
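# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
######
---
# Logs Bucket writer IAM permissions for security log sink
# Binds the service account dynamically created with the LoggingLogSink to the required role to write to the bucket
# AC-1 - Implementation of access control
# AC-3, AU-9 - IAM Policies that assign the dynamically created service account with the LoggingLogSink to the logging bucket writer role and storage admin role on the storage bucket
# NOTE(review): only roles/logging.bucketWriter is bound in this file; the storage admin binding named above is not defined here — confirm it is granted elsewhere or trim this comment.
# IAMPartialPolicy is non-authoritative: it adds these bindings without removing bindings managed outside Config Connector.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPartialPolicy
metadata:
  name: security-log-bucket-writer-permissions
  namespace: projects
  annotations:
    config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${logging-project-id} # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${logging-project-id}
spec:
  resourceRef:
    kind: Project
    name: logging-project-id # kpt-set: ${logging-project-id}
    namespace: projects
  # AC-1, AC-3, AU-9
  bindings:
    - role: roles/logging.bucketWriter
      members:
        # The member is the writer identity of the referenced LoggingLogSink, resolved by Config Connector at apply time.
        - memberFrom:
            logSinkRef:
              name: org-log-sink-security-logging-project-id # kpt-set: org-log-sink-security-${logging-project-id}
              namespace: logging
---
# Logs Bucket writer IAM permissions for the platform and component log sinks
# Binds the service account dynamically created with the LoggingLogSink to the required role to write to the bucket
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPartialPolicy
metadata:
  name: platform-and-component-services-log-bucket-writer-permissions
  namespace: projects
  annotations:
    config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${logging-project-id} # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${logging-project-id}
spec:
  resourceRef:
    kind: Project
    name: logging-project-id # kpt-set: ${logging-project-id}
    namespace: projects
  # AC-1, AC-3, AU-9
  bindings:
    - role: roles/logging.bucketWriter
      members:
        - memberFrom:
            logSinkRef:
              name: platform-and-component-services-log-sink
              namespace: logging
---
# Logs Bucket writer IAM permissions for the platform and component services infra log sink
# Binds the service account dynamically created with the LoggingLogSink to the required role to write to the bucket
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPartialPolicy
metadata:
  name: platform-and-component-services-infra-log-bucket-writer-permissions
  namespace: projects
  annotations:
    config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${logging-project-id} # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${logging-project-id}
spec:
  resourceRef:
    kind: Project
    name: logging-project-id # kpt-set: ${logging-project-id}
    namespace: projects
  # AC-1, AC-3, AU-9
  bindings:
    - role: roles/logging.bucketWriter
      members:
        - memberFrom:
            logSinkRef:
              name: platform-and-component-services-infra-log-sink
              namespace: logging
---
# Logs Bucket writer IAM permissions for the management project cluster platform and component log sink
# Binds the service account dynamically created with the LoggingLogSink to the required role to write to the bucket
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPartialPolicy
metadata:
  name: mgmt-project-cluster-platform-and-component-log-bucket-writer-permissions
  namespace: projects
  annotations:
    config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${logging-project-id} # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${logging-project-id}
spec:
  resourceRef:
    kind: Project
    name: logging-project-id # kpt-set: ${logging-project-id}
    namespace: projects
  # AC-1, AC-3, AU-9
  bindings:
    - role: roles/logging.bucketWriter
      members:
        - memberFrom:
            logSinkRef:
              name: mgmt-project-cluster-platform-and-component-log-sink
              namespace: logging
---
# Enable data access log configuration on the logging project
# NOTE(review): only DATA_READ is enabled for allServices; DATA_WRITE and ADMIN_READ are not — confirm this is the intended AU-9 coverage for a project that holds the audit logs themselves.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMAuditConfig
metadata:
  name: logging-project-data-access-log-config
  namespace: projects
  annotations:
    config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${logging-project-id} # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${logging-project-id}
spec:
  service: allServices
  # AU-9, AC-3
  auditLogConfigs:
    - logType: DATA_READ
  resourceRef:
    kind: Project
    name: logging-project-id # kpt-set: ${logging-project-id}
    namespace: projects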