gatekeeper-securitycenter

command module v0.1.8
Published: Jan 19, 2021 License: Apache-2.0 Imports: 7 Imported by: 0

README

gatekeeper-securitycenter is

It requires Security Command Center Standard tier.

Tutorial

See the accompanying tutorial for detailed explanation and step-by-step instructions on how to create a Security Command Center source and Google service accounts with the required permissions, and install the controller resources in a Google Kubernetes Engine (GKE) cluster.

Prerequisites

To install the gatekeeper-securitycenter controller, you must have set up the following prerequisite resources:

  • a Kubernetes cluster, such as a Google Kubernetes Engine (GKE) cluster;
  • Policy Controller or Gatekeeper installed in the Kubernetes cluster;
  • Google service accounts with Cloud IAM policy bindings for Security Command Center; and
  • a Security Command Center source for findings from the Policy Controller or Gatekeeper audit controller.

To create the prerequisite resources, you have three options:

  1. Use the kpt package in the setup directory. This package creates the Google service accounts and Cloud IAM policy bindings using Config Connector.

  2. Use the shell scripts in the scripts directory. These scripts create resources using the gcloud tool from the Google Cloud SDK.

  3. Follow the step-by-step instructions in the tutorial.

For all options, you must have an appropriate Cloud IAM role for Security Command Center at the organization level, such as Security Center Admin Editor.

If your user account is not associated with an organization on Google Cloud, you can create an organization resource by signing up for either Cloud Identity or Google Workspace (formerly G Suite) using a domain you own. Cloud Identity offers a free edition.

Install

To install the gatekeeper-securitycenter controller in your cluster, you must provide the following inputs:

  • the full name of the Security Command Center source where the controller should report findings, in the format organizations/[ORGANIZATION_ID]/sources/[SOURCE_ID]; and

  • if you use a Google Kubernetes Engine (GKE) cluster with Workload Identity (recommended), the Google service account to bind to the Kubernetes service account of the controller. The Google service account must have the Security Center Findings Editor role or equivalent permissions on the Security Command Center source, or at the organization level.

You can deploy the controller by running the deploy script, or you can follow the steps in the manifests kpt package documentation.

Build binary

Build the command-line tool for your platform:

go get github.com/GoogleCloudPlatform/gatekeeper-securitycenter

Build container image

Build and publish a container image for the controller:

git clone https://github.com/GoogleCloudPlatform/gatekeeper-securitycenter.git
cd gatekeeper-securitycenter
(cd tools ; go get github.com/google/ko/cmd/ko)
export KO_DOCKER_REPO=gcr.io/$(gcloud config get-value core/project)
ko publish . --base-import-paths --tags latest

ko is a command-line tool for building container images from Go source code. It does not use a Dockerfile and it does not require a local Docker daemon.

If you would like to use a different base image, edit the value of defaultBaseImage in the file .ko.yaml.

Development

  1. Install Skaffold.

  2. Install kpt.

  3. Create a development GKE cluster with Workload Identity, and install Policy Controller or Gatekeeper. If you like, you can use the provided dev-cluster.sh shell script:

    ./scripts/dev-cluster.sh
    
  4. Create your Security Command Center source (SOURCE_NAME) and set up your findings editor Google service account (FINDINGS_EDITOR_SA) with the required permissions:

    ./scripts/iam-setup.sh
    

    The script prints out values for SOURCE_NAME and FINDINGS_EDITOR_SA. Set these as environment variables for use in later steps.

  5. Create a copy of the manifests directory called .kpt-skaffold. This directory stores your manifests for development purposes:

    cp -r manifests .kpt-skaffold
    
  6. Set the name of your Security Command Center source:

    kpt cfg set .kpt-skaffold source $SOURCE_NAME
    
  7. Set the image name to the Go import path, with the prefix ko://:

    kpt cfg set .kpt-skaffold image ko://github.com/GoogleCloudPlatform/gatekeeper-securitycenter
    
  8. If you use a GKE cluster with Workload Identity, add the Workload Identity annotation to the Kubernetes service account used by the controller:

    kpt cfg annotate .kpt-skaffold \
        --kind ServiceAccount \
        --name gatekeeper-securitycenter-controller \
        --namespace gatekeeper-securitycenter \
        --kv iam.gke.io/gcp-service-account=$FINDINGS_EDITOR_SA
    
  9. Deploy the resources and start the Skaffold development mode watch loop:

    skaffold dev --default-repo=gcr.io/$(gcloud config get-value core/project)
    

    Skaffold creates a directory called .kpt-hydrated to store the hydrated manifests and the inventory-template.yaml file.
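The controller's two inputs from the Install section (the Security Command Center source name and the findings-editor Google service account) feed directly into steps 4 to 8 above, and a wrong value only surfaces after deployment as permission-denied errors in the controller log. The following pre-flight helper is an added example, not part of the gatekeeper-securitycenter project: it checks both inputs against their expected formats, derives the Workload Identity member for the controller's Kubernetes service account (namespace and name taken from step 8), and prints or runs the kpt commands from steps 6 to 8. It assumes SOURCE_NAME and FINDINGS_EDITOR_SA are exported as scripts/iam-setup.sh prints them, and that the cluster lives in the same project as the service account unless CLUSTER_PROJECT is set. The roles/iam.workloadIdentityUser binding it emits is the standard Workload Identity binding rather than something the README itself runs; adding a binding that already exists is a no-op, so it is safe to repeat.

```shell
#!/bin/sh
# Added example, not part of the gatekeeper-securitycenter project.
# Validates the controller inputs, derives the Workload Identity identities,
# and prints (--print) or runs (--apply) the kpt commands from the README's
# Development section. Assumed: SOURCE_NAME and FINDINGS_EDITOR_SA are set as
# scripts/iam-setup.sh prints them; CLUSTER_PROJECT is only needed when the
# GKE cluster is in a different project than the service account.

KPT_DIR="${KPT_DIR:-.kpt-skaffold}"              # development copy of manifests/
KSA_NAMESPACE=gatekeeper-securitycenter          # from README step 8
KSA_NAME=gatekeeper-securitycenter-controller    # from README step 8
IMAGE=ko://github.com/GoogleCloudPlatform/gatekeeper-securitycenter
CLUSTER_PROJECT="${CLUSTER_PROJECT:-}"

# organizations/<ORGANIZATION_ID>/sources/<SOURCE_ID>; both ids are numeric.
validate_source_name() {
  printf '%s\n' "$1" | grep -Eq '^organizations/[0-9]+/sources/[0-9]+$'
}

# <account-id>@<project-id>.iam.gserviceaccount.com; account and project ids
# are 6-30 lowercase letters, digits or hyphens, start with a letter and do
# not end with a hyphen.
validate_gsa_email() {
  printf '%s\n' "$1" |
    grep -Eq '^[a-z][-a-z0-9]{4,28}[a-z0-9]@[a-z][-a-z0-9]{4,28}[a-z0-9]\.iam\.gserviceaccount\.com$'
}

# Organization id embedded in a source name (for organization-level IAM work).
org_id_from_source() {
  printf '%s\n' "$1" | sed -E 's#^organizations/([0-9]+)/sources/[0-9]+$#\1#'
}

# Project that owns a Google service account, taken from its e-mail address.
project_from_gsa() {
  printf '%s\n' "$1" | sed -E 's#^[^@]+@([^.]+)\.iam\.gserviceaccount\.com$#\1#'
}

# Workload Identity member for the controller's Kubernetes service account:
# serviceAccount:<cluster project>.svc.id.goog[<namespace>/<ksa name>]
wi_member() {
  proj="${CLUSTER_PROJECT:-$(project_from_gsa "$1")}"
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]\n' "$proj" "$KSA_NAMESPACE" "$KSA_NAME"
}

# Validate both inputs, then emit the commands for README steps 6-8 plus the
# Workload Identity binding. Returns non-zero (and prints nothing) on bad input.
render() {
  src="$1"; gsa="$2"
  validate_source_name "$src" || { echo "bad SOURCE_NAME: $src" >&2; return 1; }
  validate_gsa_email "$gsa"  || { echo "bad FINDINGS_EDITOR_SA: $gsa" >&2; return 1; }
  cat <<EOF
kpt cfg set $KPT_DIR source $src
kpt cfg set $KPT_DIR image $IMAGE
kpt cfg annotate $KPT_DIR --kind ServiceAccount --name $KSA_NAME --namespace $KSA_NAMESPACE --kv iam.gke.io/gcp-service-account=$gsa
gcloud iam service-accounts add-iam-policy-binding $gsa --role roles/iam.workloadIdentityUser --member '$(wi_member "$gsa")'
EOF
}

# No argument: only define the functions (so the file can be sourced).
case "${1:-}" in
  --print) render "${SOURCE_NAME:?}" "${FINDINGS_EDITOR_SA:?}" ;;
  --apply) render "${SOURCE_NAME:?}" "${FINDINGS_EDITOR_SA:?}" | sh -e ;;
esac
```

Run it with `--print` first and compare the output against steps 6 to 8 before using `--apply`; the annotation in step 8 only tells GKE which Google service account the pod should act as, while the workloadIdentityUser binding is what actually authorizes that impersonation, so a missing binding shows up as the controller failing to write findings even though the manifests look right.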

Disclaimer

This is not an officially supported Google product.
