GoogleCloudPlatform / config-validator

Golang library which provides functionality to evaluate GCP resources against Rego-based policies
Apache License 2.0

Latest Docker image for config-validator with latest version of forseti ==> StatusCode.INTERNAL: "Not supported" #159

Open krab-skunk opened 3 years ago

krab-skunk commented 3 years ago

Continuing on my bug reports ;)

Running latest forseti version 2.25.2

Took the latest docker image for config validator from here (tag b3da694): https://console.cloud.google.com/gcr/images/forseti-containers/GLOBAL/config-validator?gcrImageListsize=30

Ran docker as follows (no doc anywhere, so I assume we should run it this way):

    docker run --rm \
        -v /home/ubuntu/policy-library/policy-library/policies:/tmp/policies \
        -v /home/ubuntu/policy-library/policy-library/lib:/tmp/lib \
        -p50052:50052 \
        gcr.io/forseti-containers/config-validator \
        -policyPath=/tmp/policies \
        -policyLibraryPath=/tmp/lib \
        -port=50052 

Telnet works great on 50052, so I run the scanner:

forseti scanner run

Error in forseti.log:

2020-12-17 10:35:55,795 INFO [forseti-security][2.25.2] google.cloud.forseti.services.scanner.service(Run): Run scanner service with model: 30e6001f56ebf2097e0fa70c01258d6e
2020-12-17 10:35:55,805 INFO [forseti-security][2.25.2] google.cloud.forseti.scanner.scanner_builder(_instantiate_scanner): {'module_name': 'config_validator_scanner', 'class_name': 'ConfigValidatorScanner', 'rules_filename': ''}
2020-12-17 10:35:55,805 INFO [forseti-security][2.25.2] google.cloud.forseti.scanner.scanner_builder(_instantiate_scanner): Initializing the rules engine:
Using rules:
2020-12-17 10:35:55,807 ERROR [forseti-security][2.25.2] google.cloud.forseti.scanner.scanners.config_validator_util.validator_client(reset): ConfigValidatorResetError: <_Rendezvous of RPC that terminated with:
    status = StatusCode.INTERNAL
    details = "Not supported"
    debug_error_string = "{"created":"@1608201355.807504094","description":"Error received from peer ipv6:[::1]:50052","file":"src/core/lib/surface/call.cc","file_line":1052,"grpc_message":"Not supported","grpc_status":13}"
>
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/dist-packages/forseti_security-2.25.2-py3.6.egg/google/cloud/forseti/scanner/scanners/config_validator_util/validator_client.py", line 196, in reset
    self.stub.Reset(validator_pb2.ResetRequest())
  File "/usr/local/lib/python3.6/dist-packages/grpc/_channel.py", line 565, in __call__
    return _end_unary_response_blocking(state, call, False, None)
  File "/usr/local/lib/python3.6/dist-packages/grpc/_channel.py", line 467, in _end_unary_response_blocking
    raise _Rendezvous(state, None, None, deadline)
grpc._channel._Rendezvous: <_Rendezvous of RPC that terminated with:
    status = StatusCode.INTERNAL
    details = "Not supported"
    debug_error_string = "{"created":"@1608201355.807504094","description":"Error received from peer ipv6:[::1]:50052","file":"src/core/lib/surface/call.cc","file_line":1052,"grpc_message":"Not supported","grpc_status":13}"
>
2020-12-17 10:35:55,808 ERROR [forseti-security][2.25.2] google.cloud.forseti.scanner.scanner(run): Error running scanner: ConfigValidatorScanner: 'Traceback (most recent call last):
  File "/usr/local/lib/python3.6/dist-packages/forseti_security-2.25.2-py3.6.egg/google/cloud/forseti/scanner/scanners/config_validator_util/validator_client.py", line 196, in reset
    self.stub.Reset(validator_pb2.ResetRequest())
  File "/usr/local/lib/python3.6/dist-packages/grpc/_channel.py", line 565, in __call__
    return _end_unary_response_blocking(state, call, False, None)
  File "/usr/local/lib/python3.6/dist-packages/grpc/_channel.py", line 467, in _end_unary_response_blocking
    raise _Rendezvous(state, None, None, deadline)
grpc._channel._Rendezvous: <_Rendezvous of RPC that terminated with:
    status = StatusCode.INTERNAL
    details = "Not supported"
    debug_error_string = "{"created":"@1608201355.807504094","description":"Error received from peer ipv6:[::1]:50052","file":"src/core/lib/surface/call.cc","file_line":1052,"grpc_message":"Not supported","grpc_status":13}"
>

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/dist-packages/forseti_security-2.25.2-py3.6.egg/google/cloud/forseti/scanner/scanner.py", line 119, in run
    scanner.run()
  File "/usr/local/lib/python3.6/dist-packages/forseti_security-2.25.2-py3.6.egg/google/cloud/forseti/scanner/scanners/config_validator_scanner.py", line 203, in run
    for flattened_violations in self._retrieve_flattened_violations():
  File "/usr/local/lib/python3.6/dist-packages/forseti_security-2.25.2-py3.6.egg/google/cloud/forseti/scanner/scanners/config_validator_scanner.py", line 178, in _retrieve_flattened_violations
    self.validator_client.reset()
  File "/home/ubuntu/forseti-security/.eggs/retrying-1.3.3-py3.6.egg/retrying.py", line 49, in wrapped_f
    return Retrying(*dargs, **dkw).call(f, *args, **kw)
  File "/home/ubuntu/forseti-security/.eggs/retrying-1.3.3-py3.6.egg/retrying.py", line 206, in call
    return attempt.get(self._wrap_exception)
  File "/home/ubuntu/forseti-security/.eggs/retrying-1.3.3-py3.6.egg/retrying.py", line 247, in get
    six.reraise(self.value[0], self.value[1], self.value[2])
  File "/usr/local/lib/python3.6/dist-packages/six.py", line 703, in reraise
    raise value
  File "/home/ubuntu/forseti-security/.eggs/retrying-1.3.3-py3.6.egg/retrying.py", line 200, in call
    attempt = Attempt(fn(*args, **kwargs), attempt_number, False)
  File "/usr/local/lib/python3.6/dist-packages/forseti_security-2.25.2-py3.6.egg/google/cloud/forseti/scanner/scanners/config_validator_util/validator_client.py", line 203, in reset
    raise errors.ConfigValidatorResetError(e)
google.cloud.forseti.scanner.scanners.config_validator_util.errors.ConfigValidatorResetError: <_Rendezvous of RPC that terminated with:
    status = StatusCode.INTERNAL
    details = "Not supported"
    debug_error_string = "{"created":"@1608201355.807504094","description":"Error received from peer ipv6:[::1]:50052","file":"src/core/lib/surface/call.cc","file_line":1052,"grpc_message":"Not supported","grpc_status":13}"
>
2020-12-17 10:35:55,819 INFO [forseti-security][2.25.2] google.cloud.forseti.scanner.scanner(run): Scan completed!

Thanks

krab-skunk commented 3 years ago

Worth mentioning: in the constraints, I tried both naming conventions, ["organizations/**"] and ["organizations/XXXXXXXX"].

gkowalski-google commented 3 years ago

@krab-skunk Forseti v2.25.2 and earlier versions use a static binary of Config Validator that is included in the repo. On the current master branch, this has changed to use the docker image. Not all versions of CV are compatible with Forseti. If you want to use CV with Docker, then you'll need to use the master branch of Forseti and the Forseti Terraform module. There is a default version of CV (image tag) used by the module, but it should be safe to try the latest. I don't think there have been many updates to CV that would benefit Forseti though.

Example Terraform config:

    module "Forseti" {
      source          = "git::github.com/forseti-security/terraform-google-forseti"
      forseti_version = "master"

      org_id     = "1234567890"
      domain     = "example.com"
      project_id = "my-project"
      ...
    }
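The log above shows why "telnet works" is not enough evidence: the TCP port answered, the gRPC call reached the server, and the server itself refused the `Reset` RPC with `INTERNAL` / "Not supported", which the reply attributes to a Forseti/Config Validator version pairing that does not match. Notice also that Forseti still logs "Scan completed!" after the error, so a pipeline that only watches for that line would see a clean, empty scan. The following triage helper is an added example and is not code from Forseti or config-validator; it parses the `debug_error_string` grpc embeds in Forseti's log, de-duplicates the repeated copies of the same failure, and maps the gRPC status to a likely cause. The status-to-cause mapping (`incompatible_cv_build` for `INTERNAL` "Not supported", `unreachable` for `UNAVAILABLE`, `unimplemented` for `UNIMPLEMENTED`) is this example's own interpretation of the thread, and the sample log text is a constructed copy of the lines posted here.

```python
"""Triage helper for Forseti -> Config Validator gRPC failures (added example)."""
import json
import re

# grpc-core status codes (subset) -> canonical names.
GRPC_STATUS_NAMES = {
    0: "OK", 2: "UNKNOWN", 4: "DEADLINE_EXCEEDED", 12: "UNIMPLEMENTED",
    13: "INTERNAL", 14: "UNAVAILABLE", 16: "UNAUTHENTICATED",
}

# grpc prints the JSON unescaped inside the quotes, so capture from the
# opening brace to the last closing brace on the line rather than treating
# it as a quoted string.
_DEBUG_RE = re.compile(r'debug_error_string = "(\{.*\})"')
_PEER_RE = re.compile(r"peer (\S+)")
_RESET_ERR = "ConfigValidatorResetError"

# Constructed sample: the shape of the forseti.log lines from this thread,
# with the same failure logged twice (directly and inside the wrapped
# traceback) and the misleading completion line at the end.
SAMPLE_LOG = """2020-12-17 10:35:55,807 ERROR [forseti-security][2.25.2] google.cloud.forseti.scanner.scanners.config_validator_util.validator_client(reset): ConfigValidatorResetError: <_Rendezvous of RPC that terminated with:
    status = StatusCode.INTERNAL
    details = "Not supported"
    debug_error_string = "{"created":"@1608201355.807504094","description":"Error received from peer ipv6:[::1]:50052","file":"src/core/lib/surface/call.cc","file_line":1052,"grpc_message":"Not supported","grpc_status":13}"
>
2020-12-17 10:35:55,808 ERROR [forseti-security][2.25.2] google.cloud.forseti.scanner.scanner(run): Error running scanner: ConfigValidatorScanner: 'Traceback (most recent call last):
grpc._channel._Rendezvous: <_Rendezvous of RPC that terminated with:
    status = StatusCode.INTERNAL
    details = "Not supported"
    debug_error_string = "{"created":"@1608201355.807504094","description":"Error received from peer ipv6:[::1]:50052","file":"src/core/lib/surface/call.cc","file_line":1052,"grpc_message":"Not supported","grpc_status":13}"
>
2020-12-17 10:35:55,819 INFO [forseti-security][2.25.2] google.cloud.forseti.scanner.scanner(run): Scan completed!
"""


def parse_cv_rpc_errors(log_text: str) -> list:
    """Return one record per distinct RPC failure in the log text.

    Records are de-duplicated on grpc's `created` timestamp, so the same
    failure printed several times yields a single record.
    """
    seen, records = set(), []
    for match in _DEBUG_RE.finditer(log_text):
        info = json.loads(match.group(1))
        created = info.get("created")
        if created in seen:
            continue
        seen.add(created)
        peer = _PEER_RE.search(info.get("description", ""))
        status = int(info.get("grpc_status", -1))
        records.append({
            "created": created,
            "peer": peer.group(1) if peer else None,
            "grpc_status": status,
            "grpc_status_name": GRPC_STATUS_NAMES.get(status, "CODE_%d" % status),
            "grpc_message": info.get("grpc_message", ""),
        })
    return records


def diagnose(status: int, message: str) -> str:
    """Map a gRPC status from the Validator stub to a likely cause (example's own mapping)."""
    if status == 14:
        # UNAVAILABLE: no gRPC endpoint answered (port mapping / -port flag / container down).
        return "unreachable"
    if status == 12:
        # UNIMPLEMENTED: the server never registered this method (different service/proto).
        return "unimplemented"
    if status == 13 and message.strip().lower() == "not supported":
        # The server handled the call and refused it: per this thread, a CV build
        # whose RPC surface does not match this Forseti version.
        return "incompatible_cv_build"
    if status == 13:
        return "server_error"
    return "other"


def scan_silently_failed(log_text: str) -> bool:
    """True when Forseti reported completion even though the CV reset failed."""
    return _RESET_ERR in log_text and "Scan completed!" in log_text


def triage(log_text: str):
    """Summarise the first CV RPC failure in a Forseti log, or None if there is none."""
    records = parse_cv_rpc_errors(log_text)
    if not records:
        return None
    first = dict(records[0])
    first["diagnosis"] = diagnose(first["grpc_status"], first["grpc_message"])
    first["scan_reported_complete"] = scan_silently_failed(log_text)
    return first


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Feed it the real forseti.log instead of `SAMPLE_LOG` to get the peer address, the status name and the diagnosis in one record; the `scan_reported_complete` flag is the one to alert on, since the "Scan completed!" line alone says nothing about whether Config Validator ever evaluated a single constraint.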
krab-skunk commented 3 years ago

@gkowalski-google thanks for your answer. The thing is that I was desperately trying the master branch, as the one coming with terraform never worked for me, and as per issue 156 (https://github.com/forseti-security/config-validator/issues/156), I'm not the only one :(

I did all my installs of forseti using the terraform module provided in the wiki, but none of them ever worked with CV; most likely CV has an issue :/

PS: I'd be more than happy to share my screen via zoom if required ;P

gkowalski-google commented 3 years ago

Can you try starting with a single constraint using master branch and see if that still produces the error?

krab-skunk commented 3 years ago

I do have only one constraint actually, which I copied from the samples directory, and it's this one:

    apiVersion: constraints.gatekeeper.sh/v1alpha1
    kind: GCPRestrictedFirewallRulesConstraintV1
    metadata:
      name: restrict-firewall-rule-world-open
      annotations:
        bundles.validator.forsetisecurity.org/forseti-security: v2.26.0
        bundles.validator.forsetisecurity.org/scorecard-v1: security
        description: Checks for open firewall rules allowing ingress from the internet.
    spec:
      severity: high
      match:
        target: # {"$ref":"#/definitions/io.k8s.cli.setters.target"}
        - "organizations/xxxxxxxxxxxx" # where x is my org ID
      parameters:
        rules:
        - direction: "INGRESS"
          source_ranges:
          - "0.0.0.0/0"
          enabled: "true"
          rule_type: "allowed"

gkowalski-google commented 3 years ago

Perhaps something is wrong with the policy library being used? I just redeployed the master branch of Forseti, and included the restricted firewall world open constraint. No errors encountered. I am using the git-sync feature to sync the policy library from a private GitHub repo. It is finding violations as well.

krab-skunk commented 3 years ago

@gkowalski-google awesome!! All works on the master branch :) Config validator on docker also finds all the issues perfectly. Thanks a ton for your help :) The trick was indeed to use forseti on the master branch :)

nkaravias commented 3 years ago

I'm trying to run this on GKE right now. Is there a matrix with the docker image sha to get a working forseti & config validator on Kubernetes?