Update default FAST org policies (#3207)

2025-07-02 15:53:58 +02:00
parent 44823bc6f1
commit 7e20abc19d
9 changed files with 159 additions and 9 deletions
--- a/fast/stages/0-bootstrap/data/org-policies-managed/gke.yaml
+++ b/fast/stages/0-bootstrap/data/org-policies-managed/gke.yaml
@@ -21,3 +21,11 @@
 # custom.disableKubeletReadOnlyPort:
 #   rules:
 #     - enforce: true
+
+container.managed.enablePrivateNodes:
+  rules:
+    - enforce: true
+
+# container.managed.enableControlPlaneDNSOnlyAccess:
+#   rules:
+#     - enforce: true
--- a/fast/stages/0-bootstrap/data/org-policies-managed/iam.yaml
+++ b/fast/stages/0-bootstrap/data/org-policies-managed/iam.yaml
@@ -50,6 +50,10 @@ iam.managed.disableServiceAccountKeyUpload:
  rules:
    - enforce: true

+iam.managed.disableServiceAccountApiKeyCreation:
+  rules:
+    - enforce: true
+
 iam.serviceAccountKeyExposureResponse:
  rules:
    - allow:
--- a/fast/stages/0-bootstrap/data/org-policies/gke.yaml
+++ b/fast/stages/0-bootstrap/data/org-policies/gke.yaml
@@ -21,3 +21,11 @@
 # custom.disableKubeletReadOnlyPort:
 #   rules:
 #     - enforce: true
+
+container.managed.enablePrivateNodes:
+  rules:
+    - enforce: true
+
+# container.managed.enableControlPlaneDNSOnlyAccess:
+#   rules:
+#     - enforce: true
--- a/fast/stages/0-bootstrap/data/org-policies/iam.yaml
+++ b/fast/stages/0-bootstrap/data/org-policies/iam.yaml
@@ -34,11 +34,11 @@ iam.allowedPolicyMemberDomains:
        expression: |
          resource.matchTag('${tags.org_policies_tag_name}', 'allowed-policy-member-domains-all')

-iam.automaticIamGrantsForDefaultServiceAccounts:
+iam.disableAuditLoggingExemption:
  rules:
    - enforce: true

-iam.disableAuditLoggingExemption:
+iam.automaticIamGrantsForDefaultServiceAccounts:
  rules:
    - enforce: true

@@ -50,6 +50,10 @@ iam.disableServiceAccountKeyUpload:
  rules:
    - enforce: true

+iam.managed.disableServiceAccountApiKeyCreation:
+  rules:
+    - enforce: true
+
 iam.serviceAccountKeyExposureResponse:
  rules:
    - allow: