Releases: gardener/diki
v0.13.0
[gardener/diki]
⚠️ Breaking Changes
- [USER] Argument `minPodSecurityLevel` for rule `254800` from the `disa-k8s-stig` ruleset for provider `gardener` was renamed to `minPodSecurityStandardsProfile`. by @georgibaltiev [#374]
✨ New Features
- [USER] Rules can now specify a severity level. by @georgibaltiev [#352]
- [USER] Implementation for rule `2001` from the `security-hardened-k8s` ruleset for provider `managedk8s`. by @AleksandarSavchev [#375]
- [USER] Implementation for rule `2000` from the `security-hardened-k8s` ruleset for provider `managedk8s`. by @AleksandarSavchev [#383]
- [USER] Implementation for rule `2007` from the `security-hardened-k8s` ruleset for provider `managedk8s`. by @georgibaltiev [#389]
- [USER] Implementation for rule `2002` from the `security-hardened-shoot-cluster` ruleset for provider `garden`. by @georgibaltiev [#360]
- [USER] Implementation for rule `2002` from the `security-hardened-k8s` ruleset for provider `managedk8s`. by @georgibaltiev [#387]
- [USER] Implementation for rule `2003` from the `security-hardened-k8s` ruleset for provider `managedk8s`. by @georgibaltiev [#391]
- [USER] Implementation for rule `2006` from the `security-hardened-k8s` ruleset for provider `managedk8s`. by @AleksandarSavchev [#382]
- [USER] Implementation for rule `2006` from the `security-hardened-shoot-cluster` ruleset for provider `garden`. by @georgibaltiev [#366]
- [USER] Implementation for rule `2004` from the `security-hardened-k8s` ruleset for provider `managedk8s`. by @AleksandarSavchev [#376]
- [USER] Implementation for rule `2000` from the `security-hardened-shoot-cluster` ruleset for provider `garden`. by @georgibaltiev [#362]
- [USER] A severity level has been set for all current rules. by @georgibaltiev [#354]
- [USER] Implementation for rule `2008` from the `security-hardened-k8s` ruleset for provider `managedk8s`. by @AleksandarSavchev [#371]
- [USER] Implementation for rule `2007` from the `security-hardened-shoot-cluster` ruleset for provider `garden`. by @georgibaltiev [#374]
- [USER] Implementation for rule `2005` from the `security-hardened-k8s` ruleset for provider `managedk8s`. by @AleksandarSavchev [#380]
- [USER] Implementation for rule `1000` from the `security-hardened-shoot-cluster` ruleset for provider `garden`. by @georgibaltiev [#381]
- [USER] Implementation for rule `2001` from the `security-hardened-shoot-cluster` ruleset for provider `garden`. by @georgibaltiev [#358]
- [USER] Implementation for rule `2004` from the `security-hardened-shoot-cluster` ruleset for provider `garden`. by @georgibaltiev [#365]
- [USER] Implementation for rule `2005` from the `security-hardened-shoot-cluster` ruleset for provider `garden`. by @georgibaltiev [#363]
🐛 Bug Fixes
- [USER] A bug causing some rules to error when they encounter a `Pod` without an `OwnerReference` has been fixed. by @AleksandarSavchev [#399]
🏃 Others
- [USER] Rule 242418 from DISA K8s STIG was revisited to fail when insecure TLS ciphers are configured for the kube-apiserver. by @AleksandarSavchev [#390]
- [OPERATOR] Pods created by diki will be terminated 300 seconds after start. by @dimityrmirchev [#364]
Docker Images
- diki-ops:
europe-docker.pkg.dev/gardener-project/releases/gardener/diki-ops:v0.13.0
- diki:
europe-docker.pkg.dev/gardener-project/releases/gardener/diki:v0.13.0
v0.12.0
[gardener/diki]
⚠️ Breaking Changes
- [USER] This change affects only the `managedk8s` provider. Configuration for DISA K8s STIG rules `242383` and `242417` no longer accepts namespace names directly but relies on matching namespaces by labels. Please see the example configuration options for more details. by @georgibaltiev [#316]
- [DEVELOPER] The function "pkg/rule.SingleCheckResult" was removed. Use "pkg/rule.Result" instead. by @dimityrmirchev [#341]
✨ New Features
- [USER] DISA K8s STIG rule 242382 now also checks `AuthorizationConfiguration` when it is set via `authorization-config`. by @AleksandarSavchev [#351]
- [USER] Implementation for rule `2003` from the `security-hardened-shoot-cluster` ruleset for provider `garden`. by @dimityrmirchev [#343]
- [USER] DISA K8s STIG rule 242390 is now implemented for provider `managedk8s`. by @georgibaltiev [#334]
🐛 Bug Fixes
- [USER] A bug causing generated summary reports to not contain `provider.metadata` when the `--ruleset-id` and `--ruleset-version` flags are set was fixed. by @georgibaltiev [#318]
- [USER] A bug causing DISA Kubernetes STIG rules that check the `kube-proxy` container to fail to find the container when the container name is `proxy` was fixed. by @georgibaltiev [#325]
- [USER] A bug that was causing reports to sometimes include empty targets was fixed. by @dimityrmirchev [#344]
- [USER] A bug causing rule 242442 for all providers to parse image names incorrectly under certain circumstances (for example the image name containing additional semicolons before the tag/digest) was fixed. by @georgibaltiev [#321]
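The rule 242442 fix above concerns image references whose extra separators (typically a registry port such as `host:5000/...`) sit before the tag or digest. As an added illustration of that parsing pitfall, and not diki's own rule code, here is a small Go parser that splits a reference into registry, repository, tag and digest, placed beside a naive "split at the first colon" that misreads a registry port as the tag. The function names and the sample references are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ImageRef is the decomposed form of a container image reference.
// (Constructed for this example; not a diki type.)
type ImageRef struct {
	Registry   string // e.g. "registry.example.com:5000"; empty if none given
	Repository string // e.g. "team/app"
	Tag        string // e.g. "1.2.3"; empty if none given
	Digest     string // e.g. "sha256:..."; empty if none given
}

// NaiveTag shows the bug class: treating the first colon as the tag
// separator. For "host:5000/app:1.2.3" it returns "5000/app:1.2.3".
func NaiveTag(ref string) string {
	if i := strings.IndexByte(ref, ':'); i >= 0 {
		return ref[i+1:]
	}
	return ""
}

// ParseImageRef splits a reference correctly: the digest is everything after
// "@", the tag is a colon only after the LAST "/", and the first path
// component is a registry only when it looks like a host (dot, port, or
// "localhost"), which is how the reference grammar distinguishes
// "library/nginx" from "registry.example.com/nginx".
func ParseImageRef(ref string) (ImageRef, error) {
	var out ImageRef
	if ref == "" {
		return out, errors.New("empty image reference")
	}
	rest := ref

	// Digest always comes last and is introduced by "@".
	if i := strings.IndexByte(rest, '@'); i >= 0 {
		out.Digest = rest[i+1:]
		rest = rest[:i]
		if !strings.Contains(out.Digest, ":") {
			return out, fmt.Errorf("malformed digest %q in %q", out.Digest, ref)
		}
	}

	// Tag separator: a colon that appears after the last path separator.
	// A colon before the last "/" belongs to a registry port, not a tag.
	lastSlash := strings.LastIndexByte(rest, '/')
	if i := strings.LastIndexByte(rest, ':'); i > lastSlash {
		out.Tag = rest[i+1:]
		rest = rest[:i]
	}

	// Registry detection on the first path component.
	if i := strings.IndexByte(rest, '/'); i >= 0 {
		first := rest[:i]
		if strings.ContainsAny(first, ".:") || first == "localhost" {
			out.Registry = first
			rest = rest[i+1:]
		}
	}

	if rest == "" {
		return out, fmt.Errorf("missing repository in %q", ref)
	}
	out.Repository = rest
	return out, nil
}

func main() {
	// Constructed sample references exercising the port and digest cases.
	samples := []string{
		"registry.example.com:5000/team/app:1.2.3@sha256:0123456789abcdef",
		"localhost:5000/app",
		"nginx:1.25",
	}
	for _, s := range samples {
		r, err := ParseImageRef(s)
		fmt.Printf("%-70s naive tag=%q\n", s, NaiveTag(s))
		fmt.Printf("  parsed: %+v err=%v\n", r, err)
	}
}
```

The naive variant is kept only to make the failure mode concrete: for a reference with a registry port the first colon is not the tag separator, so any check that compares tags or digests against an allow-list would compare the wrong substring.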
🏃 Others
- [OPERATOR] `gosec` is made available for SAST (static application security testing). It can be run with `make sast` or `make sast-report`, and is also incorporated in the `verify` and `verify-extended` makefile targets. by @georgibaltiev [#333]
- [USER] Log messages now consistently use `rule_id` instead of both `rule_id` and `rule` to identify the rule. by @georgibaltiev [#311]
Docker Images
- diki-ops:
europe-docker.pkg.dev/gardener-project/releases/gardener/diki-ops:v0.12.0
- diki:
europe-docker.pkg.dev/gardener-project/releases/gardener/diki:v0.12.0
v0.11.0
[gardener/diki]
✨ New Features
- [USER] Diki now supports DISA Kubernetes STIG version `v2r1`. by @AleksandarSavchev [#287]
Docker Images
- diki-ops:
europe-docker.pkg.dev/gardener-project/releases/gardener/diki-ops:v0.11.0
- diki:
europe-docker.pkg.dev/gardener-project/releases/gardener/diki:v0.11.0
v0.10.0
[gardener/diki]
✨ New Features
- [USER] The `disa-kubernetes-stig` ruleset rules for the `virtualgarden` and `managedk8s` providers can now be retried if their results contain a known `Errored` message. by @AleksandarSavchev [#259]
- [USER] A new rule option `kubeProxyDisabled` is added to rules that check many components, including `kube-proxy`. Setting this option to `true` skips only the `kube-proxy` check in the rule. Defaults to `true`. by @AleksandarSavchev [#264]
- [USER] A glossary explaining rule statuses has been added to html reports. by @AleksandarSavchev [#270]
- [USER] For the `gardener` provider's `disa-kubernetes-stig` ruleset, rule execution can now be retried if their `checkResults` contain a known `Errored` message. by @AleksandarSavchev [#257]
- [USER] A new `args` field is introduced for `rulesets`, where ruleset-specific arguments can be set. by @AleksandarSavchev [#257]
- [USER] For the `gardener` provider's `disa-kubernetes-stig` ruleset, the `args` field has been enhanced with a `maxRetries` setting, which sets the maximum number of retries for rule runs. Defaults to 1. by @AleksandarSavchev [#257]
- [USER] A bug causing rules that check files on nodes to error with `could not find files in foo` when there were no regular files in `foo` was fixed. by @AleksandarSavchev [#252]
- [USER] The `disa-kubernetes-stig` ruleset config for the `virtualgarden` and `managedk8s` providers has been enhanced with a `maxRetries` setting, which sets the maximum number of retries for rule runs. Defaults to 1. by @AleksandarSavchev [#259]
🏃 Others
- [USER] Rules that cannot find the `kube-proxy` pod now return an `Errored` check result. by @AleksandarSavchev [#255]
- [USER] Rules that cannot find a specific pod now return an `Errored` check result. by @AleksandarSavchev [#261]
- [USER] `SimplePodExecutor` now retries command timeouts and server errors. by @AleksandarSavchev [#260]
- [USER] Improved `disa-kubernetes-stig` ruleset rule `242442` for the `gardener` provider to check pod images per namespace. by @AleksandarSavchev [#265]
Docker Images
- diki-ops:
europe-docker.pkg.dev/gardener-project/releases/gardener/diki-ops:v0.10.0
- diki:
europe-docker.pkg.dev/gardener-project/releases/gardener/diki:v0.10.0
v0.9.0
[gardener/diki]
✨ New Features
- [USER] The `report generate` command now accepts a `--format` flag which determines the output format of the generated report. It can be set to one of `html` or `json`. Defaults to `html`. by @AleksandarSavchev [#249]
Docker Images
- diki-ops:
europe-docker.pkg.dev/gardener-project/releases/gardener/diki-ops:v0.9.0
- diki:
europe-docker.pkg.dev/gardener-project/releases/gardener/diki:v0.9.0
v0.8.0
[gardener/diki]
✨ New Features
- [USER] A new field `.args.additionalOpsPodLabels` has been added to the `gardener`, `managedk8s` and `virtual` providers. The field contains key-value pairs that will be added to the `diki` ops pods as additional labels. by @AleksandarSavchev [#223]
- [USER] The generated `json` report summary now contains a `dikiVersion` field containing the release version of `Diki`. by @AleksandarSavchev [#233]
- [USER] Report metadata can now be added by setting the `metadata` field in the Diki config file. by @AleksandarSavchev [#235]
🐛 Bug Fixes
- [USER] A bug causing generated `html` reports to not truncate the target path has been fixed. by @AleksandarSavchev [#236]
Docker Images
- diki-ops:
europe-docker.pkg.dev/gardener-project/releases/gardener/diki-ops:v0.8.0
- diki:
europe-docker.pkg.dev/gardener-project/releases/gardener/diki:v0.8.0
v0.7.0
[gardener/diki]
✨ New Features
- [USER] Tailwind CSS classes in HTML reports now have a `tw-` prefix. by @AleksandarSavchev [#211]
🐛 Bug Fixes
- [USER] A bug causing rule 242452 for the gardener provider to check seed nodes instead of shoot nodes was fixed. by @AleksandarSavchev [#212]
🏃 Others
- [USER] Rules in html reports are now sorted by rule ID. by @AleksandarSavchev [#216]
- [OPERATOR] The diki-ops container image now includes only the needed binaries. by @AleksandarSavchev [#215]
Docker Images
- diki-ops:
europe-docker.pkg.dev/gardener-project/releases/gardener/diki-ops:v0.7.0
- diki:
europe-docker.pkg.dev/gardener-project/releases/gardener/diki:v0.7.0
v0.6.1
[gardener/diki]
🐛 Bug Fixes
- [USER] A bug causing rule 242451 validation for the managedk8s provider to crash when no file owner options for the rule were set was fixed. by @AleksandarSavchev [#205]
Docker Images
- diki-ops:
europe-docker.pkg.dev/gardener-project/releases/gardener/diki-ops:v0.6.1
- diki:
europe-docker.pkg.dev/gardener-project/releases/gardener/diki:v0.6.1
v0.6.0
[gardener/diki]
⚠️ Breaking Changes
- [USER] The functionality corresponding to the `diki report` command is now available under the `diki report generate` command. by @AleksandarSavchev [#164]
- [USER] Setting `output.path` in the diki configuration file is now deprecated. Users are advised to use the `--output` flag instead. by @AleksandarSavchev [#194]
- [OPERATOR] Release new diki versions to europe-docker.pkg.dev/gardener-project/releases. by @zkdev [#203]
✨ New Features
- [USER] A new command `diki report diff` was introduced that creates a `json` file containing the difference between two `json` outputs from `diki run`. by @AleksandarSavchev [#164]
- [USER] A new command `diki report generate diff` that converts one or more `json` difference reports into a single `html` difference report was introduced. by @AleksandarSavchev [#199]
- [USER] Rule options are now validated before running ruleset rules. by @AleksandarSavchev [#175]
- [USER] The `diki run` command now accepts an `--output` flag. If set, diki will write a report summary to that file path. by @AleksandarSavchev [#194]
- [USER] The commands `diki report generate` and `diki report diff` now accept an `--output` flag that can be used to specify a file where the output report should be written. by @AleksandarSavchev [#164]
🐛 Bug Fixes
- [USER] The Virtual Garden provider no longer requires a garden kubeconfig to execute rulesets. by @AleksandarSavchev [#173]
Docker Images
- diki-ops:
europe-docker.pkg.dev/gardener-project/releases/gardener/diki-ops:v0.6.0
- diki:
europe-docker.pkg.dev/gardener-project/releases/gardener/diki:v0.6.0
v0.5.0
[gardener/diki]
✨ New Features
- [USER] Rule 242459 from DISA K8s STIG was revisited to expect maximum `0640` permissions instead of `0600`. by @AleksandarSavchev [#154]
- [USER] Diki no longer supports DISA Kubernetes STIG version `v1r10`. by @AleksandarSavchev [#168]
- [USER] A new `hack/run.sh` script that executes `diki run` was added. The script sets default `ldflags` if not specified and provides a comprehensive `--help` message. by @AleksandarSavchev [#120]
Docker Images
- diki-ops:
europe-docker.pkg.dev/gardener-project/releases/gardener/diki-ops:v0.5.0
- diki:
europe-docker.pkg.dev/gardener-project/releases/gardener/diki:v0.5.0