diff --git a/docs/usage/security-hardened-k8s-shoot.md b/docs/usage/security-hardened-k8s-shoot.md
new file mode 100644
index 00000000..cc128e39
--- /dev/null
+++ b/docs/usage/security-hardened-k8s-shoot.md
@@ -0,0 +1,54 @@
+
+
+## Show Security Hardened Kubernetes Compliance for a Gardener Shoot Cluster
+
+### Introduction
+
+This part covers the topic of showing compliance with the Security Hardened Kubernetes Cluster for a Gardener shoot cluster. The guide features the `managedk8s` provider, which implements rules from the Security Hardened Kubernetes Cluster ruleset.
+
+The `managedk8s` provider assumes that the user running the ruleset does not have access to the environment (the seed in this particular case), in which the control plane components reside.
+
+### Prerequisites
+
+Make sure you have [diki installed](../../README.md#Installation) and have a running Gardener shoot cluster.
+
+We will be using the sample [Security Hardened Kubernetes Guide for Shoots configuration file](../../example/guides/security-hardened-k8s.md) for this run.
+
+### Configuration
+
+#### Configure the `managedk8s` provider
+
+Set the following arguments:
+- `providers[id=="managedk8s"].args.kubeconfigPath` pointing to a shoot admin kubeconfig.
+
+In case you need instructions on how to generate such a kubeconfig, please read [Accessing Shoot Clusters](https://github.com/gardener/gardener/blob/master/docs/usage/shoot/shoot_access.md).
+
+#### Additional configurations
+
+Additional metadata such as the shoot's name can also be included in the `providers[id=="managedk8s].metadata` section. The metadata section can be used to add additional context to different diki runs.
+
+The provided configuration contain the recommended rule options for running the both providers, but you can modify rule options parameters according to requirements. All available options can be found in:
+- [managedk8s example configuration](../../example/config/managedk8s.yaml).
+
+### Running the DISA K8s STIGs Ruleset
+
+To run diki against a Gardener shoot cluster, run the following command:
+
+```bash
+diki run \
+ --config=./example/guides/security-hardened-k8s-shoot.yaml \
+ --provider=managedk8s \
+ --ruleset-id=security-hardened-k8s \
+ --ruleset-version=v0.1.0 \
+ --output=security-hardened-k8s-shoot-report.json
+```
+
+### Generating a Report
+
+We can use the file generated in the previous step to create an html report by using the following command:
+
+```bash
+diki report generate \
+ --output=security-hardened-k8s-shoot-report.html \
+ security-hardened-k8s-shoot-report.json
+```
\ No newline at end of file
diff --git a/example/guides/security-hardened-k8s-shoot.yaml b/example/guides/security-hardened-k8s-shoot.yaml
new file mode 100644
index 00000000..f07590ef
--- /dev/null
+++ b/example/guides/security-hardened-k8s-shoot.yaml
@@ -0,0 +1,256 @@
+providers:
+- id: managedk8s
+ name: "Managed Kubernetes"
+ metadata:
+ shootName: shoot-abcd
+ args:
+ kubeconfigPath: .kube/shoot.config # path to shoot admin kubeconfig
+ rulesets:
+ - id: security-hardened-k8s
+ name: Security Hardened Kubernetes Cluster
+ version: v0.1.0
+ ruleOptions:
+ - ruleID: "2000"
+ skip:
+ enabled: true
+ justification: "System namespaces are allowed to have Ingress and Egress traffic configured"
+ - ruleID: "2003"
+ args:
+ acceptedPods:
+ - matchLabels:
+ resources.gardener.cloud/managed-by: gardener
+ gardener.cloud/role: system-component
+ k8s-app: calico-node
+ namespaceMatchLabels:
+ resources.gardener.cloud/managed-by: gardener
+ justification: "Gardener managed resources are allowed to use a wider range of volume types"
+ volumeNames:
+ - "lib-modules"
+ - "var-run-calico"
+ - "var-lib-calico"
+ - "xtables-lock"
+ - "cni-bin-dir"
+ - "cni-net-dit"
+ - "cni-log-dir"
+ - "policysync"
+ - "cni-net-dir"
+ - matchLabels:
+ app: kubernetes
+ origin: gardener
+ gardener.cloud/role: system-component
+ resources.gardener.cloud/managed-by: gardener
+ role: proxy
+ namespaceMatchLabels:
+ resources.gardener.cloud/managed-by: gardener
+ justification: "Gardener managed resources are allowed to use a wider range of volume types"
+ volumeNames:
+ - "ssl-certs-hosts"
+ - "systembussocket"
+ - "kernel-modules"
+ - "kube-proxy-dir"
+ - "kube-proxy-mode"
+ - matchLabels:
+ resources.gardener.cloud/managed-by: gardener
+ app: node-problem-detector
+ namespaceMatchLabels:
+ resources.gardener.cloud/managed-by: gardener
+ justification: "Gardener managed resources are allowed to use a wider range of volume types"
+ volumeNames:
+ - "log"
+ - "kmsg"
+ - "localtime"
+ - matchLabels:
+ resources.gardener.cloud/managed-by: gardener
+ component: node-exporter
+ namespaceMatchLabels:
+ resources.gardener.cloud/managed-by: gardener
+ justification: "Gardener managed resources are allowed to use a wider range of volume types"
+ volumeNames:
+ - "host"
+ - "textfile"
+ - "log"
+ - "kmsg"
+ - "localtime"
+ - matchLabels:
+ resources.gardener.cloud/managed-by: gardener
+ app: vpn-shoot
+ namespaceMatchLabels:
+ resources.gardener.cloud/managed-by: gardener
+ justification: "Gardener managed resources are allowed to use a wider range of volume types"
+ volumeNames:
+ - "dev-net-tun"
+ - matchLabels:
+ app: csi
+ resources.gardener.cloud/managed-by: gardener
+ namespaceMatchLabels:
+ resources.gardener.cloud/managed-by: gardener
+ justification: "Gardener managed resources are allowed to use a wider range of volume types"
+ volumeNames:
+ - "kubelet-dir"
+ - "plugin-dir"
+ - "registration-dir"
+ - "device-dir"
+ - matchLabels:
+ k8s-app: egress-filter-applier
+ gardener.cloud/role: system-component
+ resources.gardener.cloud/managed-by: gardener
+ namespaceMatchLabels:
+ resources.gardener.cloud/managed-by: gardener
+ justification: "Gardener managed resources are allowed to use a wider range of volume types"
+ volumeNames:
+ - "xtables-lock"
+ - matchLabels:
+ gardener.cloud/role: network-problem-detector
+ resources.gardener.cloud/managed-by: gardener
+ namespaceMatchLabels:
+ resources.gardener.cloud/managed-by: gardener
+ justification: "Gardener managed resources are allowed to use a wider range of volume types"
+ volumeNames:
+ - "output"
+ - "log"
+ - matchLabels:
+ k8s-app: node-local-dns
+ resources.gardener.cloud/managed-by: gardener
+ namespaceMatchLabels:
+ resources.gardener.cloud/managed-by: gardener
+ justification: "Gardener managed resources are allowed to use a wider range of volume types"
+ volumeNames:
+ - "xtables-lock"
+ - ruleID: "2005"
+ skip:
+ enabled: true
+ justification: "There is no specific list of required images present"
+ - ruleID: "2006"
+ args:
+ acceptedRoles:
+ - matchLabels:
+ resources.gardener.cloud/managed-by: gardener
+ namespaceMatchLabels:
+ resources.gardener.cloud/managed-by: gardener
+ justification: "Roles managed by Gardener are allowed to use wildcards in RBAC resources"
+ acceptedClusterRoles:
+ - matchLabels:
+ resources.gardener.cloud/managed-by: gardener
+ justification: "ClusterRoles managed by Gardener are allowed to use wildcards in RBAC resources"
+ - matchLabels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ justification: "ClusterRoles managed by Gardener are allowed to use wildcards in RBAC verbs"
+ - ruleID: "2007"
+ args:
+ acceptedRoles:
+ - matchLabels:
+ resources.gardener.cloud/managed-by: gardener
+ namespaceMatchLabels:
+ resources.gardener.cloud/managed-by: gardener
+ justification: "ClusterRoles managed by Gardener are allowed to use wildcards in RBAC verbs"
+ acceptedClusterRoles:
+ - matchLabels:
+ resources.gardener.cloud/managed-by: gardener
+ justification: "ClusterRoles managed by Gardener are allowed to use wildcards in RBAC verbs"
+ - matchLabels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ justification: "ClusterRoles managed by Gardener are allowed to use wildcards in RBAC verbs"
+ - ruleID: "2008"
+ args:
+ acceptedPods:
+ - matchLabels:
+ resources.gardener.cloud/managed-by: gardener
+ gardener.cloud/role: system-component
+ k8s-app: calico-node
+ namespaceMatchLabels:
+ resources.gardener.cloud/managed-by: gardener
+ justification: "Gardener managed resources are allowed to use a wider range of volume types"
+ volumeNames:
+ - "lib-modules"
+ - "var-run-calico"
+ - "var-lib-calico"
+ - "xtables-lock"
+ - "cni-bin-dir"
+ - "cni-net-dit"
+ - "cni-log-dir"
+ - "policysync"
+ - "cni-net-dir"
+ - matchLabels:
+ app: kubernetes
+ origin: gardener
+ gardener.cloud/role: system-component
+ resources.gardener.cloud/managed-by: gardener
+ role: proxy
+ namespaceMatchLabels:
+ resources.gardener.cloud/managed-by: gardener
+ justification: "Gardener managed resources are allowed to use a wider range of volume types"
+ volumeNames:
+ - "ssl-certs-hosts"
+ - "systembussocket"
+ - "kernel-modules"
+ - "kube-proxy-dir"
+ - "kube-proxy-mode"
+ - matchLabels:
+ resources.gardener.cloud/managed-by: gardener
+ app: node-problem-detector
+ namespaceMatchLabels:
+ resources.gardener.cloud/managed-by: gardener
+ justification: "Gardener managed resources are allowed to use a wider range of volume types"
+ volumeNames:
+ - "log"
+ - "kmsg"
+ - "localtime"
+ - matchLabels:
+ resources.gardener.cloud/managed-by: gardener
+ component: node-exporter
+ namespaceMatchLabels:
+ resources.gardener.cloud/managed-by: gardener
+ justification: "Gardener managed resources are allowed to use a wider range of volume types"
+ volumeNames:
+ - "host"
+ - "textfile"
+ - "log"
+ - "kmsg"
+ - "localtime"
+ - matchLabels:
+ resources.gardener.cloud/managed-by: gardener
+ app: vpn-shoot
+ namespaceMatchLabels:
+ resources.gardener.cloud/managed-by: gardener
+ justification: "Gardener managed resources are allowed to use a wider range of volume types"
+ volumeNames:
+ - "dev-net-tun"
+ - matchLabels:
+ app: csi
+ resources.gardener.cloud/managed-by: gardener
+ namespaceMatchLabels:
+ resources.gardener.cloud/managed-by: gardener
+ justification: "Gardener managed resources are allowed to use a wider range of volume types"
+ volumeNames:
+ - "kubelet-dir"
+ - "plugin-dir"
+ - "registration-dir"
+ - "device-dir"
+ - matchLabels:
+ k8s-app: egress-filter-applier
+ gardener.cloud/role: system-component
+ resources.gardener.cloud/managed-by: gardener
+ namespaceMatchLabels:
+ resources.gardener.cloud/managed-by: gardener
+ justification: "Gardener managed resources are allowed to use a wider range of volume types"
+ volumeNames:
+ - "xtables-lock"
+ - matchLabels:
+ gardener.cloud/role: network-problem-detector
+ resources.gardener.cloud/managed-by: gardener
+ namespaceMatchLabels:
+ resources.gardener.cloud/managed-by: gardener
+ justification: "Gardener managed resources are allowed to use a wider range of volume types"
+ volumeNames:
+ - "output"
+ - "log"
+ - matchLabels:
+ k8s-app: node-local-dns
+ resources.gardener.cloud/managed-by: gardener
+ namespaceMatchLabels:
+ resources.gardener.cloud/managed-by: gardener
+ justification: "Gardener managed resources are allowed to use a wider range of volume types"
+ volumeNames:
+ - "xtables-lock"
+output:
+ minStatus: Passed
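Review bot: The justification strings under rules 2006 and 2007 do not match the entries they annotate: the `kubernetes.io/bootstrapping: rbac-defaults` ClusterRole entry is described as "managed by Gardener" in both rules, the 2006 entry for it says "wildcards in RBAC verbs" while the other 2006 entries say "RBAC resources", and the 2007 `acceptedRoles` entry says "ClusterRoles" although it matches namespaced Roles. These strings are the auditable rationale for each exemption in the generated report, so each should state the actual reason, e.g. `justification: "Kubernetes bootstrap ClusterRoles are allowed to use wildcards in RBAC resources"` for the rbac-defaults entry under 2006. Separately, `"cni-net-dit"` in the calico-node `volumeNames` list of rules 2003 and 2008 looks like a typo of `"cni-net-dir"`, which is already listed, so it is a dead entry that can be dropped. Note also that every `acceptedPods` entry is keyed on pod and namespace labels alone; whether diki additionally checks ownership of the matched pods is not visible from this file, so a reader of the report should treat these acceptances as label-based exemptions rather than proof that the pod is Gardener-managed.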