-
Notifications
You must be signed in to change notification settings - Fork 8
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
841a9ef
commit 3081c52
Showing
2 changed files
with
310 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
|
|
||
|
|
||
| ## Show Security Hardened Kubernetes Compliance for a Gardener Shoot Cluster | ||
|
|
||
| ### Introduction | ||
|
|
||
| This part covers the topic of showing compliance with the Security Hardened Kubernetes Cluster for a Gardener shoot cluster. The guide features the `managedk8s` provider, which implements rules from the Security Hardened Kubernetes Cluster ruleset. | ||
|
|
||
| The `managedk8s` provider assumes that the user running the ruleset does not have access to the environment (the seed in this particular case), in which the control plane components reside. | ||
|
|
||
| ### Prerequisites | ||
|
|
||
| Make sure you have [diki installed](../../README.md#Installation) and have a running Gardener shoot cluster. | ||
|
|
||
| We will be using the sample [Security Hardened Kubernetes Guide for Shoots configuration file](../../example/guides/security-hardened-k8s.md) for this run. | ||
|
|
||
| ### Configuration | ||
|
|
||
| #### Configure the `managedk8s` provider | ||
|
|
||
| Set the following arguments: | ||
| - `providers[id=="managedk8s"].args.kubeconfigPath` pointing to a shoot admin kubeconfig. | ||
|
|
||
| In case you need instructions on how to generate such a kubeconfig, please read [Accessing Shoot Clusters](https://github.com/gardener/gardener/blob/master/docs/usage/shoot/shoot_access.md). | ||
|
|
||
| #### Additional configurations | ||
|
|
||
| Additional metadata such as the shoot's name can also be included in the `providers[id=="managedk8s].metadata` section. The metadata section can be used to add additional context to different diki runs. | ||
|
|
||
| The provided configuration contain the recommended rule options for running the both providers, but you can modify rule options parameters according to requirements. All available options can be found in: | ||
| - [managedk8s example configuration](../../example/config/managedk8s.yaml). | ||
|
|
||
| ### Running the DISA K8s STIGs Ruleset | ||
|
|
||
| To run diki against a Gardener shoot cluster, run the following command: | ||
|
|
||
| ```bash | ||
| diki run \ | ||
| --config=./example/guides/security-hardened-k8s-shoot.yaml \ | ||
| --provider=managedk8s \ | ||
| --ruleset-id=security-hardened-k8s \ | ||
| --ruleset-version=v0.1.0 \ | ||
| --output=security-hardened-k8s-shoot-report.json | ||
| ``` | ||
|
|
||
| ### Generating a Report | ||
|
|
||
| We can use the file generated in the previous step to create an html report by using the following command: | ||
|
|
||
| ```bash | ||
| diki report generate \ | ||
| --output=security-hardened-k8s-shoot-report.html \ | ||
| security-hardened-k8s-shoot-report.json | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,256 @@ | ||
| providers: | ||
| - id: managedk8s | ||
| name: "Managed Kubernetes" | ||
| metadata: | ||
| shootName: shoot-abcd | ||
| args: | ||
| kubeconfigPath: .kube/shoot.config # path to shoot admin kubeconfig | ||
| rulesets: | ||
| - id: security-hardened-k8s | ||
| name: Security Hardened Kubernetes Cluster | ||
| version: v0.1.0 | ||
| ruleOptions: | ||
| - ruleID: "2000" | ||
| skip: | ||
| enabled: true | ||
| justification: "System namespaces are allowed to have Ingress and Egress traffic configured" | ||
| - ruleID: "2003" | ||
| args: | ||
| acceptedPods: | ||
| - matchLabels: | ||
| resources.gardener.cloud/managed-by: gardener | ||
| gardener.cloud/role: system-component | ||
| k8s-app: calico-node | ||
| namespaceMatchLabels: | ||
| resources.gardener.cloud/managed-by: gardener | ||
| justification: "Gardener managed resources are allowed to use a wider range of volume types" | ||
| volumeNames: | ||
| - "lib-modules" | ||
| - "var-run-calico" | ||
| - "var-lib-calico" | ||
| - "xtables-lock" | ||
| - "cni-bin-dir" | ||
| - "cni-net-dit" | ||
| - "cni-log-dir" | ||
| - "policysync" | ||
| - "cni-net-dir" | ||
| - matchLabels: | ||
| app: kubernetes | ||
| origin: gardener | ||
| gardener.cloud/role: system-component | ||
| resources.gardener.cloud/managed-by: gardener | ||
| role: proxy | ||
| namespaceMatchLabels: | ||
| resources.gardener.cloud/managed-by: gardener | ||
| justification: "Gardener managed resources are allowed to use a wider range of volume types" | ||
| volumeNames: | ||
| - "ssl-certs-hosts" | ||
| - "systembussocket" | ||
| - "kernel-modules" | ||
| - "kube-proxy-dir" | ||
| - "kube-proxy-mode" | ||
| - matchLabels: | ||
| resources.gardener.cloud/managed-by: gardener | ||
| app: node-problem-detector | ||
| namespaceMatchLabels: | ||
| resources.gardener.cloud/managed-by: gardener | ||
| justification: "Gardener managed resources are allowed to use a wider range of volume types" | ||
| volumeNames: | ||
| - "log" | ||
| - "kmsg" | ||
| - "localtime" | ||
| - matchLabels: | ||
| resources.gardener.cloud/managed-by: gardener | ||
| component: node-exporter | ||
| namespaceMatchLabels: | ||
| resources.gardener.cloud/managed-by: gardener | ||
| justification: "Gardener managed resources are allowed to use a wider range of volume types" | ||
| volumeNames: | ||
| - "host" | ||
| - "textfile" | ||
| - "log" | ||
| - "kmsg" | ||
| - "localtime" | ||
| - matchLabels: | ||
| resources.gardener.cloud/managed-by: gardener | ||
| app: vpn-shoot | ||
| namespaceMatchLabels: | ||
| resources.gardener.cloud/managed-by: gardener | ||
| justification: "Gardener managed resources are allowed to use a wider range of volume types" | ||
| volumeNames: | ||
| - "dev-net-tun" | ||
| - matchLabels: | ||
| app: csi | ||
| resources.gardener.cloud/managed-by: gardener | ||
| namespaceMatchLabels: | ||
| resources.gardener.cloud/managed-by: gardener | ||
| justification: "Gardener managed resources are allowed to use a wider range of volume types" | ||
| volumeNames: | ||
| - "kubelet-dir" | ||
| - "plugin-dir" | ||
| - "registration-dir" | ||
| - "device-dir" | ||
| - matchLabels: | ||
| k8s-app: egress-filter-applier | ||
| gardener.cloud/role: system-component | ||
| resources.gardener.cloud/managed-by: gardener | ||
| namespaceMatchLabels: | ||
| resources.gardener.cloud/managed-by: gardener | ||
| justification: "Gardener managed resources are allowed to use a wider range of volume types" | ||
| volumeNames: | ||
| - "xtables-lock" | ||
| - matchLabels: | ||
| gardener.cloud/role: network-problem-detector | ||
| resources.gardener.cloud/managed-by: gardener | ||
| namespaceMatchLabels: | ||
| resources.gardener.cloud/managed-by: gardener | ||
| justification: "Gardener managed resources are allowed to use a wider range of volume types" | ||
| volumeNames: | ||
| - "output" | ||
| - "log" | ||
| - matchLabels: | ||
| k8s-app: node-local-dns | ||
| resources.gardener.cloud/managed-by: gardener | ||
| namespaceMatchLabels: | ||
| resources.gardener.cloud/managed-by: gardener | ||
| justification: "Gardener managed resources are allowed to use a wider range of volume types" | ||
| volumeNames: | ||
| - "xtables-lock" | ||
| - ruleID: "2005" | ||
| skip: | ||
| enabled: true | ||
| justification: "There is no specific list of required images present" | ||
| - ruleID: "2006" | ||
| args: | ||
| acceptedRoles: | ||
| - matchLabels: | ||
| resources.gardener.cloud/managed-by: gardener | ||
| namespaceMatchLabels: | ||
| resources.gardener.cloud/managed-by: gardener | ||
| justification: "Roles managed by Gardener are allowed to use wildcards in RBAC resources" | ||
| acceptedClusterRoles: | ||
| - matchLabels: | ||
| resources.gardener.cloud/managed-by: gardener | ||
| justification: "ClusterRoles managed by Gardener are allowed to use wildcards in RBAC resources" | ||
| - matchLabels: | ||
| kubernetes.io/bootstrapping: rbac-defaults | ||
| justification: "ClusterRoles managed by Gardener are allowed to use wildcards in RBAC verbs" | ||
| - ruleID: "2007" | ||
| args: | ||
| acceptedRoles: | ||
| - matchLabels: | ||
| resources.gardener.cloud/managed-by: gardener | ||
| namespaceMatchLabels: | ||
| resources.gardener.cloud/managed-by: gardener | ||
| justification: "ClusterRoles managed by Gardener are allowed to use wildcards in RBAC verbs" | ||
| acceptedClusterRoles: | ||
| - matchLabels: | ||
| resources.gardener.cloud/managed-by: gardener | ||
| justification: "ClusterRoles managed by Gardener are allowed to use wildcards in RBAC verbs" | ||
| - matchLabels: | ||
| kubernetes.io/bootstrapping: rbac-defaults | ||
| justification: "ClusterRoles managed by Gardener are allowed to use wildcards in RBAC verbs" | ||
| - ruleID: "2008" | ||
| args: | ||
| acceptedPods: | ||
| - matchLabels: | ||
| resources.gardener.cloud/managed-by: gardener | ||
| gardener.cloud/role: system-component | ||
| k8s-app: calico-node | ||
| namespaceMatchLabels: | ||
| resources.gardener.cloud/managed-by: gardener | ||
| justification: "Gardener managed resources are allowed to use a wider range of volume types" | ||
| volumeNames: | ||
| - "lib-modules" | ||
| - "var-run-calico" | ||
| - "var-lib-calico" | ||
| - "xtables-lock" | ||
| - "cni-bin-dir" | ||
| - "cni-net-dit" | ||
| - "cni-log-dir" | ||
| - "policysync" | ||
| - "cni-net-dir" | ||
| - matchLabels: | ||
| app: kubernetes | ||
| origin: gardener | ||
| gardener.cloud/role: system-component | ||
| resources.gardener.cloud/managed-by: gardener | ||
| role: proxy | ||
| namespaceMatchLabels: | ||
| resources.gardener.cloud/managed-by: gardener | ||
| justification: "Gardener managed resources are allowed to use a wider range of volume types" | ||
| volumeNames: | ||
| - "ssl-certs-hosts" | ||
| - "systembussocket" | ||
| - "kernel-modules" | ||
| - "kube-proxy-dir" | ||
| - "kube-proxy-mode" | ||
| - matchLabels: | ||
| resources.gardener.cloud/managed-by: gardener | ||
| app: node-problem-detector | ||
| namespaceMatchLabels: | ||
| resources.gardener.cloud/managed-by: gardener | ||
| justification: "Gardener managed resources are allowed to use a wider range of volume types" | ||
| volumeNames: | ||
| - "log" | ||
| - "kmsg" | ||
| - "localtime" | ||
| - matchLabels: | ||
| resources.gardener.cloud/managed-by: gardener | ||
| component: node-exporter | ||
| namespaceMatchLabels: | ||
| resources.gardener.cloud/managed-by: gardener | ||
| justification: "Gardener managed resources are allowed to use a wider range of volume types" | ||
| volumeNames: | ||
| - "host" | ||
| - "textfile" | ||
| - "log" | ||
| - "kmsg" | ||
| - "localtime" | ||
| - matchLabels: | ||
| resources.gardener.cloud/managed-by: gardener | ||
| app: vpn-shoot | ||
| namespaceMatchLabels: | ||
| resources.gardener.cloud/managed-by: gardener | ||
| justification: "Gardener managed resources are allowed to use a wider range of volume types" | ||
| volumeNames: | ||
| - "dev-net-tun" | ||
| - matchLabels: | ||
| app: csi | ||
| resources.gardener.cloud/managed-by: gardener | ||
| namespaceMatchLabels: | ||
| resources.gardener.cloud/managed-by: gardener | ||
| justification: "Gardener managed resources are allowed to use a wider range of volume types" | ||
| volumeNames: | ||
| - "kubelet-dir" | ||
| - "plugin-dir" | ||
| - "registration-dir" | ||
| - "device-dir" | ||
| - matchLabels: | ||
| k8s-app: egress-filter-applier | ||
| gardener.cloud/role: system-component | ||
| resources.gardener.cloud/managed-by: gardener | ||
| namespaceMatchLabels: | ||
| resources.gardener.cloud/managed-by: gardener | ||
| justification: "Gardener managed resources are allowed to use a wider range of volume types" | ||
| volumeNames: | ||
| - "xtables-lock" | ||
| - matchLabels: | ||
| gardener.cloud/role: network-problem-detector | ||
| resources.gardener.cloud/managed-by: gardener | ||
| namespaceMatchLabels: | ||
| resources.gardener.cloud/managed-by: gardener | ||
| justification: "Gardener managed resources are allowed to use a wider range of volume types" | ||
| volumeNames: | ||
| - "output" | ||
| - "log" | ||
| - matchLabels: | ||
| k8s-app: node-local-dns | ||
| resources.gardener.cloud/managed-by: gardener | ||
| namespaceMatchLabels: | ||
| resources.gardener.cloud/managed-by: gardener | ||
| justification: "Gardener managed resources are allowed to use a wider range of volume types" | ||
| volumeNames: | ||
| - "xtables-lock" | ||
| output: | ||
| minStatus: Passed |