# gatekeeper-securitycenter

gatekeeper-securitycenter is

It requires Security Command Center Standard tier.
## Tutorial

See the accompanying tutorial for a detailed explanation and step-by-step instructions on how to create a Security Command Center source and Google service accounts with the required permissions, and how to install the controller resources in a Google Kubernetes Engine (GKE) cluster.
## Prerequisites

To install the gatekeeper-securitycenter controller, you must have set up the following prerequisite resources:

- a Kubernetes cluster, such as a Google Kubernetes Engine (GKE) cluster;
- Policy Controller or Gatekeeper installed in the Kubernetes cluster;
- Google service accounts with Cloud IAM policy bindings for Security Command Center; and
- a Security Command Center source for findings from the Policy Controller or Gatekeeper audit controller.
To create the prerequisite resources, you have three options:

- Use the kpt package in the setup directory. This package creates the Google service accounts and Cloud IAM policy bindings using Config Connector.
- Use the shell scripts in the scripts directory. These scripts create resources using the gcloud tool from the Google Cloud SDK.
- Follow the step-by-step instructions in the tutorial.
For all options, you must have an appropriate Cloud IAM role for Security Command Center at the organization level, such as Security Center Admin Editor.

If your user account is not associated with an organization on Google Cloud, you can create an organization resource by signing up for either Cloud Identity or Google Workspace (formerly G Suite) using a domain you own. Cloud Identity offers a free edition.
## Install

To install the gatekeeper-securitycenter controller in your cluster, you must provide the following inputs:

- the full name of the Security Command Center source where the controller should report findings, in the format `organizations/[ORGANIZATION_ID]/sources/[SOURCE_ID]`; and
- if you use a Google Kubernetes Engine (GKE) cluster with Workload Identity (recommended), the Google service account to bind to the Kubernetes service account of the controller. The Google service account must have the Security Center Findings Editor role or equivalent permissions on the Security Command Center source, or at the organization level.

You can deploy the controller by running the deploy script, or you can follow the steps in the manifests kpt package documentation.
## Build binary

Build the command-line tool for your platform:

```sh
go get github.com/GoogleCloudPlatform/gatekeeper-securitycenter
```
## Build container image

Build and publish a container image for the controller:

```sh
git clone https://github.com/GoogleCloudPlatform/gatekeeper-securitycenter.git
cd gatekeeper-securitycenter
(cd tools ; go get github.com/google/ko/cmd/ko)
export KO_DOCKER_REPO=gcr.io/$(gcloud config get-value core/project)
ko publish . --base-import-paths --tags latest
```

ko is a command-line tool for building container images from Go source code. It does not use a Dockerfile, and it does not require a local Docker daemon.

If you would like to use a different base image, edit the value of `defaultBaseImage` in the file `.ko.yaml`.
## Development

- Install Skaffold.
- Install kpt.
- Create a development GKE cluster with Workload Identity, and install Policy Controller or Gatekeeper. If you like, you can use the provided `dev-cluster.sh` shell script:

  ```sh
  ./scripts/dev-cluster.sh
  ```

- Create your Security Command Center source (`SOURCE_NAME`) and set up your findings editor Google service account (`FINDINGS_EDITOR_SA`) with the required permissions:

  ```sh
  ./scripts/iam-setup.sh
  ```

  The script prints out values for `SOURCE_NAME` and `FINDINGS_EDITOR_SA`. Set these as environment variables for use in later steps.

- Create a copy of the `manifests` directory called `.kpt-skaffold`. This directory stores your manifests for development purposes:

  ```sh
  cp -r manifests .kpt-skaffold
  ```

- Set the name of your Security Command Center source:

  ```sh
  kpt cfg set .kpt-skaffold source $SOURCE_NAME
  ```

- Set the image name to the Go import path, with the prefix `ko://`:

  ```sh
  kpt cfg set .kpt-skaffold image ko://github.com/GoogleCloudPlatform/gatekeeper-securitycenter
  ```

- If you use a GKE cluster with Workload Identity, add the Workload Identity annotation to the Kubernetes service account used by the controller:

  ```sh
  kpt cfg annotate .kpt-skaffold \
    --kind ServiceAccount \
    --name gatekeeper-securitycenter-controller \
    --namespace gatekeeper-securitycenter \
    --kv iam.gke.io/gcp-service-account=$FINDINGS_EDITOR_SA
  ```

- Deploy the resources and start the Skaffold development mode watch loop:

  ```sh
  skaffold dev --default-repo=gcr.io/$(gcloud config get-value core/project)
  ```

  Skaffold creates a directory called `.kpt-hydrated` to store the hydrated manifests and the `inventory-template.yaml` file.
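A mistyped source name or service account email in the steps above only surfaces as a permission error once the controller is running. The following preflight script is an added example, not one of the project's own scripts; it validates `SOURCE_NAME` against the format the Install section requires, checks that `FINDINGS_EDITOR_SA` is a Google service account email, and confirms that the Workload Identity annotation in `.kpt-skaffold` (assumed to hold YAML manifests) points at that account before you run `skaffold dev`.

```sh
#!/bin/sh
# Preflight checks for the controller's inputs (added example, not a project script).
# Assumes the manifests in .kpt-skaffold are YAML files, as produced by the cp/kpt steps.

# The Security Command Center source name must have the form
# organizations/[ORGANIZATION_ID]/sources/[SOURCE_ID]; both IDs are numeric.
validate_source_name() {
  printf '%s\n' "$1" | grep -Eq '^organizations/[0-9]+/sources/[0-9]+$'
}

# The findings editor Google service account must be an email of the form
# NAME@PROJECT_ID.iam.gserviceaccount.com (6-30 lowercase letters/digits/hyphens each,
# starting with a letter).
validate_gsa_email() {
  printf '%s\n' "$1" |
    grep -Eq '^[a-z][a-z0-9-]{4,28}[a-z0-9]@[a-z][a-z0-9-]{4,28}[a-z0-9]\.iam\.gserviceaccount\.com$'
}

# Reads manifests from stdin and succeeds only if the Workload Identity annotation
# points at the given Google service account (fixed-string match, so dots are literal).
has_wi_annotation() {
  grep -qF "iam.gke.io/gcp-service-account: $1"
}

# Entry point: call after exporting SOURCE_NAME and FINDINGS_EDITOR_SA and after the
# kpt cfg steps. Optional argument: manifests directory (default .kpt-skaffold).
# Returns non-zero on the first failed check.
preflight() {
  dir="${1:-.kpt-skaffold}"
  validate_source_name "${SOURCE_NAME:-}" ||
    { echo "SOURCE_NAME must look like organizations/123/sources/456" >&2; return 1; }
  validate_gsa_email "${FINDINGS_EDITOR_SA:-}" ||
    { echo "FINDINGS_EDITOR_SA is not a Google service account email" >&2; return 1; }
  find "$dir" -name '*.yaml' -exec cat {} + | has_wi_annotation "$FINDINGS_EDITOR_SA" ||
    { echo "no ServiceAccount in $dir is annotated with $FINDINGS_EDITOR_SA" >&2; return 1; }
  echo "preflight OK: $SOURCE_NAME will receive findings via $FINDINGS_EDITOR_SA"
}
```

Source the file and run `preflight` from the repository root; a non-zero exit means one of the three inputs needs fixing before deploying.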
## Disclaimer

This is not an officially supported Google product.