Created a new query and lint rule for gke serial port logging org policy-issue#30

gcpdiag/lint/gke/err_2025_001_serial_port_logging.py

@@ -0,0 +1,61 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Lint as: python3
+"""GKE clusters must comply with serial port logging policy.
+
+When the constraints/compute.disableSerialPortLogging policy is enabled,
+GKE clusters must be created with logging disabled (serial-port-logging-enable: 'false'),
+otherwise the creation will fail.
+"""
+
+from gcpdiag import lint, models
+from gcpdiag.queries import gke
+
+def run_rule(context: models.Context, report: lint.LintReportRuleInterface):
+  clusters = gke.get_clusters(context)
+  clusters_checked = 0
+
+  for cluster in clusters.values():
+    clusters_checked += 1
+
+    try:
+      # Skip Autopilot clusters as they are managed by Google
+      if cluster.is_autopilot:
+        report.add_skipped(
+            cluster,
+            'Skipping Autopilot cluster - serial port logging managed by Google'
+        )
+        continue
+
+      # Check if cluster complies with serial port logging policy
+      if cluster.is_serial_port_logging_compliant():
+        report.add_ok(cluster)
+      else:
+        report.add_failed(
+            cluster,
+            msg=
+            ('Cluster does not comply with serial port logging policy. '
+             'When constraints/compute.disableSerialPortLogging is enabled, '
+             'all node pools must have serial-port-logging-enable set to false'
+            ),
+            remediation=(
+                'Update the node pool metadata to set '
+                '"serial-port-logging-enable": "false" for all node pools'))
+
+    except Exception as e:
+      report.add_skipped(cluster, f'Error checking cluster: {str(e)}')
+
+  if not clusters_checked:
+    report.add_skipped(None, 'No clusters found')

gcpdiag/lint/gke/snapshots/ERR_2025_001.txt

@@ -0,0 +1,2 @@
+*  gke/ERR/2025_001: When the constraints/compute.disableSerialPortLogging policy is enabled,
+GKE clusters must be created with logging disabled (serial-port-logging-enable: 'false')

gcpdiag/queries/gke.py

@@ -28,7 +28,7 @@
 from boltons.iterutils import get_path
 
 from gcpdiag import caching, config, models, utils
-from gcpdiag.queries import apis, crm, gce, network, web
+from gcpdiag.queries import apis, crm, gce, network, orgpolicy, web
 from gcpdiag.utils import Version
 
 # To avoid name conflict with L342
@@ -61,6 +61,23 @@ def image_type(self) -> str:
   def oauth_scopes(self) -> list:
     return self._resource_data['oauthScopes']
 
+  @property
+  def metadata(self) -> dict:
+    return self._resource_data.get('metadata', {})
+
+  def is_serial_port_logging_enabled(self) -> bool:
+    """Check if serial port logging is enabled in the node configuration.
+
+    Returns:
+        bool: True if serial port logging is enabled or not explicitly disabled,
+              False if explicitly disabled
+    """
+    metadata = self.metadata
+    # Check if serial-port-logging-enable exists in metadata
+    # If not specified or set to 'true', it's considered enabled
+    return metadata.get('serial-port-logging-enable', 'true').lower() == 'true'
+
+
 
 class NodePool(models.Resource):
   """Represents a GKE node pool."""
@@ -461,6 +478,51 @@ def cluster_hash(self) -> Optional[str]:
       return self._resource_data['id'][:8]
     raise UndefinedClusterPropertyError('no id')
 
+  def check_serial_port_logging_policy(self) -> Optional[bool]:
+    """
+        Checks if serial port logging policy is enforced and if cluster complies with it.
+
+        Returns:
+            bool: True if cluster complies with policy, False if not compliant,
+                 None if policy not enforced
+        """
+    try:
+      # Get the policy constraint status
+      constraint = orgpolicy.get_effective_org_policy(
+          self.project_id, 'constraints/compute.disableSerialPortLogging')
+
+      # If policy is not enforced, return None (no compliance check needed)
+      if not isinstance(
+          constraint,
+          orgpolicy.BooleanPolicyConstraint) or not constraint.is_enforced():
+        return None
+
+      # Get cluster node pools
+      for nodepool in self.nodepools:
+        # Check if serial port logging is disabled in node config metadata
+        if nodepool.config.is_serial_port_logging_enabled():
+          return False
+
+      return True
+
+    except ValueError:
+      # Policy not found or not supported
+      return None
+    except Exception as e:
+      logging.error(f"Error checking serial port logging policy: {e}")
+      return None
+
+  def is_serial_port_logging_compliant(self) -> bool:
+    """
+        Checks if the cluster is compliant with serial port logging policy.
+
+        Returns:
+            bool: True if compliant or policy not enforced, False if non-compliant
+        """
+    compliance = self.check_serial_port_logging_policy()
+    # Return True if policy is not enforced (compliance is None) or cluster is compliant
+    return compliance is None or compliance
+
 
 @caching.cached_api_call
 def get_clusters(context: models.Context) -> Mapping[str, Cluster]:
@@ -694,3 +756,4 @@ def find_date_str_in_td(e):
   ) as e:
     logging.error('Error in extracting gke release schedule: %s', e)
     return release_data
+

website/content/en/rules/gke/ERR/2025_001.md

@@ -0,0 +1,25 @@
+---
+title: "gke/ERR/2025_001"
+linkTitle: "ERR/2025_001"
+weight: 1
+type: docs
+description: >
+  GKE clusters must comply with serial port logging organization policy.
+---
+
+**Product**: [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine)\
+**Rule class**: ERR - Something that is very likely to be wrong
+
+### Description
+
+When the constraints/compute.disableSerialPortLogging organization policy is enabled,
+GKE clusters must be created with logging disabled (serial-port-logging-enable: 'false'),
+otherwise the creation will fail.
+
+
+### Remediation
+
+### Further information
+
+1. https://cloud.google.com/kubernetes-engine/docs/how-to/view-logs
+