diff --git a/core/mondoo-kubernetes-best-practices.mql.yaml b/core/mondoo-kubernetes-best-practices.mql.yaml
index a6956b2c..5311244f 100644
--- a/core/mondoo-kubernetes-best-practices.mql.yaml
+++ b/core/mondoo-kubernetes-best-practices.mql.yaml
@@ -12,14 +12,16 @@ policies:
 docs:
 desc: "## Overview\n\nThe Kubernetes Best Practices by Mondoo policy bundle provides guidance for establishing reliable Kubernetes clusters by encouraging the adoption of best practices.\n\n## Remote scan\n\nRemote scans use native transports in `cnspec` to provide on demand scan results without the need to install any agents, or integration. \n\nFor a complete list of native transports run: \n\n```bash\ncnspec scan --help\n```\n\n### Prerequisites\n\nRemote scans of Kubernetes clusters requires a `KUBECONFIG` with access to the cluster you want to scan.\n\n### Scan a Kubernetes cluster\n\nOpen a terminal and configure an environment variable with the path to your `KUBECONFIG`:\n\n```bash\nexport KUBECONFIG=/path/to/kubeconfig\n```\n\nRun a scan of the Kubernetes cluster:\n\n```bash\ncnspec scan k8s\n``` \n\n## Join the community!\n\nOur goal is to build policies that are simple to deploy, accurate, and actionable. \n\nIf you have any suggestions on how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions."
 groups: 
- - filters: platform.name == "k8s-cronjob" 
+ - title: CronJobs 
+ filters: platform.name == "k8s-cronjob"
 checks:
 - uid: mondoo-kubernetes-best-practices-cronjob-default-namespace
 - uid: mondoo-kubernetes-best-practices-cronjob-hostalias
 - uid: mondoo-kubernetes-best-practices-cronjob-ports-hostport
 - uid: mondoo-kubernetes-best-practices-cronjob-requestcpu
 - uid: mondoo-kubernetes-best-practices-cronjob-requestmemory 
- - filters: platform.name == "k8s-statefulset" 
+ - title: StatefulSets 
+ filters: platform.name == "k8s-statefulset"
 checks:
 - uid: mondoo-kubernetes-best-practices-statefulset-default-namespace
 - uid: mondoo-kubernetes-best-practices-statefulset-hostalias 
@@ -28,7 +30,8 @@ policies:
 - uid: mondoo-kubernetes-best-practices-statefulset-readinessProbe
 - uid: mondoo-kubernetes-best-practices-statefulset-requestcpu
 - uid: mondoo-kubernetes-best-practices-statefulset-requestmemory 
- - filters: platform.name == "k8s-deployment" 
+ - title: Deployments 
+ filters: platform.name == "k8s-deployment"
 checks:
 - uid: mondoo-kubernetes-best-practices-deployment-default-namespace
 - uid: mondoo-kubernetes-best-practices-deployment-hostalias
@@ -37,14 +40,16 @@ policies:
 - uid: mondoo-kubernetes-best-practices-deployment-readinessProbe
 - uid: mondoo-kubernetes-best-practices-deployment-requestcpu
 - uid: mondoo-kubernetes-best-practices-deployment-requestmemory 
- - filters: platform.name == "k8s-job" 
+ - title: Jobs 
+ filters: platform.name == "k8s-job"
 checks:
 - uid: mondoo-kubernetes-best-practices-job-default-namespace
 - uid: mondoo-kubernetes-best-practices-job-hostalias
 - uid: mondoo-kubernetes-best-practices-job-ports-hostport
 - uid: mondoo-kubernetes-best-practices-job-requestcpu
 - uid: mondoo-kubernetes-best-practices-job-requestmemory 
- - filters: platform.name == "k8s-replicaset" 
+ - title: Replicasets 
+ filters: platform.name == "k8s-replicaset"
 checks:
 - uid: mondoo-kubernetes-best-practices-replicaset-default-namespace
 - uid: mondoo-kubernetes-best-practices-replicaset-hostalias
@@ -53,7 +58,8 @@ policies:
 - uid: mondoo-kubernetes-best-practices-replicaset-readinessProbe
 - uid: mondoo-kubernetes-best-practices-replicaset-requestcpu
 - uid: mondoo-kubernetes-best-practices-replicaset-requestmemory 
- - filters: platform.name == "k8s-daemonset" 
+ - title: Daemonsets 
+ filters: platform.name == "k8s-daemonset"
 checks:
 - uid: mondoo-kubernetes-best-practices-daemonset-default-namespace
 - uid: mondoo-kubernetes-best-practices-daemonset-hostalias 
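Review bot: The group titles added for `k8s-replicaset` and `k8s-daemonset` are cased differently from the ones added in the first hunk: `Replicasets` and `Daemonsets` next to `CronJobs` and `StatefulSets`. The titles evidently name the Kubernetes kind, so spelling them the way the API does keeps the rendered policy consistent; `- title: ReplicaSets` and `- title: DaemonSets`. The later `Ingress Configuration` title is the only one that does not follow the plural-kind pattern — `Ingresses` would match, if that is the intent.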
@@ -62,7 +68,8 @@ policies:
 - uid: mondoo-kubernetes-best-practices-daemonset-readinessProbe
 - uid: mondoo-kubernetes-best-practices-daemonset-requestcpu
 - uid: mondoo-kubernetes-best-practices-daemonset-requestmemory 
- - filters: platform.name == "k8s-pod" 
+ - title: Pods 
+ filters: platform.name == "k8s-pod"
 checks:
 - uid: mondoo-kubernetes-best-practices-pod-default-namespace
 - uid: mondoo-kubernetes-best-practices-pod-hostalias
@@ -72,7 +79,8 @@ policies:
 - uid: mondoo-kubernetes-best-practices-pod-readinessProbe
 - uid: mondoo-kubernetes-best-practices-pod-requestcpu
 - uid: mondoo-kubernetes-best-practices-pod-requestmemory 
- - filters: platform.name == "k8s-ingress" 
+ - title: Ingress Configuration 
+ filters: platform.name == "k8s-ingress"
 checks:
 - uid: mondoo-kubernetes-best-practices-ingress-cert-expiration
 scoring_system: 2
@@ -865,6 +873,7 @@ queries:
 title: Pod Lifecycle - Container probes
 - uid: mondoo-kubernetes-best-practices-pod-hostalias
 title: Pod should not define hostAliases 
+ impact: 60
 mql: |
 k8s.pod {
 podSpec['hostAliases'] == null
@@ -894,6 +903,7 @@ queries:
 title: Adding entries to Pod /etc/hosts with HostAliases
 - uid: mondoo-kubernetes-best-practices-cronjob-hostalias
 title: Pod should not define hostAliases 
+ impact: 60
 mql: |
 k8s.cronjob {
 manifest['spec']['jobTemplate']['spec']['template']['spec']['hostAliases'] == null
@@ -923,6 +933,7 @@ queries:
 title: Adding entries to Pod /etc/hosts with HostAliases
 - uid: mondoo-kubernetes-best-practices-statefulset-hostalias
 title: Pod should not define hostAliases 
+ impact: 60
 mql: "k8s.statefulset { \n manifest['spec']['template']['spec']['hostAliases'] == null\n}\n"
 docs:
 desc: |
@@ -949,6 +960,7 @@ queries:
 title: Adding entries to Pod /etc/hosts with HostAliases
 - uid: mondoo-kubernetes-best-practices-deployment-hostalias
 title: Pod should not define hostAliases 
+ impact: 60
 mql: |
 k8s.deployment {
 manifest['spec']['template']['spec']['hostAliases'] == null 
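Review bot: Each `impact: 60` in the `-hostalias` hunks is set on that one query per workload, while the sibling checks the groups list in the first hunks (`-default-namespace`, `-ports-hostport`, `-requestcpu`, `-requestmemory`) are outside the diff, so I cannot tell whether they carry an `impact` of their own. If they do not, the hostAliases finding ends up weighted differently from the rest of its group without a stated reason; either set the siblings in the same change or put the rationale next to the value, e.g. `impact: 60  # adds entries to the pod's /etc/hosts (see docs refs)`. The same applies to the hostalias hunks for the job, replicaset and daemonset queries that follow.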
@@ -980,6 +992,7 @@ queries: title: Adding entries to Pod /etc/hosts with HostAliases - uid: mondoo-kubernetes-best-practices-job-hostalias title: Pod should not define hostAliases + impact: 60 mql: "k8s.job { \n manifest['spec']['template']['spec']['hostAliases'] == null\n}\n" docs: desc: | @@ -1006,6 +1019,7 @@ queries: title: Adding entries to Pod /etc/hosts with HostAliases - uid: mondoo-kubernetes-best-practices-replicaset-hostalias title: Pod should not define hostAliases + impact: 60 mql: "k8s.replicaset { \n manifest['spec']['template']['spec']['hostAliases'] == null\n}\n" docs: desc: | @@ -1032,6 +1046,7 @@ queries: title: Adding entries to Pod /etc/hosts with HostAliases - uid: mondoo-kubernetes-best-practices-daemonset-hostalias title: Pod should not define hostAliases + impact: 60 mql: "k8s.daemonset { \n manifest['spec']['template']['spec']['hostAliases'] == null\n}\n" docs: desc: | diff --git a/core/mondoo-kubernetes-security.mql.yaml b/core/mondoo-kubernetes-security.mql.yaml index 4238342e..dba21549 100644 --- a/core/mondoo-kubernetes-security.mql.yaml +++ b/core/mondoo-kubernetes-security.mql.yaml @@ -463,6 +463,7 @@ queries: ``` - uid: mondoo-kubernetes-security-secure-kube-apiserver-yml title: Set secure file permissions on the API server pod specification file + impact: 60 mql: | if (file("/etc/kubernetes/manifests/kube-apiserver.yaml").exists) { file("/etc/kubernetes/manifests/kube-apiserver.yaml") { @@ -494,6 +495,7 @@ queries: title: | Set secure directory permissions on the etcd data directory. Otherwise unprivileged users might get access to sensitive data stored in etcd, i.e., Kubernetes Secrets. + impact: 60 mql: | if (file("/var/lib/etcd").exists) { file("/var/lib/etcd") { 
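Review bot: The `impact: 60` added to the etcd data directory check puts it on par with the kube-apiserver.yaml permission check in the preceding hunk, although the check's own title states that a weak directory mode can expose the Secrets stored in etcd, a credential-disclosure outcome closer in scope to the checks rated higher later in this file. Consider raising it, e.g. `impact: 80`, or documenting in the check's `docs` why it is weighted the same as the manifest file. The query's `uid` line sits above the hunk, so the rest of its definition is not visible here.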
@@ -544,6 +546,7 @@ queries: title: Kubernetes Secrets - uid: mondoo-kubernetes-security-secure-admin-conf title: Set secure file permissions on the admin.conf file + impact: 60 mql: | if (file("/etc/kubernetes/admin.conf").exists) { file("/etc/kubernetes/admin.conf") { @@ -576,6 +579,7 @@ queries: title: Kubernetes Setup - uid: mondoo-kubernetes-security-secure-scheduler_conf title: Set secure file permissions on the scheduler.conf file + impact: 60 mql: | if (file("/etc/kubernetes/scheduler.conf").exists) { file("/etc/kubernetes/scheduler.conf") { @@ -603,6 +607,7 @@ queries: ``` - uid: mondoo-kubernetes-security-secure-controller-manager_conf title: Set secure file permissions on the controller-manager.conf file + impact: 60 mql: | if (file("/etc/kubernetes/controller-manager.conf").exists) { file("/etc/kubernetes/controller-manager.conf") { @@ -630,6 +635,7 @@ queries: ``` - uid: mondoo-kubernetes-security-secure-pki-directory title: Ensure that the Kubernetes PKI/SSL directory is owned by root:root + impact: 65 mql: | if (processes.where(executable == /kube-apiserver/).list[0].flags["etcd-certfile"] != null) { clientCAFile = processes.where(executable == /kube-apiserver/).list[0].flags["etcd-certfile"] @@ -665,6 +671,7 @@ queries: title: PKI certificates and requirements - uid: mondoo-kubernetes-security-https-api-server title: Ensure the kube-apiserver is not listening on an insecure HTTP port + impact: 70 mql: | processes.where(executable == /kube-apiserver/).list { flags["insecure-port"] == 0 @@ -685,6 +692,7 @@ queries: title: | Ensure the kube-apiserver does not allow anonymous authentication. When allowed, request will have the privileges of the role `system:public-info-viewer`. This might expose data to an attacker. + impact: 100 mql: | processes.where(executable == /kube-apiserver/).list { flags["anonymous-auth"] == "false"
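Review bot: The `impact: 70` on the insecure HTTP port check is below the `impact: 100` given to anonymous authentication in the last hunk, yet the kube-apiserver insecure port, where still available, bypasses authentication and authorization entirely, so an exposed insecure port is at least as severe as anonymous access; `impact: 100` would keep the two consistent. Likewise `admin.conf` is the cluster-admin kubeconfig written by kubeadm, so rating its permission check at the same `impact: 60` as `scheduler.conf` and `controller-manager.conf` understates it — something like `impact: 80` on that hunk would reflect the difference. These hunks only show the opening lines of each `mql`, so the remainder of each query is not visible here.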