feat: unified policies metadata and new console output

gke-policies-v2/policy/autopilot_cluster.rego

@@ -13,7 +13,7 @@
 # limitations under the License.
 
 # METADATA
-# title: GKE Autopilot mode
+# title: Use GKE Autopilot mode
 # description: GKE Autopilot mode is the recommended way to operate a GKE cluster
 # custom:
 #   group: Management
@@ -35,5 +35,5 @@ valid {
 
 violation[msg] {
 	not input.data.gke.autopilot.enabled
-	msg := "GKE Autopilot mode is the recommended way to operate a GKE cluster"
+	msg := "Cluster is not using Autopilot mode"
 }

gke-policies-v2/policy/cluster_binary_authorization.rego

@@ -39,5 +39,5 @@ valid {
 
 violation[msg] {
   not input.data.gke.binary_authorization.enabled
-  msg := "GKE cluster has not configured binary authorization policies"
+  msg := "Cluster is not configured with binary authorization"
 }

gke-policies-v2/policy/cluster_enable_security_posture.rego

@@ -38,5 +38,5 @@ valid {
 
 violation[msg] {
   not input.data.gke.security_posture_config.mode == 2
-  msg := "GKE cluster has not enabled Security Posture"
+  msg := "Cluster is not configure with Security Posture"
 }

gke-policies-v2/policy/cluster_enable_workload_scanning.rego

@@ -40,5 +40,5 @@ valid {
 
 violation[msg] {
   not input.data.gke.security_posture_config.vulnerability_mode == 2
-  msg := "GKE cluster has not configured workload vulnerability scanning"
+  msg := "Cluster is not configured with workload vulnerability scanning"
 }

gke-policies-v2/policy/cluster_gce_csi_driver.rego

@@ -13,7 +13,7 @@
 # limitations under the License.
 
 # METADATA
-# title: Use Compute Engine persistent disk CSI driver
+# title: Enable Compute Engine persistent disk CSI driver
 # description: Automatic deployment and management of the Compute Engine persistent disk CSI driver. The driver provides support for features like customer managed encryption keys or volume snapshots.
 # custom:
 #   group: Management
@@ -36,5 +36,5 @@ valid {
 
 violation[msg] {
   not input.data.gke.addons_config.gce_persistent_disk_csi_driver_config.enabled
-  msg := "GKE cluster has not configured GCE persistent disk CSI driver"
+  msg := "Cluster is not configured with GCE persistent disk CSI driver"
 }

gke-policies-v2/policy/cluster_maintenance_window.rego

@@ -13,8 +13,8 @@
 # limitations under the License.
 
 # METADATA
-# title: Schedule maintenance windows and exclusions
-# description: GKE cluster should schedule maintenance windows and exclusions to upgrade predictability and to align updates with off-peak business hours.
+# title: Enable maintenance windows
+# description: GKE cluster should use maintenance windows and exclusions to upgrade predictability and to align updates with off-peak business hours.
 # custom:
 #   group: Management
 #   severity: Medium
@@ -38,5 +38,5 @@ valid {
 
 violation[msg] {
   not input.data.gke.maintenance_policy.window.Policy
-  msg := "GKE cluster has not configured maintenance window"
+  msg := "GKE cluster is not configured with maintenance window"
 }

gke-policies-v2/policy/cluster_receive_updates.rego

@@ -13,7 +13,7 @@
 # limitations under the License.
 
 # METADATA
-# title: Receive updates about new GKE versions
+# title: Enable GKE upgrade notifications
 # description: GKE cluster should be proactively receive updates about GKE upgrades and GKE versions
 # custom:
 #   group: Management
@@ -38,10 +38,10 @@ valid {
 
 violation[msg] {
   not input.data.gke.notification_config.pubsub.enabled
-  msg := "Pub/Sub notifications are not enabled"
+  msg := "Cluster is not configured with upgrade notifications"
 }
 
 violation[msg] {
   not input.data.gke.notification_config.pubsub.topic
-  msg := "Pub/Sub topic is not configured"
+  msg := "Cluster is not configured with upgrade notofications topic"
 }

gke-policies-v2/policy/cluster_release_channels.rego

@@ -13,7 +13,7 @@
 # limitations under the License.
 
 # METADATA
-# title: Enrollment in Release Channels
+# title: Enroll cluster in Release Channels
 # description: GKE cluster should be enrolled in release channels
 # custom:
 #   group: Security
@@ -40,5 +40,5 @@ valid {
 
 violation[msg] {
   not input.data.gke.release_channel.channel
-  msg := "GKE cluster is not enrolled in release channel"
+  msg := "Cluster is not enrolled in any release channel"
 }

gke-policies-v2/policy/control_plane_access.rego

@@ -13,7 +13,7 @@
 # limitations under the License.
 
 # METADATA
-# title: Control Plane endpoint access
+# title: Limit Control Plane endpoint access
 # description: Control Plane endpoint access should be limited to authorized networks only
 # custom:
 #   group: Security
@@ -41,15 +41,15 @@ valid {
 
 violation[msg] {
   not input.data.gke.master_authorized_networks_config.enabled
-  msg := "GKE cluster has not enabled master authorized networks configuration"
+  msg := "Cluster is not configured with master authorized networks"
 }
 
 violation[msg] {
   not input.data.gke.master_authorized_networks_config.cidr_blocks
-  msg := "GKE cluster's master authorized networks has no CIDR blocks element"
+  msg := "Cluster is not configured with master authorized networks CIDRs"
 }
 
 violation[msg] {
   count(input.data.gke.master_authorized_networks_config.cidr_blocks) < 1
-  msg := "GKE cluster's master authorized networks has no CIDR blocks defined"
+  msg := "Cluster is not configured with master authorized networks CIDRs"
 }

gke-policies-v2/policy/control_plane_disable_cert_authentication.rego

@@ -13,7 +13,7 @@
 # limitations under the License.
 
 # METADATA
-# title: Control plane user certificate authentication
+# title: Disable control plane certificate authentication
 # description: >-
 #   Disable Client Certificates, which require certificate rotation, for authentication. Instead,
 #   use another authentication method like OpenID Connect.
@@ -40,10 +40,10 @@ valid {
 
 violation[msg] {
 	input.data.gke.master_auth.client_certificate
-	msg := "The GKE cluster authentication should not be configured with a client certificate"
+	msg := "Cluster authentication is configured with a client certificate"
 }
 
 violation[msg] {
 	input.data.gke.master_auth.client_key
-	msg := "The GKE cluster authentication should not be configured with a client key"
+	msg := "Cluster authentication is configured with a client key"
 }

gke-policies-v2/policy/control_plane_disable_legacy_authorization.rego

@@ -13,7 +13,7 @@
 # limitations under the License.
 
 # METADATA
-# title: GKE RBAC authorization
+# title: Disable legacy ABAC authorization
 # description: GKE cluster should use RBAC instead of legacy ABAC authorization
 # custom:
 #   group: Security
@@ -39,5 +39,5 @@ valid {
 
 violation[msg] {
 	input.data.gke.legacy_abac.enabled
-	msg := "The GKE cluster is configured to use legacy ABAC authorization mechanism"
+	msg := "Cluster authorization is configured with legacy ABAC"
 }

gke-policies-v2/policy/control_plane_disable_password_authentication.rego

@@ -13,7 +13,7 @@
 # limitations under the License.
 
 # METADATA
-# title: Control plane user basic authentication
+# title: Disalbe control plane basic authentication
 # description: >-
 #   Disable Basic Authentication (basic auth) for API server authentication as it uses static
 #   passwords which need to be rotated.
@@ -41,10 +41,10 @@ valid {
 
 violation[msg] {
 	input.data.gke.master_auth.password
-	msg := "The GKE cluster authentication should not be configured with a client password"
+	msg := "Cluster authentication is configured with a client password"
 }
 
 violation[msg] {
 	input.data.gke.master_auth.username
-	msg := "The GKE cluster authentication should not be configured with a client username"
+	msg := "Cluster authentication is configured with a client username"
 }

gke-policies-v2/policy/control_plane_endpoint.rego

@@ -13,7 +13,7 @@
 # limitations under the License.
 
 # METADATA
-# title: Control Plane endpoint visibility
+# title: Enable control plane private endpoint
 # description: Control Plane endpoint should be locked from external access
 # custom:
 #   group: Security
@@ -39,5 +39,5 @@ valid {
 
 violation[msg] {
   not input.data.gke.private_cluster_config.enable_private_endpoint
-  msg := "GKE cluster has not enabled private endpoint"
+  msg := "Cluster is not configured with private endpoint"
 }

gke-policies-v2/policy/control_plane_redundancy.rego

@@ -13,7 +13,7 @@
 # limitations under the License.
 
 # METADATA
-# title: Control Plane redundancy
+# title: Ensure redundancy of the Control Plane
 # description: GKE cluster should be regional for maximum availability of control plane during upgrades and zonal outages
 # custom:
 #   group: Availability
@@ -37,10 +37,10 @@ valid {
 
 violation[msg] {
   not input.data.gke.location
-  msg := "Missing GKE cluster location object"
+  msg := "Cluster location infromation is missing"
 }
 
 violation[msg] {
   not location.regional(input.data.gke.location)
-  msg := sprintf("Invalid GKE Control plane location %q (not regional)", [input.data.gke.location])
+  msg := sprintf("Cluster location %q is not regional", [input.data.gke.location])
 }

gke-policies-v2/policy/ilb_subsetting.rego

@@ -13,7 +13,7 @@
 # limitations under the License.
 
 # METADATA
-# title: GKE L4 ILB Subsetting
+# title: Enable GKE L4 ILB Subsetting
 # description: GKE cluster should use GKE L4 ILB Subsetting if nodes > 250
 # custom:
 #   group: Scalability
@@ -37,7 +37,5 @@ valid {
 violation[msg] {
 	input.data.gke.current_node_count > 250
     not input.data.gke.network_config.enable_l4ilb_subsetting = true
-
-	msg := sprintf("The GKE cluster has %v nodes but is not configured to use L4 ILB Subsetting", [input.data.gke.current_node_count])
-
+	msg := sprintf("Cluster has %v nodes and is not configured with L4 ILB Subsetting", [input.data.gke.current_node_count])
 }

gke-policies-v2/policy/intranode_visibility.rego

@@ -13,7 +13,7 @@
 # limitations under the License.
 
 # METADATA
-# title: GKE intranode visibility
+# title: Enable GKE intranode visibility
 # description: GKE cluster should have intranode visibility enabled
 # custom:
 #   group: Security
@@ -39,5 +39,5 @@ valid {
 
 violation[msg] {
 	not input.data.gke.networkConfig.enableIntraNodeVisibility = true
-	msg := "The GKE cluster does not have Intranode Visibility enabled"
+	msg := "Cluster is not configured with Intranode Visibility"
 }

gke-policies-v2/policy/monitoring_and_logging.rego

@@ -13,7 +13,7 @@
 # limitations under the License.
 
 # METADATA
-# title: Cloud Monitoring and Logging
+# title: Enable Cloud Monitoring and Logging
 # description: GKE cluster should use Cloud Logging and Monitoring
 # custom:
 #   group: Maintenance
@@ -43,12 +43,10 @@ valid {
 
 violation[msg] {
 	not input.data.gke.logging_config.component_config.enable_components
-
-	msg := "The GKE cluster does not have Cloud Logging enabled"
+	msg := "Cluster is not configured with Cloud Logging"
 }
 
 violation[msg] {
 	not input.data.gke.monitoring_config.component_config.enable_components
-
-	msg := "The GKE cluster does not have Cloud Monitoring enabled"
-}
+	msg := "Cluster is not configured with Cloud Monitoring"
+}

gke-policies-v2/policy/nap_forbid_default_sa.rego

@@ -13,7 +13,7 @@
 # limitations under the License.
 
 # METADATA
-# title: Forbid default Service Accounts in Node Auto-Provisioning
+# title: Change default Service Accounts in Node Auto-Provisioning
 # description: Node Auto-Provisioning configuration should not allow default Service Accounts
 # custom:
 #   group: Security
@@ -42,5 +42,5 @@ violation[msg] {
 	not input.data.gke.autopilot.enabled
 	input.data.gke.autoscaling.enable_node_autoprovisioning == true
 	input.data.gke.autoscaling.autoprovisioning_node_pool_defaults.service_account == "default"
-	msg := "GKE cluster Node Auto-Provisioning should have a dedicated Service Account configured"
+	msg := "Cluster is configured with default service account for Node Auto-Provisioning"
 }

gke-policies-v2/policy/nap_forbid_single_zone.rego

@@ -13,7 +13,7 @@
 # limitations under the License.
 
 # METADATA
-# title: Ensure that node pool locations within Node Auto-Provisioning are covering more than one zone (or not enforced at all)
+# title: Ensure redundancy of Node Auto-provisioning node pools
 # description: Node Auto-Provisioning configuration should cover more than one zone
 # custom:
 #   group: Security
@@ -37,5 +37,5 @@ valid {
 violation[msg] {
 	input.data.gke.autoscaling.enable_node_autoprovisioning == true
 	count(input.data.gke.autoscaling.autoprovisioning_locations) == 1
-	msg := "GKE cluster Node Auto-Provisioning configuration should cover more than one zone"
+	msg := "Cluster is not configured with multiple zones for NAP node pools"
 }

gke-policies-v2/policy/nap_integrity_monitoring.rego

@@ -13,7 +13,7 @@
 # limitations under the License.
 
 # METADATA
-# title: Ensure that nodes in Node Auto-Provisioning node pools will use integrity monitoring
+# title: Enable integrity monitoring for Node Auto-Provisioning node pools
 # description: Nodes in Node Auto-Provisioning should use integrity monitoring
 # custom:
 #   group: Security
@@ -45,6 +45,5 @@ valid {
 violation[msg] {
 	input.data.gke.autoscaling.enable_node_autoprovisioning == true
 	input.data.gke.autoscaling.autoprovisioning_node_pool_defaults.shielded_instance_config.enable_integrity_monitoring == false
-
-	msg := "GKE cluster Node Auto-Provisioning configuration use integrity monitoring"
+	msg := "Cluster is not configured with integrity monitoring for NAP node pools"
 }

gke-policies-v2/policy/nap_use_cos.rego

@@ -13,7 +13,7 @@
 # limitations under the License.
 
 # METADATA
-# title: Ensure that nodes in Node Auto-Provisioning node pools will use Container-Optimized OS
+# title: Configure Container-Optimized OS for Node Auto-Provisioning node pools
 # description: Nodes in Node Auto-Provisioning should use Container-Optimized OS
 # custom:
 #   group: Security
@@ -42,6 +42,5 @@ valid {
 violation[msg] {
 	input.data.gke.autoscaling.enable_node_autoprovisioning == true
 	not lower(input.data.gke.autoscaling.autoprovisioning_node_pool_defaults.image_type) in { "cos", "cos_containerd"}
-
-	msg := "GKE cluster Node Auto-Provisioning configuration use Container-Optimized OS"
+	msg := "Cluster is not configured with COS for NAP node pools"
 }

gke-policies-v2/policy/network_policies.rego

@@ -13,7 +13,7 @@
 # limitations under the License.
 
 # METADATA
-# title: GKE Network Policies engine
+# title: Enable Kubernetes Network Policies
 # description: GKE cluster should have Network Policies or Dataplane V2 enabled
 # custom:
 #   group: Security
@@ -41,21 +41,19 @@ violation[msg] {
 	input.data.gke.addons_config.network_policy_config.disabled
 	not input.data.gke.network_policy
 	not input.data.gke.network_config.datapath_provider == 2
-
-	msg := "No Network Policies Engines enabled"
+	msg := "Cluster is not configured with Kubneretes Network Policies"
 }
 
 violation[msg] {
 	count(input.data.gke.addons_config.network_policy_config) == 0
 	not input.data.gke.network_policy.enabled
 	not input.data.gke.network_config.datapath_provider == 2
-	msg := "Network Policies enabled but without configuration"
+	msg := "Cluster is configured with Kubneretes Network Policies without configuration"
 }
 
 violation[msg] {
 	input.data.gke.addons_config.network_policy_config.disabled
 	count(input.data.gke.network_policy) == 0
 	not input.data.gke.network_config.datapath_provider == 2
-
-	msg := "Not DPv2 nor Network Policies are enabled onto the cluster"
+	msg := "Cluster is not DPv2 and has not configured Kubneretes Network Policies"
 }