# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
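#########
# Hierarchical firewall policy for the client's standard.applications-infrastructure.pbmm folder,
# plus the association that attaches it to that folder.
#
# The following rules are created automatically with the policy. They all have action "Goto next",
# i.e. traffic matching nothing else is delegated to the shared VPC network firewall rules in the
# host project instead of being allowed or denied here:
#   2147483644  default egress rule ipv6   Egress   IPv6 ranges ::/0       all  Goto next
#   2147483645  default ingress rule ipv6  Ingress  IPv6 ranges ::/0       all  Goto next
#   2147483646  default egress rule        Egress   IPv4 ranges 0.0.0.0/0  all  Goto next
#   2147483647  default ingress rule       Ingress  IPv4 ranges 0.0.0.0/0  all  Goto next
#
# This file defines no rules of its own. Until ComputeFirewallPolicyRule resources referencing
# this policy are added, every connection falls through the defaults above to the shared VPC
# firewall rules, so the effective allow/deny decision is made there.
#########
# Client Compute Firewall Policy on folder standard.applications-infrastructure.pbmm
# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - Every connection to or from a
# virtual machine instance is allowed or denied by firewall rules configured in the shared VPC
# network within the host project, or by firewall policies in parent folders, following the
# least-privilege principle. Each firewall rule applies to either incoming (ingress) or outgoing
# (egress) connections, never both.
---
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeFirewallPolicy
metadata:
  name: client-name-standard-app-infra-pbmm-fwpol # kpt-set: ${client-name}-standard-app-infra-pbmm-fwpol
  namespace: client-name-networking # kpt-set: ${client-name}-networking
  annotations:
    # Ordering hint for kpt: the target folder must exist before the policy is created.
    config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/client-name-hierarchy/Folder/standard.applications-infrastructure.pbmm # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/${client-name}-hierarchy/Folder/standard.applications-infrastructure.pbmm
spec:
  # shortName required, immutable, 1-63 characters, unique within organization
  shortName: client-name-standard-app-infra-pbmm-fwpol # kpt-set: ${client-name}-standard-app-infra-pbmm-fwpol
  # To acquire (take over management of) an existing firewall policy instead of creating one:
  # - uncomment 'resourceID' below
  # - replace 1234567890 with the policy ID number (found in the cloud console)
  # Once acquired, the existing policy is reconciled to match this spec.
  # resourceID: firewallPolicies/1234567890
  # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
  # Parent folder under which the policy is created; the association below attaches it there.
  folderRef:
    name: standard.applications-infrastructure.pbmm
    namespace: client-name-hierarchy # kpt-set: ${client-name}-hierarchy
  description: "Firewall policy for client-name" # kpt-set: Firewall policy for ${client-name}
---
# Firewall policy association to the client's standard.applications-infrastructure.pbmm folder.
# Attaching at the folder makes the policy apply to every project and VPC beneath that folder.
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeFirewallPolicyAssociation
metadata:
  name: client-name-standard-app-infra-pbmm-fwpol-association # kpt-set: ${client-name}-standard-app-infra-pbmm-fwpol-association
  namespace: client-name-networking # kpt-set: ${client-name}-networking
  annotations:
    # Ordering hint for kpt: the policy must exist before it can be associated.
    config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-networking/ComputeFirewallPolicy/client-name-standard-app-infra-pbmm-fwpol # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-networking/ComputeFirewallPolicy/${client-name}-standard-app-infra-pbmm-fwpol
spec:
  # Folder the policy is enforced on.
  attachmentTargetRef:
    kind: Folder
    name: standard.applications-infrastructure.pbmm
    namespace: client-name-hierarchy # kpt-set: ${client-name}-hierarchy
  # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
  # Must match metadata.name of the ComputeFirewallPolicy above.
  firewallPolicyRef:
    name: client-name-standard-app-infra-pbmm-fwpol # kpt-set: ${client-name}-standard-app-infra-pbmm-fwpol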