The GCP PubSec Declarative Toolkit is a collection of declarative solutions to help you on your Journey to Google Cloud. Solutions are designed using Config Connector and deployed using Config Controller.
feat: Update cluster defaults package with network policies #866
In order to comply with the nist-sp-800-53-r5-require-namespace-network-policies constraint (of NIST SP 800-53 Rev. 5 Policy Controller bundle), cluster-defaults package required updates to add network policies to the gateway-infra and default namespaces.
gateway-infra namespace Network Policy
Added cluster-defaults/admin-namespaces/networkpolicy.yaml file to implement network policy in the gateway-infra namespace.
Network policies implement the following rules:
Allow ingress within namespace
Allow ingress from lb health check
Allow egress within namespace
Allow egress to metadata server
Allow egress for GCP API
Allow egress to private IP ranges (includes K8S cluster)
default namespace Network Policy
Added cluster-defaults/default-namespace/networkpolicy.yaml file to implement network policy in the default namespace.
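The six gateway-infra rules listed above, written out as a single Kubernetes NetworkPolicy; this is an added illustration, not the contents of the package's cluster-defaults/admin-namespaces/networkpolicy.yaml. The policy name and the CIDRs are assumptions: 35.191.0.0/16 and 130.211.0.0/22 are Google Cloud's documented load balancer health-check source ranges, 169.254.169.254/32 is the GCE metadata server, 199.36.153.8/30 is the private.googleapis.com VIP used for Private Google Access, and the three RFC 1918 blocks stand in for "private IP ranges (includes K8S cluster)".

```yaml
# Added example for the gateway-infra namespace (not the package's own file).
# With podSelector: {} and both policyTypes set, every pod in the namespace
# is isolated and only the traffic listed below is allowed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: gateway-infra-baseline   # assumed name
  namespace: gateway-infra
spec:
  podSelector: {}                # selects every pod in the namespace
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Allow ingress within namespace
    - from:
        - podSelector: {}
    # Allow ingress from lb health check (assumed Google health-check ranges)
    - from:
        - ipBlock:
            cidr: 35.191.0.0/16
        - ipBlock:
            cidr: 130.211.0.0/22
  egress:
    # Allow egress within namespace
    - to:
        - podSelector: {}
    # Allow egress to metadata server
    - to:
        - ipBlock:
            cidr: 169.254.169.254/32
    # Allow egress for GCP API (assumed private.googleapis.com VIP, HTTPS only)
    - to:
        - ipBlock:
            cidr: 199.36.153.8/30
      ports:
        - protocol: TCP
          port: 443
    # Allow egress to private IP ranges (includes K8S cluster, so cluster DNS too)
    - to:
        - ipBlock:
            cidr: 10.0.0.0/8
        - ipBlock:
            cidr: 172.16.0.0/12
        - ipBlock:
            cidr: 192.168.0.0/16
```

After applying, `kubectl describe networkpolicy -n gateway-infra` shows the rendered allow rules, which is the quickest way to confirm that no rule block was silently dropped by a YAML indentation error.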