Created a new query and lint rule for gke serial port logging org policy-issue#30

.gitignore

@@ -19,3 +19,4 @@ gcpdiag-config
 gcpdiag/testpsa.py
 .vscode/launch.json
 **/.DS_STORE
+venv/

gcpdiag/lint/gke/err_2025_001_serial_port_logging.py

@@ -0,0 +1,78 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Lint as: python3
+""" GKE cluster complies with the serial port logging organization policy.
+
+When the constraints/compute.disableSerialPortLogging policy is enabled,
+GKE clusters must be created with logging disabled (serial-port-logging-enable: 'false'),
+otherwise the creation of new nodes in Nodepool will fail.
+"""
+
+from typing import List
+
+from gcpdiag import lint, models
+from gcpdiag.queries import gke, orgpolicy
+
+
+def get_non_compliant_pools(cluster: gke.Cluster) -> List[str]:
+  """
+        Checks if org serial port logging policy is enforced and if cluster complies with it.
+
+        Args:
+            cluster: The GKE cluster to check.
+
+        Returns:
+            List[str]: List of non-compliant nodepool names
+        """
+  # Get the policy constraint status
+  constraint = orgpolicy.get_effective_org_policy(
+      cluster.project_id, 'constraints/compute.disableSerialPortLogging')
+
+  # If policy is not enforced, return None (no compliance check needed) and empty list
+  if not isinstance(
+      constraint,
+      orgpolicy.BooleanPolicyConstraint) or not constraint.is_enforced():
+    return []
+
+  # Get cluster node pools
+  return [
+      nodepool.name
+      for nodepool in cluster.nodepools
+      if nodepool.config.has_serial_port_logging_enabled
+  ]
+
+
+def run_rule(context: models.Context, report: lint.LintReportRuleInterface):
+  clusters = gke.get_clusters(context)
+  if not clusters:
+    report.add_skipped(None, 'No clusters found')
+    return
+
+  for cluster in clusters.values():
+    # Skip Autopilot clusters as they are managed by Google
+    if cluster.is_autopilot:
+      report.add_skipped(
+          cluster,
+          'Skipping Autopilot cluster - serial port logging managed by Google')
+      continue
+
+    # find list of non compliant node pools.
+    non_compliant_pools = get_non_compliant_pools(cluster)
+    if not non_compliant_pools:
+      report.add_ok(cluster)
+    else:
+      report.add_failed(cluster, (
+          f'The following nodepools do not comply with the serial port logging org policy: {', \
+          '.join(non_compliant_pools)}'))

gcpdiag/lint/gke/snapshots/ERR_2025_001.txt

@@ -0,0 +1,2 @@
+*  gke/ERR/2025_001: When the constraints/compute.disableSerialPortLogging policy is enabled,
+GKE clusters must be created with logging disabled (serial-port-logging-enable: 'false')

gcpdiag/queries/gke.py

@@ -61,6 +61,17 @@ def image_type(self) -> str:
   def oauth_scopes(self) -> list:
     return self._resource_data['oauthScopes']
 
+  @property
+  def has_serial_port_logging_enabled(self) -> bool:
+    """ Check if serial port logging is enabled in the node config.
+
+    Returns:
+      bool: True if serial port logging is enabled or not explicitly disabled.
+            False if explicitly disabled.
+    """
+    metadata = self._resource_data.get('metadata', {})
+    return metadata.get('serial-port-logging-enable', 'true').lower() == 'true'
+
 
 class NodePool(models.Resource):
   """Represents a GKE node pool."""

website/content/en/rules/gke/ERR/2025_001.md

@@ -0,0 +1,33 @@
+---
+title: "gke/ERR/2025_001"
+linkTitle: "ERR/2025_001"
+weight: 1
+type: docs
+description: >
+  GKE cluster complies with the serial port logging organization policy.
+---
+
+**Product**: [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine)\
+**Rule class**: ERR - Something that is very likely to be wrong
+
+### Description
+
+When the constraints/compute.disableSerialPortLogging organization policy is enabled,
+GKE clusters must be created with logging disabled (serial-port-logging-enable: 'false'),
+otherwise the creation will fail.
+If cluster was initially created with "serial-port-logging-enable: 'true'" and the organization policy was enabled after that, all new node pools have to be created with explicit "serial-port-logging-enable: 'false'"
+
+
+### Remediation
+Cluster metadata and nodepool metadata can be defined only during the creation and they cannot be modified afterwards. To remediate you need to take either of the following steps:
+1) Disable the organization policy ex.  gcloud resource-manager org-policies disable-enforce "compute.disableSerialPortAccess" --organization=112233xx4455
+2) Recreate all non-compliant clusters ex. gcloud container clusters create example-cluster \
+--metadata serial-port-logging-enable=false
+3) Recreate all non-compliant node pools ex. gcloud container node-pools create node-pool-1 \
+--cluster=example-cluster --metadata serial-port-logging-enable=false
+### Further information
+
+1. https://cloud.google.com/resource-manager/docs/organization-policy/creating-managing-policies
+https://cloud.google.com/sdk/gcloud/reference/resource-manager/org-policies/disable-enforce
+2. https://cloud.google.com/sdk/gcloud/reference/container/clusters/create#--metadata
+3. https://cloud.google.com/sdk/gcloud/reference/container/node-pools/create#--metadata