google · mikouaj · Oct 18, 2023 · Oct 15, 2023
diff --git a/.github/workflows/policy-test.yml b/.github/workflows/policy-test.yml
@@ -31,12 +31,17 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Setup OPA
         uses: open-policy-agent/setup-opa@v2
         with:
           version: 0.55
       - name: Run Policy tests - v1 policies
         run: opa test ${{ env.GKE_POLICY_DIRECTORY_V1 }} -v
       - name: Run Policy tests - v2 policies
-        run: opa test ${{ env.GKE_POLICY_DIRECTORY_V2 }} -v
+        run: opa test ${{ env.GKE_POLICY_DIRECTORY_V2 }} -v
+      - name: Setup Regal
+        uses: StyraInc/[email protected]
+        with:
+          version: v0.10.1
+      - run: regal lint --format github ${{ env.GKE_POLICY_DIRECTORY_V2 }}
diff --git a/.regal/config.yaml b/.regal/config.yaml
@@ -0,0 +1,32 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+rules:
+  idiomatic:
+    no-defined-entrypoint:
+      # not applicable to this project
+      level: ignore
+  style:
+    detached-metadata:
+      # style preference only
+      level: ignore
+    line-length:
+      level: ignore
+    opa-fmt:
+      level: ignore
+    prefer-some-in-iteration:
+      level: ignore
+  testing:
+    test-outside-test-package:
+      level: ignore
diff --git a/gke-policies-v2/AUTHORING.md b/gke-policies-v2/AUTHORING.md
@@ -76,7 +76,7 @@ Below is an example of a valid GKE Policy file.
 #   group: Security
 package gke.policy.control_plane_access
 
-default valid = false
+default valid := false
 
 valid {
   count(violation) == 0

diff --git a/gke-policies-v2/policy/autopilot_cluster.rego b/gke-policies-v2/policy/autopilot_cluster.rego
@@ -19,15 +19,15 @@
 #   group: Management
 #   severity: Medium
 #   recommendation: >
-#     Autopilot mode (recommended): GKE manages the underlying infrastructure such as node configuration, 
+#     Autopilot mode (recommended): GKE manages the underlying infrastructure such as node configuration,
 #     autoscaling, auto-upgrades, baseline security configurations, and baseline networking configuration.
 #   externalURI: https://cloud.google.com/kubernetes-engine/docs/concepts/choose-cluster-mode
 #   sccCategory: AUTOPILOT_DISABLED
 #   dataSource: gke
 
 package gke.policy.autopilot
 
-default valid = false
+default valid := false
 
 valid {
 	count(violation) == 0

diff --git a/gke-policies-v2/policy/cluster_binary_authorization.rego b/gke-policies-v2/policy/cluster_binary_authorization.rego
@@ -31,7 +31,7 @@
 
 package gke.policy.cluster_binary_authorization
 
-default valid = false
+default valid := false
 
 valid {
   count(violation) == 0

diff --git a/gke-policies-v2/policy/cluster_gce_csi_driver.rego b/gke-policies-v2/policy/cluster_gce_csi_driver.rego
@@ -28,7 +28,7 @@
 
 package gke.policy.cluster_gce_csi_driver
 
-default valid = false
+default valid := false
 
 valid {
   count(violation) == 0

diff --git a/gke-policies-v2/policy/cluster_gce_csi_driver_test.rego b/gke-policies-v2/policy/cluster_gce_csi_driver_test.rego
@@ -18,7 +18,7 @@ test_gce_csi_driver_addon_empty {
     not valid with input as {"data": {"gke": {"name":"cluster-demo","addons_config":{"gce_persistent_disk_csi_driver_config":{}}}}}
 }
 
-test_gce_csi_driver_addon_empty {
+test_gce_csi_driver_addon_disabled {
     not valid with input as {"data": {"gke": {"name":"cluster-demo","addons_config":{"gce_persistent_disk_csi_driver_config":{"enabled":false}}}}}
 }
 

diff --git a/gke-policies-v2/policy/cluster_maintenance_window.rego b/gke-policies-v2/policy/cluster_maintenance_window.rego
@@ -30,7 +30,7 @@
 
 package gke.policy.cluster_maintenance_window
 
-default valid = false
+default valid := false
 
 valid {
   count(violation) == 0

diff --git a/gke-policies-v2/policy/cluster_receive_updates.rego b/gke-policies-v2/policy/cluster_receive_updates.rego
@@ -30,16 +30,18 @@
 
 package gke.policy.cluster_receive_updates
 
-default valid = false
+default valid := false
 
 valid {
   count(violation) == 0
 }
 
 violation[msg] {
-  not input.data.gke.notification_config.pubsub.enabled 
+  not input.data.gke.notification_config.pubsub.enabled
   msg := "Pub/Sub notifications are not enabled"
-} {
-  not input.data.gke.notification_config.pubsub.topic 
+}
+
+violation[msg] {
+  not input.data.gke.notification_config.pubsub.topic
   msg := "Pub/Sub topic is not configured"
 }
diff --git a/gke-policies-v2/policy/cluster_release_channels.rego b/gke-policies-v2/policy/cluster_release_channels.rego
@@ -32,13 +32,13 @@
 
 package gke.policy.cluster_release_channels
 
-default valid = false
+default valid := false
 
 valid {
   count(violation) == 0
 }
 
 violation[msg] {
-  not input.data.gke.release_channel.channel  
+  not input.data.gke.release_channel.channel
   msg := "GKE cluster is not enrolled in release channel"
 }
diff --git a/gke-policies-v2/policy/control_plane_access.rego b/gke-policies-v2/policy/control_plane_access.rego
@@ -33,23 +33,23 @@
 
 package gke.policy.control_plane_access
 
-default valid = false
+default valid := false
 
 valid {
   count(violation) == 0
 }
 
 violation[msg] {
   not input.data.gke.master_authorized_networks_config.enabled
-  msg := "GKE cluster has not enabled master authorized networks configuration" 
+  msg := "GKE cluster has not enabled master authorized networks configuration"
 }
 
 violation[msg] {
   not input.data.gke.master_authorized_networks_config.cidr_blocks
-  msg := "GKE cluster's master authorized networks has no CIDR blocks element" 
+  msg := "GKE cluster's master authorized networks has no CIDR blocks element"
 }
 
 violation[msg] {
   count(input.data.gke.master_authorized_networks_config.cidr_blocks) < 1
-  msg := "GKE cluster's master authorized networks has no CIDR blocks defined" 
+  msg := "GKE cluster's master authorized networks has no CIDR blocks defined"
 }
diff --git a/gke-policies-v2/policy/control_plane_disable_legacy_authorization.rego b/gke-policies-v2/policy/control_plane_disable_legacy_authorization.rego
@@ -31,7 +31,7 @@
 
 package gke.policy.disable_legacy_authorization
 
-default valid = false
+default valid := false
 
 valid {
 	count(violation) == 0

diff --git a/gke-policies-v2/policy/control_plane_endpoint.rego b/gke-policies-v2/policy/control_plane_endpoint.rego
@@ -31,13 +31,13 @@
 
 package gke.policy.control_plane_endpoint
 
-default valid = false
+default valid := false
 
 valid {
   count(violation) == 0
 }
 
 violation[msg] {
   not input.data.gke.private_cluster_config.enable_private_endpoint
-  msg := "GKE cluster has not enabled private endpoint" 
+  msg := "GKE cluster has not enabled private endpoint"
 }
diff --git a/gke-policies-v2/policy/control_plane_redundancy.rego b/gke-policies-v2/policy/control_plane_redundancy.rego
@@ -27,9 +27,9 @@
 
 package gke.policy.control_plane_redundancy
 
-import data.gke.rule.cluster.location.regional
+import data.gke.rule.cluster.location
 
-default valid = false
+default valid := false
 
 valid {
   count(violation) == 0
@@ -41,6 +41,6 @@ violation[msg] {
 }
 
 violation[msg] {
-  not regional(input.data.gke.location)
+  not location.regional(input.data.gke.location)
   msg := sprintf("Invalid GKE Control plane location %q (not regional)", [input.data.gke.location])
 }
diff --git a/gke-policies-v2/policy/ilb_subsetting.rego b/gke-policies-v2/policy/ilb_subsetting.rego
@@ -28,7 +28,7 @@
 
 package gke.policy.enable_ilb_subsetting
 
-default valid = false
+default valid := false
 
 valid {
 	count(violation) == 0

diff --git a/gke-policies-v2/policy/monitoring_and_logging.rego b/gke-policies-v2/policy/monitoring_and_logging.rego
@@ -35,7 +35,7 @@
 
 package gke.policy.logging_and_monitoring
 
-default valid = false
+default valid := false
 
 valid {
 	count(violation) == 0

diff --git a/gke-policies-v2/policy/nap_forbid_default_sa.rego b/gke-policies-v2/policy/nap_forbid_default_sa.rego
@@ -32,7 +32,7 @@
 
 package gke.policy.nap_forbid_default_sa
 
-default valid = false
+default valid := false
 
 valid {
 	count(violation) == 0

diff --git a/gke-policies-v2/policy/nap_forbid_single_zone.rego b/gke-policies-v2/policy/nap_forbid_single_zone.rego
@@ -31,7 +31,7 @@
 
 package gke.policy.nap_forbid_single_zone
 
-default valid = false
+default valid := false
 
 valid {
 	count(violation) == 0

diff --git a/gke-policies-v2/policy/nap_integrity_monitoring.rego b/gke-policies-v2/policy/nap_integrity_monitoring.rego
@@ -36,7 +36,7 @@
 
 package gke.policy.nap_integrity_monitoring
 
-default valid = false
+default valid := false
 
 valid {
 	count(violation) == 0
@@ -45,6 +45,6 @@ valid {
 violation[msg] {
 	input.data.gke.autoscaling.enable_node_autoprovisioning == true
 	input.data.gke.autoscaling.autoprovisioning_node_pool_defaults.shielded_instance_config.enable_integrity_monitoring == false
-	
+
 	msg := "GKE cluster Node Auto-Provisioning configuration use integrity monitoring"
 }
diff --git a/gke-policies-v2/policy/nap_use_cos.rego b/gke-policies-v2/policy/nap_use_cos.rego
@@ -33,7 +33,7 @@ package gke.policy.nap_use_cos
 
 import future.keywords.in
 
-default valid = false
+default valid := false
 
 valid {
 	count(violation) == 0
@@ -42,6 +42,6 @@ valid {
 violation[msg] {
 	input.data.gke.autoscaling.enable_node_autoprovisioning == true
 	not lower(input.data.gke.autoscaling.autoprovisioning_node_pool_defaults.image_type) in { "cos", "cos_containerd"}
-	
+
 	msg := "GKE cluster Node Auto-Provisioning configuration use Container-Optimized OS"
 }
diff --git a/gke-policies-v2/policy/network_policies.rego b/gke-policies-v2/policy/network_policies.rego
@@ -31,7 +31,7 @@
 
 package gke.policy.network_policies_engine
 
-default valid = false
+default valid := false
 
 valid {
 	count(violation) == 0

diff --git a/gke-policies-v2/policy/node_local_dns_cache.rego b/gke-policies-v2/policy/node_local_dns_cache.rego
@@ -28,7 +28,7 @@
 
 package gke.policy.node_local_dns_cache
 
-default valid = false
+default valid := false
 
 valid {
 	count(violation) == 0

diff --git a/gke-policies-v2/policy/node_pool_autorepair.rego b/gke-policies-v2/policy/node_pool_autorepair.rego
@@ -32,15 +32,14 @@
 
 package gke.policy.node_pool_autorepair
 
-default valid = false
+default valid := false
 
 valid {
   count(violation) == 0
 }
 
-violation[msg] {  
+violation[msg] {
+  some pool
   not input.data.gke.node_pools[pool].management.auto_repair
   msg := sprintf("autorepair not set for GKE node pool %q", [input.data.gke.node_pools[pool].name])
-} 
-
-
+}
diff --git a/gke-policies-v2/policy/node_pool_autoscaling.rego b/gke-policies-v2/policy/node_pool_autoscaling.rego
@@ -30,13 +30,14 @@
 
 package gke.policy.node_pool_autoscaling
 
-default valid = false
+default valid := false
 
 valid {
   count(violation) == 0
 }
 
 violation[msg] {
+  some pool
   not input.data.gke.node_pools[pool].autoscaling.enabled
   msg := sprintf("Node pool %q does not have autoscaling configured.", [input.data.gke.node_pools[pool].name])
-}
+}
diff --git a/gke-policies-v2/policy/node_pool_autoupgrade.rego b/gke-policies-v2/policy/node_pool_autoupgrade.rego
@@ -32,14 +32,14 @@
 
 package gke.policy.node_pool_autoupgrade
 
-default valid = false
+default valid := false
 
 valid {
   count(violation) == 0
 }
 
 violation[msg] {
+  some pool
   not input.data.gke.node_pools[pool].management.auto_upgrade
   msg := sprintf("autoupgrade not set for GKE node pool %q", [input.data.gke.node_pools[pool].name])
-} 
-
+}
diff --git a/gke-policies-v2/policy/node_pool_forbid_default_sa.rego b/gke-policies-v2/policy/node_pool_forbid_default_sa.rego
@@ -32,14 +32,15 @@
 
 package gke.policy.node_pool_forbid_default_sa
 
-default valid = false
+default valid := false
 
 valid {
 	count(violation) == 0
 }
 
 violation[msg] {
 	not input.data.gke.autopilot.enabled
+	some pool
 	input.data.gke.node_pools[pool].config.service_account == "default"
 	msg := sprintf("GKE cluster node_pool %q should have a dedicated SA", [input.data.gke.node_pools[pool].name])
 }