diff --git a/deploy/static/starboard.yaml b/deploy/static/starboard.yaml index 225b53206..d660d6419 100644 --- a/deploy/static/starboard.yaml +++ b/deploy/static/starboard.yaml 
@@ -2022,296 +2022,3 @@ spec: readOnlyRootFilesystem: true securityContext: {} ---- -apiVersion: aquasecurity.github.io/v1alpha1 -kind: ClusterComplianceReport -metadata: - name: nsa - labels: - app.kubernetes.io/name: starboard-operator - app.kubernetes.io/instance: starboard-operator - app.kubernetes.io/version: "0.15.0-rc6" - app.kubernetes.io/managed-by: kubectl -spec: - name: nsa - description: National Security Agency - Kubernetes Hardening Guidance - version: "1.0" - cron: "0 */3 * * *" - controls: - - name: Non-root containers - description: 'Check that container is not running as root' - id: '1.0' - kinds: - - Workload - mapping: - scanner: config-audit - checks: - - id: KSV012 - severity: 'MEDIUM' - - name: Immutable container file systems - description: 'Check that container root file system is immutable' - id: '1.1' - kinds: - - Workload - mapping: - scanner: config-audit - checks: - - id: KSV014 - severity: 'LOW' - - name: Preventing privileged containers - description: 'Controls whether Pods can run privileged containers' - id: '1.2' - kinds: - - Workload - mapping: - scanner: config-audit - checks: - - id: KSV017 - severity: 'HIGH' - - name: Share containers process namespaces - description: 'Controls whether containers can share process namespaces' - id: '1.3' - kinds: - - Workload - mapping: - scanner: config-audit - checks: - - id: KSV008 - severity: 'HIGH' - - name: Share host process namespaces. 
- description: 'Controls whether share host process namespaces' - id: '1.4' - kinds: - - Workload - mapping: - scanner: config-audit - checks: - - id: KSV009 - severity: 'HIGH' - - name: use the host network - description: 'Controls whether containers can use the host network' - id: '1.5' - kinds: - - Workload - mapping: - scanner: config-audit - checks: - - id: KSV010 - severity: 'HIGH' - - name: Run with root privileges or with root group membership - description: 'Controls whether container applications can run with root privileges or with root group membership' - id: '1.6' - kinds: - - Workload - mapping: - scanner: config-audit - checks: - - id: KSV029 - severity: 'LOW' - - name: Restricts escalation to root privileges - description: 'Control check restrictions escalation to root privileges' - id: '1.7' - kinds: - - Workload - mapping: - scanner: config-audit - checks: - - id: KSV001 - severity: 'MEDIUM' - - name: Sets the SELinux context of the container - description: 'Control checks if pod sets the SELinux context of the container' - id: '1.8' - kinds: - - Workload - mapping: - scanner: config-audit - checks: - - id: KSV002 - severity: 'MEDIUM' - - name: Restrict a container's access to resources with AppArmor - description: 'Control checks the restriction of containers access to resources with AppArmor' - id: '1.9' - kinds: - - Workload - mapping: - scanner: config-audit - checks: - - id: KSV030 - severity: 'MEDIUM' - - name: Sets the seccomp profile used to sandbox containers. 
- description: 'Control checks the sets the seccomp profile used to sandbox containers' - id: '1.10' - kinds: - - Workload - mapping: - scanner: config-audit - checks: - - id: KSV030 - severity: 'LOW' - - name: Protecting Pod service account tokens - description: 'Control check whether disable secret token been mount ,automountServiceAccountToken: false' - id: '1.11' - kinds: - - Workload - mapping: - scanner: config-audit - checks: - - id: KSV036 - severity: 'MEDIUM' - - name: Namespace kube-system should not be used by users - description: 'Control check whether Namespace kube-system is not be used by users' - id: '1.12' - kinds: - - NetworkPolicy - defaultStatus: 'FAIL' - mapping: - scanner: config-audit - checks: - - id: KSV037 - severity: 'MEDIUM' - - name: Pod and/or namespace Selectors usage - description: 'Control check validate the pod and/or namespace Selectors usage' - id: '2.0' - kinds: - - NetworkPolicy - defaultStatus: 'FAIL' - mapping: - scanner: config-audit - checks: - - id: KSV038 - severity: 'MEDIUM' - - name: Use CNI plugin that supports NetworkPolicy API - description: 'Control check whether check cni plugin installed ' - id: '3.0' - kinds: - - Node - mapping: - scanner: kube-bench - checks: - - id: 5.3.1 - severity: 'CRITICAL' - - name: Use ResourceQuota policies to limit resources - description: 'Control check the use of ResourceQuota policy to limit aggregate resource usage within namespace' - id: '4.0' - kinds: - - ResourceQuota - defaultStatus: 'FAIL' - mapping: - scanner: config-audit - checks: - - id: "KSV040" - severity: 'MEDIUM' - - name: Use LimitRange policies to limit resources - description: 'Control check the use of LimitRange policy limit resource usage for namespaces or nodes' - id: '4.1' - kinds: - - ResourceQuota - defaultStatus: 'FAIL' - mapping: - scanner: config-audit - checks: - - id: "KSV039" - severity: 'MEDIUM' - - name: Control plan disable insecure port - description: 'Control check whether control plan disable 
insecure port' - id: '5.0' - kinds: - - Node - mapping: - scanner: kube-bench - checks: - - id: 1.2.19 - severity: 'CRITICAL' - - name: Encrypt etcd communication - description: 'Control check whether etcd communication is encrypted' - id: '5.1' - kinds: - - Node - mapping: - scanner: kube-bench - checks: - - id: '2.1' - severity: 'CRITICAL' - - name: Ensure kube config file permission - description: 'Control check whether kube config file permissions' - id: '6.0' - kinds: - - Node - mapping: - scanner: kube-bench - checks: - - id: 4.1.3 - - id: 4.1.4 - severity: 'CRITICAL' - - name: Check that encryption resource has been set - description: 'Control checks whether encryption resource has been set' - id: '6.1' - kinds: - - Node - mapping: - scanner: kube-bench - checks: - - id: 1.2.31 - - id: 1.2.32 - severity: 'CRITICAL' - - name: Check encryption provider - description: 'Control checks whether encryption provider has been set' - id: '6.2' - kinds: - - Node - mapping: - scanner: kube-bench - checks: - - id: 1.2.3 - severity: 'CRITICAL' - - name: Make sure anonymous-auth is unset - description: 'Control checks whether anonymous-auth is unset' - id: '7.0' - kinds: - - Node - mapping: - scanner: kube-bench - checks: - - id: 1.2.1 - severity: 'CRITICAL' - - name: Make sure -authorization-mode=RBAC - description: 'Control check whether RBAC permission is in use' - id: '7.1' - kinds: - - Node - mapping: - scanner: kube-bench - checks: - - id: 1.2.7 - - id: 1.2.8 - severity: 'CRITICAL' - - name: Audit policy is configure - description: 'Control check whether audit policy is configure' - id: '8.0' - kinds: - - Node - mapping: - scanner: kube-bench - checks: - - id: 3.2.1 - severity: 'HIGH' - - name: Audit log path is configure - description: 'Control check whether audit log path is configure' - id: '8.1' - kinds: - - Node - mapping: - scanner: kube-bench - checks: - - id: 1.2.22 - severity: 'MEDIUM' - - name: Audit log aging - description: 'Control check whether audit log 
aging is configure' - id: '8.2' - kinds: - - Node - mapping: - scanner: kube-bench - checks: - - id: 1.2.23 - severity: 'MEDIUM' diff --git a/docs/operator/installation/kubectl.md b/docs/operator/installation/kubectl.md index cf14ea386..50a124747 100644 --- a/docs/operator/installation/kubectl.md +++ b/docs/operator/installation/kubectl.md 
@@ -22,14 +22,22 @@ If for some reason it's not ready yet, check the logs of the `starboard-operator kubectl logs deployment/starboard-operator -n starboard-system ``` -Starboard ensures the default [settings] stored in ConfigMaps and Secrets created in the `starboard-system` namespace. +Starboard ensures the default [Settings] stored in ConfigMaps and Secrets created in the `starboard-system` namespace. You can always change these settings by editing configuration objects. For example, you can use Trivy in [ClientServer] mode, which is more efficient that the [Standalone] mode, or switch to [Aqua Enterprise] as an alternative vulnerability scanner. -You can further [configure](./../configuration.md) the operator with environment variables. For example, to change the -target namespace from the `defaul` namespace to all namespaces update the value of the `OPERATOR_TARGET_NAMESPACES` -environment variable from `default` to a blank string (i.e., `OPERATOR_TARGET_NAMESPACES=""`). +You can further adjust the [Configuration](./../configuration.md) of the operator with environment variables. For +example, to change the target namespace from the `defaul` namespace to all namespaces edit the `starboard-operator` +Deployment in the `starobard-system` namespace and change the value of the `OPERATOR_TARGET_NAMESPACES` environment +variable from `default` to a blank string (i.e., `OPERATOR_TARGET_NAMESPACES=""`). + +Starboard can generate the compliance report based on the [NSA, CISA Kubernetes Hardening Guidance v1.0]. In order to do +that you must install the `nsa` ClusterComplianceReport resource: + +``` +kubectl apply -f https://raw.githubusercontent.com/aquasecurity/starboard/{{ git.tag }}/deploy/specs/nsa-1.0.yaml +``` Static YAML manifests with fixed values have shortcomings. For example, if you want to change the container image or modify default configuration settings, you have to edit existing manifests or customize them with tools such as 
@@ -46,9 +54,10 @@ You can uninstall the operator with the following command: kubectl delete -f https://raw.githubusercontent.com/aquasecurity/starboard/{{ git.tag }}/deploy/static/starboard.yaml ``` -[settings]: ./../../settings.md +[Settings]: ./../../settings.md [Standalone]: ./../../integrations/vulnerability-scanners/trivy.md#standalone [ClientServer]: ./../../integrations/vulnerability-scanners/trivy.md#clientserver [Aqua Enterprise]: ./../../integrations/vulnerability-scanners/aqua-enterprise.md [Kustomize]: https://kustomize.io [Helm]: ./helm.md +[NSA, CISA Kubernetes Hardening Guidance v1.0]: ./../../specs/NSA_Kubernetes_Hardening_Guidance_1.0.pdf \ No newline at end of file diff --git a/docs/operator/installation/olm.md b/docs/operator/installation/olm.md index c6eacdba9..36aadcf98 100644 --- a/docs/operator/installation/olm.md +++ b/docs/operator/installation/olm.md @@ -41,7 +41,7 @@ configure it to watch the `default` namespaces: the `starboard-system` namespace. For example, you can use Trivy in [ClientServer](./../../integrations/vulnerability-scanners/trivy.md#clientserver) mode or [Aqua Enterprise](./../../integrations/vulnerability-scanners/aqua-enterprise.md) as an active vulnerability scanner. - If you skip this step, the operator will ensure default [Starboard Settings](./../../settings.md) on startup: + If you skip this step, the operator will ensure default [Settings](./../../settings.md) on startup: ``` kubectl apply -f https://raw.githubusercontent.com/aquasecurity/starboard/{{ git.tag }}/deploy/static/03-starboard-operator.config.yaml ``` diff --git a/docs/settings.md b/docs/settings.md index d93b19f96..bfea6671e 100644 --- a/docs/settings.md +++ b/docs/settings.md 
@@ -1,4 +1,4 @@ -# Starboard Settings +# Settings The Starboard CLI and Starboard Operator read configuration settings from ConfigMaps, as well as Secrets that holds confidential settings (such as a GitHub token). Starboard plugins read configuration and secret data from ConfigMaps diff --git a/hack/update-starboard.yaml.sh b/hack/update-starboard.yaml.sh index 8af66ea21..aa7e9ba30 100755 --- a/hack/update-starboard.yaml.sh +++ b/hack/update-starboard.yaml.sh @@ -3,7 +3,6 @@ SCRIPT_ROOT=$(dirname "${BASH_SOURCE[0]}")/.. CRD_DIR=$SCRIPT_ROOT/deploy/crd -SPECS_DIR=$SCRIPT_ROOT/deploy/specs STATIC_DIR=$SCRIPT_ROOT/deploy/static cat $CRD_DIR/vulnerabilityreports.crd.yaml \ @@ -16,5 +15,4 @@ cat $CRD_DIR/vulnerabilityreports.crd.yaml \ $STATIC_DIR/02-starboard-operator.rbac.yaml \ $STATIC_DIR/03-starboard-operator.config.yaml \ $STATIC_DIR/04-starboard-operator.policies.yaml \ - $STATIC_DIR/05-starboard-operator.deployment.yaml \ - $SPECS_DIR/nsa-1.0.yaml > $STATIC_DIR/starboard.yaml + $STATIC_DIR/05-starboard-operator.deployment.yaml > $STATIC_DIR/starboard.yaml diff --git a/mkdocs.yml b/mkdocs.yml index 8f903605e..2e08c0be8 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -9,15 +9,6 @@ copyright: Copyright 2019-2022 Aqua Security Software Ltd. nav: - Introduction: index.md - - Starboard CLI: - - Overview: cli/index.md - - Installation: - - From the Binary Releases: cli/installation/binary-releases.md - - Krew: cli/installation/krew.md - - Docker: cli/installation/docker.md - - From Source (Linux, macOS): cli/installation/source.md - - Getting Started: cli/getting-started.md - - Troubleshooting: cli/troubleshooting.md - Starboard Operator: - Overview: operator/index.md - Installation: 
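Review bot: The rewritten last line of the `cat` command leaves both `$STATIC_DIR` expansions unquoted, so a checkout path containing whitespace or glob characters would word-split into extra `cat` arguments or redirect the bundle to the wrong file; the unchanged lines above it share the problem, but since this line is being touched it could become `  "$STATIC_DIR/05-starboard-operator.deployment.yaml" > "$STATIC_DIR/starboard.yaml"`. The `cat` command opens in the context of the second hunk's header and the script's first two lines (shebang and anything like `set -euo pipefail`) are outside both hunks, so I cannot tell from here whether a missing input file aborts the run or silently writes a truncated `starboard.yaml`; if `set -e` is absent, adding it under the shebang would make that failure loud. Related but outside this script: with `SPECS_DIR` dropped here and the `nsa` ClusterComplianceReport removed from the generated bundle in the first hunk of this diff, nothing in this script appears to keep `deploy/specs/nsa-1.0.yaml` in step with the operator release, so the separate `kubectl apply` of that file now documented in kubectl.md relies on it being maintained by hand.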
@@ -27,7 +18,16 @@ nav: - Upgrade: operator/installation/upgrade.md - Getting Started: operator/getting-started.md - Configuration: operator/configuration.md - - Starboard Settings: settings.md + - Starboard CLI: + - Overview: cli/index.md + - Installation: + - From the Binary Releases: cli/installation/binary-releases.md + - Krew: cli/installation/krew.md + - Docker: cli/installation/docker.md + - From Source (Linux, macOS): cli/installation/source.md + - Getting Started: cli/getting-started.md + - Troubleshooting: cli/troubleshooting.md + - Settings: settings.md - Integrations: - Vulnerability Scanners: - Overview: integrations/vulnerability-scanners/index.md