Updated policy-library to use ancestries / excludedAncestries

b/241296218
GoogleCloudPlatform · Aug 3, 2022 · d651f47 · d651f47
1 parent 5538c63
commit d651f47
Show file tree

Hide file tree

Showing 171 changed files with 257 additions and 257 deletions.
diff --git a/bundler/test-data/common/sink/bundle.yaml b/bundler/test-data/common/sink/bundle.yaml
@@ -12,8 +12,8 @@ items:
   spec:
     severity: high
     match:
-      target: ["organization/*"]
-      exclude: [] # optional, default is no exclusions
+      ancestries: ["organization/*"]
+      excludedAncestries: [] # optional, default is no exclusions
     parameters: {}
 - apiVersion: constraints.gatekeeper.sh/v1alpha1
   kind: GCPRestrictedFirewallRulesConstraintV1
@@ -25,7 +25,7 @@ items:
   spec:
     severity: high
     match:
-      target: ["organization/*"]
+      ancestries: ["organization/*"]
     parameters:
       rules:
         - direction: "INGRESS"

diff --git a/bundler/test-data/common/source/bundle.yaml b/bundler/test-data/common/source/bundle.yaml
@@ -12,8 +12,8 @@ items:
   spec:
     severity: high
     match:
-      target: ["organization/*"]
-      exclude: [] # optional, default is no exclusions
+      ancestries: ["organization/*"]
+      excludedAncestries: [] # optional, default is no exclusions
     parameters: {}
 - apiVersion: constraints.gatekeeper.sh/v1alpha1
   kind: GCPRestrictedFirewallRulesConstraintV1
@@ -25,7 +25,7 @@ items:
   spec:
     severity: high
     match:
-      target: ["organization/*"]
+      ancestries: ["organization/*"]
     parameters:
       rules:
         - direction: "INGRESS"

diff --git a/bundler/test-data/common/source/invalid.yaml b/bundler/test-data/common/source/invalid.yaml
@@ -12,8 +12,8 @@ items:
   spec:
     severity: high
     match:
-      target: ["organization/*"]
-      exclude: [] # optional, default is no exclusions
+      ancestries: ["organization/*"]
+      excludedAncestries: [] # optional, default is no exclusions
     parameters: {}
 - kind: GCPRestrictedFirewallRulesConstraintV1
   metadata:
@@ -24,7 +24,7 @@ items:
   spec:
     severity: high
     match:
-      target: ["organization/*"]
+      ancestries: ["organization/*"]
     parameters:
       rules:
         - direction: "INGRESS"
@@ -41,8 +41,8 @@ items:
   spec:
     severity: high
     match:
-      target: ["organization/*"]
-      exclude: []
+      ancestries: ["organization/*"]
+      excludedAncestries: []
     parameters:
       mode: denylist
       assetType: bigquery.googleapis.com/Dataset

diff --git a/bundler/test-data/generate-docs/source/samples_templates.yaml b/bundler/test-data/generate-docs/source/samples_templates.yaml
@@ -23,7 +23,7 @@ items:
   spec:
     severity: high
     match:
-      target: ["organization/*"]
+      ancestries: ["organization/*"]
     parameters: {}
 # Templates
 - apiVersion: templates.gatekeeper.sh/v1alpha1
@@ -39,7 +39,7 @@ items:
           openAPIV3Schema:
             properties: {}
     targets:
-    validation.gcp.forsetisecurity.org:
+      - target: "validation.gcp.forsetisecurity.org"
         rego: | #INLINE("validator/always_violates.rego")
             #
             # Copyright 2018 Google LLC

diff --git a/bundler/test-data/policy-bundle-flat-export/sink/samples.yaml b/bundler/test-data/policy-bundle-flat-export/sink/samples.yaml
@@ -13,8 +13,8 @@ items:
   spec:
     severity: high
     match:
-      target: ["organization/*"]
-      exclude: [] # optional, default is no exclusions
+      ancestries: ["organization/*"]
+      excludedAncestries: [] # optional, default is no exclusions
     parameters: {}
 - apiVersion: constraints.gatekeeper.sh/v1alpha1
   kind: GCPRestrictedFirewallRulesConstraintV1
@@ -27,7 +27,7 @@ items:
   spec:
     severity: high
     match:
-      target: ["organization/*"]
+      ancestries: ["organization/*"]
     parameters:
       rules:
         - direction: "INGRESS"
@@ -46,8 +46,8 @@ items:
   spec:
     severity: high
     match:
-      target: ["organization/*"]
-      exclude: []
+      ancestries: ["organization/*"]
+      excludedAncestries: []
     parameters:
       mode: denylist
       assetType: bigquery.googleapis.com/Dataset

diff --git a/bundler/test-data/policy-bundle-flat-export/source/samples.yaml b/bundler/test-data/policy-bundle-flat-export/source/samples.yaml
@@ -13,8 +13,8 @@ items:
   spec:
     severity: high
     match:
-      target: ["organization/*"]
-      exclude: [] # optional, default is no exclusions
+      ancestries: ["organization/*"]
+      excludedAncestries: [] # optional, default is no exclusions
     parameters: {}
 - apiVersion: constraints.gatekeeper.sh/v1alpha1
   kind: GCPRestrictedFirewallRulesConstraintV1
@@ -27,7 +27,7 @@ items:
   spec:
     severity: high
     match:
-      target: ["organization/*"]
+      ancestries: ["organization/*"]
     parameters:
       rules:
         - direction: "INGRESS"
@@ -46,8 +46,8 @@ items:
   spec:
     severity: high
     match:
-      target: ["organization/*"]
-      exclude: []
+      ancestries: ["organization/*"]
+      excludedAncestries: []
     parameters:
       mode: denylist
       assetType: bigquery.googleapis.com/Dataset

diff --git a/bundler/test-data/policy-bundle/sink/samples.yaml b/bundler/test-data/policy-bundle/sink/samples.yaml
@@ -12,8 +12,8 @@ items:
   spec:
     severity: high
     match:
-      target: ["organization/*"]
-      exclude: [] # optional, default is no exclusions
+      ancestries: ["organization/*"]
+      excludedAncestries: [] # optional, default is no exclusions
     parameters: {}
 - apiVersion: constraints.gatekeeper.sh/v1alpha1
   kind: GCPRestrictedFirewallRulesConstraintV1
@@ -25,7 +25,7 @@ items:
   spec:
     severity: high
     match:
-      target: ["organization/*"]
+      ancestries: ["organization/*"]
     parameters:
       rules:
         - direction: "INGRESS"
@@ -43,8 +43,8 @@ items:
   spec:
     severity: high
     match:
-      target: ["organization/*"]
-      exclude: []
+      ancestries: ["organization/*"]
+      excludedAncestries: []
     parameters:
       mode: denylist
       assetType: bigquery.googleapis.com/Dataset

diff --git a/bundler/test-data/policy-bundle/source/samples.yaml b/bundler/test-data/policy-bundle/source/samples.yaml
@@ -12,8 +12,8 @@ items:
   spec:
     severity: high
     match:
-      target: ["organization/*"]
-      exclude: [] # optional, default is no exclusions
+      ancestries: ["organization/*"]
+      excludedAncestries: [] # optional, default is no exclusions
     parameters: {}
 - apiVersion: constraints.gatekeeper.sh/v1alpha1
   kind: GCPRestrictedFirewallRulesConstraintV1
@@ -25,7 +25,7 @@ items:
   spec:
     severity: high
     match:
-      target: ["organization/*"]
+      ancestries: ["organization/*"]
     parameters:
       rules:
         - direction: "INGRESS"
@@ -43,8 +43,8 @@ items:
   spec:
     severity: high
     match:
-      target: ["organization/*"]
-      exclude: []
+      ancestries: ["organization/*"]
+      excludedAncestries: []
     parameters:
       mode: denylist
       assetType: bigquery.googleapis.com/Dataset

diff --git a/docs/constraint_template_authoring.md b/docs/constraint_template_authoring.md
@@ -201,7 +201,7 @@ metadata:
 spec:
   severity: high
   match:
-    target: ["organizations/**"]
+    ancestries: ["organizations/**"]
   parameters:
     mode: "allowlist"
     instances:

diff --git a/docs/user_guide.md b/docs/user_guide.md
@@ -150,12 +150,12 @@ metadata:
 spec:
   severity: # low, medium, or high
   match:
-    target: [] # put the constraint application target here
-    exclude: [] # optional, default is no exclusions
+    ancestries: [] # put the constraint application ancestries here
+    excludedAncestries: [] # optional, default is no exclusions
   parameters: # put the parameters defined in constraint template here
 ```
 
-The <code><em>target</em></code> field is specified in a path-like format. It
+The <code><em>ancestries</em></code> field is specified in a path-like format. It
 specifies where in the GCP resources hierarchy the constraint is to be applied.
 For example:
 
@@ -198,8 +198,8 @@ For example:
   </tr>
 </table>
 
-The <code><em>exclude</em></code> field follows the same pattern and has
-precedence over the <code><em>target</em></code> field. If a resource is in
+The <code><em>excludedAncestries</em></code> field follows the same pattern and has
+precedence over the <code><em>ancestries</em></code> field. If a resource is in
 both, it will be excluded.
 
 The schema of the <code><em>parameters</em></code> field is defined in the
@@ -245,7 +245,7 @@ metadata:
 spec:
   severity: high
   match:
-    target: ["organizations/**"]
+    ancestries: ["organizations/**"]
   parameters:
     mode: "allowlist"
     instances:
@@ -310,7 +310,7 @@ metadata:
 spec:
   severity: high
   match:
-    target: ["organizations/**"]
+    ancestries: ["organizations/**"]
   parameters:
     domains:
       - gserviceaccount.com
@@ -376,7 +376,7 @@ metadata:
 spec:
   severity: high
   match:
-    target: ["organizations/**"]
+    ancestries: ["organizations/**"]
   parameters:
     domains:
       - gserviceaccount.com

diff --git a/samples/allowed_resource_types.yaml b/samples/allowed_resource_types.yaml
@@ -7,7 +7,7 @@ metadata:
 spec:
   severity: high
   match:
-    target: # {"$ref":"#/definitions/io.k8s.cli.setters.target"}
+    ancestries:
     - "organizations/**"
   parameters:
     mode: "denylist"

diff --git a/samples/always_violates.yaml b/samples/always_violates.yaml
@@ -22,6 +22,6 @@ spec:
   constraintVersion: 0.1.0
   severity: high
   match:
-    target: # {"$ref":"#/definitions/io.k8s.cli.setters.target"}
+    ancestries:
     - "organizations/**"
   parameters: {}
diff --git a/samples/appengine_location.yaml b/samples/appengine_location.yaml
@@ -8,7 +8,7 @@ metadata:
 spec:
   severity: high
   match:
-    target: # {"$ref":"#/definitions/io.k8s.cli.setters.target"}
+    ancestries:
     - "organizations/**"
   parameters:
     locations:

diff --git a/samples/appengine_versions.yaml b/samples/appengine_versions.yaml
@@ -22,6 +22,6 @@ metadata:
       installed.
 spec:
   match:
-    target: # {"$ref":"#/definitions/io.k8s.cli.setters.target"}
+    ancestries:
     - "organizations/**"
   parameters: {}
diff --git a/samples/bigquery_cmek.yaml b/samples/bigquery_cmek.yaml
@@ -7,6 +7,6 @@ metadata:
 spec:
   severity: high
   match:
-    target: # {"$ref":"#/definitions/io.k8s.cli.setters.target"}
+    ancestries:
     - "organizations/**"
   parameters: {}
diff --git a/samples/bigquery_table_retention.yaml b/samples/bigquery_table_retention.yaml
@@ -21,7 +21,7 @@ metadata:
 spec:
   severity: high
   match:
-    target: # {"$ref":"#/definitions/io.k8s.cli.setters.target"}
+    ancestries:
     - "organizations/**"
   parameters:
     minimum_retention_days: 100

diff --git a/samples/cmek_rotation.yaml b/samples/cmek_rotation.yaml
@@ -24,7 +24,7 @@ metadata:
 spec:
   severity: high
   match:
-    target: # {"$ref":"#/definitions/io.k8s.cli.setters.target"}
+    ancestries:
     - "organizations/**"
   parameters:
     # Optionally specify the required key rotation period.  Default is 365 days

diff --git a/samples/cmek_rotation_100_days.yaml b/samples/cmek_rotation_100_days.yaml
@@ -23,7 +23,7 @@ metadata:
 spec:
   severity: high
   match:
-    target: # {"$ref":"#/definitions/io.k8s.cli.setters.target"}
+    ancestries:
     - "organizations/**"
   parameters:
     # Optionally specify the required key rotation period.  Default is 365 days

diff --git a/samples/cmek_settings.yaml b/samples/cmek_settings.yaml
@@ -22,7 +22,7 @@ metadata:
 spec:
   severity: high
   match:
-    target: # {"$ref":"#/definitions/io.k8s.cli.setters.target"}
+    ancestries:
     - "organizations/**"
   parameters:
     # Optionally specify the required key rotation period.  Default is 365 days

diff --git a/samples/compute_allowed_networks.yaml b/samples/compute_allowed_networks.yaml
@@ -21,8 +21,8 @@ metadata:
 spec:
   severity: high
   match:
-    target: # {"$ref":"#/definitions/io.k8s.cli.setters.target"}
-    - "organizations/**"
+    ancestries:
+      - "organizations/**"
   parameters:
     allowed:
     - https://www.googleapis.com/compute/v1/projects/vpc-sc-pub-sub-billing-alerts/global/networks/default1
diff --git a/samples/compute_block_ssh_keys.yaml b/samples/compute_block_ssh_keys.yaml
@@ -22,5 +22,5 @@ metadata:
 spec:
   severity: high
   match:
-    target: ["organization/*"]
+    ancestries: ["organization/*"]
   parameters: {}
diff --git a/samples/compute_enable_oslogin_project.yaml b/samples/compute_enable_oslogin_project.yaml
@@ -22,5 +22,5 @@ metadata:
 spec:
   severity: high
   match:
-    target: ["organization/*"]
+      ancestries: ["organization/*"]
   parameters: {}
diff --git a/samples/dataproc_location.yaml b/samples/dataproc_location.yaml
@@ -23,7 +23,7 @@ metadata:
 spec:
   severity: high
   match:
-    target: # {"$ref":"#/definitions/io.k8s.cli.setters.target"}
+    ancestries:
     - "organizations/**"
   parameters:
     locations:

diff --git a/samples/enforce_label.yaml b/samples/enforce_label.yaml
@@ -22,7 +22,7 @@ metadata:
 spec:
   severity: high
   match:
-    target: # {"$ref":"#/definitions/io.k8s.cli.setters.target"}
+    ancestries:
     - "organizations/**"
   parameters:
     # required parameter: list of label objects that resources should have.