Releases: gardener/diki

v0.13.0

09 Dec 15:19

⚠️ Breaking Changes

  • [USER] Argument minPodSecurityLevel for rule 254800 from the disa-k8s-stig ruleset for provider gardener was renamed to minPodSecurityStandardsProfile. by @georgibaltiev [#374]

✨ New Features

  • [USER] Rules can now specify severity level. by @georgibaltiev [#352]
  • [USER] Implementation for rule 2001 from the security-hardened-k8s ruleset for provider managedk8s. by @AleksandarSavchev [#375]
  • [USER] Implementation for rule 2000 from the security-hardened-k8s ruleset for provider managedk8s. by @AleksandarSavchev [#383]
  • [USER] Implementation for rule 2007 from the security-hardened-k8s ruleset for provider managedk8s. by @georgibaltiev [#389]
  • [USER] Implementation for rule 2002 from the security-hardened-shoot-cluster ruleset for provider garden. by @georgibaltiev [#360]
  • [USER] Implementation for rule 2002 from the security-hardened-k8s ruleset for provider managedk8s. by @georgibaltiev [#387]
  • [USER] Implementation for rule 2003 from the security-hardened-k8s ruleset for provider managedk8s. by @georgibaltiev [#391]
  • [USER] Implementation for rule 2006 from the security-hardened-k8s ruleset for provider managedk8s. by @AleksandarSavchev [#382]
  • [USER] Implementation for rule 2006 from the security-hardened-shoot-cluster ruleset for provider garden. by @georgibaltiev [#366]
  • [USER] Implementation for rule 2004 from the security-hardened-k8s ruleset for provider managedk8s. by @AleksandarSavchev [#376]
  • [USER] Implementation for rule 2000 from the security-hardened-shoot-cluster ruleset for provider garden. by @georgibaltiev [#362]
  • [USER] Severity level has been set to all current rules. by @georgibaltiev [#354]
  • [USER] Implementation for rule 2008 from the security-hardened-k8s ruleset for provider managedk8s. by @AleksandarSavchev [#371]
  • [USER] Implementation for rule 2007 from the security-hardened-shoot-cluster ruleset for provider garden. by @georgibaltiev [#374]
  • [USER] Implementation for rule 2005 from the security-hardened-k8s ruleset for provider managedk8s. by @AleksandarSavchev [#380]
  • [USER] Implementation for rule 1000 from the security-hardened-shoot-cluster ruleset for provider garden. by @georgibaltiev [#381]
  • [USER] Implementation for rule 2001 from the security-hardened-shoot-cluster ruleset for provider garden. by @georgibaltiev [#358]
  • [USER] Implementation for rule 2004 from the security-hardened-shoot-cluster ruleset for provider garden. by @georgibaltiev [#365]
  • [USER] Implementation for rule 2005 from the security-hardened-shoot-cluster ruleset for provider garden. by @georgibaltiev [#363]

🐛 Bug Fixes

  • [USER] A bug causing some rules to error when they encounter a Pod without an OwnerReference has been fixed. by @AleksandarSavchev [#399]

🏃 Others

  • [USER] Rule 242418 from DISA K8s STIG was revisited to fail when insecure TLS ciphers are configured for the kube-apiserver. by @AleksandarSavchev [#390]
  • [OPERATOR] Pods created by diki will be terminated 300 seconds after start. by @dimityrmirchev [#364]

Docker Images

  • diki-ops: europe-docker.pkg.dev/gardener-project/releases/gardener/diki-ops:v0.13.0
  • diki: europe-docker.pkg.dev/gardener-project/releases/gardener/diki:v0.13.0

v0.12.0

08 Nov 11:41

⚠️ Breaking Changes

  • [USER] This change affects only the managedk8s provider. Configuration for DISA K8s STIG rules 242383 and 242417 no longer accepts namespace names directly but instead relies on matching namespaces by labels. Please see the example configuration options for more details. by @georgibaltiev [#316]
  • [DEVELOPER] The function "pkg/rule.SingleCheckResult" was removed. Use "pkg/rule.Result" instead. by @dimityrmirchev [#341]

✨ New Features

  • [USER] DISA K8s STIG rule 242382 now also checks AuthorizationConfiguration when it is set via authorization-config. by @AleksandarSavchev [#351]
  • [USER] Implementation for rule 2003 from the security-hardened-shoot-cluster ruleset for provider garden. by @dimityrmirchev [#343]
  • [USER] DISA K8s STIG rule 242390 is now implemented for provider managedk8s. by @georgibaltiev [#334]

🐛 Bug Fixes

  • [USER] A bug causing generated summary reports to not contain provider.metadata, when --ruleset-id and --ruleset-version flags are set, was fixed. by @georgibaltiev [#318]
  • [USER] A bug causing DISA Kubernetes STIG rules that check the kube-proxy container to fail to find the container, when the container name is proxy, was fixed. by @georgibaltiev [#325]
  • [USER] A bug that was causing reports to sometimes include empty targets was fixed. by @dimityrmirchev [#344]
  • [USER] A bug causing rule 242442 for all providers to parse image names incorrectly under certain circumstances (for example the image name containing additional semicolons before the tag/digest) was fixed. by @georgibaltiev [#321]

🏃 Others

  • [OPERATOR] gosec is made available for SAST (static application security testing). It can be run with make sast or make sast-report, and is also incorporated in the verify and verify-extended makefile targets. by @georgibaltiev [#333]
  • [USER] Log messages now consistently use rule_id instead of both rule_id and rule to identify the rule. by @georgibaltiev [#311]

Docker Images

  • diki-ops: europe-docker.pkg.dev/gardener-project/releases/gardener/diki-ops:v0.12.0
  • diki: europe-docker.pkg.dev/gardener-project/releases/gardener/diki:v0.12.0

v0.11.0

11 Sep 05:56

Docker Images

  • diki-ops: europe-docker.pkg.dev/gardener-project/releases/gardener/diki-ops:v0.11.0
  • diki: europe-docker.pkg.dev/gardener-project/releases/gardener/diki:v0.11.0

v0.10.0

18 Jul 12:04

✨ New Features

  • [USER] The disa-kubernetes-stig ruleset rules for the virtualgarden and managedk8s providers can now be retried if their results contain a known Errored message. by @AleksandarSavchev [#259]
  • [USER] A new rule option kubeProxyDisabled is added to rules that check multiple components, among them kube-proxy. Setting this option to true skips only the kube-proxy check in the rule. Defaults to true. by @AleksandarSavchev [#264]
  • [USER] A glossary explaining rule statuses has been added to HTML reports. by @AleksandarSavchev [#270]
  • [USER] For the gardener provider's disa-kubernetes-stig ruleset, rule execution can now be retried if the checkResults contain a known Errored message. by @AleksandarSavchev [#257]
  • [USER] A new args field is introduced for rulesets, where ruleset-specific arguments can be set. by @AleksandarSavchev [#257]
  • [USER] For the gardener provider's disa-kubernetes-stig ruleset, the args field has been enhanced with a maxRetries setting, which sets the maximum number of retries for rule runs. Defaults to 1. by @AleksandarSavchev [#257]
  • [USER] A bug causing rules that check files on nodes to error with could not find files in foo when there were no regular files in foo was fixed. by @AleksandarSavchev [#252]
  • [USER] The disa-kubernetes-stig ruleset config for the virtualgarden and managedk8s providers has been enhanced with a maxRetries setting, which sets the maximum number of retries for rule runs. Defaults to 1. by @AleksandarSavchev [#259]

🏃 Others

  • [USER] Rules that cannot find the kube-proxy pod now return an Errored check result. by @AleksandarSavchev [#255]
  • [USER] Rules that cannot find a specific pod now return an Errored check result. by @AleksandarSavchev [#261]
  • [USER] SimplePodExecutor now retries command timeouts and server errors. by @AleksandarSavchev [#260]
  • [USER] Improved disa-kubernetes-stig ruleset rule 242442 for gardener provider to check pod images per namespace. by @AleksandarSavchev [#265]

Docker Images

  • diki-ops: europe-docker.pkg.dev/gardener-project/releases/gardener/diki-ops:v0.10.0
  • diki: europe-docker.pkg.dev/gardener-project/releases/gardener/diki:v0.10.0

v0.9.0

11 Jun 13:05

✨ New Features

  • [USER] The report generate command now accepts a --format flag, which determines the output format of the generated report. It can be set to html or json. Defaults to html. by @AleksandarSavchev [#249]

Docker Images

  • diki-ops: europe-docker.pkg.dev/gardener-project/releases/gardener/diki-ops:v0.9.0
  • diki: europe-docker.pkg.dev/gardener-project/releases/gardener/diki:v0.9.0

v0.8.0

10 May 10:39

✨ New Features

  • [USER] A new field .args.additionalOpsPodLabels has been added to the gardener, managedk8s and virtual providers. The field contains key value pairs that will be added to the diki ops pods as additional labels. by @AleksandarSavchev [#223]
  • [USER] The generated JSON report summary now contains a dikiVersion field holding the release version of Diki. by @AleksandarSavchev [#233]
  • [USER] Report metadata can now be added by setting the metadata field in the Diki config file. by @AleksandarSavchev [#235]

🐛 Bug Fixes

  • [USER] A bug causing generated HTML reports to not truncate the target path has been fixed. by @AleksandarSavchev [#236]

Docker Images

  • diki-ops: europe-docker.pkg.dev/gardener-project/releases/gardener/diki-ops:v0.8.0
  • diki: europe-docker.pkg.dev/gardener-project/releases/gardener/diki:v0.8.0

v0.7.0

19 Apr 09:03

🐛 Bug Fixes

  • [USER] A bug causing rule 242452 for gardener provider to check seed nodes instead of shoot nodes was fixed. by @AleksandarSavchev [#212]

Docker Images

  • diki-ops: europe-docker.pkg.dev/gardener-project/releases/gardener/diki-ops:v0.7.0
  • diki: europe-docker.pkg.dev/gardener-project/releases/gardener/diki:v0.7.0

v0.6.1

03 Apr 06:17

🐛 Bug Fixes

  • [USER] A bug causing rule 242451 validation for managedk8s provider to crash when no file owner options for the rule were set was fixed. by @AleksandarSavchev [#205]

Docker Images

  • diki-ops: europe-docker.pkg.dev/gardener-project/releases/gardener/diki-ops:v0.6.1
  • diki: europe-docker.pkg.dev/gardener-project/releases/gardener/diki:v0.6.1

v0.6.0

02 Apr 10:44

⚠️ Breaking Changes

  • [USER] The functionality corresponding to the diki report command is now available under the diki report generate command. by @AleksandarSavchev [#164]
  • [USER] Setting output.path in the diki configuration file is now deprecated. Users are advised to use the --output flag instead. by @AleksandarSavchev [#194]
  • [OPERATOR] Release new diki versions to europe-docker.pkg.dev/gardener-project/releases. by @zkdev [#203]

✨ New Features

  • [USER] A new command diki report diff was introduced that creates a JSON file containing the difference between two JSON outputs from diki run. by @AleksandarSavchev [#164]
  • [USER] A new command diki report generate diff, which converts one or more JSON difference reports into a single HTML difference report, was introduced. by @AleksandarSavchev [#199]
  • [USER] Rule options are now validated before running ruleset rules. by @AleksandarSavchev [#175]
  • [USER] The diki run command now accepts an --output flag. If set, diki will write a report summary to that file path. by @AleksandarSavchev [#194]
  • [USER] The commands diki report generate and diki report diff now accept a --output flag that can be used to specify a file where the output report should be written. by @AleksandarSavchev [#164]

🐛 Bug Fixes

  • [USER] Virtual Garden provider no longer requires garden kubeconfig to execute rulesets. by @AleksandarSavchev [#173]

Docker Images

  • diki-ops: europe-docker.pkg.dev/gardener-project/releases/gardener/diki-ops:v0.6.0
  • diki: europe-docker.pkg.dev/gardener-project/releases/gardener/diki:v0.6.0

v0.5.0

14 Mar 12:08

✨ New Features

  • [USER] Rule 242459 from DISA K8s STIG was revisited to expect permissions of at most 0640 instead of 0600. by @AleksandarSavchev [#154]
  • [USER] Diki no longer supports DISA Kubernetes STIGs version v1r10. by @AleksandarSavchev [#168]
  • [USER] A new hack/run.sh script that executes diki run was added. The script sets default ldflags if none are specified and provides a comprehensive --help message. by @AleksandarSavchev [#120]

Docker Images

  • diki-ops: europe-docker.pkg.dev/gardener-project/releases/gardener/diki-ops:v0.5.0
  • diki: europe-docker.pkg.dev/gardener-project/releases/gardener/diki:v0.5.0