# Copyright 2020 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. ######### # Allow os updates # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both. # SC-18, SC-18(1), SC-18(2), SC-18(4), SC-18(5) - Access is restricted to the corresponding OS package repository on the Internet. It does not prevent the downloading and execution of mobile code from this source. # AU-12 - Enable Logging for firewall apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeFirewallPolicyRule metadata: name: client-name-client-folder-fwpol-allow-os-updates-fwr # kpt-set: ${client-name}-client-folder-fwpol-allow-os-updates-fwr namespace: client-name-networking # kpt-set: ${client-name}-networking annotations: config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-networking/ComputeFirewallPolicy/client-name-client-folder-fwpol # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-networking/ComputeFirewallPolicy/${client-name}-client-folder-fwpol spec: action: "allow" description: "Allow os updates" direction: "EGRESS" disabled: false # AU-12 enableLogging: true # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) firewallPolicyRef: name: client-name-client-folder-fwpol # kpt-set: ${client-name}-client-folder-fwpol match: layer4Configs: - ipProtocol: "tcp" ports: - "80" - "443" srcIPRanges: # kpt-set: ${allowed-os-update-source-ip-ranges} - "n.n.n.n/n" # SC-18, SC-18(1), SC-18(2), SC-18(4), SC-18(5) destFqdns: # kpt-set: ${allowed-os-update-domains} - "example.com" priority: 5000