Kubernetes native security policy enforcement, an upgrade of https://github.com/ministryofjustice/cloud-platform-terraform-opa
See the example/ subdir for invocation syntax
CAVEATS:
- To generate the audit report it is advisable to query a cache of filtered Kubernetes objects rather than hit the API on every audit run (60 second interval by default). Because of that, any kind used by a constraint template must also be added to the sync config at the end of constraints.tf.
- Deleting a ConstraintTemplate that still has Constraints breaks things badly; only deleting the CRDs (which in turn removes all the Constraints) unblocks Gatekeeper again.
- No colons (:) in the description field.
Requirements:

| Name | Version |
|---|---|
| terraform | >= 0.14 |
| kubectl | 1.10.0 |

Providers:

| Name | Version |
|---|---|
| helm | n/a |
| kubectl | 1.10.0 |
| kubernetes | n/a |
No modules.
Resources:

| Name | Type |
|---|---|
| helm_release.gatekeeper | resource |
| kubectl_manifest.config-sync | resource |
| kubectl_manifest.unique-ingress-constraint | resource |
| kubectl_manifest.unique-ingress-template | resource |
| kubernetes_namespace.gatekeeper | resource |
Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| cluster_domain_name | The cluster domain used for externalDNS annotations and certmanager | any | n/a | yes |
| define_constraints | If false, only the app is deployed, no constraints | bool | true | no |
| enable_invalid_hostname_policy | Whether to enable the OPA policy that rejects invalid hostnames | bool | false | no |
No outputs.
Some of the inputs are tags. All infrastructure resources need to be tagged according to the MOJ technical guidance. The tags are stored as variables that you will need to fill out as part of your module.

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| application | | string | - | yes |
| business-unit | Area of the MOJ responsible for the service | string | mojdigital | yes |
| environment-name | | string | - | yes |
| infrastructure-support | The team responsible for managing the infrastructure. Should be of the form team-email | string | - | yes |
| is-production | | string | false | yes |
| team_name | | string | - | yes |
| sqs_name | | string | - | yes |