From beb013aa65caa0f761ea677db80e32532f96ff6f Mon Sep 17 00:00:00 2001 From: chenk Date: Mon, 28 Mar 2022 11:59:06 +0300 Subject: [PATCH] docs: compliance reports support Signed-off-by: chenk --- README.md | 1 + docs/compliance/nsa-1.0.md | 57 ++ docs/crds/clustercompliance-report.md | 744 ++++++++++++++++++++ docs/crds/clustercompliancedetail-report.md | 426 +++++++++++ docs/crds/index.md | 20 +- docs/index.md | 1 + docs/operator/index.md | 2 + mkdocs.yml | 4 + 8 files changed, 1247 insertions(+), 8 deletions(-) create mode 100644 docs/compliance/nsa-1.0.md create mode 100644 docs/crds/clustercompliance-report.md create mode 100644 docs/crds/clustercompliancedetail-report.md diff --git a/README.md b/README.md index f1528746a..71aebdb03 100644 --- a/README.md +++ b/README.md @@ -27,6 +27,7 @@ Starboard provides: - Automated vulnerability scanning for Kubernetes workloads. - Automated configuration audits for Kubernetes resources with predefined rules or custom Open Policy Agent (OPA) policies. - Automated infrastructures scanning and compliance checks with CIS Benchmarks published by the Center for Internet Security (CIS). +- Automated compliance report - NSA, CISA Kubernetes Hardening Kubernetes Guidance v1.0 - Penetration test results for a Kubernetes cluster. - [Custom Resource Definitions] and a [Go module] to work with and integrate a range of security scanners. - The [Octant Plugin] and the [Lens Extension] that make security reports available through familiar Kubernetes interfaces. diff --git a/docs/compliance/nsa-1.0.md b/docs/compliance/nsa-1.0.md new file mode 100644 index 000000000..3ae54b82e --- /dev/null +++ b/docs/compliance/nsa-1.0.md 
@@ -0,0 +1,57 @@ +NSA, CISA Kubernetes Hardening Guidance v1.0 cybersecurity technical report is produced by starboard and validate the following control checks : + +| NAME | DESCRIPTION | KINDS | +|----------------------------------------------------------|---------------------------------------------------------------------------------------------------------|---------------| +| Non-root containers | Check that container is not running as root | Workload | +| Immutable container file systems | Check that container root file system is immutable | Workload | +| Preventing privileged containers | Controls whether Pods can run privileged containers | Workload | +| Share containers process namespaces | Controls whether containers can share process namespaces | Workload | +| Share host process namespaces | Controls whether share host process namespaces | Workload | +| Use the host network | Controls whether containers can use the host network | Workload | +| Run with root privileges or with root group membership | Controls whether container applications can run with
root privileges or with root group membership | Workload | +| Restricts escalation to root privileges | Control check restrictions escalation to root privileges | Workload | +| Sets the SELinux context of the container | Control checks if pod sets the SELinux context of the container | Workload | +| Restrict a container's access to resources with AppArmor | Control checks the restriction of containers access to resources with AppArmor | Workload | +| Sets the seccomp profile used to sandbox containers | Control checks the sets the seccomp profile used to sandbox containers | Workload | +| Protecting Pod service account tokens | Control check whether disable secret token been mount ,automountServiceAccountToken: false | Node | +| Namespace kube-system should not be used by users | Control check whether Namespace kube-system is not be used by users | NetworkPolicy | +| Pod and/or namespace Selectors usage | Control check validate the pod and/or namespace Selectors usage | NetworkPolicy | +| Use CNI plugin that supports NetworkPolicy API | Control check whether check cni plugin installed | Node | +| Use ResourceQuota policies to limit resources | Control check the use of ResourceQuota policy to limit aggregate resource usage within namespace | ResourceQuota | +| Use LimitRange policies to limit resources | Control check the use of LimitRange policy limit resource usage for namespaces or nodes | LimitRange | +| Control plan disable insecure port | Control check whether control plan disable insecure port | Node | +| Encrypt etcd communication | Control check whether etcd communication is encrypted | Node | +| Ensure kube config file permission | Control check whether kube config file permissions | Node | +| Check that encryption resource has been set | Control checks whether encryption resource has been set | Node | +| Check encryption provider | Control checks whether encryption provider has been set | Node | +| Make sure anonymous-auth is unset | Control checks 
whether anonymous-auth is unset | Node | +| Make sure -authorization-mode=RBAC | Control check whether RBAC permission is in use | Node | +| Audit policy is configure | Control check whether audit policy is configure | Node | +| Audit log path is configure | Control check whether audit log path is configure | Node | +| Audit log aging | Control check whether audit log aging is configure | Node | + + +NSA, CISA Kubernetes Hardening Guidance v1.0 report will be generated every three hours by default. + +The NSA compliance report is composed of two parts : + +- `spec`: represents the NSA compliance control checks specification, check details, and the mapping to the security scanner + +- `status`: represents the NSA compliance control checks results + +Spec can be customized by amending the control checks `severity` or `cron` expression (report execution interval). +As an example, let's enter `vi` edit mode and change the `cron` expression. +```shell +kubectl edit compliance +``` +Once the report has been generated, you can fetch and review its results section. As an example, let's fetch the compliance status report in JSON format + +```shell +kubectl get compliance nsa -o=jsonpath='{.status}' | jq . +``` + +If failures are found in the NSA report and additional investigation is required, you can fetch the nsa-details report for advance investigation. +As an example, let's fetch the report in JSON format +```shell +kubectl get compliancedetail nsa-details -o json +``` diff --git a/docs/crds/clustercompliance-report.md b/docs/crds/clustercompliance-report.md new file mode 100644 index 000000000..948c26931 --- /dev/null +++ b/docs/crds/clustercompliance-report.md 
@@ -0,0 +1,744 @@ +# ClusterComplianceReport + +The ClusterComplianceReport is a cluster-scoped resource, which represents the latest compliance control checks results. +The report spec defines a mapping between pre-defined compliance control check ids to security scanners check ids. +Currently, only `kube-bench` and `config-audit` security scanners are supported + + +The NSA compliance report is composed of two parts : + +- `spec:` represents the compliance control checks specification, check details, and the mapping to the security scanner (this part is defined by the user) + +- `status:` represents the compliance control checks (as defined by spec mapping) results extracted from the security scanners reports (this part is output by starboard) + +The following shows a sample ClusterComplianceReport NSA specification associated with the `cluster` + +```json +{ + "apiVersion": "aquasecurity.github.io/v1alpha1", + "kind": "ClusterComplianceReport", + "metadata": { + "annotations": { + "kubectl.kubernetes.io/last-applied-configuration": "" + },x§ + "creationTimestamp": "2022-03-27T07:03:29Z", + "generation": 2, + "labels": { + "app.kubernetes.io/instance": "starboard-operator", + "app.kubernetes.io/managed-by": "kubectl", + "app.kubernetes.io/name": "starboard-operator", + "app.kubernetes.io/version": "0.15.0" + }, + "name": "nsa", + "resourceVersion": "15745", + "uid": "d11e8af1-daac-457d-96ea-45be4b043814" + }, + "spec": { + "controls": [ + { + "description": "Check that container is not running as root", + "id": "1.0", + "kinds": [ + "Workload" + ], + "mapping": { + "checks": [ + { + "id": "KSV012" + } + ], + "scanner": "config-audit" + }, + "name": "Non-root containers", + "severity": "MEDIUM" + }, + { + "description": "Check that container root file system is immutable", + "id": "1.1", + "kinds": [ + "Workload" + ], + "mapping": { + "checks": [ + { + "id": "KSV014" + } + ], + "scanner": "config-audit" + }, + "name": "Immutable container file systems", + 
"severity": "LOW" + }, + { + "description": "Controls whether Pods can run privileged containers", + "id": "1.2", + "kinds": [ + "Workload" + ], + "mapping": { + "checks": [ + { + "id": "KSV017" + } + ], + "scanner": "config-audit" + }, + "name": "Preventing privileged containers", + "severity": "HIGH" + }, + { + "description": "Controls whether containers can share process namespaces", + "id": "1.3", + "kinds": [ + "Workload" + ], + "mapping": { + "checks": [ + { + "id": "KSV008" + } + ], + "scanner": "config-audit" + }, + "name": "Share containers process namespaces", + "severity": "HIGH" + }, + { + "description": "Controls whether share host process namespaces", + "id": "1.4", + "kinds": [ + "Workload" + ], + "mapping": { + "checks": [ + { + "id": "KSV009" + } + ], + "scanner": "config-audit" + }, + "name": "Share host process namespaces.", + "severity": "HIGH" + }, + { + "description": "Controls whether containers can use the host network", + "id": "1.5", + "kinds": [ + "Workload" + ], + "mapping": { + "checks": [ + { + "id": "KSV010" + } + ], + "scanner": "config-audit" + }, + "name": "use the host network", + "severity": "HIGH" + }, + { + "description": "Controls whether container applications can run with root privileges or with root group membership", + "id": "1.6", + "kinds": [ + "Workload" + ], + "mapping": { + "checks": [ + { + "id": "KSV029" + } + ], + "scanner": "config-audit" + }, + "name": "Run with root privileges or with root group membership", + "severity": "LOW" + }, + { + "description": "Control check restrictions escalation to root privileges", + "id": "1.7", + "kinds": [ + "Workload" + ], + "mapping": { + "checks": [ + { + "id": "KSV001" + } + ], + "scanner": "config-audit" + }, + "name": "Restricts escalation to root privileges", + "severity": "MEDIUM" + }, + { + "description": "Control checks if pod sets the SELinux context of the container", + "id": "1.8", + "kinds": [ + "Workload" + ], + "mapping": { + "checks": [ + { + "id": "KSV002" + } 
+ ], + "scanner": "config-audit" + }, + "name": "Sets the SELinux context of the container", + "severity": "MEDIUM" + }, + { + "description": "Control checks the restriction of containers access to resources with AppArmor", + "id": "1.9", + "kinds": [ + "Workload" + ], + "mapping": { + "checks": [ + { + "id": "KSV030" + } + ], + "scanner": "config-audit" + }, + "name": "Restrict a container's access to resources with AppArmor", + "severity": "MEDIUM" + }, + { + "description": "Control checks the sets the seccomp profile used to sandbox containers", + "id": "1.10", + "kinds": [ + "Workload" + ], + "mapping": { + "checks": [ + { + "id": "KSV030" + } + ], + "scanner": "config-audit" + }, + "name": "Sets the seccomp profile used to sandbox containers.", + "severity": "LOW" + }, + { + "description": "Control check whether disable secret token been mount ,automountServiceAccountToken: false", + "id": "1.11", + "kinds": [ + "Workload" + ], + "mapping": { + "checks": [ + { + "id": "KSV036" + } + ], + "scanner": "config-audit" + }, + "name": "Protecting Pod service account tokens", + "severity": "MEDIUM" + }, + { + "defaultStatus": "FAIL", + "description": "Control check whether Namespace kube-system is not be used by users", + "id": "1.12", + "kinds": [ + "NetworkPolicy" + ], + "mapping": { + "checks": [ + { + "id": "KSV037" + } + ], + "scanner": "config-audit" + }, + "name": "Namespace kube-system should not be used by users", + "severity": "MEDIUM" + }, + { + "defaultStatus": "FAIL", + "description": "Control check validate the pod and/or namespace Selectors usage", + "id": "2.0", + "kinds": [ + "NetworkPolicy" + ], + "mapping": { + "checks": [ + { + "id": "KSV038" + } + ], + "scanner": "config-audit" + }, + "name": "Pod and/or namespace Selectors usage", + "severity": "MEDIUM" + }, + { + "description": "Control check whether check cni plugin installed\t", + "id": "3.0", + "kinds": [ + "Node" + ], + "mapping": { + "checks": [ + { + "id": "5.3.1" + } + ], + "scanner": 
"kube-bench" + }, + "name": "Use CNI plugin that supports NetworkPolicy API", + "severity": "CRITICAL" + }, + { + "defaultStatus": "FAIL", + "description": "Control check the use of ResourceQuota policy to limit aggregate resource usage within namespace", + "id": "4.0", + "kinds": [ + "ResourceQuota" + ], + "mapping": { + "checks": [ + { + "id": "KSV040" + } + ], + "scanner": "config-audit" + }, + "name": "Use ResourceQuota policies to limit resources", + "severity": "MEDIUM" + }, + { + "defaultStatus": "FAIL", + "description": "Control check the use of LimitRange policy limit resource usage for namespaces or nodes", + "id": "4.1", + "kinds": [ + "ResourceQuota" + ], + "mapping": { + "checks": [ + { + "id": "KSV039" + } + ], + "scanner": "config-audit" + }, + "name": "Use LimitRange policies to limit resources", + "severity": "MEDIUM" + }, + { + "description": "Control check whether control plan disable insecure port", + "id": "5.0", + "kinds": [ + "Node" + ], + "mapping": { + "checks": [ + { + "id": "1.2.19" + } + ], + "scanner": "kube-bench" + }, + "name": "Control plan disable insecure port", + "severity": "CRITICAL" + }, + { + "description": "Control check whether etcd communication is encrypted", + "id": "5.1", + "kinds": [ + "Node" + ], + "mapping": { + "checks": [ + { + "id": "2.1" + } + ], + "scanner": "kube-bench" + }, + "name": "Encrypt etcd communication", + "severity": "CRITICAL" + }, + { + "description": "Control check whether kube config file permissions", + "id": "6.0", + "kinds": [ + "Node" + ], + "mapping": { + "checks": [ + { + "id": "4.1.3" + }, + { + "id": "4.1.4" + } + ], + "scanner": "kube-bench" + }, + "name": "Ensure kube config file permission", + "severity": "CRITICAL" + }, + { + "description": "Control checks whether encryption resource has been set", + "id": "6.1", + "kinds": [ + "Node" + ], + "mapping": { + "checks": [ + { + "id": "1.2.31" + }, + { + "id": "1.2.32" + } + ], + "scanner": "kube-bench" + }, + "name": "Check that encryption 
resource has been set", + "severity": "CRITICAL" + }, + { + "description": "Control checks whether encryption provider has been set", + "id": "6.2", + "kinds": [ + "Node" + ], + "mapping": { + "checks": [ + { + "id": "1.2.3" + } + ], + "scanner": "kube-bench" + }, + "name": "Check encryption provider", + "severity": "CRITICAL" + }, + { + "description": "Control checks whether anonymous-auth is unset", + "id": "7.0", + "kinds": [ + "Node" + ], + "mapping": { + "checks": [ + { + "id": "1.2.1" + } + ], + "scanner": "kube-bench" + }, + "name": "Make sure anonymous-auth is unset", + "severity": "CRITICAL" + }, + { + "description": "Control check whether RBAC permission is in use", + "id": "7.1", + "kinds": [ + "Node" + ], + "mapping": { + "checks": [ + { + "id": "1.2.7" + }, + { + "id": "1.2.8" + } + ], + "scanner": "kube-bench" + }, + "name": "Make sure -authorization-mode=RBAC", + "severity": "CRITICAL" + }, + { + "description": "Control check whether audit policy is configure", + "id": "8.0", + "kinds": [ + "Node" + ], + "mapping": { + "checks": [ + { + "id": "3.2.1" + } + ], + "scanner": "kube-bench" + }, + "name": "Audit policy is configure", + "severity": "HIGH" + }, + { + "description": "Control check whether audit log path is configure", + "id": "8.1", + "kinds": [ + "Node" + ], + "mapping": { + "checks": [ + { + "id": "1.2.22" + } + ], + "scanner": "kube-bench" + }, + "name": "Audit log path is configure", + "severity": "MEDIUM" + }, + { + "description": "Control check whether audit log aging is configure", + "id": "8.2", + "kinds": [ + "Node" + ], + "mapping": { + "checks": [ + { + "id": "1.2.23" + } + ], + "scanner": "kube-bench" + }, + "name": "Audit log aging", + "severity": "MEDIUM" + } + ], + "cron": "* * * * *", + "description": "National Security Agency - Kubernetes Hardening Guidance", + "name": "nsa", + "version": "1.0" + }, + "status": { + "controlCheck": [ + { + "description": "Controls whether Pods can run privileged containers", + "failTotal": 0, 
+ "id": "1.2", + "name": "Preventing privileged containers", + "passTotal": 11, + "severity": "HIGH" + }, + { + "description": "Controls whether containers can share process namespaces", + "failTotal": 0, + "id": "1.3", + "name": "Share containers process namespaces", + "passTotal": 11, + "severity": "HIGH" + }, + { + "description": "Control checks whether anonymous-auth is unset", + "failTotal": 0, + "id": "7.0", + "name": "Make sure anonymous-auth is unset", + "passTotal": 0, + "severity": "CRITICAL" + }, + { + "description": "Control check restrictions escalation to root privileges", + "failTotal": 6, + "id": "1.7", + "name": "Restricts escalation to root privileges", + "passTotal": 5, + "severity": "MEDIUM" + }, + { + "description": "Control checks the restriction of containers access to resources with AppArmor", + "failTotal": 0, + "id": "1.9", + "name": "Restrict a container's access to resources with AppArmor", + "passTotal": 11, + "severity": "MEDIUM" + }, + { + "description": "Check that container is not running as root", + "failTotal": 9, + "id": "1.0", + "name": "Non-root containers", + "passTotal": 2, + "severity": "MEDIUM" + }, + { + "description": "Controls whether share host process namespaces", + "failTotal": 0, + "id": "1.4", + "name": "Share host process namespaces.", + "passTotal": 11, + "severity": "HIGH" + }, + { + "description": "Control checks whether encryption resource has been set", + "failTotal": 0, + "id": "6.1", + "name": "Check that encryption resource has been set", + "passTotal": 1, + "severity": "CRITICAL" + }, + { + "description": "Control check whether check cni plugin installed\t", + "failTotal": 0, + "id": "3.0", + "name": "Use CNI plugin that supports NetworkPolicy API", + "passTotal": 1, + "severity": "CRITICAL" + }, + { + "description": "Control check the use of ResourceQuota policy to limit aggregate resource usage within namespace", + "failTotal": 1, + "id": "4.0", + "name": "Use ResourceQuota policies to limit resources", 
+ "passTotal": 0, + "severity": "MEDIUM" + }, + { + "description": "Control check whether kube config file permissions", + "failTotal": 0, + "id": "6.0", + "name": "Ensure kube config file permission", + "passTotal": 1, + "severity": "CRITICAL" + }, + { + "description": "Control checks whether encryption provider has been set", + "failTotal": 0, + "id": "6.2", + "name": "Check encryption provider", + "passTotal": 1, + "severity": "CRITICAL" + }, + { + "description": "Control check whether RBAC permission is in use", + "failTotal": 0, + "id": "7.1", + "name": "Make sure -authorization-mode=RBAC", + "passTotal": 0, + "severity": "CRITICAL" + }, + { + "description": "Check that container root file system is immutable", + "failTotal": 5, + "id": "1.1", + "name": "Immutable container file systems", + "passTotal": 6, + "severity": "LOW" + }, + { + "description": "Control checks if pod sets the SELinux context of the container", + "failTotal": 0, + "id": "1.8", + "name": "Sets the SELinux context of the container", + "passTotal": 11, + "severity": "MEDIUM" + }, + { + "description": "Control check whether disable secret token been mount ,automountServiceAccountToken: false", + "failTotal": 1, + "id": "1.11", + "name": "Protecting Pod service account tokens", + "passTotal": 10, + "severity": "MEDIUM" + }, + { + "description": "Control check the use of LimitRange policy limit resource usage for namespaces or nodes", + "failTotal": 1, + "id": "4.1", + "name": "Use LimitRange policies to limit resources", + "passTotal": 0, + "severity": "MEDIUM" + }, + { + "description": "Control check whether audit log aging is configure", + "failTotal": 0, + "id": "8.2", + "name": "Audit log aging", + "passTotal": 0, + "severity": "MEDIUM" + }, + { + "description": "Control check whether Namespace kube-system is not be used by users", + "failTotal": 8, + "id": "1.12", + "name": "Namespace kube-system should not be used by users", + "passTotal": 3, + "severity": "MEDIUM" + }, + { + 
"description": "Controls whether containers can use the host network", + "failTotal": 0, + "id": "1.5", + "name": "use the host network", + "passTotal": 11, + "severity": "HIGH" + }, + { + "description": "Controls whether container applications can run with root privileges or with root group membership", + "failTotal": 1, + "id": "1.6", + "name": "Run with root privileges or with root group membership", + "passTotal": 10, + "severity": "LOW" + }, + { + "description": "Control check whether audit log path is configure", + "failTotal": 0, + "id": "8.1", + "name": "Audit log path is configure", + "passTotal": 1, + "severity": "MEDIUM" + }, + { + "description": "Control checks the sets the seccomp profile used to sandbox containers", + "failTotal": 0, + "id": "1.10", + "name": "Sets the seccomp profile used to sandbox containers.", + "passTotal": 11, + "severity": "LOW" + }, + { + "description": "Control check validate the pod and/or namespace Selectors usage", + "failTotal": 1, + "id": "2.0", + "name": "Pod and/or namespace Selectors usage", + "passTotal": 0, + "severity": "MEDIUM" + }, + { + "description": "Control check whether control plan disable insecure port", + "failTotal": 0, + "id": "5.0", + "name": "Control plan disable insecure port", + "passTotal": 1, + "severity": "CRITICAL" + }, + { + "description": "Control check whether etcd communication is encrypted", + "failTotal": 0, + "id": "5.1", + "name": "Encrypt etcd communication", + "passTotal": 1, + "severity": "CRITICAL" + }, + { + "description": "Control check whether audit policy is configure", + "failTotal": 0, + "id": "8.0", + "name": "Audit policy is configure", + "passTotal": 1, + "severity": "HIGH" + } + ], + "summary": { + "failCount": 33, + "passCount": 113 + }, + "updateTimestamp": "2022-03-27T07:06:00Z" + } +} +``` + + diff --git a/docs/crds/clustercompliancedetail-report.md b/docs/crds/clustercompliancedetail-report.md new file mode 100644 index 000000000..cbc4504fa --- /dev/null 
+++ b/docs/crds/clustercompliancedetail-report.md 
@@ -0,0 +1,426 @@ +# ClusterComplianceDetailReport + +The ClusterComplianceDetailReport is a cluster-scoped resource, which represents the latest result of the Cluster Compliance Detail report. +The report data provide granular information on control checks failures that occur in `ClusterComplianceReport` for further investigation. + +The compliance detail report provides granular information insight on control check failures: + +- Failing resource kind +- Name of the failing resource +- Namespace of the failing resource +- Failure error message +- Remediation + +The following listing shows a sample ClusterComplianceDetailReport for NSA specification associated with the `cluster` + +```json +{ + "apiVersion": "aquasecurity.github.io/v1alpha1", + "kind": "ClusterComplianceDetailReport", + "metadata": { + "creationTimestamp": "2022-03-27T07:04:21Z", + "generation": 6, + "name": "nsa-details", + "resourceVersion": "15788", + "uid": "9d36889d-086a-4fb3-b660-a3a3ecffe3c6" + }, + "report": { + "controlCheck": [ + { + "checkResults": [ + { + "details": [ + { + "msg": "ReplicaSet 'coredns-96cc4f57d' should not be set with 'kube-system' namespace", + "name": "replicaset-coredns-96cc4f57d", + "namespace": "kube-system", + "status": "FAIL" + }, + { + "msg": "ReplicaSet 'coredns-5789895cd' should not be set with 'kube-system' namespace", + "name": "replicaset-coredns-5789895cd", + "namespace": "kube-system", + "status": "FAIL" + }, + { + "msg": "ReplicaSet 'traefik-56c4b88c4b' should not be set with 'kube-system' namespace", + "name": "replicaset-traefik-56c4b88c4b", + "namespace": "kube-system", + "status": "FAIL" + }, + { + "msg": "ReplicaSet 'metrics-server-ff9dbcb6c' should not be set with 'kube-system' namespace", + "name": "replicaset-metrics-server-ff9dbcb6c", + "namespace": "kube-system", + "status": "FAIL" + }, + { + "msg": "ReplicaSet 'local-path-provisioner-84bb864455' should not be set with 'kube-system' namespace", + "name": 
"replicaset-local-path-provisioner-84bb864455", + "namespace": "kube-system", + "status": "FAIL" + } + ], + "id": "KSV037", + "objectType": "ReplicaSet" + }, + { + "details": [ + { + "msg": "DaemonSet 'svclb-traefik' should not be set with 'kube-system' namespace", + "name": "daemonset-svclb-traefik", + "namespace": "kube-system", + "status": "FAIL" + } + ], + "id": "KSV037", + "objectType": "DaemonSet" + }, + { + "details": [ + { + "msg": "Job 'helm-install-traefik-crd' should not be set with 'kube-system' namespace", + "name": "job-helm-install-traefik-crd", + "namespace": "kube-system", + "status": "FAIL" + }, + { + "msg": "Job 'helm-install-traefik' should not be set with 'kube-system' namespace", + "name": "job-helm-install-traefik", + "namespace": "kube-system", + "status": "FAIL" + } + ], + "id": "KSV037", + "objectType": "Job" + } + ], + "description": "Control check whether Namespace kube-system is not be used by users", + "id": "1.12", + "name": "Namespace kube-system should not be used by users", + "severity": "MEDIUM" + }, + { + "checkResults": [ + { + "details": [ + { + "msg": "Resource do not exist in cluster", + "status": "FAIL" + } + ], + "objectType": "ResourceQuota" + } + ], + "description": "Control check the use of ResourceQuota policy to limit aggregate resource usage within namespace", + "id": "4.0", + "name": "Use ResourceQuota policies to limit resources", + "severity": "MEDIUM" + }, + { + "checkResults": [ + { + "details": [ + { + "msg": "Container 'traefik' of ReplicaSet 'traefik-56c4b88c4b' should set 'securityContext.allowPrivilegeEscalation' to false", + "name": "replicaset-traefik-56c4b88c4b", + "namespace": "kube-system", + "status": "FAIL" + }, + { + "msg": "Container 'local-path-provisioner' of ReplicaSet 'local-path-provisioner-84bb864455' should set 'securityContext.allowPrivilegeEscalation' to false", + "name": "replicaset-local-path-provisioner-84bb864455", + "namespace": "kube-system", + "status": "FAIL" + } + ], + "id": 
"KSV001", + "objectType": "ReplicaSet" + }, + { + "details": [ + { + "msg": "Container 'lb-port-443' of DaemonSet 'svclb-traefik' should set 'securityContext.allowPrivilegeEscalation' to false", + "name": "daemonset-svclb-traefik", + "namespace": "kube-system", + "status": "FAIL" + } + ], + "id": "KSV001", + "objectType": "DaemonSet" + }, + { + "details": [ + { + "msg": "Container 'helm' of Job 'helm-install-traefik-crd' should set 'securityContext.allowPrivilegeEscalation' to false", + "name": "job-helm-install-traefik-crd", + "namespace": "kube-system", + "status": "FAIL" + }, + { + "msg": "Container 'helm' of Job 'helm-install-traefik' should set 'securityContext.allowPrivilegeEscalation' to false", + "name": "job-helm-install-traefik", + "namespace": "kube-system", + "status": "FAIL" + } + ], + "id": "KSV001", + "objectType": "Job" + }, + { + "details": [ + { + "msg": "Container 'nginx' of Pod 'nginx-jr99v' should set 'securityContext.allowPrivilegeEscalation' to false", + "name": "pod-nginx-jr99v", + "namespace": "starboard-itest", + "status": "FAIL" + } + ], + "id": "KSV001", + "objectType": "Pod" + } + ], + "description": "Control check restrictions escalation to root privileges", + "id": "1.7", + "name": "Restricts escalation to root privileges", + "severity": "MEDIUM" + }, + { + "checkResults": [ + { + "details": [ + { + "msg": "Resource do not exist in cluster", + "status": "FAIL" + } + ], + "objectType": "ResourceQuota" + } + ], + "description": "Control check the use of LimitRange policy limit resource usage for namespaces or nodes", + "id": "4.1", + "name": "Use LimitRange policies to limit resources", + "severity": "MEDIUM" + }, + { + "checkResults": [ + { + "details": [ + { + "msg": "Container 'local-path-provisioner' of ReplicaSet 'local-path-provisioner-84bb864455' should set 'securityContext.readOnlyRootFilesystem' to true", + "name": "replicaset-local-path-provisioner-84bb864455", + "namespace": "kube-system", + "status": "FAIL" + } + ], + "id": 
"KSV014", + "objectType": "ReplicaSet" + }, + { + "details": [ + { + "msg": "Container 'lb-port-443' of DaemonSet 'svclb-traefik' should set 'securityContext.readOnlyRootFilesystem' to true", + "name": "daemonset-svclb-traefik", + "namespace": "kube-system", + "status": "FAIL" + } + ], + "id": "KSV014", + "objectType": "DaemonSet" + }, + { + "details": [ + { + "msg": "Container 'helm' of Job 'helm-install-traefik-crd' should set 'securityContext.readOnlyRootFilesystem' to true", + "name": "job-helm-install-traefik-crd", + "namespace": "kube-system", + "status": "FAIL" + }, + { + "msg": "Container 'helm' of Job 'helm-install-traefik' should set 'securityContext.readOnlyRootFilesystem' to true", + "name": "job-helm-install-traefik", + "namespace": "kube-system", + "status": "FAIL" + } + ], + "id": "KSV014", + "objectType": "Job" + }, + { + "details": [ + { + "msg": "Container 'nginx' of Pod 'nginx-jr99v' should set 'securityContext.readOnlyRootFilesystem' to true", + "name": "pod-nginx-jr99v", + "namespace": "starboard-itest", + "status": "FAIL" + } + ], + "id": "KSV014", + "objectType": "Pod" + } + ], + "description": "Check that container root file system is immutable", + "id": "1.1", + "name": "Immutable container file systems", + "severity": "LOW" + }, + { + "checkResults": [ + { + "details": [ + { + "msg": "ReplicaSet 'traefik-56c4b88c4b' should set 'spec.securityContext.runAsGroup', 'spec.securityContext.supplementalGroups[*]' and 'spec.securityContext.fsGroup' to integer greater than 0", + "name": "replicaset-traefik-56c4b88c4b", + "namespace": "kube-system", + "status": "FAIL" + } + ], + "id": "KSV029", + "objectType": "ReplicaSet" + } + ], + "description": "Controls whether container applications can run with root privileges or with root group membership", + "id": "1.6", + "name": "Run with root privileges or with root group membership", + "severity": "LOW" + }, + { + "checkResults": [ + { + "details": [ + { + "msg": "Container of Pod 'nginx-jr99v' should 
set 'spec.automountServiceAccountToken' to false", + "name": "pod-nginx-jr99v", + "namespace": "starboard-itest", + "status": "FAIL" + } + ], + "id": "KSV036", + "objectType": "Pod" + } + ], + "description": "Control check whether disable secret token been mount ,automountServiceAccountToken: false", + "id": "1.11", + "name": "Protecting Pod service account tokens", + "severity": "MEDIUM" + }, + { + "checkResults": [ + { + "details": [ + { + "msg": "Resource do not exist in cluster", + "status": "FAIL" + } + ], + "objectType": "NetworkPolicy" + } + ], + "description": "Control check validate the pod and/or namespace Selectors usage", + "id": "2.0", + "name": "Pod and/or namespace Selectors usage", + "severity": "MEDIUM" + }, + { + "checkResults": [ + { + "details": [ + { + "msg": "Container 'starboard-operator' of ReplicaSet 'starboard-operator-7cf866c47b' should set 'securityContext.runAsNonRoot' to true", + "name": "replicaset-starboard-operator-7cf866c47b", + "namespace": "starboard-system", + "status": "FAIL" + }, + { + "msg": "Container 'coredns' of ReplicaSet 'coredns-96cc4f57d' should set 'securityContext.runAsNonRoot' to true", + "name": "replicaset-coredns-96cc4f57d", + "namespace": "kube-system", + "status": "FAIL" + }, + { + "msg": "Container 'coredns' of ReplicaSet 'coredns-5789895cd' should set 'securityContext.runAsNonRoot' to true", + "name": "replicaset-coredns-5789895cd", + "namespace": "kube-system", + "status": "FAIL" + }, + { + "msg": "Container 'starboard-operator' of ReplicaSet 'starboard-operator-c94dd56d' should set 'securityContext.runAsNonRoot' to true", + "name": "replicaset-starboard-operator-c94dd56d", + "namespace": "starboard-system", + "status": "FAIL" + }, + { + "msg": "Container 'local-path-provisioner' of ReplicaSet 'local-path-provisioner-84bb864455' should set 'securityContext.runAsNonRoot' to true", + "name": "replicaset-local-path-provisioner-84bb864455", + "namespace": "kube-system", + "status": "FAIL" + } + ], + "id": 
"KSV012", + "objectType": "ReplicaSet" + }, + { + "details": [ + { + "msg": "Container 'lb-port-443' of DaemonSet 'svclb-traefik' should set 'securityContext.runAsNonRoot' to true", + "name": "daemonset-svclb-traefik", + "namespace": "kube-system", + "status": "FAIL" + } + ], + "id": "KSV012", + "objectType": "DaemonSet" + }, + { + "details": [ + { + "msg": "Container 'helm' of Job 'helm-install-traefik-crd' should set 'securityContext.runAsNonRoot' to true", + "name": "job-helm-install-traefik-crd", + "namespace": "kube-system", + "status": "FAIL" + }, + { + "msg": "Container 'helm' of Job 'helm-install-traefik' should set 'securityContext.runAsNonRoot' to true", + "name": "job-helm-install-traefik", + "namespace": "kube-system", + "status": "FAIL" + } + ], + "id": "KSV012", + "objectType": "Job" + }, + { + "details": [ + { + "msg": "Container 'nginx' of Pod 'nginx-jr99v' should set 'securityContext.runAsNonRoot' to true", + "name": "pod-nginx-jr99v", + "namespace": "starboard-itest", + "status": "FAIL" + } + ], + "id": "KSV012", + "objectType": "Pod" + } + ], + "description": "Check that container is not running as root", + "id": "1.0", + "name": "Non-root containers", + "severity": "MEDIUM" + } + ], + "summary": { + "failCount": 33, + "passCount": 113 + }, + "type": { + "description": "national security agency - kubernetes hardening guidance", + "name": "nsa-details", + "version": "1.0" + }, + "updateTimestamp": "2022-03-27T07:09:00Z" + } +} + + +``` + diff --git a/docs/crds/index.md b/docs/crds/index.md index 408c5e0ae..f2c143b95 100644 --- a/docs/crds/index.md +++ b/docs/crds/index.md 
@@ -3,14 +3,16 @@ This project houses CustomResourceDefinitions (CRDs) related to security and compliance checks along with the code generated by Kubernetes [code generators][k8s-code-generator] to write such custom resources in a programmable way. -| NAME | SHORTNAMES | APIGROUP | NAMESPACED | KIND | -|-------------------------------|---------------------------|------------------------|------------|----------------------------------------------------------------| -| [vulnerabilityreports] | vulns,vuln | aquasecurity.github.io | true | [VulnerabilityReport](./vulnerability-report.md) | -| [clustervulnerabilityreports] | clustervulns, clustervuln | aquasecurity.github.io | false | [ClusterVulnerabilityReport](./clustervulnerability-report.md) | -| [configauditreports] | configaudit | aquasecurity.github.io | true | [ConfigAuditReport](./configaudit-report.md) | -| [clusterconfigauditreports] | clusterconfigaudit | aquasecurity.github.io | false | [ClusterConfigAuditReport](./clusterconfigaudit-report.md) | -| [ciskubebenchreports] | kubebench | aquasecurity.github.io | false | [CISKubeBenchReport](./ciskubebench-report.md) | -| [kubehunterreports] | kubehunter | aquasecurity.github.io | false | [KubeHunterReport](./kubehunter-report.md) | +| NAME | SHORTNAMES | APIGROUP | NAMESPACED | KIND | +|-------------------------------|---------------------------|------------------------|------------|----------------------------------------------------------------------| +| [vulnerabilityreports] | vulns,vuln | aquasecurity.github.io | true | [VulnerabilityReport](./vulnerability-report.md) | +| [clustervulnerabilityreports] | clustervulns, clustervuln | aquasecurity.github.io | false | [ClusterVulnerabilityReport](./clustervulnerability-report.md) | +| [configauditreports] | configaudit | aquasecurity.github.io | true | [ConfigAuditReport](./configaudit-report.md) | +| [clusterconfigauditreports] | clusterconfigaudit | aquasecurity.github.io | false | 
[ClusterConfigAuditReport](./clusterconfigaudit-report.md) | +| [ciskubebenchreports] | kubebench | aquasecurity.github.io | false | [CISKubeBenchReport](./ciskubebench-report.md) | +| [kubehunterreports] | kubehunter | aquasecurity.github.io | false | [KubeHunterReport](./kubehunter-report.md) | +| [clustercompliancereports] | compliance | aquasecurity.github.io | false | [ClusterComplianceReport](./clustercompliance-report.md) | +| [clustercompliancereports] | comoliancedetail | aquasecurity.github.io | false | [ClusterComplianceDetailReport](./clustercompliancedetail-report.md) | !!! note @@ -25,5 +27,7 @@ generated by Kubernetes [code generators][k8s-code-generator] to write such cust [kubehunterreports]: https://raw.githubusercontent.com/aquasecurity/starboard/{{ git.tag }}/deploy/crd/kubehunterreports.crd.yaml [configauditreports]: https://raw.githubusercontent.com/aquasecurity/starboard/{{ git.tag }}/deploy/crd/configauditreports.crd.yaml [clusterconfigauditreports]: https://raw.githubusercontent.com/aquasecurity/starboard/{{ git.tag }}/deploy/crd/clusterconfigauditreports.crd.yaml +[clustercompliancereports]: https://raw.githubusercontent.com/aquasecurity/starboard/{{ git.tag }}/deploy/crd/clustercompliancereports.crd.yaml +[clustercompliancedetailreports]: https://raw.githubusercontent.com/aquasecurity/starboard/{{ git.tag }}/deploy/crd/clustercompliancedetailreports.crd.yaml diff --git a/docs/index.md b/docs/index.md index a890c8c13..750fd967e 100644 --- a/docs/index.md +++ b/docs/index.md 
@@ -14,6 +14,7 @@ Starboard provides: - Automated vulnerability scanning for Kubernetes workloads. - Automated configuration audits for Kubernetes resources with predefined rules or custom Open Policy Agent (OPA) policies. - Automated infrastructures scanning and compliance checks with CIS Benchmarks published by the Center for Internet Security (CIS). +- Automated compliance report - NSA, CISA Kubernetes Hardening Kubernetes Guidance v1.0 - Penetration test results for a Kubernetes cluster. - [Custom Resource Definitions] and a [Go module] to work with and integrate a range of security scanners. - The [Octant Plugin] and the [Lens Extension] that make security reports available through familiar Kubernetes interfaces. diff --git a/docs/operator/index.md b/docs/operator/index.md index f082f2b3e..b3ce7beca 100644 --- a/docs/operator/index.md +++ b/docs/operator/index.md @@ -50,5 +50,7 @@ with new plugin's configuration. [configauditreports]: ./../crds/configaudit-report.md [ciskubebenchreports]: ./../crds/ciskubebench-report.md [kubehunterreports]: ./../crds/kubehunter-report.md +[clustercompliancereports]: ./../crds/clustercompliance-report.md +[clustercompliancedetailreports]: ./../crds/clustercompliancedetail-report.md [k8s-garbage-collection]: https://kubernetes.io/docs/concepts/workloads/controllers/garbage-collection/ diff --git a/mkdocs.yml b/mkdocs.yml index 3d48c92fc..2f294901b 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -54,6 +54,10 @@ nav: - ClusterConfigAuditReport: crds/clusterconfigaudit-report.md - CISKubeBenchReport: crds/ciskubebench-report.md - KubeHunterReport: crds/kubehunter-report.md + - ClusterComplianceReport: crds/clustercompliance-report.md + - ClusterComplianceDetailReport: crds/clustercompliancedetail-report.md + - Compliance Reports: + - National Security Agency: compliance/nsa-1.0.md - Frequently Asked Questions: faq.md - Further Reading: further-reading.md
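Review bot: several control descriptions in the sample ClusterComplianceDetailReport (docs/crds/clustercompliancedetail-report.md) are ungrammatical and will be copied verbatim by readers of the docs; in the `"id": "1.11"` entry, `"Control check whether disable secret token been mount ,automountServiceAccountToken: false"` would read better as `"Checks that the service account token is not mounted (automountServiceAccountToken: false)"`, and in the `"id": "2.0"` entry `"Control check validate the pod and/or namespace Selectors usage"` as `"Checks that NetworkPolicies use pod and/or namespace selectors"`. Since these strings are produced by the operator rather than typed into the doc, the fix belongs in the compliance spec, with the sample regenerated afterwards. Two smaller points in the same sample: the NetworkPolicy check result (`"msg": "Resource do not exist in cluster"`) is the only checkResult without an `"id"` field, so readers cannot tell which check produced that failure; and the sample lists two ReplicaSet generations each for coredns and starboard-operator, which inflates `failCount` relative to the live cluster and makes the example harder to read than a capture from a cluster with a single revision of each workload.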
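Review bot: the last row added to the table in docs/crds/index.md links to the wrong CRD: its NAME cell is `[clustercompliancereports]`, identical to the row above, while the KIND is ClusterComplianceDetailReport, so the reference-style link resolves to clustercompliancereports.crd.yaml and the `[clustercompliancedetailreports]` link definition added further down in the same file is never used; change the cell to `[clustercompliancedetailreports]`. The SHORTNAMES cell `comoliancedetail` also looks like a typo for `compliancedetail`; please confirm it matches the short name declared in the CRD manifest before merging, since users will type it into kubectl.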
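Review bot: the bullet added to docs/index.md repeats the word "Kubernetes" (`NSA, CISA Kubernetes Hardening Kubernetes Guidance v1.0`); suggest `- Automated compliance reports - NSA, CISA Kubernetes Hardening Guidance v1.0`, which also matches the title used in docs/compliance/nsa-1.0.md.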
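Review bot: the nav entry added to mkdocs.yml labels the page `National Security Agency`, while the page itself and the feature bullet call it the NSA, CISA Kubernetes Hardening Guidance v1.0; since CISA co-authored the guidance, a label such as `NSA, CISA Kubernetes Hardening Guidance v1.0` under `Compliance Reports` would be more accurate and easier to find in the sidebar.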