# Copyright 2020 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. ######### # Rules 2147483541 to 2147483546 are the suggested defaults by Google ######### # Delegate to host project, egress traffic(firewall) from VPC resources to private IP ranges in shared VPC network # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both. # AU-12 - Enable Logging for firewall policies # SI-4 - Logging denied traffic apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeFirewallPolicyRule metadata: name: client-name-standard-app-infra-pbmm-fwpol-exclude-private-ip-ranges-egress-fwr # kpt-set: ${client-name}-standard-app-infra-pbmm-fwpol-exclude-private-ip-ranges-egress-fwr namespace: client-name-networking # kpt-set: ${client-name}-networking annotations: config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-networking/ComputeFirewallPolicy/client-name-standard-app-infra-pbmm-fwpol # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-networking/ComputeFirewallPolicy/${client-name}-standard-app-infra-pbmm-fwpol spec: action: "goto_next" description: "Delegate to host project, egress traffic(firewall) from VPC resources to private IP ranges in shared VPC network" direction: "EGRESS" disabled: false # logging not supported for goto_next rules enableLogging: false # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) firewallPolicyRef: name: client-name-standard-app-infra-pbmm-fwpol # kpt-set: ${client-name}-standard-app-infra-pbmm-fwpol match: layer4Configs: - ipProtocol: "all" destIPRanges: # kpt-set: ${firewall-internal-ip-ranges} - "10.0.0.0/8" - "172.16.0.0/12" - "192.168.0.0/16" priority: 2147483541 --- # Delegate to host project, ingress traffic(firewall) from private IP ranges to VPC resources in shared VPC network apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeFirewallPolicyRule metadata: name: client-name-standard-app-infra-pbmm-fwpol-exclude-private-ip-ranges-ingress-fwr # kpt-set: ${client-name}-standard-app-infra-pbmm-fwpol-exclude-private-ip-ranges-ingress-fwr namespace: client-name-networking # kpt-set: ${client-name}-networking annotations: config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-networking/ComputeFirewallPolicy/client-name-standard-app-infra-pbmm-fwpol # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-networking/ComputeFirewallPolicy/${client-name}-standard-app-infra-pbmm-fwpol spec: action: "goto_next" description: "Delegate to host project, ingress traffic(firewall) from private IP ranges to VPC resources in shared VPC network" direction: "INGRESS" disabled: false # logging not supported for goto_next rules enableLogging: false # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) firewallPolicyRef: name: client-name-standard-app-infra-pbmm-fwpol # kpt-set: ${client-name}-standard-app-infra-pbmm-fwpol match: layer4Configs: - ipProtocol: "all" srcIPRanges: # kpt-set: ${firewall-internal-ip-ranges} - "10.0.0.0/8" - "172.16.0.0/12" - "192.168.0.0/16" priority: 2147483542 --- # Deny known malicious IPs ingress traffic # https://cloud.google.com/armor/docs/threat-intelligence#configure-nti apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeFirewallPolicyRule metadata: name: client-name-standard-app-infra-pbmm-fwpol-deny-known-malicious-ip-ingress-fwr # kpt-set: ${client-name}-standard-app-infra-pbmm-fwpol-deny-known-malicious-ip-ingress-fwr namespace: client-name-networking # kpt-set: ${client-name}-networking annotations: config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-networking/ComputeFirewallPolicy/client-name-standard-app-infra-pbmm-fwpol # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-networking/ComputeFirewallPolicy/${client-name}-standard-app-infra-pbmm-fwpol spec: action: "deny" description: "Deny known malicious IPs ingress traffic" direction: "INGRESS" disabled: false # AU-12, SI-4 enableLogging: true # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) firewallPolicyRef: name: client-name-standard-app-infra-pbmm-fwpol # kpt-set: ${client-name}-standard-app-infra-pbmm-fwpol match: layer4Configs: - ipProtocol: "all" srcIPRanges: - "0.0.0.0/0" srcThreatIntelligences: - "iplist-known-malicious-ips" priority: 2147483544 --- # Deny known malicious IPs egress traffic # https://cloud.google.com/armor/docs/threat-intelligence#configure-nti apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeFirewallPolicyRule metadata: name: client-name-standard-app-infra-pbmm-fwpol-deny-known-malicious-ip-egress-fwr # kpt-set: ${client-name}-standard-app-infra-pbmm-fwpol-deny-known-malicious-ip-egress-fwr namespace: client-name-networking # kpt-set: ${client-name}-networking annotations: config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-networking/ComputeFirewallPolicy/client-name-standard-app-infra-pbmm-fwpol # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-networking/ComputeFirewallPolicy/${client-name}-standard-app-infra-pbmm-fwpol spec: action: "deny" description: "Deny known malicious IPs egress traffic" direction: "EGRESS" disabled: false # AU-12, SI-4 enableLogging: true # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) firewallPolicyRef: name: client-name-standard-app-infra-pbmm-fwpol # kpt-set: ${client-name}-standard-app-infra-pbmm-fwpol match: layer4Configs: - ipProtocol: "all" destIPRanges: - "0.0.0.0/0" destThreatIntelligences: - "iplist-known-malicious-ips" priority: 2147483545