diff --git a/.rubocop.yml b/.rubocop.yml index a1e1dda79..880ff84a2 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -44,6 +44,8 @@ Style/PercentLiteralDelimiters: '%x': () Layout/AlignHash: Enabled: false +Layout/EmptyLineAfterGuardClause: + Enabled: false Naming/PredicateName: Enabled: false Style/ClassAndModuleChildren: diff --git a/docs/resources/google_container_clusters.md b/docs/resources/google_container_clusters.md index 2d3ef6c86..4250a93bd 100644 --- a/docs/resources/google_container_clusters.md +++ b/docs/resources/google_container_clusters.md @@ -20,7 +20,7 @@ A `google_container_clusters` resource block collects GCP clusters by project an Use this InSpec resource to enumerate IDs then test in-depth using `google_container_cluster`. google_container_clusters(project: 'chef-inspec-gcp', zone: 'europe-west2-a').cluster_names.each do |cluster_name| - describe google_container_cluster(project: 'chef-inspec-gcp', cluster: cluster_name) do + describe google_container_cluster(project: 'chef-inspec-gcp', zone: 'europe-west2-a', name: cluster_name) do it { should exist } end end @@ -62,11 +62,12 @@ The following examples show how to use this InSpec audit resource. ## Filter Criteria -This resource supports the following filter criteria: `cluster_name` and `cluster_status`. Any of these may be used with `where`, as a block or as a method. +This resource supports the following filter criteria: `cluster_name`, `cluster_subnetwork`, and `cluster_status`. Any of these may be used with `where`, as a block or as a method. ## Properties * `cluster_names` - an array of google_container_cluster name strings +* `cluster_subnetworks` - an array of google_compute_subnetwork name strings * `cluster_statuses`- an array of google_container_cluster status strings
diff --git a/libraries/google_container_cluster.rb b/libraries/google_container_cluster.rb index 8b5e8174a..11a688535 100644 --- a/libraries/google_container_cluster.rb +++ b/libraries/google_container_cluster.rb @@ -1,7 +1,7 @@ # frozen_string_literal: true require 'gcp_backend' -require 'google/apis/container_v1' +require 'google/apis/container_v1beta1' module Inspec::Resources class GoogleContainerCluster < GcpResourceBase 
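Review bot: Switching the require and the client to `Google::Apis::ContainerV1beta1::ContainerService` binds this resource to a non-GA API surface that can change without notice, while `google_container_node_pool` in the same change stays on `ContainerV1`, so the two resources can disagree on which fields exist. The swap is presumably motivated by `pod_security_policy_config`, which I believe is only exposed on the beta surface; that rationale is not recorded anywhere. A one-line comment at the require would help the next maintainer, e.g. `# v1beta1 rather than v1: pod_security_policy_config is only available on the beta API`. The class body continues past this hunk.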
@@ -21,11 +21,81 @@ def initialize(opts = {}) super(opts) @display_name = opts[:name] catch_gcp_errors do - @cluster = @gcp.gcp_client(Google::Apis::ContainerV1::ContainerService).get_zone_cluster(opts[:project], opts[:zone], opts[:name]) + @cluster = @gcp.gcp_client(Google::Apis::ContainerV1beta1::ContainerService).get_zone_cluster(opts[:project], opts[:zone], opts[:name]) create_resource_methods(@cluster) end end + def has_logging_enabled? + return false if !defined?(@cluster.logging_service) + return false if @cluster.logging_service.nil? + return true if @cluster.logging_service == 'logging.googleapis.com' + false + end + + def has_monitoring_enabled? + return false if !defined?(@cluster.monitoring_service) + return false if @cluster.monitoring_service.nil? + return true if @cluster.monitoring_service == 'monitoring.googleapis.com' + false + end + + def has_legacy_abac_disabled? + return nil if !defined?(@cluster.legacy_abac) + return true if @cluster.legacy_abac.to_h.empty? + false + end + + def has_master_authorized_networks_enabled? + return false if !defined?(@cluster.master_authorized_networks_config) + return false if @cluster.master_authorized_networks_config.to_h.empty? + return true if @cluster.master_authorized_networks_config.to_h=={ 'enabled': true } + false + end + + def has_resource_labels? + return false if !defined?(@cluster.resource_labels) + return false if @cluster.resource_labels.to_h.empty? + true + end + + def has_kubernetes_dashboard_disabled? + return false if !defined?(@cluster.addons_config.kubernetes_dashboard) + return false if @cluster.addons_config.kubernetes_dashboard.to_h.empty? + return true if @cluster.addons_config.kubernetes_dashboard.to_h=={ 'disabled': true } + false + end + + def has_basic_authorization? + return false if @cluster.master_auth.username.nil? and @cluster.master_auth.password.nil? + true + end + + def has_network_policy_enabled? 
+ return false if !defined?(@cluster.network_policy.enabled) + return true if @cluster.network_policy.enabled==true + false + end + + def has_master_auth_client_key? + return false if !defined?(@cluster.master_auth.client_key) + return false if @cluster.master_auth.client_key.nil? + return false if @cluster.master_auth.client_key=='' + true + end + + def has_ip_alias_enabled? + return false if !defined?(@cluster.ip_allocation_policy.use_ip_aliases) + return true if @cluster.ip_allocation_policy.use_ip_aliases==true + false + end + + def has_pod_security_policy_config? + return false if !defined?(@cluster.pod_security_policy_config.enabled) + return true if @cluster.pod_security_policy_config.enabled==true + false + end + def exists? !@cluster.nil? end diff --git a/libraries/google_container_clusters.rb b/libraries/google_container_clusters.rb index 593bf661a..0d410fc3c 100644 --- a/libraries/google_container_clusters.rb +++ b/libraries/google_container_clusters.rb @@ -25,6 +25,7 @@ def initialize(opts = {}) filter_table_config = FilterTable.create filter_table_config.add(:cluster_names, field: :cluster_name) filter_table_config.add(:cluster_statuses, field: :cluster_status) + filter_table_config.add(:cluster_subnetworks, field: :cluster_subnetwork) filter_table_config.connect(self, :fetch_data) def fetch_data @@ -36,7 +37,8 @@ def fetch_data return [] if !@clusters || !@clusters.clusters @clusters.clusters.map do |cluster| cluster_rows+=[{ cluster_name: cluster.name, - cluster_status: cluster.status }] + cluster_status: cluster.status, + cluster_subnetwork: cluster.subnetwork }] end @table = cluster_rows end diff --git a/libraries/google_container_node_pool.rb b/libraries/google_container_node_pool.rb index 3b849fa4e..a8aa982eb 100644 --- a/libraries/google_container_node_pool.rb +++ b/libraries/google_container_node_pool.rb 
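Review bot: `has_master_authorized_networks_enabled?` compares the whole config hash with `{ 'enabled': true }`, so a cluster that enables master authorized networks and also lists `cidr_blocks` (the usual hardened setup) is reported as disabled; test the field instead, `return true if @cluster.master_authorized_networks_config.enabled == true`. `has_basic_authorization?` only treats `nil` as absent and is the one predicate with no `defined?`/nil guard on `master_auth`, so if the API returns empty strings for `username`/`password` when basic auth is off (I believe it does; worth confirming) the check yields a false positive, and a missing `master_auth` raises NoMethodError; `return false if @cluster.master_auth.nil?` followed by `.to_s.empty?` checks on both fields, joined with `&&` rather than `and`, would close both gaps. `has_logging_enabled?` and `has_monitoring_enabled?` accept only the bare `logging.googleapis.com`/`monitoring.googleapis.com` values, so clusters on the `.../kubernetes` Stackdriver variants would be flagged as having logging or monitoring disabled — a `start_with?` or an explicit allow-list of both values would avoid that false negative. The class body continues past this hunk.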
@@ -18,13 +18,40 @@ class GoogleContainerNodePool < GcpResourceBase def initialize(opts = {}) # Call the parent class constructor super(opts) - @display_name = opts[:name] + @display_name = opts[:nodepool_name] catch_gcp_errors do @nodepool = @gcp.gcp_client(Google::Apis::ContainerV1::ContainerService).get_project_zone_cluster_node_pool(opts[:project], opts[:zone], opts[:cluster_name], opts[:nodepool_name]) create_resource_methods(@nodepool) end end + def has_automatic_node_repair? + return false if !defined?(@nodepool.management.auto_repair) + return false if @nodepool.management.auto_repair.nil? + @nodepool.management.auto_repair + end + + def has_automatic_node_upgrade? + return false if !defined?(@nodepool.management.auto_upgrade) + return false if @nodepool.management.auto_upgrade.nil? + @nodepool.management.auto_upgrade + end + + def config_image_type + return false if !defined?(@nodepool.config.image_type) + @nodepool.config.image_type + end + + def config_service_account + return false if !defined?(@nodepool.config.service_account) + @nodepool.config.service_account + end + + def config_oauth_scopes + return false if !defined?(@nodepool.config.oauth_scopes) + @nodepool.config.oauth_scopes + end + def exists? !@nodepool.nil? end
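Review bot: `config_image_type`, `config_service_account` and `config_oauth_scopes` return `false` when the accessor is missing, so a control such as `its('config_service_account') { should_not eq 'default' }` passes silently on a node pool whose config could not be read; returning `nil` would make the missing data visible and match what the methods already return when the field is present but unset, e.g. `return nil if !defined?(@nodepool.config.service_account)`. Note that `defined?` on the accessor is truthy as soon as the method exists, so a `nil` field already falls through and is returned as `nil`, which makes the `false` branch both rare and inconsistent. If the API omits `serviceAccount` when the default compute service account is in use (worth confirming), callers checking for the default would also benefit from a doc comment stating that an absent value means "default", e.g. `# nil means the node pool runs as the default compute service account — confirm against the API`.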