Inspec Portefaix
Instructions for checking the Portefaix infrastructure on GCP
InSpec is used to check the infrastructure:
❯ make -f hack/build/gcp.mk inspec-debug
Test infrastructure
────────────────────────────── Platform Details ──────────────────────────────
Name: gcp
Families: cloud, api
Release: google-api-client-v0.34.1
Execute tests:
❯ make -f hack/build/gcp.mk inspec-test SERVICE=iac/gcp/<SERVICE> ENV=dev
You can upload the JSON results file to Heimdall Lite to display the results.
CIS Kubernetes Benchmark
❯ make -f hack/build/gcp.mk inspec-gcp-kubernetes ENV=dev
GCP CIS
You can perform tests according to the GCP CIS benchmark:
❯ make -f hack/build/gcp.mk inspec-cis ENV=dev
VPC
❯ make -f hack/build/gcp.mk inspec-test SERVICE=iac/gcp/vpc ENV=dev

| Code | Description |
|------|-------------|
| vpc-1 | Ensure default network is deleted |
| vpc-2 | Ensure network is correctly configured |
GKE
❯ make -f hack/build/gcp.mk gcp-inspec-test SERVICE=iac/gcp/gke ENV=dev

| Code | Description |
|------|-------------|
| gke-1 | Stackdriver Logging and Monitoring is configured |
| gke-2 | Basic Authentication is disabled |
| gke-3 | Ensure GKE Nodes are not public |
| gke-4 | Ensure the GKE Control Plane is not public |
| gke-5 | Ensure the Network Policy managed addon is enabled |
| gke-6 | Ensure OAuth Access Scopes and dedicated Service Accounts for node pools |
| gke-7 | Ensure GKE Node Pools use the COS or COS_CONTAINERD Operating System |
| gke-8 | GKE Workload Identity should be enabled on all node pools |
| gke-9 | GKE Shielded Nodes should be enabled on all NodePools |
| gke-10 | Ensure instances have labels |
| gke-11 | Ensure instances have tags |
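The gke-* controls above each map to one or two fields of the cluster object that the GKE API returns. The following Ruby script is an added example (not Portefaix's own InSpec controls) that evaluates a constructed cluster description against the same eleven checks, so the intent of each control can be read as code. The JSON field names (`privateClusterConfig`, `masterAuth`, `workloadMetadataConfig`, `shieldedInstanceConfig`, ...) follow the public GKE v1 API as I know it and are an assumption; the sample cluster, its project id and its node pools are constructed and deliberately fail several checks.

```ruby
require 'json'

# Constructed sample shaped like a GKE v1 API cluster object (field names are an
# assumption based on the public API, not output captured from Portefaix).
# The "legacy" node pool is deliberately non-compliant with several checks.
SAMPLE_CLUSTER_JSON = <<~JSON
  {
    "name": "portefaix-dev",
    "loggingService": "logging.googleapis.com/kubernetes",
    "monitoringService": "monitoring.googleapis.com/kubernetes",
    "masterAuth": { "username": "admin" },
    "privateClusterConfig": { "enablePrivateNodes": true, "enablePrivateEndpoint": false },
    "networkPolicy": { "enabled": true },
    "addonsConfig": { "networkPolicyConfig": { "disabled": false } },
    "workloadIdentityConfig": { "workloadPool": "example-project.svc.id.goog" },
    "shieldedNodes": { "enabled": true },
    "resourceLabels": { "env": "dev", "service": "gke" },
    "nodePools": [
      { "name": "core", "config": {
          "imageType": "COS_CONTAINERD",
          "serviceAccount": "gke-nodes@example-project.iam.gserviceaccount.com",
          "oauthScopes": ["https://www.googleapis.com/auth/cloud-platform"],
          "workloadMetadataConfig": { "mode": "GKE_METADATA" },
          "shieldedInstanceConfig": { "enableSecureBoot": true },
          "tags": ["gke-node"] } },
      { "name": "legacy", "config": {
          "imageType": "UBUNTU",
          "serviceAccount": "default",
          "oauthScopes": ["https://www.googleapis.com/auth/cloud-platform"],
          "workloadMetadataConfig": { "mode": "GCE_METADATA" },
          "shieldedInstanceConfig": { "enableSecureBoot": false },
          "tags": [] } }
    ]
  }
JSON

# Apply a per-node-pool predicate. The block receives the pool's "config" and
# returns a finding string, or nil when that pool is compliant.
def per_pool(cluster)
  (cluster['nodePools'] || []).map do |pool|
    msg = yield(pool['config'] || {})
    msg && "node pool #{pool['name']}: #{msg}"
  end.compact
end

# One lambda per control code from the table; each returns a list of findings
# (empty when the cluster is compliant with that control).
GKE_RULES = {
  'gke-1' => lambda { |c|
    f = []
    f << 'loggingService is not Cloud Logging' unless c['loggingService'].to_s.start_with?('logging.googleapis.com')
    f << 'monitoringService is not Cloud Monitoring' unless c['monitoringService'].to_s.start_with?('monitoring.googleapis.com')
    f
  },
  'gke-2' => ->(c) { c.dig('masterAuth', 'username').to_s.empty? ? [] : ['basic authentication enabled (masterAuth.username set)'] },
  'gke-3' => ->(c) { c.dig('privateClusterConfig', 'enablePrivateNodes') == true ? [] : ['nodes have public IP addresses'] },
  'gke-4' => ->(c) { c.dig('privateClusterConfig', 'enablePrivateEndpoint') == true ? [] : ['control plane endpoint is public'] },
  'gke-5' => lambda { |c|
    ok = c.dig('networkPolicy', 'enabled') == true && c.dig('addonsConfig', 'networkPolicyConfig', 'disabled') == false
    ok ? [] : ['network policy addon is not enabled']
  },
  'gke-6' => lambda { |c|
    per_pool(c) { |cfg|
      sa = cfg['serviceAccount'].to_s
      if sa.empty? || sa == 'default'
        'uses the default Compute Engine service account'
      elsif Array(cfg['oauthScopes']).empty?
        'no OAuth access scopes configured'
      end
    }
  },
  'gke-7' => ->(c) { per_pool(c) { |cfg| %w[COS COS_CONTAINERD].include?(cfg['imageType']) ? nil : "image type #{cfg['imageType']} is not COS/COS_CONTAINERD" } },
  'gke-8' => lambda { |c|
    pools = per_pool(c) { |cfg| cfg.dig('workloadMetadataConfig', 'mode') == 'GKE_METADATA' ? nil : 'workload identity (GKE_METADATA) not enabled' }
    c.dig('workloadIdentityConfig', 'workloadPool').to_s.empty? ? pools + ['cluster has no workload identity pool'] : pools
  },
  'gke-9' => lambda { |c|
    pools = per_pool(c) { |cfg| cfg.dig('shieldedInstanceConfig', 'enableSecureBoot') == true ? nil : 'secure boot disabled' }
    c.dig('shieldedNodes', 'enabled') == true ? pools : pools + ['shieldedNodes.enabled is false']
  },
  'gke-10' => ->(c) { (c['resourceLabels'] || {}).empty? ? ['cluster has no labels'] : [] },
  'gke-11' => ->(c) { per_pool(c) { |cfg| Array(cfg['tags']).empty? ? 'no network tags' : nil } }
}.freeze

# Evaluate every rule: returns { code => [findings] } for all controls.
def gke_findings(cluster)
  GKE_RULES.transform_values { |rule| rule.call(cluster) }
end

# Codes of the controls that have at least one finding.
def failed_controls(cluster)
  gke_findings(cluster).reject { |_, f| f.empty? }.keys
end

if __FILE__ == $PROGRAM_NAME
  cluster = JSON.parse(SAMPLE_CLUSTER_JSON)
  gke_findings(cluster).each do |code, findings|
    puts "#{findings.empty? ? 'PASS' : 'FAIL'} #{code}"
    findings.each { |f| puts "     - #{f}" }
  end
end
```

Feeding the script a real `gcloud container clusters describe --format=json` dump instead of the constructed sample gives a quick pre-check before the InSpec run; the report groups findings per control code so they line up with the table.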
Sops
❯ make -f hack/build/gcp.mk gcp-inspec-test SERVICE=iac/gcp/sops ENV=dev

| Code | Description |
|------|-------------|
| sops-1 | Ensure service account and IAM binding exist |
| sops-2 | Ensure that KMS key exists |
Observability
❯ make -f hack/build/gcp.mk gcp-inspec-test SERVICE=iac/gcp/observability ENV=dev

| Code | Description |
|------|-------------|
| grafana-1 | Ensure service account and IAM binding exist |
| prometheus-1 | Ensure service account and IAM binding exist |
| thanos-1 | Ensure service account and IAM binding exist |
| thanos-2 | Ensure that bucket exists and labels are correctly set |
| thanos-3 | Ensure that KMS key exists |
| loki-1 | Ensure service account and IAM binding exist |
| loki-2 | Ensure that bucket exists and labels are correctly set |
| loki-3 | Ensure that KMS key exists |
| tempo-1 | Ensure service account and IAM binding exist |
| tempo-2 | Ensure that bucket exists and labels are correctly set |
| tempo-3 | Ensure that KMS key exists |
Velero
❯ make -f hack/build/gcp.mk gcp-inspec-test SERVICE=iac/gcp/velero ENV=dev

| Code | Description |
|------|-------------|
| velero-1 | Ensure service account and IAM binding exist |
| velero-2 | Ensure that bucket exists and labels are correctly set |
| velero-3 | Ensure that KMS key exists |
Vector
❯ make -f hack/build/gcp.mk gcp-inspec-test SERVICE=iac/gcp/vector ENV=dev

| Code | Description |
|------|-------------|
| vector-1 | Ensure service account and IAM binding exist |
| vector-2 | Ensure that bucket exists and labels are correctly set |
| vector-3 | Ensure that KMS key exists |
External-DNS
❯ make -f hack/build/gcp.mk gcp-inspec-test SERVICE=iac/gcp/external-dns ENV=dev

| Code | Description |
|------|-------------|
| external_dns-1 | Ensure service account and IAM binding exist |
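The Sops, Observability, Velero, Vector and External-DNS tables all repeat one pattern of three checks per service: a dedicated service account with its IAM binding (`<service>-1`), a bucket carrying the expected labels (`<service>-2`) and an existing KMS key (`<service>-3`). The Ruby script below is an added example, not the project's InSpec code, that expresses that pattern once as a function and runs it over a constructed inventory. The project id, service account naming scheme, role, bucket names, label keys and KMS key path are all assumptions chosen for illustration; the real values live in the project's Terraform and InSpec profiles.

```ruby
# Constructed inventory, loosely shaped after `gcloud ... list --format=json`
# output. Every name, role and label here is an assumption for illustration.
# The velero entries are complete; the loki entries are missing a label and a key.
INVENTORY = {
  'service_accounts' => [
    'velero@example-project.iam.gserviceaccount.com',
    'loki@example-project.iam.gserviceaccount.com'
  ],
  'iam_bindings' => [
    { 'role' => 'roles/storage.objectAdmin',
      'members' => ['serviceAccount:velero@example-project.iam.gserviceaccount.com'] },
    { 'role' => 'roles/storage.objectAdmin',
      'members' => ['serviceAccount:loki@example-project.iam.gserviceaccount.com'] }
  ],
  'buckets' => [
    { 'name' => 'example-project-velero', 'labels' => { 'env' => 'dev', 'service' => 'velero' } },
    { 'name' => 'example-project-loki',   'labels' => { 'env' => 'dev' } }
  ],
  'kms_keys' => [
    'projects/example-project/locations/europe-west1/keyRings/velero/cryptoKeys/velero'
  ]
}.freeze

# Run the <service>-1 / -2 / -3 checks for one service against an inventory.
# Returns a list of finding strings prefixed with the control code; empty when
# the service is fully compliant.
def check_service(inv, name, project:, role:, bucket:, key:, labels: %w[env service])
  findings = []
  sa = "#{name}@#{project}.iam.gserviceaccount.com"  # assumed naming scheme

  # <service>-1: service account exists and is bound to the expected role
  findings << "#{name}-1: service account #{sa} missing" unless inv['service_accounts'].include?(sa)
  bound = inv['iam_bindings'].any? do |b|
    b['role'] == role && b['members'].include?("serviceAccount:#{sa}")
  end
  findings << "#{name}-1: no IAM binding of #{role} for #{sa}" unless bound

  # <service>-2: bucket exists and carries every required label key
  bkt = inv['buckets'].find { |b| b['name'] == bucket }
  if bkt.nil?
    findings << "#{name}-2: bucket #{bucket} missing"
  else
    missing = labels - bkt['labels'].keys
    findings << "#{name}-2: bucket #{bucket} missing labels #{missing.join(', ')}" unless missing.empty?
  end

  # <service>-3: KMS key exists
  findings << "#{name}-3: KMS key #{key} missing" unless inv['kms_keys'].include?(key)
  findings
end

# Convenience wrapper using the constructed inventory and naming scheme.
def check_in_sample(name)
  check_service(INVENTORY, name,
                project: 'example-project',
                role: 'roles/storage.objectAdmin',
                bucket: "example-project-#{name}",
                key: "projects/example-project/locations/europe-west1/keyRings/#{name}/cryptoKeys/#{name}")
end

if __FILE__ == $PROGRAM_NAME
  %w[velero loki].each do |svc|
    f = check_in_sample(svc)
    puts(f.empty? ? "PASS #{svc}" : "FAIL #{svc}\n  " + f.join("\n  "))
  end
end
```

Services that have no bucket or key (grafana, prometheus, external_dns in the tables) would only use the `-1` part; splitting the function per control is straightforward once the required labels and roles are taken from the project's own Terraform variables instead of the assumed constants above.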