gardener · georgibaltiev · Dec 13, 2024 · Dec 13, 2024
@@ -0,0 +1,54 @@
+
+
+## Show Security Hardened Kubernetes Compliance for a Gardener Shoot Cluster
+
+### Introduction
+
+This part covers the topic of showing compliance with the Security Hardened Kubernetes Cluster for a Gardener shoot cluster. The guide features the `managedk8s` provider, which implements rules from the Security Hardened Kubernetes Cluster ruleset.
+
+The `managedk8s` provider assumes that the user running the ruleset does not have access to the environment (the seed in this particular case), in which the control plane components reside.
+
+### Prerequisites
+
+Make sure you have [diki installed](../../README.md#Installation) and have a running Gardener shoot cluster.
+
+We will be using the sample [Security Hardened Kubernetes Guide for Shoots configuration file](../../example/guides/security-hardened-k8s.md) for this run.
+
+### Configuration
+
+#### Configure the `managedk8s` provider
+
+Set the following arguments:
+- `providers[id=="managedk8s"].args.kubeconfigPath` pointing to a shoot admin kubeconfig.
+
+In case you need instructions on how to generate such a kubeconfig, please read [Accessing Shoot Clusters](https://github.com/gardener/gardener/blob/master/docs/usage/shoot/shoot_access.md).
+
+#### Additional configurations
+
+Additional metadata such as the shoot's name can also be included in the `providers[id=="managedk8s].metadata` section. The metadata section can be used to add additional context to different diki runs.
+
+The provided configuration contain the recommended rule options for running the both providers, but you can modify rule options parameters according to requirements. All available options can be found in:
+- [managedk8s example configuration](../../example/config/managedk8s.yaml).
+
+### Running the DISA K8s STIGs Ruleset
+
+To run diki against a Gardener shoot cluster, run the following command:
+
+```bash
+diki run \
+    --config=./example/guides/security-hardened-k8s-shoot.yaml \
+    --provider=managedk8s \
+    --ruleset-id=security-hardened-k8s \
+    --ruleset-version=v0.1.0 \
+    --output=security-hardened-k8s-shoot-report.json
+```
+
+### Generating a Report
+
+We can use the file generated in the previous step to create an html report by using the following command:
+
+```bash
+diki report generate \
+    --output=security-hardened-k8s-shoot-report.html \
+    security-hardened-k8s-shoot-report.json
+```
@@ -0,0 +1,248 @@
+providers:
+- id: managedk8s
+  name: "Managed Kubernetes"
+  metadata:
+    shootName: shoot-abcd
+  args:
+    kubeconfigPath: /shoot-abcd-access/kubeconfig  # path to shoot admin kubeconfig
+  rulesets:
+  - id: security-hardened-k8s
+    name: Security Hardened Kubernetes Cluster
+    version: v0.1.0
+    ruleOptions:
+    - ruleID: "2003"
+      args:
+        acceptedPods:
+        - matchLabels:
+            resources.gardener.cloud/managed-by: gardener
+            gardener.cloud/role: system-component
+            k8s-app: calico-node
+          namespaceMatchLabels:
+            resources.gardener.cloud/managed-by: gardener
+          justification: "Gardener managed resources are allowed to use a wider range of volume types"
+          volumeNames:
+          - "lib-modules"
+          - "var-run-calico"
+          - "var-lib-calico"
+          - "xtables-lock"
+          - "cni-bin-dir"
+          - "cni-net-dit"
+          - "cni-log-dir"
+          - "policysync"
+          - "cni-net-dir"
+        - matchLabels:
+            app: kubernetes
+            origin: gardener
+            gardener.cloud/role: system-component
+            resources.gardener.cloud/managed-by: gardener
+            role: proxy
+          namespaceMatchLabels:
+            resources.gardener.cloud/managed-by: gardener
+          justification: "Gardener managed resources are allowed to use a wider range of volume types"
+          volumeNames:
+          - "ssl-certs-hosts"
+          - "systembussocket"
+          - "kernel-modules"
+          - "kube-proxy-dir"
+          - "kube-proxy-mode"
+        - matchLabels:
+            resources.gardener.cloud/managed-by: gardener
+            app: node-problem-detector
+          namespaceMatchLabels:
+            resources.gardener.cloud/managed-by: gardener
+          justification: "Gardener managed resources are allowed to use a wider range of volume types"
+          volumeNames:
+          - "log"
+          - "kmsg"
+          - "localtime"
+        - matchLabels:
+            resources.gardener.cloud/managed-by: gardener
+            component: node-exporter
+          namespaceMatchLabels:
+            resources.gardener.cloud/managed-by: gardener
+          justification: "Gardener managed resources are allowed to use a wider range of volume types"
+          volumeNames:
+          - "host"
+          - "textfile"
+          - "log"
+          - "kmsg"
+          - "localtime"
+        - matchLabels:
+            resources.gardener.cloud/managed-by: gardener
+            app: vpn-shoot
+          namespaceMatchLabels:
+            resources.gardener.cloud/managed-by: gardener
+          justification: "Gardener managed resources are allowed to use a wider range of volume types"
+          volumeNames:
+          - "dev-net-tun"
+        - matchLabels:
+            app: csi
+            resources.gardener.cloud/managed-by: gardener
+          namespaceMatchLabels:
+            resources.gardener.cloud/managed-by: gardener
+          justification: "Gardener managed resources are allowed to use a wider range of volume types"
+          volumeNames:
+          - "kubelet-dir"
+          - "plugin-dir"
+          - "registration-dir"
+          - "device-dir"
+        - matchLabels:
+            k8s-app: egress-filter-applier
+            gardener.cloud/role: system-component
+            resources.gardener.cloud/managed-by: gardener
+          namespaceMatchLabels:
+            resources.gardener.cloud/managed-by: gardener
+          justification: "Gardener managed resources are allowed to use a wider range of volume types"
+          volumeNames:
+          - "xtables-lock"
+        - matchLabels:
+            gardener.cloud/role: network-problem-detector
+            resources.gardener.cloud/managed-by: gardener
+          namespaceMatchLabels:
+            resources.gardener.cloud/managed-by: gardener
+          justification: "Gardener managed resources are allowed to use a wider range of volume types"
+          volumeNames:
+          - "output"
+          - "log"
+        - matchLabels:
+            k8s-app: node-local-dns
+            resources.gardener.cloud/managed-by: gardener
+          namespaceMatchLabels:
+            resources.gardener.cloud/managed-by: gardener
+          justification: "Gardener managed resources are allowed to use a wider range of volume types"
+          volumeNames:
+          - "xtables-lock"
+    - ruleID: "2006"
+      args:
+        acceptedRoles:
+        - matchLabels:
+            resources.gardener.cloud/managed-by: gardener
+          namespaceMatchLabels:
+            resources.gardener.cloud/managed-by: gardener
+          justification: "Roles managed by Gardener are allowed to use wildcards in RBAC resources"
+        acceptedClusterRoles:
+        - matchLabels:
+            resources.gardener.cloud/managed-by: gardener
+          justification: "ClusterRoles managed by Gardener are allowed to use wildcards in RBAC resources"
+        - matchLabels:
+             kubernetes.io/bootstrapping: rbac-defaults
+          justification: "ClusterRoles managed by Gardener are allowed to use wildcards in RBAC verbs"
+    - ruleID: "2007"
+      args:
+        acceptedRoles:
+        - matchLabels:
+            resources.gardener.cloud/managed-by: gardener
+          namespaceMatchLabels:
+            resources.gardener.cloud/managed-by: gardener
+          justification: "ClusterRoles managed by Gardener are allowed to use wildcards in RBAC verbs"
+        acceptedClusterRoles:
+        - matchLabels:
+            resources.gardener.cloud/managed-by: gardener
+          justification: "ClusterRoles managed by Gardener are allowed to use wildcards in RBAC verbs"
+        - matchLabels:
+             kubernetes.io/bootstrapping: rbac-defaults
+          justification: "ClusterRoles managed by Gardener are allowed to use wildcards in RBAC verbs"
+    - ruleID: "2008"
+      args:
+        acceptedPods:
+        - matchLabels:
+            resources.gardener.cloud/managed-by: gardener
+            gardener.cloud/role: system-component
+            k8s-app: calico-node
+          namespaceMatchLabels:
+            resources.gardener.cloud/managed-by: gardener
+          justification: "Gardener managed resources are allowed to use a wider range of volume types"
+          volumeNames:
+          - "lib-modules"
+          - "var-run-calico"
+          - "var-lib-calico"
+          - "xtables-lock"
+          - "cni-bin-dir"
+          - "cni-net-dit"
+          - "cni-log-dir"
+          - "policysync"
+          - "cni-net-dir"
+        - matchLabels:
+            app: kubernetes
+            origin: gardener
+            gardener.cloud/role: system-component
+            resources.gardener.cloud/managed-by: gardener
+            role: proxy
+          namespaceMatchLabels:
+            resources.gardener.cloud/managed-by: gardener
+          justification: "Gardener managed resources are allowed to use a wider range of volume types"
+          volumeNames:
+          - "ssl-certs-hosts"
+          - "systembussocket"
+          - "kernel-modules"
+          - "kube-proxy-dir"
+          - "kube-proxy-mode"
+        - matchLabels:
+            resources.gardener.cloud/managed-by: gardener
+            app: node-problem-detector
+          namespaceMatchLabels:
+            resources.gardener.cloud/managed-by: gardener
+          justification: "Gardener managed resources are allowed to use a wider range of volume types"
+          volumeNames:
+          - "log"
+          - "kmsg"
+          - "localtime"
+        - matchLabels:
+            resources.gardener.cloud/managed-by: gardener
+            component: node-exporter
+          namespaceMatchLabels:
+            resources.gardener.cloud/managed-by: gardener
+          justification: "Gardener managed resources are allowed to use a wider range of volume types"
+          volumeNames:
+          - "host"
+          - "textfile"
+          - "log"
+          - "kmsg"
+          - "localtime"
+        - matchLabels:
+            resources.gardener.cloud/managed-by: gardener
+            app: vpn-shoot
+          namespaceMatchLabels:
+            resources.gardener.cloud/managed-by: gardener
+          justification: "Gardener managed resources are allowed to use a wider range of volume types"
+          volumeNames:
+          - "dev-net-tun"
+        - matchLabels:
+            app: csi
+            resources.gardener.cloud/managed-by: gardener
+          namespaceMatchLabels:
+            resources.gardener.cloud/managed-by: gardener
+          justification: "Gardener managed resources are allowed to use a wider range of volume types"
+          volumeNames:
+          - "kubelet-dir"
+          - "plugin-dir"
+          - "registration-dir"
+          - "device-dir"
+        - matchLabels:
+            k8s-app: egress-filter-applier
+            gardener.cloud/role: system-component
+            resources.gardener.cloud/managed-by: gardener
+          namespaceMatchLabels:
+            resources.gardener.cloud/managed-by: gardener
+          justification: "Gardener managed resources are allowed to use a wider range of volume types"
+          volumeNames:
+          - "xtables-lock"
+        - matchLabels:
+            gardener.cloud/role: network-problem-detector
+            resources.gardener.cloud/managed-by: gardener
+          namespaceMatchLabels:
+            resources.gardener.cloud/managed-by: gardener
+          justification: "Gardener managed resources are allowed to use a wider range of volume types"
+          volumeNames:
+          - "output"
+          - "log"
+        - matchLabels:
+            k8s-app: node-local-dns
+            resources.gardener.cloud/managed-by: gardener
+          namespaceMatchLabels:
+            resources.gardener.cloud/managed-by: gardener
+          justification: "Gardener managed resources are allowed to use a wider range of volume types"
+          volumeNames:
+          - "xtables-lock"
+output:
+  minStatus: Passed