Inspec Portefaix

Instructions for check Portefaix infrastructure on GCP

inspec is used to check infrastructure:

❯ make -f hack/build/gcp.mk inspec-debug
Test infrastructure

 ────────────────────────────── Platform Details ──────────────────────────────

Name:      gcp
Families:  cloud, api
Release:   google-api-client-v0.34.1

Execute tests:

❯ make -f hack/build/gcp.mk inspec-test SERVICE=iac/gcp/<SERVICE> ENV=prod

You could upload JSON results file to Heimdall Lite to display ressults

CIS Kubernetes Benchmark

❯ make -f hack/build/gcp.mk inspec-gcp-kubernetes ENV=prod

GCP CIS

You could perform tests accoring the GCP CIS:

❯ make -f hack/build/gcp.mk inspec-cis ENV=prod

VPC

❯ make -f hack/build/gcp.mk inspec-test SERVICE=iac/gcp/vpc ENV=prod

VPC

Code Description
vpc-1 Ensure default network is deleted
vpc-2 Ensure network is correctly configure

GKE

❯ make -f hack/build/gcp.mk gcp-inspec-test SERVICE=iac/gcp/gke ENV=prod

GKE

Code Description
gke-1 Stackdriver Logging and Monitoring is configured
gke-2 Basic Authentication is disabled
gke-3 Ensure GKE Nodes are not public
gke-4 Ensure the GKE Control Plane is not public
gke-5 Ensure the Network Policy managed addon is enabled
gke-6 Ensure OAuth Access Scopes and dedicated Service Accounts for node pools
gke-7 Ensure GKE Node Pools should use the COS or COS_CONTAINERD Operating System
gke-8 GKE Workload Identity should be enabled on all node pools
gke-9 GKE Shielded Nodes should be enabled on all NodePools
gke-10 Ensure instances have labels
gke-11 Ensure instances have tags

Sops

❯ make -f hack/build/gcp.mk gcp-inspec-test SERVICE=iac/gcp/sops ENV=prod

Sops

Code Description
sops-1 Ensure service account and IAM binding exists
sops-2 Ensure that Kms key exist

Observability

❯ make -f hack/build/gcp.mk gcp-inspec-test SERVICE=iac/gcp/observability ENV=prod

Observability

Code Description
grafana-1 Ensure service account and IAM binding exists
prometheus-1 Ensure service account and IAM binding exists
thanos-1 Ensure service account and IAM binding exists
thanos-2 Ensure that bucket exists and labels correcly set
thanos-3 Ensure that Kms key exist
loki-1 Ensure service account and IAM binding exists
loki-2 Ensure that bucket exists and labels correcly set
loki-3 Ensure that Kms key exist
tempo-1 Ensure service account and IAM binding exists
tempo-2 Ensure that bucket exists and labels correcly set
tempo-3 Ensure that Kms key exist

Velero

❯ make -f hack/build/gcp.mk gcp-inspec-test SERVICE=iac/gcp/velero ENV=prod

Velero

Code Description
velero-1 Ensure service account and IAM binding exists
velero-2 Ensure that bucket exists and labels correcly set
velero-3 Ensure that Kms key exist

Vector

❯ make -f hack/build/gcp.mk gcp-inspec-test SERVICE=iac/gcp/vector ENV=prod

Vector

Code Description
vector-1 Ensure service account and IAM binding exists
vector-2 Ensure that bucket exists and labels correcly set
vector-3 Ensure that Kms key exist

External-DNS

❯ make -f hack/build/gcp.mk gcp-inspec-test SERVICE=iac/gcp/external-dns ENV=prod

External-DNS

Code Description
external_dns-1 Ensure service account and IAM binding exists
Last modified 07.10.2021: Fix: makefiles path (031a3b9)