solutions/client-landing-zone/client-folder/folder-sink.yaml (34 lines of code) (raw):

```yaml
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
######

# TODO: investigate using client ns, move functionality to client-setup and/or create new client logging project.
# Will be required if a config-controller is deployed per client OR we need to give permissions to the client
# service account into the core logging project.

# Folder sink for Platform and Component logs of Client Resources
# Destination: cloud logging bucket inside logging project
# AU-2 - Organization-defined auditable events
# AU-3, AU-3(1) - Sink defined at folder that will allow all the projects underneath the folder to send the logs to the logging bucket in the logging project
# AU-4(1), AU-6(4), AU-9(2) - Log sinks sending the logs to same project in same region having a logging bucket
# AU-12, AU-12(1) - Log Sinks defined in Log Router check each log entry against the inclusion filter and exclusion filter that determine which destinations the log entry is sent to
apiVersion: logging.cnrm.cloud.google.com/v1beta1
kind: LoggingLogSink
metadata:
  name: platform-and-component-log-client-name-log-sink # kpt-set: platform-and-component-log-${client-name}-log-sink
  namespace: logging
  annotations:
    config.kubernetes.io/depends-on: logging.cnrm.cloud.google.com/namespaces/logging/LoggingLogBucket/platform-and-component-client-name-log-bucket # kpt-set: logging.cnrm.cloud.google.com/namespaces/logging/LoggingLogBucket/platform-and-component-${client-name}-log-bucket
spec:
  # AU-3, AU-3(1), AU-4(1), AU-6(4), AU-9(2)
  folderRef:
    name: clients.client-name # kpt-set: clients.${client-name}
    namespace: hierarchy
  includeChildren: true
  destination:
    loggingLogBucketRef: # destination.loggingLogBucketRef
      # Only `external` field is supported to configure the reference.
      external: platform-and-component-client-name-log-bucket # kpt-set: logging.googleapis.com/projects/${logging-project-id}/locations/northamerica-northeast1/buckets/platform-and-component-${client-name}-log-bucket
  description: Folder sink for client-name Platform and Component logs # kpt-set: Folder sink for ${client-name} Platform and Component logs
  # the log sink must be enabled (disabled: false) to meet the listed security controls
  disabled: false
  # AU-2, AU-12, AU-12(1)
  # Includes the following types of logs:
  # Cloud DNS, Cloud NAT, Firewall Rules, VPC Flow, HTTP(S) Load Balancer and Intrusion Detection System (IDS)
  # Logs for such resources must be enabled on the respective resource as they are not enabled by default.
  filter: |-
    log_id("dns.googleapis.com/dns_queries") OR
    (log_id("compute.googleapis.com/nat_flows") AND resource.type="nat_gateway") OR
    (log_id("compute.googleapis.com/firewall") AND resource.type="gce_subnetwork") OR
    (log_id("compute.googleapis.com/vpc_flows") AND resource.type="gce_subnetwork") OR
    (log_id("requests") AND resource.type="http_load_balancer") OR
    (resource.type="ids.googleapis.com/Endpoint")
  # Excludes all Security logs from bucket: Cloud Audit, Access Transparency, and Data Access Logs.
  # This is done to avoid duplication of logs that are captured by another log sink
  exclusions:
  - description: Exclude Security logs
    disabled: false
    filter: |-
      log_id("cloudaudit.googleapis.com/activity") OR
      log_id("externalaudit.googleapis.com/activity") OR
      log_id("cloudaudit.googleapis.com/data_access") OR
      log_id("externalaudit.googleapis.com/data_access") OR
      log_id("cloudaudit.googleapis.com/system_event") OR
      log_id("externalaudit.googleapis.com/system_event") OR
      log_id("cloudaudit.googleapis.com/policy") OR
      log_id("externalaudit.googleapis.com/policy") OR
      log_id("cloudaudit.googleapis.com/access_transparency") OR
      log_id("externalaudit.googleapis.com/access_transparency")
    name: exclude-security-logs
```
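To check what this sink's inclusion and exclusion filters actually let through before deploying it, the following added example (not part of the project) models the Log Router decision in Python: an entry reaches the bucket only if it matches the `filter:` block and does not match the enabled `exclude-security-logs` exclusion. The log entries are constructed, and the `resource.type` values on the "wrong type" and DNS samples are assumptions chosen to exercise the filter, not taken from the page.

```python
from urllib.parse import unquote

# Constructed log entries (not real data): only the fields the sink's
# filters inspect (logName, resource.type) plus an insertId to label them.
SAMPLE_ENTRIES = [
    {"insertId": "vpc-flow", "logName": "projects/p1/logs/compute.googleapis.com%2Fvpc_flows",
     "resource": {"type": "gce_subnetwork"}},
    {"insertId": "fw-wrong-type", "logName": "projects/p1/logs/compute.googleapis.com%2Ffirewall",
     "resource": {"type": "gce_firewall_rule"}},  # assumed type: fails the AND clause
    {"insertId": "dns", "logName": "projects/p1/logs/dns.googleapis.com%2Fdns_queries",
     "resource": {"type": "dns_query"}},  # assumed type: log_id alone suffices here
    {"insertId": "ids-audit", "logName": "projects/p1/logs/cloudaudit.googleapis.com%2Factivity",
     "resource": {"type": "ids.googleapis.com/Endpoint"}},  # passes inclusion, then excluded
]

# The ten log ids listed in the sink's exclusion filter.
SECURITY_LOG_IDS = {
    f"{svc}.googleapis.com/{kind}"
    for svc in ("cloudaudit", "externalaudit")
    for kind in ("activity", "data_access", "system_event", "policy", "access_transparency")
}

def log_id(entry):
    """Value log_id() compares against: the logName suffix after '/logs/',
    URL-decoded (Cloud Logging writes '/' inside the log id as %2F)."""
    name = entry.get("logName", "")
    return unquote(name.rsplit("/logs/", 1)[1]) if "/logs/" in name else ""

def resource_type(entry):
    return entry.get("resource", {}).get("type", "")

def matches_inclusion(entry):
    """The sink's `filter:` block as a predicate."""
    lid, rtype = log_id(entry), resource_type(entry)
    return (lid == "dns.googleapis.com/dns_queries"
            or (lid == "compute.googleapis.com/nat_flows" and rtype == "nat_gateway")
            or (lid == "compute.googleapis.com/firewall" and rtype == "gce_subnetwork")
            or (lid == "compute.googleapis.com/vpc_flows" and rtype == "gce_subnetwork")
            or (lid == "requests" and rtype == "http_load_balancer")
            or rtype == "ids.googleapis.com/Endpoint")

def matches_exclusion(entry, disabled=False):
    """The `exclude-security-logs` exclusion; a disabled exclusion never matches."""
    return not disabled and log_id(entry) in SECURITY_LOG_IDS

def routed_to_bucket(entry):
    """Log Router order: pass the inclusion filter, then survive every
    enabled exclusion filter, before the entry is sent to the bucket."""
    return matches_inclusion(entry) and not matches_exclusion(entry)

def route_samples():
    return {e["insertId"]: routed_to_bucket(e) for e in SAMPLE_ENTRIES}
```

Note that an exclusion only matters for entries that already passed the inclusion filter, so flipping `disabled: true` on the exclusion would let the `ids-audit` sample into the bucket while leaving the other three decisions unchanged.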