From 3081c522e51c36a3a9bcc71457bef24f6b4e123f Mon Sep 17 00:00:00 2001
From: georgibaltiev
Date: Fri, 13 Dec 2024 12:22:36 +0200
Subject: [PATCH 1/3] Add documents
---
docs/usage/security-hardened-k8s-shoot.md | 54 ++++
.../guides/security-hardened-k8s-shoot.yaml | 256 ++++++++++++++++++
2 files changed, 310 insertions(+)
create mode 100644 docs/usage/security-hardened-k8s-shoot.md
create mode 100644 example/guides/security-hardened-k8s-shoot.yaml
diff --git a/docs/usage/security-hardened-k8s-shoot.md b/docs/usage/security-hardened-k8s-shoot.md
new file mode 100644
index 00000000..cc128e39
--- /dev/null
+++ b/docs/usage/security-hardened-k8s-shoot.md
@@ -0,0 +1,54 @@ + + +## Show Security Hardened Kubernetes Compliance for a Gardener Shoot Cluster + +### Introduction + +This part covers the topic of showing compliance with the Security Hardened Kubernetes Cluster for a Gardener shoot cluster. The guide features the `managedk8s` provider, which implements rules from the Security Hardened Kubernetes Cluster ruleset. + +The `managedk8s` provider assumes that the user running the ruleset does not have access to the environment (the seed in this particular case), in which the control plane components reside. + +### Prerequisites + +Make sure you have [diki installed](../../README.md#Installation) and have a running Gardener shoot cluster. + +We will be using the sample [Security Hardened Kubernetes Guide for Shoots configuration file](../../example/guides/security-hardened-k8s.md) for this run. + +### Configuration + +#### Configure the `managedk8s` provider + +Set the following arguments: +- `providers[id=="managedk8s"].args.kubeconfigPath` pointing to a shoot admin kubeconfig. + +In case you need instructions on how to generate such a kubeconfig, please read [Accessing Shoot Clusters](https://github.com/gardener/gardener/blob/master/docs/usage/shoot/shoot_access.md). + +#### Additional configurations + +Additional metadata such as the shoot's name can also be included in the `providers[id=="managedk8s].metadata` section. The metadata section can be used to add additional context to different diki runs. + +The provided configuration contain the recommended rule options for running the both providers, but you can modify rule options parameters according to requirements. All available options can be found in: +- [managedk8s example configuration](../../example/config/managedk8s.yaml). 
+ +### Running the DISA K8s STIGs Ruleset + +To run diki against a Gardener shoot cluster, run the following command: + +```bash +diki run \ + --config=./example/guides/security-hardened-k8s-shoot.yaml \ + --provider=managedk8s \ + --ruleset-id=security-hardened-k8s \ + --ruleset-version=v0.1.0 \ + --output=security-hardened-k8s-shoot-report.json +``` + +### Generating a Report + +We can use the file generated in the previous step to create an html report by using the following command: + +```bash +diki report generate \ + --output=security-hardened-k8s-shoot-report.html \ + security-hardened-k8s-shoot-report.json +``` \ No newline at end of file diff --git a/example/guides/security-hardened-k8s-shoot.yaml b/example/guides/security-hardened-k8s-shoot.yaml new file mode 100644 index 00000000..f07590ef --- /dev/null +++ b/example/guides/security-hardened-k8s-shoot.yaml 
@@ -0,0 +1,256 @@ +providers: +- id: managedk8s + name: "Managed Kubernetes" + metadata: + shootName: shoot-abcd + args: + kubeconfigPath: .kube/shoot.config # path to shoot admin kubeconfig + rulesets: + - id: security-hardened-k8s + name: Security Hardened Kubernetes Cluster + version: v0.1.0 + ruleOptions: + - ruleID: "2000" + skip: + enabled: true + justification: "System namespaces are allowed to have Ingress and Egress traffic configured" + - ruleID: "2003" + args: + acceptedPods: + - matchLabels: + resources.gardener.cloud/managed-by: gardener + gardener.cloud/role: system-component + k8s-app: calico-node + namespaceMatchLabels: + resources.gardener.cloud/managed-by: gardener + justification: "Gardener managed resources are allowed to use a wider range of volume types" + volumeNames: + - "lib-modules" + - "var-run-calico" + - "var-lib-calico" + - "xtables-lock" + - "cni-bin-dir" + - "cni-net-dit" + - "cni-log-dir" + - "policysync" + - "cni-net-dir" + - matchLabels: + app: kubernetes + origin: gardener + gardener.cloud/role: system-component + resources.gardener.cloud/managed-by: gardener + role: proxy + namespaceMatchLabels: + resources.gardener.cloud/managed-by: gardener + justification: "Gardener managed resources are allowed to use a wider range of volume types" + volumeNames: + - "ssl-certs-hosts" + - "systembussocket" + - "kernel-modules" + - "kube-proxy-dir" + - "kube-proxy-mode" + - matchLabels: + resources.gardener.cloud/managed-by: gardener + app: node-problem-detector + namespaceMatchLabels: + resources.gardener.cloud/managed-by: gardener + justification: "Gardener managed resources are allowed to use a wider range of volume types" + volumeNames: + - "log" + - "kmsg" + - "localtime" + - matchLabels: + resources.gardener.cloud/managed-by: gardener + component: node-exporter + namespaceMatchLabels: + resources.gardener.cloud/managed-by: gardener + justification: "Gardener managed resources are allowed to use a wider range of volume types" + 
volumeNames: + - "host" + - "textfile" + - "log" + - "kmsg" + - "localtime" + - matchLabels: + resources.gardener.cloud/managed-by: gardener + app: vpn-shoot + namespaceMatchLabels: + resources.gardener.cloud/managed-by: gardener + justification: "Gardener managed resources are allowed to use a wider range of volume types" + volumeNames: + - "dev-net-tun" + - matchLabels: + app: csi + resources.gardener.cloud/managed-by: gardener + namespaceMatchLabels: + resources.gardener.cloud/managed-by: gardener + justification: "Gardener managed resources are allowed to use a wider range of volume types" + volumeNames: + - "kubelet-dir" + - "plugin-dir" + - "registration-dir" + - "device-dir" + - matchLabels: + k8s-app: egress-filter-applier + gardener.cloud/role: system-component + resources.gardener.cloud/managed-by: gardener + namespaceMatchLabels: + resources.gardener.cloud/managed-by: gardener + justification: "Gardener managed resources are allowed to use a wider range of volume types" + volumeNames: + - "xtables-lock" + - matchLabels: + gardener.cloud/role: network-problem-detector + resources.gardener.cloud/managed-by: gardener + namespaceMatchLabels: + resources.gardener.cloud/managed-by: gardener + justification: "Gardener managed resources are allowed to use a wider range of volume types" + volumeNames: + - "output" + - "log" + - matchLabels: + k8s-app: node-local-dns + resources.gardener.cloud/managed-by: gardener + namespaceMatchLabels: + resources.gardener.cloud/managed-by: gardener + justification: "Gardener managed resources are allowed to use a wider range of volume types" + volumeNames: + - "xtables-lock" + - ruleID: "2005" + skip: + enabled: true + justification: "There is no specific list of required images present" + - ruleID: "2006" + args: + acceptedRoles: + - matchLabels: + resources.gardener.cloud/managed-by: gardener + namespaceMatchLabels: + resources.gardener.cloud/managed-by: gardener + justification: "Roles managed by Gardener are allowed to use 
wildcards in RBAC resources" + acceptedClusterRoles: + - matchLabels: + resources.gardener.cloud/managed-by: gardener + justification: "ClusterRoles managed by Gardener are allowed to use wildcards in RBAC resources" + - matchLabels: + kubernetes.io/bootstrapping: rbac-defaults + justification: "ClusterRoles managed by Gardener are allowed to use wildcards in RBAC verbs" + - ruleID: "2007" + args: + acceptedRoles: + - matchLabels: + resources.gardener.cloud/managed-by: gardener + namespaceMatchLabels: + resources.gardener.cloud/managed-by: gardener + justification: "ClusterRoles managed by Gardener are allowed to use wildcards in RBAC verbs" + acceptedClusterRoles: + - matchLabels: + resources.gardener.cloud/managed-by: gardener + justification: "ClusterRoles managed by Gardener are allowed to use wildcards in RBAC verbs" + - matchLabels: + kubernetes.io/bootstrapping: rbac-defaults + justification: "ClusterRoles managed by Gardener are allowed to use wildcards in RBAC verbs" + - ruleID: "2008" + args: + acceptedPods: + - matchLabels: + resources.gardener.cloud/managed-by: gardener + gardener.cloud/role: system-component + k8s-app: calico-node + namespaceMatchLabels: + resources.gardener.cloud/managed-by: gardener + justification: "Gardener managed resources are allowed to use a wider range of volume types" + volumeNames: + - "lib-modules" + - "var-run-calico" + - "var-lib-calico" + - "xtables-lock" + - "cni-bin-dir" + - "cni-net-dit" + - "cni-log-dir" + - "policysync" + - "cni-net-dir" + - matchLabels: + app: kubernetes + origin: gardener + gardener.cloud/role: system-component + resources.gardener.cloud/managed-by: gardener + role: proxy + namespaceMatchLabels: + resources.gardener.cloud/managed-by: gardener + justification: "Gardener managed resources are allowed to use a wider range of volume types" + volumeNames: + - "ssl-certs-hosts" + - "systembussocket" + - "kernel-modules" + - "kube-proxy-dir" + - "kube-proxy-mode" + - matchLabels: + 
resources.gardener.cloud/managed-by: gardener + app: node-problem-detector + namespaceMatchLabels: + resources.gardener.cloud/managed-by: gardener + justification: "Gardener managed resources are allowed to use a wider range of volume types" + volumeNames: + - "log" + - "kmsg" + - "localtime" + - matchLabels: + resources.gardener.cloud/managed-by: gardener + component: node-exporter + namespaceMatchLabels: + resources.gardener.cloud/managed-by: gardener + justification: "Gardener managed resources are allowed to use a wider range of volume types" + volumeNames: + - "host" + - "textfile" + - "log" + - "kmsg" + - "localtime" + - matchLabels: + resources.gardener.cloud/managed-by: gardener + app: vpn-shoot + namespaceMatchLabels: + resources.gardener.cloud/managed-by: gardener + justification: "Gardener managed resources are allowed to use a wider range of volume types" + volumeNames: + - "dev-net-tun" + - matchLabels: + app: csi + resources.gardener.cloud/managed-by: gardener + namespaceMatchLabels: + resources.gardener.cloud/managed-by: gardener + justification: "Gardener managed resources are allowed to use a wider range of volume types" + volumeNames: + - "kubelet-dir" + - "plugin-dir" + - "registration-dir" + - "device-dir" + - matchLabels: + k8s-app: egress-filter-applier + gardener.cloud/role: system-component + resources.gardener.cloud/managed-by: gardener + namespaceMatchLabels: + resources.gardener.cloud/managed-by: gardener + justification: "Gardener managed resources are allowed to use a wider range of volume types" + volumeNames: + - "xtables-lock" + - matchLabels: + gardener.cloud/role: network-problem-detector + resources.gardener.cloud/managed-by: gardener + namespaceMatchLabels: + resources.gardener.cloud/managed-by: gardener + justification: "Gardener managed resources are allowed to use a wider range of volume types" + volumeNames: + - "output" + - "log" + - matchLabels: + k8s-app: node-local-dns + resources.gardener.cloud/managed-by: gardener + 
namespaceMatchLabels: + resources.gardener.cloud/managed-by: gardener + justification: "Gardener managed resources are allowed to use a wider range of volume types" + volumeNames: + - "xtables-lock" +output: + minStatus: Passed From 0d5227445c8f23713dfd4f712ff5bb09cf5f1008 Mon Sep 17 00:00:00 2001 From: georgibaltiev Date: Fri, 13 Dec 2024 13:27:57 +0200 Subject: [PATCH 2/3] Remove skipped rules --- example/guides/security-hardened-k8s-shoot.yaml | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/example/guides/security-hardened-k8s-shoot.yaml b/example/guides/security-hardened-k8s-shoot.yaml index f07590ef..6f3e221c 100644 --- a/example/guides/security-hardened-k8s-shoot.yaml +++ b/example/guides/security-hardened-k8s-shoot.yaml @@ -4,16 +4,12 @@ providers: metadata: shootName: shoot-abcd args: - kubeconfigPath: .kube/shoot.config # path to shoot admin kubeconfig + kubeconfigPath: /shoot-abcd-access/kubeconfig # path to shoot admin kubeconfig rulesets: - id: security-hardened-k8s name: Security Hardened Kubernetes Cluster version: v0.1.0 ruleOptions: - - ruleID: "2000" - skip: - enabled: true - justification: "System namespaces are allowed to have Ingress and Egress traffic configured" - ruleID: "2003" args: acceptedPods: @@ -116,10 +112,6 @@ providers: justification: "Gardener managed resources are allowed to use a wider range of volume types" volumeNames: - "xtables-lock" - - ruleID: "2005" - skip: - enabled: true - justification: "There is no specific list of required images present" - ruleID: "2006" args: acceptedRoles: From e60686edba629d0116fe8944b5ebabd70aee04e8 Mon Sep 17 00:00:00 2001 From: georgibaltiev Date: Mon, 16 Dec 2024 10:05:15 +0200 Subject: [PATCH 3/3] Fix link pointing to the example configuration --- docs/usage/security-hardened-k8s-shoot.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
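Review bot: The calico-node `volumeNames` list under rule "2003" (and its identical copy under rule "2008") contains `"cni-net-dit"` next to `"cni-net-dir"`; the former looks like a typo of the latter and, if so, is a dead entry that should be dropped so the accepted-volume allowlist stays exact. The justifications are copy-pasted in places where they no longer describe the excused resource: the rule "2007" `acceptedRoles` entry reads `ClusterRoles managed by Gardener are allowed to use wildcards in RBAC verbs` although it matches Roles, and the `kubernetes.io/bootstrapping: rbac-defaults` entries under "2006" and "2007" claim `ClusterRoles managed by Gardener` even though that label marks Kubernetes' own bootstrap defaults rather than Gardener-managed objects (the 2006 one additionally says `RBAC verbs` while the rest of 2006 speaks of `RBAC resources`). Since these strings presumably land in the generated report as the audit rationale, each should name what it actually excuses, e.g. `justification: "Roles managed by Gardener are allowed to use wildcards in RBAC verbs"` and `justification: "Default Kubernetes bootstrap ClusterRoles are allowed to use wildcards in RBAC verbs"`. A short comment above the first `acceptedPods` would also help readers: the exceptions appear to be keyed purely on pod and namespace labels such as `resources.gardener.cloud/managed-by: gardener`, so the allowlist presumably covers any pod that carries those labels, not only Gardener's own components — worth confirming against the rule implementation and stating in the example.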
diff --git a/docs/usage/security-hardened-k8s-shoot.md b/docs/usage/security-hardened-k8s-shoot.md index cc128e39..9cb55a0f 100644 --- a/docs/usage/security-hardened-k8s-shoot.md +++ b/docs/usage/security-hardened-k8s-shoot.md @@ -12,7 +12,7 @@ The `managedk8s` provider assumes that the user running the ruleset does not hav Make sure you have [diki installed](../../README.md#Installation) and have a running Gardener shoot cluster. -We will be using the sample [Security Hardened Kubernetes Guide for Shoots configuration file](../../example/guides/security-hardened-k8s.md) for this run. +We will be using the sample [Security Hardened Kubernetes Guide for Shoots configuration file](../../example/guides/security-hardened-k8s-shoot.yaml) for this run. ### Configuration