google.cloud.forseti.scanner.audit.ke_version_rules_engine module

Rules engine for verifying that KE (Kubernetes Engine) cluster versions are allowed.

class KeVersionRuleBook(rule_defs=None)[source]

Bases: google.cloud.forseti.scanner.audit.base_rules_engine.BaseRuleBook

The RuleBook for KE Version rules.

add_rule(rule_def, rule_index)[source]

Add a rule to the rule book.

Parameters:
  • rule_def (dict) – A dictionary containing rule definition properties.
  • rule_index (int) – The index of the rule from the rule definitions. Assigned automatically when the rule book is built.
add_rules(rule_defs)[source]

Add rules to the rule book.

Parameters: rule_defs (dict) – Rule definitions dictionary.
find_violations(ke_cluster)[source]

Find violations in the rule book.

Parameters: ke_cluster (KeCluster) – KE Cluster and ServerConfig data.
Returns: RuleViolation
Return type: list
get_resource_rules(resource)[source]

Get all the resource rules for resource.

Parameters: resource (Resource) – The gcp_type Resource to find in the map.
Returns: A ResourceRules object.
Return type: ResourceRules
class KeVersionRulesEngine(rules_file_path, snapshot_timestamp=None)[source]

Bases: google.cloud.forseti.scanner.audit.base_rules_engine.BaseRulesEngine

Rules engine for KE Version scanner.

build_rule_book(global_configs=None)[source]

Build KeVersionRuleBook from the rules definition file.

Parameters: global_configs (dict) – Global configurations.
find_violations(ke_cluster, force_rebuild=False)[source]

Determine whether the Kubernetes Engine cluster version violates the rules.

Parameters:
  • ke_cluster (KeCluster) – A KE Cluster object to check.
  • force_rebuild (bool) – If True, rebuilds the rule book. This will reload the rules definition file and add the rules to the book.
Returns: A generator of rule violations.
Return type: generator

class ResourceRules(resource=None, rules=None)[source]

Bases: object

An association of a resource to rules.

__eq__(other)[source]

Compare == with another object.

Parameters: other (ResourceRules) – Object to compare with.
Returns: Comparison result.
Return type: int
__ne__(other)[source]

Compare != with another object.

Parameters: other (object) – Object to compare with.
Returns: Comparison result.
Return type: int
__repr__()[source]

String representation of this node.

Returns: Debug string.
Return type: str
find_violations(ke_cluster)[source]

Determine if the policy binding matches this rule’s criteria.

Parameters: ke_cluster (KeCluster) – KE Cluster and ServerConfig data.
Returns: RuleViolation
Return type: list
class Rule(rule_name, rule_index, check_serverconfig_valid_node_versions, check_serverconfig_valid_master_versions, allowed_nodepool_versions)[source]

Bases: object

Rule properties from the rule definition file, also finds violations.

__eq__(other)[source]

Test whether Rule equals other Rule.

Parameters: other (Rule) – Object to compare to.
Returns: Comparison result.
Return type: int
__hash__()[source]

Make a hash of the rule index.

For now, this will suffice since the rule index is assigned automatically when the rules map is built, and the scanner only handles one rule file at a time. Later on, we’ll need to revisit this hash method when we process multiple rule files.

Returns: The hash of the rule index.
Return type: int
__ne__(other)[source]

Test whether Rule is not equal to another Rule.

Parameters: other (object) – Object to compare to.
Returns: Comparison result.
Return type: int
_make_violation(ke_cluster, nodepool, violation_reason)[source]

Build a RuleViolation for the cluster.

Parameters:
  • ke_cluster (KeCluster) – KE Cluster and ServerConfig data.
  • nodepool (dict) – A node pool in the KE cluster.
  • violation_reason (str) – The violation details.
Returns: A new RuleViolation namedtuple.
Return type: RuleViolation

_master_version_valid(ke_cluster)[source]

Check the master version against the supported version list.

Parameters: ke_cluster (KeCluster) – KE Cluster and ServerConfig data.
Returns: A RuleViolation if the version is not supported, else None.
Return type: RuleViolation
_node_versions_allowed(ke_cluster)[source]

Check the node pool versions against the allowed versions list.

Parameters: ke_cluster (KeCluster) – KE Cluster and ServerConfig data.
Returns: A RuleViolation if the version is not allowed, else None.
Return type: RuleViolation
_node_versions_valid(ke_cluster)[source]

Check the node pool versions against the supported version list.

Parameters: ke_cluster (KeCluster) – KE Cluster and ServerConfig data.
Returns: A RuleViolation if the version is not supported, else None.
Return type: RuleViolation
find_violations(ke_cluster)[source]

Find KE Version violations based on the rule.

Parameters: ke_cluster (KeCluster) – KE Cluster and ServerConfig data.
Returns: A list of RuleViolation named tuples.
Return type: list
class RuleViolation(resource_type, resource_id, full_name, rule_name, rule_index, violation_type, violation_reason, project_id, cluster_name, node_pool_name, resource_data, resource_name)

Bases: tuple

__getnewargs__()

Return self as a plain tuple. Used by copy and pickle.

static __new__(_cls, resource_type, resource_id, full_name, rule_name, rule_index, violation_type, violation_reason, project_id, cluster_name, node_pool_name, resource_data, resource_name)

Create new instance of RuleViolation(resource_type, resource_id, full_name, rule_name, rule_index, violation_type, violation_reason, project_id, cluster_name, node_pool_name, resource_data, resource_name)

__repr__()

Return a nicely formatted representation string

_asdict()

Return a new OrderedDict which maps field names to their values.

_fields = ('resource_type', 'resource_id', 'full_name', 'rule_name', 'rule_index', 'violation_type', 'violation_reason', 'project_id', 'cluster_name', 'node_pool_name', 'resource_data', 'resource_name')
classmethod _make(iterable, new=<built-in method __new__ of type object>, len=<built-in function len>)

Make a new RuleViolation object from a sequence or iterable

_replace(**kwds)

Return a new RuleViolation object replacing specified fields with new values

Field properties (one read-only alias per namedtuple field):
  • cluster_name
  • full_name
  • node_pool_name
  • project_id
  • resource_data
  • resource_id
  • resource_name
  • resource_type
  • rule_index
  • rule_name
  • violation_reason
  • violation_type
class VersionRule(major, minor=None, operator='=')[source]

Bases: object

Class to match allowed versions rules against running versions.

ALLOWED_OPERATORS = {'<': <built-in function lt>, '<=': <built-in function le>, '=': <built-in function eq>, '>': <built-in function gt>, '>=': <built-in function ge>}
__hash__()[source]

Calculate hash.

Returns: Unique hash.
Return type: int
__repr__()[source]

Return string representation.

Returns: String representation.
Return type: str
is_version_allowed(version)[source]

Check if the version matches the allowed_version configuration.

Parameters: version (str) – A version string, e.g. ‘1.6.11.gke.1’.
Returns: True if the version is allowed, else False.
Return type: bool
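The following is an added, self-contained illustration of how a version-matching rule of the kind documented above (VersionRule with ALLOWED_OPERATORS and is_version_allowed, and a Rule whose find_violations produces RuleViolation named tuples for each node pool) can be evaluated. It is example code written for this page, not Forseti's own implementation. It assumes, as a labelled convention, that a running version such as '1.6.11.gke.1' is split into a release line ('1.6') matched exactly against `major` and a remainder ('11.gke.1') compared against `minor` with the configured operator; that a cluster is passed as a plain dict with a `node_pools` list; and that the `violation_type` label and the cluster sample are constructed values. The Rule here carries only `allowed_nodepool_versions`; the ServerConfig validity checks documented above are omitted.

```python
import operator
from collections import namedtuple

# Field list as documented for RuleViolation on this page.
RuleViolation = namedtuple('RuleViolation', [
    'resource_type', 'resource_id', 'full_name', 'rule_name', 'rule_index',
    'violation_type', 'violation_reason', 'project_id', 'cluster_name',
    'node_pool_name', 'resource_data', 'resource_name'])


def _component_key(component):
    """Sort key for one dotted component: numeric parts compare as numbers,
    text parts such as 'gke' compare as strings (assumed convention)."""
    return (0, int(component)) if component.isdigit() else (1, component)


def _version_key(version):
    """Tuple key so that '12.gke.1' sorts after '9.gke.2'."""
    return tuple(_component_key(c) for c in version.split('.'))


class VersionRule:
    """Match an allowed-version rule against a running version."""

    ALLOWED_OPERATORS = {'<': operator.lt, '<=': operator.le, '=': operator.eq,
                         '>': operator.gt, '>=': operator.ge}

    def __init__(self, major, minor=None, operator='='):
        # `operator` shadows the module name here, matching the documented signature.
        if operator not in self.ALLOWED_OPERATORS:
            raise ValueError('unsupported operator: %r' % operator)
        self.major, self.minor, self.operator = major, minor, operator

    def __repr__(self):
        return 'VersionRule(major=%r, minor=%r, operator=%r)' % (
            self.major, self.minor, self.operator)

    def __hash__(self):
        return hash((self.major, self.minor, self.operator))

    def is_version_allowed(self, version):
        # Assumption: first two components form the release line matched by
        # `major`; the rest is compared against `minor` with the operator.
        parts = version.split('.')
        if len(parts) < 2 or '.'.join(parts[:2]) != self.major:
            return False
        if self.minor is None:          # any release on this line is allowed
            return True
        compare = self.ALLOWED_OPERATORS[self.operator]
        return compare(_version_key('.'.join(parts[2:])), _version_key(self.minor))


class Rule:
    """One named rule: a node pool violates it if no VersionRule allows its version."""

    def __init__(self, rule_name, rule_index, allowed_nodepool_versions):
        self.rule_name = rule_name
        self.rule_index = rule_index
        self.allowed_nodepool_versions = allowed_nodepool_versions

    def _make_violation(self, ke_cluster, nodepool, violation_reason):
        return RuleViolation(
            resource_type='ke_cluster', resource_id=ke_cluster['id'],
            full_name=ke_cluster['full_name'], rule_name=self.rule_name,
            rule_index=self.rule_index,
            violation_type='KE_VERSION_VIOLATION',   # constructed label
            violation_reason=violation_reason, project_id=ke_cluster['project_id'],
            cluster_name=ke_cluster['name'], node_pool_name=nodepool['name'],
            resource_data=nodepool, resource_name=ke_cluster['name'])

    def find_violations(self, ke_cluster):
        violations = []
        for nodepool in ke_cluster['node_pools']:
            version = nodepool['version']
            if not any(r.is_version_allowed(version)
                       for r in self.allowed_nodepool_versions):
                reason = 'Node pool version %s is not in allowed versions %r' % (
                    version, self.allowed_nodepool_versions)
                violations.append(self._make_violation(ke_cluster, nodepool, reason))
        return violations


# Constructed sample cluster (not real inventory data).
SAMPLE_CLUSTER = {
    'id': 'cluster-1234', 'name': 'prod-cluster', 'project_id': 'example-project',
    'full_name': 'organization/1/project/example-project/kecluster/cluster-1234/',
    'node_pools': [
        {'name': 'default-pool', 'version': '1.6.11.gke.1'},
        {'name': 'batch-pool', 'version': '1.6.9.gke.2'},
        {'name': 'gpu-pool', 'version': '1.7.2.gke.0'},
    ],
}


def run_sample():
    """Allow 1.6 at patch 11.gke.1 or newer, and any 1.7 release."""
    rule = Rule('allowed-node-versions', 0,
                [VersionRule('1.6', '11.gke.1', '>='), VersionRule('1.7')])
    return rule.find_violations(SAMPLE_CLUSTER)


if __name__ == '__main__':
    for v in run_sample():
        print(v.node_pool_name, '->', v.violation_reason)
```

Only batch-pool is reported: its remainder '9.gke.2' sorts below '11.gke.1' under numeric component comparison, whereas a naive string comparison would wrongly rank '9' above '11'. That numeric key is the part worth getting right when writing version rules, since an off-by-string comparison silently allows outdated node pools.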