🧹 Fix for Manuel/149 (#200)
Fixes: #149

---------

Signed-off-by: Manuel Weber <[email protected]>
mm-weber authored Mar 29, 2023
1 parent ea1f959 commit 88f830c
Showing 2 changed files with 31 additions and 8 deletions.
31 changes: 23 additions & 8 deletions core/mondoo-kubernetes-best-practices.mql.yaml
Expand Up @@ -12,14 +12,16 @@ policies:
docs:
desc: "## Overview\n\nThe Kubernetes Best Practices by Mondoo policy bundle provides guidance for establishing reliable Kubernetes clusters by encouraging the adoption of best practices.\n\n## Remote scan\n\nRemote scans use native transports in `cnspec` to provide on demand scan results without the need to install any agents, or integration. \n\nFor a complete list of native transports run: \n\n```bash\ncnspec scan --help\n```\n\n### Prerequisites\n\nRemote scans of Kubernetes clusters requires a `KUBECONFIG` with access to the cluster you want to scan.\n\n### Scan a Kubernetes cluster\n\nOpen a terminal and configure an environment variable with the path to your `KUBECONFIG`:\n\n```bash\nexport KUBECONFIG=/path/to/kubeconfig\n```\n\nRun a scan of the Kubernetes cluster:\n\n```bash\ncnspec scan k8s\n``` \n\n## Join the community!\n\nOur goal is to build policies that are simple to deploy, accurate, and actionable. \n\nIf you have any suggestions on how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions."
groups:
- filters: platform.name == "k8s-cronjob"
- title: CronJobs
filters: platform.name == "k8s-cronjob"
checks:
- uid: mondoo-kubernetes-best-practices-cronjob-default-namespace
- uid: mondoo-kubernetes-best-practices-cronjob-hostalias
- uid: mondoo-kubernetes-best-practices-cronjob-ports-hostport
- uid: mondoo-kubernetes-best-practices-cronjob-requestcpu
- uid: mondoo-kubernetes-best-practices-cronjob-requestmemory
- filters: platform.name == "k8s-statefulset"
- title: StatefulSets
filters: platform.name == "k8s-statefulset"
checks:
- uid: mondoo-kubernetes-best-practices-statefulset-default-namespace
- uid: mondoo-kubernetes-best-practices-statefulset-hostalias
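Review bot: drive-by doc nit in the unchanged `desc:` string of this hunk: "Remote scans of Kubernetes clusters requires a `KUBECONFIG`" should read "require"; the group titles added here (`CronJobs`, `StatefulSets`) look right and keep the `filters:` line at the same indentation as `title:`, so the YAML structure is unchanged.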
Expand All @@ -28,7 +30,8 @@ policies:
- uid: mondoo-kubernetes-best-practices-statefulset-readinessProbe
- uid: mondoo-kubernetes-best-practices-statefulset-requestcpu
- uid: mondoo-kubernetes-best-practices-statefulset-requestmemory
- filters: platform.name == "k8s-deployment"
- title: Deployments
filters: platform.name == "k8s-deployment"
checks:
- uid: mondoo-kubernetes-best-practices-deployment-default-namespace
- uid: mondoo-kubernetes-best-practices-deployment-hostalias
Expand All @@ -37,14 +40,16 @@ policies:
- uid: mondoo-kubernetes-best-practices-deployment-readinessProbe
- uid: mondoo-kubernetes-best-practices-deployment-requestcpu
- uid: mondoo-kubernetes-best-practices-deployment-requestmemory
- filters: platform.name == "k8s-job"
- title: Jobs
filters: platform.name == "k8s-job"
checks:
- uid: mondoo-kubernetes-best-practices-job-default-namespace
- uid: mondoo-kubernetes-best-practices-job-hostalias
- uid: mondoo-kubernetes-best-practices-job-ports-hostport
- uid: mondoo-kubernetes-best-practices-job-requestcpu
- uid: mondoo-kubernetes-best-practices-job-requestmemory
- filters: platform.name == "k8s-replicaset"
- title: Replicasets
filters: platform.name == "k8s-replicaset"
checks:
- uid: mondoo-kubernetes-best-practices-replicaset-default-namespace
- uid: mondoo-kubernetes-best-practices-replicaset-hostalias
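Review bot: the new group title `Replicasets` does not follow the capitalization of the Kubernetes kind (ReplicaSet), while the `StatefulSets` group above does; suggest `- title: ReplicaSets` so report headings match the resource names.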
Expand All @@ -53,7 +58,8 @@ policies:
- uid: mondoo-kubernetes-best-practices-replicaset-readinessProbe
- uid: mondoo-kubernetes-best-practices-replicaset-requestcpu
- uid: mondoo-kubernetes-best-practices-replicaset-requestmemory
- filters: platform.name == "k8s-daemonset"
- title: Daemonsets
filters: platform.name == "k8s-daemonset"
checks:
- uid: mondoo-kubernetes-best-practices-daemonset-default-namespace
- uid: mondoo-kubernetes-best-practices-daemonset-hostalias
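Review bot: same capitalization point for `- title: Daemonsets`; the kind is DaemonSet, so `DaemonSets` would be consistent with `StatefulSets`.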
Expand All @@ -62,7 +68,8 @@ policies:
- uid: mondoo-kubernetes-best-practices-daemonset-readinessProbe
- uid: mondoo-kubernetes-best-practices-daemonset-requestcpu
- uid: mondoo-kubernetes-best-practices-daemonset-requestmemory
- filters: platform.name == "k8s-pod"
- title: Pods
filters: platform.name == "k8s-pod"
checks:
- uid: mondoo-kubernetes-best-practices-pod-default-namespace
- uid: mondoo-kubernetes-best-practices-pod-hostalias
Expand All @@ -72,7 +79,8 @@ policies:
- uid: mondoo-kubernetes-best-practices-pod-readinessProbe
- uid: mondoo-kubernetes-best-practices-pod-requestcpu
- uid: mondoo-kubernetes-best-practices-pod-requestmemory
- filters: platform.name == "k8s-ingress"
- title: Ingress Configuration
filters: platform.name == "k8s-ingress"
checks:
- uid: mondoo-kubernetes-best-practices-ingress-cert-expiration
scoring_system: 2
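Review bot: `Ingress Configuration` breaks the pattern of the other group titles, which are plain resource kinds (CronJobs, Pods, ...); `Ingresses` would keep the headings uniform, and since this group only carries the cert-expiration check, the broader title promises more than it covers.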
Expand Down Expand Up @@ -865,6 +873,7 @@ queries:
title: Pod Lifecycle - Container probes
- uid: mondoo-kubernetes-best-practices-pod-hostalias
title: Pod should not define hostAliases
impact: 60
mql: |
k8s.pod {
podSpec['hostAliases'] == null
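Review bot: `podSpec['hostAliases'] == null` also fails a pod that sets `hostAliases: []`, which defines no entries at all; if that should pass, accept an empty list as well. The same pattern is used by the cronjob, statefulset, deployment, job, replicaset and daemonset variants below, so whatever is decided should be applied to all seven. The `impact: 60` added here is consistent across them.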
Expand Down Expand Up @@ -894,6 +903,7 @@ queries:
title: Adding entries to Pod /etc/hosts with HostAliases
- uid: mondoo-kubernetes-best-practices-cronjob-hostalias
title: Pod should not define hostAliases
impact: 60
mql: |
k8s.cronjob {
manifest['spec']['jobTemplate']['spec']['template']['spec']['hostAliases'] == null
Expand Down Expand Up @@ -923,6 +933,7 @@ queries:
title: Adding entries to Pod /etc/hosts with HostAliases
- uid: mondoo-kubernetes-best-practices-statefulset-hostalias
title: Pod should not define hostAliases
impact: 60
mql: "k8s.statefulset { \n manifest['spec']['template']['spec']['hostAliases'] == null\n}\n"
docs:
desc: |
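Review bot: style: this query keeps `mql:` as a double-quoted flow scalar with embedded `\n` and a trailing space after `{`, whereas the pod, cronjob and deployment queries use a `|` block scalar. Since the hunk touches the query anyway, converting it (and the job, replicaset and daemonset queries below, which have the same form) to `mql: |` would make the bundle uniform and easier to diff.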
Expand All @@ -949,6 +960,7 @@ queries:
title: Adding entries to Pod /etc/hosts with HostAliases
- uid: mondoo-kubernetes-best-practices-deployment-hostalias
title: Pod should not define hostAliases
impact: 60
mql: |
k8s.deployment {
manifest['spec']['template']['spec']['hostAliases'] == null
Expand Down Expand Up @@ -980,6 +992,7 @@ queries:
title: Adding entries to Pod /etc/hosts with HostAliases
- uid: mondoo-kubernetes-best-practices-job-hostalias
title: Pod should not define hostAliases
impact: 60
mql: "k8s.job { \n manifest['spec']['template']['spec']['hostAliases'] == null\n}\n"
docs:
desc: |
Expand All @@ -1006,6 +1019,7 @@ queries:
title: Adding entries to Pod /etc/hosts with HostAliases
- uid: mondoo-kubernetes-best-practices-replicaset-hostalias
title: Pod should not define hostAliases
impact: 60
mql: "k8s.replicaset { \n manifest['spec']['template']['spec']['hostAliases'] == null\n}\n"
docs:
desc: |
Expand All @@ -1032,6 +1046,7 @@ queries:
title: Adding entries to Pod /etc/hosts with HostAliases
- uid: mondoo-kubernetes-best-practices-daemonset-hostalias
title: Pod should not define hostAliases
impact: 60
mql: "k8s.daemonset { \n manifest['spec']['template']['spec']['hostAliases'] == null\n}\n"
docs:
desc: |
8 changes: 8 additions & 0 deletions core/mondoo-kubernetes-security.mql.yaml
Expand Up @@ -463,6 +463,7 @@ queries:
```
- uid: mondoo-kubernetes-security-secure-kube-apiserver-yml
title: Set secure file permissions on the API server pod specification file
impact: 60
mql: |
if (file("/etc/kubernetes/manifests/kube-apiserver.yaml").exists) {
file("/etc/kubernetes/manifests/kube-apiserver.yaml") {
Expand Down Expand Up @@ -494,6 +495,7 @@ queries:
title: |
Set secure directory permissions on the etcd data directory.
Otherwise unprivileged users might get access to sensitive data stored in etcd, i.e., Kubernetes Secrets.
impact: 60
mql: |
if (file("/var/lib/etcd").exists) {
file("/var/lib/etcd") {
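Review bot: in the title, "i.e., Kubernetes Secrets" should be "e.g., Kubernetes Secrets": Secrets are one example of sensitive data stored in etcd, not the definition of it. Note also that the `exists` guard means a cluster with a non-default etcd `--data-dir` is silently skipped rather than checked; worth mentioning in the docs.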
Expand Down Expand Up @@ -544,6 +546,7 @@ queries:
title: Kubernetes Secrets
- uid: mondoo-kubernetes-security-secure-admin-conf
title: Set secure file permissions on the admin.conf file
impact: 60
mql: |
if (file("/etc/kubernetes/admin.conf").exists) {
file("/etc/kubernetes/admin.conf") {
Expand Down Expand Up @@ -576,6 +579,7 @@ queries:
title: Kubernetes Setup
- uid: mondoo-kubernetes-security-secure-scheduler_conf
title: Set secure file permissions on the scheduler.conf file
impact: 60
mql: |
if (file("/etc/kubernetes/scheduler.conf").exists) {
file("/etc/kubernetes/scheduler.conf") {
Expand Down Expand Up @@ -603,6 +607,7 @@ queries:
```
- uid: mondoo-kubernetes-security-secure-controller-manager_conf
title: Set secure file permissions on the controller-manager.conf file
impact: 60
mql: |
if (file("/etc/kubernetes/controller-manager.conf").exists) {
file("/etc/kubernetes/controller-manager.conf") {
Expand Down Expand Up @@ -630,6 +635,7 @@ queries:
```
- uid: mondoo-kubernetes-security-secure-pki-directory
title: Ensure that the Kubernetes PKI/SSL directory is owned by root:root
impact: 65
mql: |
if (processes.where(executable == /kube-apiserver/).list[0].flags["etcd-certfile"] != null) {
clientCAFile = processes.where(executable == /kube-apiserver/).list[0].flags["etcd-certfile"]
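Review bot: the variable `clientCAFile` holds the value of the `etcd-certfile` flag, which is the apiserver's etcd client certificate, not a CA file; renaming it (for example `etcdCertFile`) would avoid misreading the check. `list[0]` also assumes exactly one kube-apiserver process on the node, which is fine for a control-plane node but deserves a comment.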
Expand Down Expand Up @@ -665,6 +671,7 @@ queries:
title: PKI certificates and requirements
- uid: mondoo-kubernetes-security-https-api-server
title: Ensure the kube-apiserver is not listening on an insecure HTTP port
impact: 70
mql: |
processes.where(executable == /kube-apiserver/).list {
flags["insecure-port"] == 0
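Review bot: `flags["insecure-port"] == 0` compares against an integer while the anonymous-auth query below compares `flags["anonymous-auth"]` with the string `"false"`; please confirm how flag values are typed so this does not fail on a string `"0"`. When the flag is not passed at all the lookup is null, which presumably does not equal 0 and so fails the check even though no insecure port is being served; consider accepting null here as well.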
Expand All @@ -685,6 +692,7 @@ queries:
title: |
Ensure the kube-apiserver does not allow anonymous authentication.
When allowed, request will have the privileges of the role `system:public-info-viewer`. This might expose data to an attacker.
impact: 100
mql: |
processes.where(executable == /kube-apiserver/).list {
flags["anonymous-auth"] == "false"
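Review bot: the title text reads "request will have the privileges"; should be "requests will have". The comparison with `"false"` correctly fails when the flag is omitted, since kube-apiserver enables anonymous auth by default, so a null lookup failing the check is the desired fail-closed behaviour and the new `impact: 100` is appropriate.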