵蓋多種用途。從存放區選取規則,或建立規則 (.rego) 檔案,說明評估需求。

自訂規則包含下列各節:

  • 中繼資料。下列欄位會定義規則中繼資料:

    • DETAILS:規則的簡短說明。
    • SEVERITY:使用者定義的值,可定義違反規則的嚴重程度。例如 HIGHCRITICALMEDIUMLOW
    • ASSET_TYPE:支援的資產之一。請參閱「支援的資料來源」一文。
    • TAGS:規則的一或多個標記。這些標記有助於篩選規則。

  • 套件聲明。例如:templates.google.compute.instance.label

  • 匯入對帳單。例如:data.validator.google.lib as lib

  • 規則定義:定義規則的一組指令。

規則範例

您可以在 GoogleCloudPlatform/workload-manager GitHub 存放區中找到下列範例規則。您可以將這些規則上傳至 Cloud Storage bucket,並用於執行評估。或者,您可以根據貴機構的政策修改規則,然後將檔案上傳至 Cloud Storage bucket

  • 範例 1:確保 VM 至少有一個標籤。
  • 範例 2:確保工作負載不會使用 Compute Engine 預設服務帳戶。
  • 範例 3:確保工作負載中的 VM 不會使用外部 IP 位址。

如需可在 Workload Manager 中使用的範例規則完整清單,請參閱 GoogleCloudPlatform/workload-manager GitHub 存放區。

範例 1

確保 Compute Engine 資源至少有一個標記。

# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

########################################################################
# DETAILS:  MUST have atleast one tag
# SEVERITY: Medium
# ASSET_TYPE: compute.googleapis.com/Instance
# TAGS: Tags, Cost, Management, Compute Engine
########################################################################

package google.compute.instance.tags

import data.validator.google.lib as lib
import data.validator.google.lib.parameters as gparam
import future.keywords

asset := input.asset

params:= lib.get_default(gparam.global_parameters,"compute",{})

deny [{"msg": message, "details": metadata}] {

	# Check if resource is in exempt list
	exempt_list := lib.get_default(params, "exemptions", [])
	exempt := {asset.name} & {ex | ex := exempt_list[_]}
	not count(exempt) != 0

	tags := lib.get_default(asset.resource.data, "tags", {"items": []})
	count(tags.items) == 0

	message:="Compute resource is missing tags. Ensure appropriate tags are applied."

	metadata:={"name": asset.name}
}

範例 2

確保工作負載未使用 Compute Engine 預設服務帳戶

# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

########################################################################
# DETAILS:  MUST NOT use default service account
# SEVERITY: Medium
# ASSET_TYPE: compute.googleapis.com/Instance
# TAGS: Defaults, Management, Compute Engine
########################################################################

package google.compute.defaultserviceAccount

import data.validator.google.lib as lib
import data.validator.google.lib.parameters as gparam
import future.keywords

asset := input.asset

input_enriched := object.union({"resource": {"data": {"serviceAccounts": []}}}, asset)

params := lib.get_default(gparam.global_parameters, "compute", {})

deny[{
	"msg": "Disallowed default service account",
	"details": {"name": asset.name},
}] {

	account = input_enriched.resource.data.serviceAccounts[_]
	endswith(account.email, params.default_sa)
}

範例 3

確保工作負載中的 VM 不會使用外部 IP 位址。

# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

########################################################################
# DETAILS:  Ensure VMs dont have External IP
# SEVERITY: High
# ASSET_TYPE: compute.googleapis.com/Instance
# TAGS: Security, Network, Compute Engine, External IP, VM, Virtual Machine
########################################################################

package google.compute.instance.approved.external.ip

import data.validator.google.lib as lib
import data.validator.google.lib.parameters as gparam
import future.keywords

asset := input.asset

params := lib.get_default(gparam.global_parameters, "compute", {})

deny [{"msg": message, "details": metadata}] {

	# Check if resource is in exempt list
	exempt_list := lib.get_default(params, "exemptions", [])
	exempt := {asset.name} & {ex | ex := exempt_list[_]}
	not count(exempt) != 0

	# Find network access config block w/ external IP
	instance := asset.resource.data
	access_config := instance.networkInterfaces[_].accessConfigs
	count(access_config) > 0

	message := sprintf("%v : VM Instance has external IP. current config: %v",[asset.name, access_config])
	metadata := {"name": asset.name}
}

將規則上傳至 Cloud Storage 值區

建立 .rego 檔案後,請將檔案上傳至 Cloud Storage bucket。Cloud Storage 值區的頂層必須包含 /lib/rules 資料夾:

  • lib
    • parameters.rego
    • utils.rego
  • /rules
    • rule_name1.rego
    • rule_name2.rego

後續步驟