fix: handle Autopilot clusters in gke checks

Signed-off-by: Nikita Pivkin <[email protected]>

Author: nikpivkin

checks/cloud/google/gke/enable_auto_repair.rego

@@ -25,14 +25,39 @@ package builtin.google.gke.google0063
 import rego.v1
 
 import data.lib.cloud.metadata
+import data.lib.cloud.value
 
 deny contains res if {
 	some cluster in input.google.gke.clusters
 	isManaged(cluster)
+	autopilot_disabled(cluster)
 	some pool in cluster.nodepools
-	not pool.management.enableautorepair.value
+	autorepair_is_disabled_for_pool(pool)
 	res := result.new(
 		"Node pool does not have auto-repair enabled.",
 		metadata.obj_by_path(pool, ["management", "enableautorepair"]),
 	)
 }
+
+autorepair_is_disabled_for_pool(pool) if value.is_false(pool.management.enableautorepair)
+
+autorepair_is_disabled_for_pool(pool) if not pool.management.enableautorepair
+
+autopilot_disabled(cluster) if value.is_false(cluster.enableautpilot)
+
+autopilot_disabled(cluster) if not cluster.enableautpilot
+
+deny contains res if {
+	some cluster in input.google.gke.clusters
+	isManaged(cluster)
+	cluster.enableautpilot.value
+	autorepair_is_disabled(cluster)
+	res := result.new(
+		"Node pool does not have auto-repair enabled.",
+		metadata.obj_by_path(cluster, ["autoscaling", "autoprovisioningdefaults", "management", "enableautorepair"]),
+	)
+}
+
+autorepair_is_disabled(cluster) if value.is_false(cluster.autoscaling.autoprovisioningdefaults.management.enableautorepair)
+
+autorepair_is_disabled(cluster) if not cluster.autoscaling.autoprovisioningdefaults.management.enableautorepair

checks/cloud/google/gke/enable_auto_repair_test.rego

@@ -11,9 +11,46 @@ test_deny_auto_repair_disabled if {
 	count(res) == 1
 }
 
+test_deny_auto_repair_disabled_for_autopilot if {
+	inp := {"google": {"gke": {"clusters": [{
+		"enableautpilot": {"value": true},
+		"autoscaling": {"autoprovisioningdefaults": {"management": {"enableautorepair": {"value": false}}}},
+	}]}}}
+
+	res := check.deny with input as inp
+	count(res) == 1
+}
+
+test_deny_auto_repair_missing_for_autopilot if {
+	inp := {"google": {"gke": {"clusters": [{"enableautpilot": {"value": true}}]}}}
+
+	res := check.deny with input as inp
+	count(res) == 1
+}
+
 test_allow_auto_repair_enabled if {
 	inp := {"google": {"gke": {"clusters": [{"nodepools": [{"management": {"enableautorepair": {"value": true}}}]}]}}}
 
 	res := check.deny with input as inp
 	res == set()
 }
+
+test_allow_auto_repair_enabled_for_autopilot if {
+	inp := {"google": {"gke": {"clusters": [{
+		"enableautpilot": {"value": true},
+		"autoscaling": {"autoprovisioningdefaults": {"management": {"enableautorepair": {"value": true}}}},
+	}]}}}
+
+	res := check.deny with input as inp
+	res == set()
+}
+
+test_allow_auto_repair_unresolvable_for_autopilot if {
+	inp := {"google": {"gke": {"clusters": [{
+		"enableautpilot": {"value": true},
+		"autoscaling": {"autoprovisioningdefaults": {"management": {"enableautorepair": {"value": false, "unresolvable": true}}}},
+	}]}}}
+
+	res := check.deny with input as inp
+	res == set()
+}

checks/cloud/google/gke/enable_auto_upgrade.rego

@@ -25,14 +25,39 @@ package builtin.google.gke.google0058
 import rego.v1
 
 import data.lib.cloud.metadata
+import data.lib.cloud.value
 
 deny contains res if {
 	some cluster in input.google.gke.clusters
 	isManaged(cluster)
+	autopilot_disabled(cluster)
 	some pool in cluster.nodepools
-	not pool.management.enableautoupgrade.value
+	autoupgrade_is_disabled_for_pool(pool)
 	res := result.new(
-		"Node pool does not have auto-upgraade enabled.",
+		"Node pool does not have auto-repair enabled.",
 		metadata.obj_by_path(pool, ["management", "enableautoupgrade"]),
 	)
 }
+
+autoupgrade_is_disabled_for_pool(pool) if value.is_false(pool.management.enableautoupgrade)
+
+autoupgrade_is_disabled_for_pool(pool) if not pool.management.enableautoupgrade
+
+autopilot_disabled(cluster) if value.is_false(cluster.enableautpilot)
+
+autopilot_disabled(cluster) if not cluster.enableautpilot
+
+deny contains res if {
+	some cluster in input.google.gke.clusters
+	isManaged(cluster)
+	cluster.enableautpilot.value
+	autoupgrade_is_disabled(cluster)
+	res := result.new(
+		"Node pool does not have auto-repair enabled.",
+		metadata.obj_by_path(cluster, ["autoscaling", "autoprovisioningdefaults", "management", "enableautoupgrade"]),
+	)
+}
+
+autoupgrade_is_disabled(cluster) if value.is_false(cluster.autoscaling.autoprovisioningdefaults.management.enableautoupgrade)
+
+autoupgrade_is_disabled(cluster) if not cluster.autoscaling.autoprovisioningdefaults.management.enableautoupgrade

checks/cloud/google/gke/enable_auto_upgrade_test.rego

@@ -11,9 +11,46 @@ test_deny_auto_upgrade_disabled if {
 	count(res) == 1
 }
 
+test_deny_auto_repair_disabled_for_autopilot if {
+	inp := {"google": {"gke": {"clusters": [{
+		"enableautpilot": {"value": true},
+		"autoscaling": {"autoprovisioningdefaults": {"management": {"enableautoupgrade": {"value": false}}}},
+	}]}}}
+
+	res := check.deny with input as inp
+	count(res) == 1
+}
+
+test_deny_auto_repair_missing_for_autopilot if {
+	inp := {"google": {"gke": {"clusters": [{"enableautpilot": {"value": true}}]}}}
+
+	res := check.deny with input as inp
+	count(res) == 1
+}
+
 test_allow_auto_upgrade_enabled if {
 	inp := {"google": {"gke": {"clusters": [{"nodepools": [{"management": {"enableautoupgrade": {"value": true}}}]}]}}}
 
 	res := check.deny with input as inp
 	res == set()
 }
+
+test_allow_auto_repair_enabled_for_autopilot if {
+	inp := {"google": {"gke": {"clusters": [{
+		"enableautpilot": {"value": true},
+		"autoscaling": {"autoprovisioningdefaults": {"management": {"enableautoupgrade": {"value": true}}}},
+	}]}}}
+
+	res := check.deny with input as inp
+	res == set()
+}
+
+test_allow_auto_repair_unresolvable_for_autopilot if {
+	inp := {"google": {"gke": {"clusters": [{
+		"enableautpilot": {"value": true},
+		"autoscaling": {"autoprovisioningdefaults": {"management": {"enableautoupgrade": {"value": false, "unresolvable": true}}}},
+	}]}}}
+
+	res := check.deny with input as inp
+	res == set()
+}

checks/cloud/google/gke/node_pool_uses_cos.rego

@@ -22,13 +22,15 @@
 #   examples: checks/cloud/google/gke/node_pool_uses_cos.yaml
 package builtin.google.gke.google0054
 
+import data.lib.cloud.value
 import rego.v1
 
 deny contains res if {
 	some cluster in input.google.gke.clusters
 	isManaged(cluster)
+	autopilot_disabled(cluster)
 	image_type := cluster.nodeconfig.imagetype
-	not lower(image_type.value) in {"cos", "cos_containerd", ""}
+	image_type_is_not_cos(image_type, {"cos", "cos_containerd", ""})
 	res := result.new(
 		"Cluster is not configuring node pools to use the COS containerd image type by default.",
 		image_type,
@@ -38,11 +40,35 @@ deny contains res if {
 deny contains res if {
 	some cluster in input.google.gke.clusters
 	isManaged(cluster)
+	autopilot_disabled(cluster)
 	some pool in cluster.nodepools
 	image_type := pool.nodeconfig.imagetype
-	not lower(image_type.value) in {"cos", "cos_containerd"}
+	image_type_is_not_cos(image_type, {"cos", "cos_containerd"})
 	res := result.new(
 		"Node pool is not using the COS containerd image type.",
 		image_type,
 	)
 }
+
+autopilot_disabled(cluster) if value.is_false(cluster.enableautpilot)
+
+autopilot_disabled(cluster) if not cluster.enableautpilot
+
+deny contains res if {
+	some cluster in input.google.gke.clusters
+	isManaged(cluster)
+	cluster.enableautpilot.value
+	image_type := cluster.autoscaling.autoprovisioningdefaults.imagetype
+	image_type_is_not_cos(image_type, {"cos", "cos_containerd"})
+	res := result.new(
+		"Node pool is not using the COS containerd image type.",
+		image_type,
+	)
+}
+
+image_type_is_not_cos(image_type, _) if value.is_empty(image_type)
+
+image_type_is_not_cos(image_type, allowed) if {
+	value.is_not_empty(image_type)
+	not lower(image_type.value) in allowed
+}

checks/cloud/google/gke/node_pool_uses_cos_test.rego

@@ -18,6 +18,16 @@ test_deny_node_pool_image_type_is_ubuntu if {
 	count(res) == 1
 }
 
+test_deny_autopilot_image_type_is_ubuntu if {
+	inp := {"google": {"gke": {"clusters": [{
+		"enableautpilot": {"value": true},
+		"autoscaling": {"autoprovisioningdefaults": {"imagetype": {"value": "UBUNTU"}}},
+	}]}}}
+
+	res := check.deny with input as inp
+	count(res) == 1
+}
+
 test_allow_node_config_image_type_is_cos if {
 	inp := {"google": {"gke": {"clusters": [{"nodeconfig": {"imagetype": {"value": "COS"}}}]}}}
 
@@ -31,3 +41,23 @@ test_allow_node_pool_image_type_is_cos if {
 	res := check.deny with input as inp
 	res == set()
 }
+
+test_allow_autopilot_image_type_is_cos if {
+	inp := {"google": {"gke": {"clusters": [{
+		"enableautpilot": {"value": true},
+		"autoscaling": {"autoprovisioningdefaults": {"imagetype": {"value": "COS"}}},
+	}]}}}
+
+	res := check.deny with input as inp
+	res == set()
+}
+
+test_allow_autopilot_image_type_is_unresolvable if {
+	inp := {"google": {"gke": {"clusters": [{
+		"enableautpilot": {"value": true},
+		"autoscaling": {"autoprovisioningdefaults": {"imagetype": {"value": "", "unresolvable": true}}},
+	}]}}}
+
+	res := check.deny with input as inp
+	res == set()
+}

checks/cloud/google/gke/use_service_account.rego

@@ -32,6 +32,7 @@ import data.lib.cloud.value
 deny contains res if {
 	some cluster in input.google.gke.clusters
 	isManaged(cluster)
+	autopilot_disabled(cluster)
 	value.is_false(cluster.removedefaultnodepool)
 	default_account_is_not_overrided(cluster.nodeconfig)
 	res := result.new(
@@ -43,6 +44,7 @@ deny contains res if {
 deny contains res if {
 	some cluster in input.google.gke.clusters
 	isManaged(cluster)
+	autopilot_disabled(cluster)
 	some pool in cluster.nodepools
 	default_account_is_not_overrided(pool.nodeconfig)
 	res := result.new(
@@ -51,6 +53,21 @@ deny contains res if {
 	)
 }
 
+deny contains res if {
+	some cluster in input.google.gke.clusters
+	isManaged(cluster)
+	cluster.enableautpilot.value
+	default_account_is_not_overrided(cluster.autoscaling.autoprovisioningdefaults)
+	res := result.new(
+		"Cluster does not override the default service account.",
+		metadata.obj_by_path(cluster, ["nodeconfig", "serviceaccount"]),
+	)
+}
+
+autopilot_disabled(cluster) if value.is_false(cluster.enableautpilot)
+
+autopilot_disabled(cluster) if not cluster.enableautpilot
+
 default_account_is_not_overrided(nodeconfig) if value.is_empty(nodeconfig.serviceaccount)
 
 default_account_is_not_overrided(nodeconfig) if not nodeconfig.serviceaccount

examples/serverless/python2.rego

@@ -8,8 +8,6 @@
 #   Ensure that you use a supported runtime version, such as Python 3.x,
 #   to maintain the security and reliability of your serverless application.
 # scope: package
-# schemas:
-#   - input: schema["yaml"]
 # related_resources:
 #   - https://www.python.org/doc/sunset-python-2/
 # custom:

examples/terraform-plan/asg_capacity.rego

@@ -6,8 +6,6 @@
 #
 #   Ensure that the desired capacity for Auto Scaling Groups is set to a reasonable value, typically within limits defined by your organization.
 # scope: package
-# schemas:
-#   - input: schema["json"]
 # related_resources:
 #   - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group
 # custom: