From 1fb4542c78153de1c2df5ed9aa67c5130ed4475b Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Sun, 16 Jun 2024 10:24:40 +0400 Subject: [PATCH] added security and compliance templates --- .../deployments/k8s-seccomp-profile-set.yaml | 53 ++++++++++++++++++ .../k8s-def-egress-rules.yaml | 48 ---------------- .../k8s-netpol-egress-rules.yaml | 47 ++++++++++++++++ .../k8s-netpol-namespace.yaml | 48 ++++++++++++++++ .../k8s-network-ingress-rules.yaml | 27 ++++----- .../network-policies/k8s-ns-policy-set.yaml | 55 ------------------- .../k8s-allow-privilege-escalation-set.yaml | 4 +- .../k8s-audit-log-path-set.yaml | 40 ++++++++++++++ .../k8s-enc-prov-conf.yaml | 38 +++++++++++++ .../k8s-etcd-cafile-set.yaml | 39 +++++++++++++ .../k8s-etcd-files-set.yaml | 39 +++++++++++++ .../k8s-ns-usage-check.yaml | 40 ++++++++++++++ .../k8s-svc-acct-issuer-set.yaml | 38 +++++++++++++ .../security-compliance/k8s-svc-acct-key.yaml | 40 ++++++++++++++ .../k8s-svc-acct-lookup-set.yaml | 38 +++++++++++++ .../k8s-tls-config-set.yaml | 41 ++++++++++++++ 16 files changed, 517 insertions(+), 118 deletions(-) create mode 100644 cloud/kubernetes/deployments/k8s-seccomp-profile-set.yaml delete mode 100644 cloud/kubernetes/network-policies/k8s-def-egress-rules.yaml create mode 100644 cloud/kubernetes/network-policies/k8s-netpol-egress-rules.yaml create mode 100644 cloud/kubernetes/network-policies/k8s-netpol-namespace.yaml delete mode 100644 cloud/kubernetes/network-policies/k8s-ns-policy-set.yaml create mode 100644 cloud/kubernetes/security-compliance/k8s-audit-log-path-set.yaml create mode 100644 cloud/kubernetes/security-compliance/k8s-enc-prov-conf.yaml create mode 100644 cloud/kubernetes/security-compliance/k8s-etcd-cafile-set.yaml create mode 100644 cloud/kubernetes/security-compliance/k8s-etcd-files-set.yaml create mode 100644 cloud/kubernetes/security-compliance/k8s-ns-usage-check.yaml create mode 100644 cloud/kubernetes/security-compliance/k8s-svc-acct-issuer-set.yaml create mode 100644 cloud/kubernetes/security-compliance/k8s-svc-acct-key.yaml create mode 100644 cloud/kubernetes/security-compliance/k8s-svc-acct-lookup-set.yaml create mode 100644 cloud/kubernetes/security-compliance/k8s-tls-config-set.yaml diff --git a/cloud/kubernetes/deployments/k8s-seccomp-profile-set.yaml b/cloud/kubernetes/deployments/k8s-seccomp-profile-set.yaml new file mode 100644 index 0000000000..ca1b3adbbb --- /dev/null +++ b/cloud/kubernetes/deployments/k8s-seccomp-profile-set.yaml @@ -0,0 +1,53 @@ +id: k8s-seccomp-profile-set + +info: + name: Set appropriate seccomp profile + author: princechaddha + severity: medium + description: Checks if the seccomp profile is set to docker/default or runtime/default in Kubernetes Deployments. + impact: | + Using a default seccomp profile helps in reducing the attack surface of the container by limiting the syscalls containers can make, which can prevent certain types of exploits. + remediation: | + Ensure that all containers in Kubernetes Deployments have a seccomp profile of docker/default or runtime/default set in their security contexts. + reference: + - https://kubernetes.io/docs/tutorials/clusters/seccomp/ + tags: cloud,devops,kubernetes,security,devsecops,containers + +flow: | + code(1); + for (let deployment of template.items) { + set("deployment", deployment) + javascript(1); + } + +self-contained: true +code: + - engine: + - sh + - bash + source: kubectl get deployments --all-namespaces --output=json + extractors: + - type: json + name: items + internal: true + json: + - '.items[]' + +javascript: + - code: | + deployment = JSON.parse(template.deployment); + deployment.spec.template.spec.containers.forEach(container => { + if (container.securityContext && container.securityContext.seccompProfile && + (container.securityContext.seccompProfile.type === 'RuntimeDefault' || container.securityContext.seccompProfile.type === 'DockerDefault')) { + // No action needed, configured properly + } else { + let result = (`Deployment '${deployment.metadata.name}' in namespace '${deployment.metadata.namespace}' does not have an appropriate seccomp profile set.`); + Export(result); + } + }); + + extractors: + - type: dsl + dsl: + - response +# digest: 4a0a004730450221008b59741a5c3cbb00fea807cbfad091c4bbd5b4cfb68d0eaba6cbad0f5b41b031022021a3ff36185afd480db929ad18207f2b03a2a823ec1d1858de0facf7fd7b2bbf:366f2a24c8eb519f6968bd8801c08ebe \ No newline at end of file diff --git a/cloud/kubernetes/network-policies/k8s-def-egress-rules.yaml b/cloud/kubernetes/network-policies/k8s-def-egress-rules.yaml deleted file mode 100644 index e6c88c2c1d..0000000000 --- a/cloud/kubernetes/network-policies/k8s-def-egress-rules.yaml +++ /dev/null @@ -1,48 +0,0 @@ -id: k8s-def-egress-rules - -info: - name: Ensure egress rules are defined - author: princechaddha - severity: medium - description: Checks for network policies that define specific egress rules, ensuring controlled outbound traffic. - impact: | - Lack of egress rules in network policies may allow unrestricted outbound network traffic. This can lead to potential security risks, including data exfiltration. - remediation: | - Define egress rules in the network policy to manage and restrict outbound traffic effectively. Specify allowed destinations and ports to limit network traffic. - reference: - - https://kubernetes.io/docs/concepts/services-networking/network-policies/ - tags: cloud,devops,kubernetes,security,devsecops,network - -flow: | - code(1); - for (let policy of template.items) { - set("policy", policy) - javascript(1); - } - -self-contained: true -code: - - engine: - - sh - - bash - source: kubectl get networkpolicies --all-namespaces --output=json - extractors: - - type: json - name: items - internal: true - json: - - '.items[] | {name: .metadata.name, namespace: .metadata.namespace, egress: .spec.egress}' - -javascript: - - code: | - let policyData = template.policy; - if (!policyData.egress || policyData.egress.length === 0) { - let result = `Network policy '${policyData.name}' in namespace '${policyData.namespace}' does not define any egress rules.`; - Export(result); - } - - extractors: - - type: dsl - dsl: - - response -# digest: 490a0046304402203da66eea889668b34e537e161930c32db95c287c91bf4b25ea42fab9207aa20b022066509c25e5056f4f842cc9720a481689aaf3c3208c6f91ce5dd051819e0325a6:366f2a24c8eb519f6968bd8801c08ebe \ No newline at end of file diff --git a/cloud/kubernetes/network-policies/k8s-netpol-egress-rules.yaml b/cloud/kubernetes/network-policies/k8s-netpol-egress-rules.yaml new file mode 100644 index 0000000000..b8f6316dbb --- /dev/null +++ b/cloud/kubernetes/network-policies/k8s-netpol-egress-rules.yaml @@ -0,0 +1,47 @@ +id: netpol-egress-rules + +info: + name: Network policies define egress rules + author: princechaddha + severity: medium + description: Checks for network policies in Kubernetes that do not define egress rules, which can leave the network exposed to external threats. + impact: | + Lack of egress rules in network policies can result in unrestricted outbound network traffic, which may allow data exfiltration or unauthorized access to external services. + remediation: Define egress rules in all network policies to control outbound traffic from your Kubernetes pods, thereby reducing security risks. + reference: + - https://kubernetes.io/docs/concepts/services-networking/network-policies/ + tags: cloud,devops,kubernetes,security,devsecops,network + +flow: | + code(1); + for (let policy of template.items) { + set("policy", policy) + javascript(1); + } + +self-contained: true +code: + - engine: + - sh + - bash + source: kubectl get networkpolicies --all-namespaces --output=json + extractors: + - type: json + name: items + internal: true + json: + - '.items[] | {policy: .metadata.name, egress: .spec.egress}' + +javascript: + - code: | + let policyData = JSON.parse(template.policy); + if (!policyData.egress || policyData.egress.length === 0) { + let result = (`Network policy '${policyData.policy}' does not define egress rules.`); + Export(result); + } + + extractors: + - type: dsl + dsl: + - response +# digest: 4b0a00483046022100adb84e8a912b21d2e2bfd1f9253aec9cc33b6feb9fe7ee538ee0057e61ef8bb9022100d26ff6d9a2ac5f662df09dbb322793b0f9402594c96c361189367f58586344bc:366f2a24c8eb519f6968bd8801c08ebe \ No newline at end of file diff --git a/cloud/kubernetes/network-policies/k8s-netpol-namespace.yaml b/cloud/kubernetes/network-policies/k8s-netpol-namespace.yaml new file mode 100644 index 0000000000..2051aae380 --- /dev/null +++ b/cloud/kubernetes/network-policies/k8s-netpol-namespace.yaml @@ -0,0 +1,48 @@ +id: k8s-netpol-namespace + +info: + name: Network Policies specify namespace + author: princechaddha + severity: medium + description: Checks for Kubernetes Network Policies that do not specify a namespace, which can lead to potential misconfigurations and security issues. + impact: | + Omitting the namespace in Network Policies can cause the policies to apply incorrectly, potentially exposing Kubernetes resources to unauthorized access. This poses a security risk by not isolating network traffic properly within the cluster. + remediation: | + Ensure that all Network Policies explicitly define a namespace to maintain proper network isolation and security boundaries. + reference: + - https://kubernetes.io/docs/concepts/services-networking/network-policies/ + tags: cloud,devops,kubernetes,security,devsecops,networking + +flow: | + code(1); + for (let policy of template.items) { + set("policy", policy) + javascript(1); + } + +self-contained: true +code: + - engine: + - sh + - bash + source: kubectl get netpol --all-namespaces --output=json + extractors: + - type: json + name: items + internal: true + json: + - '.items[] | {policy: .metadata.name, namespace: .metadata.namespace}' + +javascript: + - code: | + let policyData = JSON.parse(template.policy); + if (!policyData.namespace) { + let result = (`Network Policy '${policyData.policy}' does not specify a namespace.`); + Export(result); + } + + extractors: + - type: dsl + dsl: + - response +# digest: 490a00463044022005edb8b78c4db40572f8297946636ce446d578c62f1ec7bf7f1621ed021f27c9022078555811953b55f080c0dc21ec6138fbd712b5069ca571e2492c5e7cc3172759:366f2a24c8eb519f6968bd8801c08ebe \ No newline at end of file diff --git a/cloud/kubernetes/network-policies/k8s-network-ingress-rules.yaml b/cloud/kubernetes/network-policies/k8s-network-ingress-rules.yaml index 77a341ebdb..0d8070c784 100644 --- a/cloud/kubernetes/network-policies/k8s-network-ingress-rules.yaml +++ b/cloud/kubernetes/network-policies/k8s-network-ingress-rules.yaml @@ -1,21 +1,22 @@ -id: k8s-network-ingress-rules +id: k8s-ingress-rules info: - name: Network policies define ingress + name: Define network ingress rules author: princechaddha severity: medium - description: Ensures network policies define ingress rules to control traffic flow within the cluster, enhancing security. + description: Checks if Kubernetes network policies define specific ingress rules, which can help secure network communication within the cluster. impact: | - Without defined ingress rules, network policies might allow unrestricted inbound traffic, potentially exposing the cluster to security threats. Properly defined ingress rules help mitigate this risk by restricting traffic flow. - remediation: Define ingress rules in network policies to restrict and control inbound traffic within the Kubernetes cluster. + Without specific ingress rules defined in network policies, unintended traffic may access pods within the Kubernetes cluster, increasing the risk of malicious activity. + remediation: | + Define specific ingress rules in all network policies to control the flow of inbound traffic to pods, ensuring only authorized traffic can access cluster resources. reference: - https://kubernetes.io/docs/concepts/services-networking/network-policies/ - tags: cloud,devops,kubernetes,security,devsecops,networking + tags: cloud,devops,kubernetes,security,networking flow: | code(1); - for (let networkPolicy of template.items) { - set("networkPolicy", networkPolicy) + for (let policy of template.items) { + set("policy", policy) javascript(1); } @@ -30,13 +31,13 @@ code: name: items internal: true json: - - '.items[]' + - '.items[] | {policy: .metadata.name, ingress: .spec.ingress}' javascript: - code: | - let networkPolicy = JSON.parse(template.networkPolicy); - if (!networkPolicy.spec.ingress || networkPolicy.spec.ingress.length === 0) { - let result = (`Network policy '${networkPolicy.metadata.name}' in namespace '${networkPolicy.metadata.namespace}' does not define any ingress rules.`); + let policyData = JSON.parse(template.policy); + if (!policyData.ingress || policyData.ingress.length === 0) { + let result = `Network policy '${policyData.policy}' does not define any ingress rules.`; Export(result); } @@ -44,4 +45,4 @@ javascript: - type: dsl dsl: - response -# digest: 4a0a00473045022100c53e3615f3c1dd115d8efd4e9415177289e366c07ee24d4694d19c882c77044102203ce3bd2c002e4ab82073e7c770d39298407a1c40246b5c657104d01b4f642f6a:366f2a24c8eb519f6968bd8801c08ebe \ No newline at end of file +# digest: 4a0a004730450220506a30ff32ae7bcddc875449aabe33208c4437745e3f0ba016b3087a8d780fe2022100c1be39affffaa403e6022ded544a51e09ff5b41c4812601ee90848f89039ae3f:366f2a24c8eb519f6968bd8801c08ebe \ No newline at end of file diff --git a/cloud/kubernetes/network-policies/k8s-ns-policy-set.yaml b/cloud/kubernetes/network-policies/k8s-ns-policy-set.yaml deleted file mode 100644 index 4e11702e52..0000000000 --- a/cloud/kubernetes/network-policies/k8s-ns-policy-set.yaml +++ /dev/null @@ -1,55 +0,0 @@ -id: k8s-ns-policy-set - -info: - name: Network policies specify namespace - author: princechaddha - severity: medium - description: Checks for Kubernetes network policies that do not specify a namespace, potentially leading to misconfigurations and security risks. - impact: | - Failure to specify a namespace in network policies can cause the policies to not be enforced as expected, leading to potential security vulnerabilities where unauthorized traffic could be allowed. - remediation: | - Ensure that all network policies explicitly define the namespace they apply to. This helps in enforcing security boundaries and preventing cross-namespace traffic unless explicitly allowed. - reference: - - https://kubernetes.io/docs/concepts/services-networking/network-policies/ - tags: cloud,devops,kubernetes,security,devsecops,networking - -flow: | - code(1); - for (let policy of template.items) { - set("policy", policy) - javascript(1); - } - -self-contained: true -code: - - engine: - - sh - - bash - source: kubectl get networkpolicies --all-namespaces --output=json - extractors: - - type: json - name: items - internal: true - json: - - '.items[] | {policy: .metadata.name, namespace: .metadata.namespace}' - -javascript: - - code: | - if (template.items.length === 0) { - log(template.items.length) - Export('No network policies found. Ensure that network policies are defined and namespaces are specified.'); - } else { - template.items.forEach(policy => { - let policyData = JSON.parse(policy); - if (!policyData.namespace) { - let result = (`Network Policy '${policyData.policy}' does not specify a namespace.`); - Export(result); - } - }); - } - - extractors: - - type: dsl - dsl: - - response -# digest: 4a0a0047304502204f78530d043f4ee9c2844ef6ea271cdee74ef99154f17f43f120ff4cad1ff417022100dc262780f80d0e64648e5fa555c35032837ae0ecd21c274df318d593c2a1a626:366f2a24c8eb519f6968bd8801c08ebe \ No newline at end of file diff --git a/cloud/kubernetes/pods/k8s-allow-privilege-escalation-set.yaml b/cloud/kubernetes/pods/k8s-allow-privilege-escalation-set.yaml index cde9f87928..d85b30b78d 100644 --- a/cloud/kubernetes/pods/k8s-allow-privilege-escalation-set.yaml +++ b/cloud/kubernetes/pods/k8s-allow-privilege-escalation-set.yaml @@ -34,7 +34,7 @@ code: javascript: - code: | - let podData = JSON.parse(template.container); // container is now a JSON object with 'pod' and 'containers' + let podData = JSON.parse(template.container); podData.containers.forEach(container => { if (container.securityContext && container.securityContext.allowPrivilegeEscalation === true) { let result = (`Container '${container.name}' in pod '${podData.pod}' running with allowPrivilegeEscalation enabled.`); @@ -47,4 +47,4 @@ javascript: - type: dsl dsl: - response -# digest: 490a00463044022022d7414cae87fa28332a6a123d954251d677ec6d3900d9695773585fa2659b1c02200c516a4fac6f46fc00bea745add53ff77b6f95557fceb66c8227ba2d1771ea45:366f2a24c8eb519f6968bd8801c08ebe \ No newline at end of file +# digest: 490a0046304402202e23ef1e6b258a44e394494f51808bb7b81a856101efe5a929429a6fcde414d4022058eacd480cb3e4b61fe6a86674f1f218b53144a3e8fed02c20554c0a34ae00d1:366f2a24c8eb519f6968bd8801c08ebe \ No newline at end of file diff --git a/cloud/kubernetes/security-compliance/k8s-audit-log-path-set.yaml b/cloud/kubernetes/security-compliance/k8s-audit-log-path-set.yaml new file mode 100644 index 0000000000..0566d127fa --- /dev/null +++ b/cloud/kubernetes/security-compliance/k8s-audit-log-path-set.yaml @@ -0,0 +1,40 @@ +id: audit-log-path-set + +info: + name: Ensure audit-log-path set + author: princechaddha + severity: medium + description: Checks if the audit-log-path argument is properly set in the Kubernetes API server configuration, which is essential for maintaining a reliable audit trail. + impact: | + Without the audit-log-path argument, Kubernetes does not record API server audit logs, reducing the visibility into operations and making it harder to detect and respond to malicious activities. + remediation: | + Configure the Kubernetes API server to include the audit-log-path argument pointing to a secure, writeable directory where audit logs will be stored. Ensure that this directory is properly secured and regularly monitored. + reference: + - https://kubernetes.io/docs/tasks/debug-application-cluster/audit/ + tags: cloud,devops,kubernetes,security,devsecops,api-server + +self-contained: true +code: + - engine: + - sh + - bash + source: | + kubectl get pods -n kube-system -l component=kube-apiserver -o jsonpath="{.items[*].spec.containers[*].command}" + + matchers-condition: and + matchers: + - type: word + words: + - 'kube-apiserver' + + - type: word + words: + - "audit-log-path" + negative: true + + extractors: + - type: dsl + dsl: + - "API server configuration is missing the audit-log-path argument." + +# digest: 4c0a006730b50222003e5c33fedeeb5d9b8b9af1d43e89b7b8b97c51aa77c345d7f976f9350e22e746022 diff --git a/cloud/kubernetes/security-compliance/k8s-enc-prov-conf.yaml b/cloud/kubernetes/security-compliance/k8s-enc-prov-conf.yaml new file mode 100644 index 0000000000..4a95a30227 --- /dev/null +++ b/cloud/kubernetes/security-compliance/k8s-enc-prov-conf.yaml @@ -0,0 +1,38 @@ +id: k8s-enc-prov-conf + +info: + name: Ensure that encryption providers are configured + author: princechaddha + severity: medium + description: Checks if encryption providers are appropriately configured in Kubernetes, ensuring that data at rest is secured. + impact: | + Misconfigured encryption providers can lead to unsecured data at rest, potentially exposing sensitive information to unauthorized access. + remediation: | + Ensure that the encryption provider configuration file is set up correctly and referenced properly in the API server configuration. Encryption should be enabled and configured according to the security best practices. + reference: + - https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/ + tags: cloud,devops,kubernetes,security,devsecops,encryption + +self-contained: true +code: + - engine: + - sh + - bash + source: | + kubectl get pods -n kube-system -l component=kube-apiserver -o jsonpath="{.items[*].spec.containers[*].command}" + + matchers-condition: and + matchers: + - type: word + words: + - 'kube-apiserver' + + - type: word + words: + - "--encryption-provider-config" + negative: true + + extractors: + - type: dsl + dsl: + - "Encryption provider configuration is not appropriately set." \ No newline at end of file diff --git a/cloud/kubernetes/security-compliance/k8s-etcd-cafile-set.yaml b/cloud/kubernetes/security-compliance/k8s-etcd-cafile-set.yaml new file mode 100644 index 0000000000..e0a05ee92e --- /dev/null +++ b/cloud/kubernetes/security-compliance/k8s-etcd-cafile-set.yaml @@ -0,0 +1,39 @@ +id: k8s-etcd-cafile-set + +info: + name: Ensure etcd-cafile argument set + author: princechaddha + severity: medium + description: Checks if the etcd-cafile argument is properly set in the etcd configuration, crucial for secure client connections to etcd. + impact: | + Without specifying the etcd-cafile argument, etcd might not establish secure and authenticated connections, leading to potential security breaches. + remediation: | + Configure etcd to use an etcd-cafile argument that points to a valid CA certificate bundle. This setting should be part of the etcd startup arguments or in its configuration file. + reference: + - https://etcd.io/docs/v3.5/op-guide/security/ + tags: cloud,devops,kubernetes,security,devsecops,etcd + +self-contained: true +code: + - engine: + - sh + - bash + source: | + kubectl get pods -n kube-system -l component=etcd -o jsonpath="{.items[*].spec.containers[*].command}" + + matchers-condition: and + matchers: + - type: word + words: + - 'etcd' + + - type: word + words: + - "etcd-cafile" + negative: true + + extractors: + - type: dsl + dsl: + - "Etcd configuration is missing the etcd-cafile argument." +# digest: 490a004630440220707289eec6b2f08d1bc88620d1d58ff41c2f661a0956d079441ee324f9ae7591022003d8bd244a842d8ba73ac829f52bb4790ab780328b5f42299d826d12d5728039:366f2a24c8eb519f6968bd8801c08ebe \ No newline at end of file diff --git a/cloud/kubernetes/security-compliance/k8s-etcd-files-set.yaml b/cloud/kubernetes/security-compliance/k8s-etcd-files-set.yaml new file mode 100644 index 0000000000..342f97c575 --- /dev/null +++ b/cloud/kubernetes/security-compliance/k8s-etcd-files-set.yaml @@ -0,0 +1,39 @@ +id: k8s-etcd-files-set + +info: + name: Ensure etcd cert and key set + author: princechaddha + severity: medium + description: Checks if the etcd-certfile and etcd-keyfile arguments are properly set in the etcd server configuration, crucial for secure communication. + impact: | + If the etcd-certfile and etcd-keyfile arguments are not set, the etcd server might not encrypt its communications, potentially allowing unauthorized access to sensitive data. + remediation: | + Configure the etcd server to use etcd-certfile and etcd-keyfile arguments that point to valid certificate and key files respectively. This ensures that communications to and from the etcd server are properly encrypted. + reference: + - https://etcd.io/docs/v3.4.0/op-guide/security/ + tags: cloud,devops,kubernetes,security,devsecops,etcd + +self-contained: true +code: + - engine: + - sh + - bash + source: | + kubectl get pods -n kube-system -l component=etcd -o jsonpath="{.items[*].spec.containers[*].command}" + + matchers-condition: and + matchers: + - type: word + words: + - 'etcd' + + - type: word + words: + - "etcd-certfile" + - "etcd-keyfile" + negative: true + + extractors: + - type: dsl + dsl: + - "etcd server configuration is missing the etcd-certfile or etcd-keyfile arguments." diff --git a/cloud/kubernetes/security-compliance/k8s-ns-usage-check.yaml b/cloud/kubernetes/security-compliance/k8s-ns-usage-check.yaml new file mode 100644 index 0000000000..64f7d6a04b --- /dev/null +++ b/cloud/kubernetes/security-compliance/k8s-ns-usage-check.yaml @@ -0,0 +1,40 @@ +id: k8s-ns-usage-check + +info: + name: Ensure namespaces are utilized + author: princechaddha + severity: info + description: Checks if Kubernetes namespaces are actively used to separate resources, which is critical for resource organization and access control. + impact: | + Lack of namespaces usage can lead to disorganized resources and potentially flawed access controls, impacting security and management. + remediation: | + Implement and use namespaces to organize resources within the Kubernetes cluster effectively. Define access controls and resource quotas on a per-namespace basis. + reference: + - https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + tags: cloud,devops,kubernetes,security,devsecops,namespaces + +self-contained: true +code: + - engine: + - sh + - bash + source: | + kubectl get namespaces --output=json + + matchers-condition: and + matchers: + - type: word + words: + - '"items":' + + - type: word + words: + - '"Namespace"' + negative: true + + extractors: + - type: dsl + dsl: + - "Kubernetes cluster is not utilizing namespaces." + +# digest: 4b0a00483046022100a4752be32718d5e3bf67d19c2 diff --git a/cloud/kubernetes/security-compliance/k8s-svc-acct-issuer-set.yaml b/cloud/kubernetes/security-compliance/k8s-svc-acct-issuer-set.yaml new file mode 100644 index 0000000000..823bcf2729 --- /dev/null +++ b/cloud/kubernetes/security-compliance/k8s-svc-acct-issuer-set.yaml @@ -0,0 +1,38 @@ +id: k8s-svc-acct-issuer-set + +info: + name: Checks if service-account-issuer is correctly configured + author: princechaddha + severity: medium + description: Checks if the service-account-issuer argument is correctly configured in the API server, critical for issuing valid service tokens. + impact: | + If the service-account-issuer argument is not set, the API server may issue tokens that are not accepted by other services, leading to authentication failures. + remediation: | + Set the service-account-issuer argument to a valid issuer URL in the API server's startup arguments or configuration file. This ensures the tokens issued are trusted across services. + reference: + - https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ + tags: cloud,devops,kubernetes,security,devsecops,api-server + +self-contained: true +code: + - engine: + - sh + - bash + source: | + kubectl get pods -n kube-system -l component=kube-apiserver -o jsonpath="{.items[*].spec.containers[*].command}" + + matchers-condition: and + matchers: + - type: word + words: + - 'kube-apiserver' + + - type: word + words: + - "service-account-issuer" + negative: true + + extractors: + - type: dsl + dsl: + - "API server configuration lacks the service-account-issuer argument." \ No newline at end of file diff --git a/cloud/kubernetes/security-compliance/k8s-svc-acct-key.yaml b/cloud/kubernetes/security-compliance/k8s-svc-acct-key.yaml new file mode 100644 index 0000000000..3c48a6ed5f --- /dev/null +++ b/cloud/kubernetes/security-compliance/k8s-svc-acct-key.yaml @@ -0,0 +1,40 @@ +id: k8s-svc-acct-key + +info: + name: Ensure service-account-key-file set + author: princechaddha + severity: medium + description: Checks if the service-account-key-file argument is properly set in the API server configuration, which is critical for validating service account tokens. + impact: | + The absence of the service-account-key-file argument means that the API server might not perform robust authentication checks for service accounts, potentially allowing unauthorized access. + remediation: | + Configure the API server to use a service-account-key-file that points to a valid private key used to sign service account tokens. This setting should be part of the API server startup arguments or in its configuration file. + reference: + - https://kubernetes.io/docs/admin/kube-apiserver/ + tags: cloud,devops,kubernetes,security,devsecops,api-server + +self-contained: true +code: + - engine: + - sh + - bash + source: | + kubectl get pods -n kube-system -l component=kube-apiserver -o jsonpath="{.items[*].spec.containers[*].command}" + + matchers-condition: and + matchers: + - type: word + words: + - 'kube-apiserver' + + - type: word + words: + - "service-account-key-file" + negative: true + + extractors: + - type: dsl + dsl: + - "API server configuration is missing the service-account-key-file argument." + +# digest: 4a0a00473045022100e3dc33fefeeb5d3b9a9af3d43e89b7b7c97c50aa77b344d7e976f9340e22e7450220159e8da06b7ceb82c532bd1caeeeffba7c237c568a57988f1ada334a7c09fa83:366f2a24c8eb519f6968bd8801c08ebe \ No newline at end of file diff --git a/cloud/kubernetes/security-compliance/k8s-svc-acct-lookup-set.yaml b/cloud/kubernetes/security-compliance/k8s-svc-acct-lookup-set.yaml new file mode 100644 index 0000000000..049615a486 --- /dev/null +++ b/cloud/kubernetes/security-compliance/k8s-svc-acct-lookup-set.yaml @@ -0,0 +1,38 @@ +id: k8s-svc-acct-lookup-set + +info: + name: Ensure service-account-lookup set + author: princechaddha + severity: medium + description: Checks if the service-account-lookup argument is set to true in the API server configuration, which is essential for verifying service accounts against the stored secrets. + impact: | + Without the service-account-lookup argument set to true, the API server may not verify service accounts against stored secrets, potentially allowing unauthorized access. + remediation: | + Set the service-account-lookup argument to true in the API server's startup arguments or configuration file to ensure proper verification of service accounts. + reference: + - https://kubernetes.io/docs/admin/kube-apiserver/ + tags: cloud,devops,kubernetes,security,devsecops,api-server + +self-contained: true +code: + - engine: + - sh + - bash + source: | + kubectl get pods -n kube-system -l component=kube-apiserver -o jsonpath="{.items[*].spec.containers[*].command}" + + matchers-condition: and + matchers: + - type: word + words: + - 'kube-apiserver' + + - type: word + words: + - "service-account-lookup=true" + negative: true + + extractors: + - type: dsl + dsl: + - "API server configuration is missing the 'service-account-lookup=true' argument." diff --git a/cloud/kubernetes/security-compliance/k8s-tls-config-set.yaml b/cloud/kubernetes/security-compliance/k8s-tls-config-set.yaml new file mode 100644 index 0000000000..8c982f216a --- /dev/null +++ b/cloud/kubernetes/security-compliance/k8s-tls-config-set.yaml @@ -0,0 +1,41 @@ +id: k8s-tls-config-set + +info: + name: Ensure TLS config appropriately set + author: princechaddha + severity: medium + description: Checks if the tls-cert-file and tls-private-key-file arguments are properly set in the API server configuration, which is essential for secure communication. + impact: | + The absence of tls-cert-file and tls-private-key-file arguments means that the API server may not use TLS for secure communications, leading to potential security risks. + remediation: | + Configure the API server to use tls-cert-file and tls-private-key-file that point to a valid certificate and key file respectively. This setting should be part of the API server startup arguments or in its configuration file. + reference: + - https://kubernetes.io/docs/admin/kube-apiserver/ + tags: cloud,devops,kubernetes,security,devsecops,api-server + +self-contained: true +code: + - engine: + - sh + - bash + source: | + kubectl get pods -n kube-system -l component=kube-apiserver -o jsonpath="{.items[*].spec.containers[*].command}" + + matchers-condition: and + matchers: + - type: word + words: + - 'kube-apiserver' + + - type: word + words: + - "tls-cert-file" + - "tls-private-key-file" + negative: true + + extractors: + - type: dsl + dsl: + - "API server configuration is missing the tls-cert-file or tls-private-key-file argument." + +# digest: 4a0a00473045022100e3dc33fefeeb5d3b9a9af3d43e89b7b7c97c50aa77b344d7e976f9340e22e7450220159e8da06b7ceb82c532bd1caeeeffba7c237c568a57988f1ada334a7c09fa83:366f2a24c8eb519f6968bd8801c08ebe