
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
########
# Egress firewall rules for the GKE Autopilot cluster, managed through
# Config Connector (ComputeFirewallPolicyRule). The file holds three
# documents, one per allowed destination: Azure DevOps, GitHub and the
# regional Artifact Registry (pkg.dev) endpoints. Every rule is an EGRESS
# "allow" restricted to TCP/443 and to the listed destination FQDNs, with
# rule logging enabled. Values tagged "# kpt-set:" are placeholders that kpt
# setters replace; each setter comment must stay on the same line as the
# value it fills in.
#
# GKE egress Allow GKE nodes to AzDO
# TODO: validate if service account can be used instead of primaryIpv4Range
# NOTE(review): with srcIPRanges set to the whole primary range, the allow
# presumably applies to every address in that range rather than only the
# workloads that need repository access - the commented-out
# targetServiceAccounts block at the end of each rule is the narrower
# alternative; confirm which scope is intended before resolving the TODO.
# AU-12 - Enable Logging for firewall
# SC-7(9) - Exception to allow access to repositories in Github and AZDO and to allow access to docker registry
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeFirewallPolicyRule
metadata:
  # Rule name and namespace are derived from the project and cluster setters.
  name: project-id-cluster-name-egress-allow-azdo # kpt-set: ${project-id}-${cluster-name}-egress-allow-azdo
  namespace: project-id-tier3 # kpt-set: ${project-id}-tier3
  annotations:
    # The rule is created in the host (networking) project, not the cluster project.
    cnrm.cloud.google.com/project-id: host-project-id # kpt-set: ${host-project-id}
spec:
  action: "allow"
  description: "GKE allow access to dev.azure.com"
  direction: "EGRESS"
  disabled: false
  # AU-12 - log connections matched by this rule
  enableLogging: true
  # Attaches the rule to the shared firewall policy owned by the client
  # networking namespace.
  firewallPolicyRef:
    name: client-name-network-connectivity-profile-app-infra-classification-fwpol # kpt-set: ${client-name}-${network-connectivity-profile}-app-infra-${classification}-fwpol
    namespace: client-name-networking # kpt-set: ${client-name}-networking
  match:
    # Source scope: the cluster's primary IPv4 range (see TODO above).
    srcIPRanges: # kpt-set: ${primaryIpv4Range}
      - primaryIpv4Range
    # Only TCP/443 is permitted; no other protocol or port matches.
    layer4Configs:
      - ipProtocol: "tcp"
        ports:
          - "443"
    # SC-7(9) - destination is matched by FQDN, limited to the one host below.
    destFqdns:
      - "dev.azure.com"
  # Each of the three rules uses a distinct priority (2000, 2001, 2002),
  # overridable through its own setter.
  priority: 2000 # kpt-set: ${gke-to-azdo-priority}
  # Narrower alternative to srcIPRanges, left disabled pending the TODO above.
  # targetServiceAccounts:
  # - name: cluster-name-sa # kpt-set: ${cluster-name}-sa
---
# GKE egress Allow GKE nodes to Github
# Same shape as the AzDO rule above; only the name, description, destination
# FQDN and priority setter differ.
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeFirewallPolicyRule
metadata:
  name: project-id-cluster-name-egress-allow-github # kpt-set: ${project-id}-${cluster-name}-egress-allow-github
  namespace: project-id-tier3 # kpt-set: ${project-id}-tier3
  annotations:
    cnrm.cloud.google.com/project-id: host-project-id # kpt-set: ${host-project-id}
spec:
  action: "allow"
  description: "GKE allow access to github.com"
  direction: "EGRESS"
  disabled: false
  # AU-12 - log connections matched by this rule
  enableLogging: true
  firewallPolicyRef:
    name: client-name-network-connectivity-profile-app-infra-classification-fwpol # kpt-set: ${client-name}-${network-connectivity-profile}-app-infra-${classification}-fwpol
    namespace: client-name-networking # kpt-set: ${client-name}-networking
  match:
    # Source scope: the cluster's primary IPv4 range (see TODO in the first document).
    srcIPRanges: # kpt-set: ${primaryIpv4Range}
      - primaryIpv4Range
    # Only TCP/443 is permitted.
    layer4Configs:
      - ipProtocol: "tcp"
        ports:
          - "443"
    # SC-7(9) - destination is matched by FQDN; github.com only, no subdomains listed.
    destFqdns:
      - "github.com"
  priority: 2001 # kpt-set: ${gke-to-github-priority}
  # Narrower alternative to srcIPRanges, left disabled pending the TODO above.
  # targetServiceAccounts:
  # - name: cluster-name-sa # kpt-set: ${cluster-name}-sa
---
# GKE egress Allow GKE nodes to docker registry
# Same shape as the rules above; the destination is the regional Artifact
# Registry (pkg.dev) endpoints used for container image pulls.
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeFirewallPolicyRule
metadata:
  name: project-id-cluster-name-egress-allow-docker # kpt-set: ${project-id}-${cluster-name}-egress-allow-docker
  namespace: project-id-tier3 # kpt-set: ${project-id}-tier3
  annotations:
    cnrm.cloud.google.com/project-id: host-project-id # kpt-set: ${host-project-id}
spec:
  action: "allow"
  description: "GKE allow access to docker.pkg.dev"
  direction: "EGRESS"
  disabled: false
  # AU-12 - log connections matched by this rule
  enableLogging: true
  firewallPolicyRef:
    name: client-name-network-connectivity-profile-app-infra-classification-fwpol # kpt-set: ${client-name}-${network-connectivity-profile}-app-infra-${classification}-fwpol
    namespace: client-name-networking # kpt-set: ${client-name}-networking
  match:
    # Source scope: the cluster's primary IPv4 range (see TODO in the first document).
    srcIPRanges: # kpt-set: ${primaryIpv4Range}
      - primaryIpv4Range
    # Only TCP/443 is permitted.
    layer4Configs:
      - ipProtocol: "tcp"
        ports:
          - "443"
    # SC-7(9) - only the two northamerica-northeast regional endpoints are
    # allowed. The generic docker.pkg.dev host named in the description is
    # not itself in this list, so pulls from other regional hosts are not
    # covered by this rule.
    destFqdns:
      - "northamerica-northeast1-docker.pkg.dev"
      - "northamerica-northeast2-docker.pkg.dev"
  priority: 2002 # kpt-set: ${gke-to-docker-priority}
  # Narrower alternative to srcIPRanges, left disabled pending the TODO above.
  # targetServiceAccounts:
  # - name: cluster-name-sa # kpt-set: ${cluster-name}-sa