From 814e793cc2dd18103839c3bc3c3f1dcc048d27b1 Mon Sep 17 00:00:00 2001 
From: Prince Chaddha Date: Tue, 18 Jun 2024 16:04:45 +0400 Subject: [PATCH] added kubernetes cluster security profile --- cloud/kubernetes/deployments/k8s-cpu-limits-not-set.yaml | 2 +- cloud/kubernetes/deployments/k8s-cpu-requests-not-set.yaml | 2 +- .../kubernetes/deployments/k8s-default-namespace-used.yaml | 2 +- cloud/kubernetes/deployments/k8s-host-ports-check.yaml | 2 +- .../deployments/k8s-image-pull-policy-always.yaml | 2 +- cloud/kubernetes/deployments/k8s-image-tag-not-fixed.yaml | 2 +- .../deployments/k8s-liveness-probe-not-configured.yaml | 2 +- cloud/kubernetes/deployments/k8s-memory-limits-not-set.yaml | 2 +- .../kubernetes/deployments/k8s-memory-requests-not-set.yaml | 2 +- .../deployments/k8s-minimize-added-capabilities.yaml | 2 +- cloud/kubernetes/deployments/k8s-privileged-container.yaml | 2 +- .../kubernetes/deployments/k8s-readiness-probe-not-set.yaml | 2 +- .../deployments/k8s-root-container-admission.yaml | 2 +- cloud/kubernetes/deployments/k8s-seccomp-profile-set.yaml | 2 +- cloud/kubernetes/kubernetes-code-env.yaml | 2 +- .../network-policies/k8s-netpol-egress-rules.yaml | 2 +- cloud/kubernetes/network-policies/k8s-netpol-namespace.yaml | 2 +- .../network-policies/k8s-network-ingress-rules.yaml | 2 +- .../kubernetes/pods/k8s-allow-privilege-escalation-set.yaml | 2 +- cloud/kubernetes/pods/k8s-containers-share-host-ipc.yaml | 2 +- .../kubernetes/pods/k8s-host-network-namespace-shared.yaml | 2 +- cloud/kubernetes/pods/k8s-host-pid-namespace-sharing.yaml | 2 +- cloud/kubernetes/pods/k8s-readonly-fs.yaml | 2 +- cloud/kubernetes/pods/k8s-readonly-rootfs.yaml | 2 +- cloud/kubernetes/pods/k8s-root-user-id.yaml | 2 +- .../security-compliance/k8s-audit-log-path-set.yaml | 2 +- cloud/kubernetes/security-compliance/k8s-enc-prov-conf.yaml | 2 +- .../kubernetes/security-compliance/k8s-etcd-cafile-set.yaml | 2 +- .../kubernetes/security-compliance/k8s-etcd-files-set.yaml | 2 +- .../kubernetes/security-compliance/k8s-ns-usage-check.yaml | 2 +- 
.../security-compliance/k8s-svc-acct-issuer-set.yaml | 2 +- cloud/kubernetes/security-compliance/k8s-svc-acct-key.yaml | 2 +- .../security-compliance/k8s-svc-acct-lookup-set.yaml | 2 +- .../kubernetes/security-compliance/k8s-tls-config-set.yaml | 2 +- profiles/k8s-cluster-security.yml | 6 ++++++ 35 files changed, 40 insertions(+), 34 deletions(-) create mode 100644 profiles/k8s-cluster-security.yml diff --git a/cloud/kubernetes/deployments/k8s-cpu-limits-not-set.yaml b/cloud/kubernetes/deployments/k8s-cpu-limits-not-set.yaml index 7daf55f8d7..3331f2e607 100644 --- a/cloud/kubernetes/deployments/k8s-cpu-limits-not-set.yaml +++ b/cloud/kubernetes/deployments/k8s-cpu-limits-not-set.yaml @@ -11,7 +11,7 @@ info: Set CPU limits for all containers in Kubernetes Deployments to ensure fair CPU resource distribution and prevent performance issues. reference: - https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/ - tags: cloud,devops,kubernetes,k8s,devsecops,deployments + tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security flow: | code(1); diff --git a/cloud/kubernetes/deployments/k8s-cpu-requests-not-set.yaml b/cloud/kubernetes/deployments/k8s-cpu-requests-not-set.yaml index 319677a594..a01635ee99 100644 --- a/cloud/kubernetes/deployments/k8s-cpu-requests-not-set.yaml +++ b/cloud/kubernetes/deployments/k8s-cpu-requests-not-set.yaml @@ -11,7 +11,7 @@ info: Set CPU requests for all containers in Kubernetes Deplayments to ensure efficient scheduling and resource allocation. reference: - https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/ - tags: cloud,devops,kubernetes,k8s,devsecops,deployments + tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security flow: | code(1); diff --git a/cloud/kubernetes/deployments/k8s-default-namespace-used.yaml b/cloud/kubernetes/deployments/k8s-default-namespace-used.yaml index 2a35ad6add..84d60d93c7 100644 
--- a/cloud/kubernetes/deployments/k8s-default-namespace-used.yaml +++ b/cloud/kubernetes/deployments/k8s-default-namespace-used.yaml @@ -11,7 +11,7 @@ info: Avoid using the default namespace for Kubernetes Deployments. Create and specify dedicated namespaces tailored to specific applications or teams to enhance security and manage resources effectively. reference: - https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - tags: cloud,devops,kubernetes,k8s,devsecops,namespaces + tags: cloud,devops,kubernetes,k8s,devsecops,namespaces,k8s-cluster-security flow: | code(1); diff --git a/cloud/kubernetes/deployments/k8s-host-ports-check.yaml b/cloud/kubernetes/deployments/k8s-host-ports-check.yaml index 0d8fb6bd3b..d712e1f097 100644 --- a/cloud/kubernetes/deployments/k8s-host-ports-check.yaml +++ b/cloud/kubernetes/deployments/k8s-host-ports-check.yaml @@ -11,7 +11,7 @@ info: Avoid using host ports in Kubernetes Deployments. Use services or other networking mechanisms to expose container applications. reference: - https://kubernetes.io/docs/concepts/services-networking/service/ - tags: cloud,devops,kubernetes,security,devsecops,deployments + tags: cloud,devops,kubernetes,devsecops,deployments,k8s,k8s-cluster-security flow: | code(1); diff --git a/cloud/kubernetes/deployments/k8s-image-pull-policy-always.yaml b/cloud/kubernetes/deployments/k8s-image-pull-policy-always.yaml index 17c192b3af..86f2892484 100644 --- a/cloud/kubernetes/deployments/k8s-image-pull-policy-always.yaml +++ b/cloud/kubernetes/deployments/k8s-image-pull-policy-always.yaml 
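Review bot: The new `tags:` line in k8s-host-ports-check.yaml drops the existing `security` tag while adding `k8s` and `k8s-cluster-security`, which changes what `-tags security` selects even though the commit message only describes adding a profile. The same silent removal appears in k8s-seccomp-profile-set.yaml, k8s-netpol-egress-rules.yaml and k8s-netpol-namespace.yaml (which additionally lose `network`/`networking`), k8s-readonly-rootfs.yaml, k8s-root-user-id.yaml and most of the security-compliance templates, whereas k8s-network-ingress-rules.yaml, k8s-allow-privilege-escalation-set.yaml, k8s-svc-acct-key.yaml, k8s-svc-acct-lookup-set.yaml and k8s-tls-config-set.yaml keep `security`, so the commit is inconsistent with itself. Unless dropping the tag is intended, append instead of replacing, e.g. `tags: cloud,devops,kubernetes,security,devsecops,deployments,k8s,k8s-cluster-security`; if it is intended, state it in the commit message and confirm no other profile under profiles/ filters on the removed tags.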
@@ -10,7 +10,7 @@ info: remediation: Update the image pull policy in Kubernetes Deployments to 'Always' to ensure that the latest container images are always used. reference: - https://kubernetes.io/docs/concepts/containers/images/#updating-images - tags: cloud,devops,kubernetes,k8s,devsecops,deployments,images,docker + tags: cloud,devops,kubernetes,k8s,devsecops,deployments,images,docker,k8s-cluster-security flow: | code(1); diff --git a/cloud/kubernetes/deployments/k8s-image-tag-not-fixed.yaml b/cloud/kubernetes/deployments/k8s-image-tag-not-fixed.yaml index 989b5b2759..9211eecb08 100644 --- a/cloud/kubernetes/deployments/k8s-image-tag-not-fixed.yaml +++ b/cloud/kubernetes/deployments/k8s-image-tag-not-fixed.yaml @@ -11,7 +11,7 @@ info: Use specific image tags for all containers in Kubernetes Deployments to ensure reproducibility and stability of application deployments. reference: - https://kubernetes.io/docs/concepts/containers/images/ - tags: cloud,devops,kubernetes,k8s,devsecops,deployments + tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security flow: | code(1); diff --git a/cloud/kubernetes/deployments/k8s-liveness-probe-not-configured.yaml b/cloud/kubernetes/deployments/k8s-liveness-probe-not-configured.yaml index dc4f612553..2039d0acf3 100644 --- a/cloud/kubernetes/deployments/k8s-liveness-probe-not-configured.yaml +++ b/cloud/kubernetes/deployments/k8s-liveness-probe-not-configured.yaml @@ -10,7 +10,7 @@ info: remediation: Configure liveness probes for all containers in Kubernetes Deployments to ensure proper health checks and automatic restarts of failing containers reference: - https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ - tags: cloud,devops,kubernetes,k8s,devsecops,deployments + tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security flow: | code(1); 
diff --git a/cloud/kubernetes/deployments/k8s-memory-limits-not-set.yaml b/cloud/kubernetes/deployments/k8s-memory-limits-not-set.yaml index c8d50de6d9..b528dc243b 100644 --- a/cloud/kubernetes/deployments/k8s-memory-limits-not-set.yaml +++ b/cloud/kubernetes/deployments/k8s-memory-limits-not-set.yaml @@ -10,7 +10,7 @@ info: remediation: Set memory limits for all containers in Kubernetes Deployments to ensure resource management and application stability reference: - https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/ - tags: cloud,devops,kubernetes,k8s,devsecops,deployments + tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security flow: | code(1); diff --git a/cloud/kubernetes/deployments/k8s-memory-requests-not-set.yaml b/cloud/kubernetes/deployments/k8s-memory-requests-not-set.yaml index 2f83e31698..e4913e6095 100644 --- a/cloud/kubernetes/deployments/k8s-memory-requests-not-set.yaml +++ b/cloud/kubernetes/deployments/k8s-memory-requests-not-set.yaml @@ -10,7 +10,7 @@ info: remediation: Set memory requests for all containers in Kubernetes Deployments to ensure efficient pod scheduling and node resource utilization. reference: - https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/ - tags: cloud,devops,kubernetes,k8s,devsecops,deployments + tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security flow: | code(1); diff --git a/cloud/kubernetes/deployments/k8s-minimize-added-capabilities.yaml b/cloud/kubernetes/deployments/k8s-minimize-added-capabilities.yaml index 6da198f43a..991f396b89 100644 --- a/cloud/kubernetes/deployments/k8s-minimize-added-capabilities.yaml +++ b/cloud/kubernetes/deployments/k8s-minimize-added-capabilities.yaml 
@@ -11,7 +11,7 @@ info: Ensure that no unnecessary capabilities are added to containers within Kubernetes Deployments. Use security contexts to define the minimum necessary privileges. reference: - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - tags: cloud,devops,kubernetes,k8s,devsecops,deployments + tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security flow: | code(1); diff --git a/cloud/kubernetes/deployments/k8s-privileged-container.yaml b/cloud/kubernetes/deployments/k8s-privileged-container.yaml index b37e429c23..d8310da838 100644 --- a/cloud/kubernetes/deployments/k8s-privileged-container.yaml +++ b/cloud/kubernetes/deployments/k8s-privileged-container.yaml @@ -11,7 +11,7 @@ info: Ensure that no container in Kubernetes Deployments runs in privileged mode, as the root user, or with privilege escalation enabled. Modify the security context for each container to set `privileged: false`, `runAsUser` appropriately, and `allowPrivilegeEscalation: false`. reference: - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged - tags: cloud,devops,kubernetes,k8s,devsecops,deployments + tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security flow: | code(1); diff --git a/cloud/kubernetes/deployments/k8s-readiness-probe-not-set.yaml b/cloud/kubernetes/deployments/k8s-readiness-probe-not-set.yaml index de141bb4dc..b29761b8a3 100644 --- a/cloud/kubernetes/deployments/k8s-readiness-probe-not-set.yaml +++ b/cloud/kubernetes/deployments/k8s-readiness-probe-not-set.yaml 
@@ -11,7 +11,7 @@ info: Define readiness probes in all containers within your Kubernetes Deployments to ensure that traffic is only routed to containers that are fully prepared to handle it. reference: - https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ - tags: cloud,devops,kubernetes,k8s,devsecops,deployments + tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security flow: | code(1); diff --git a/cloud/kubernetes/deployments/k8s-root-container-admission.yaml b/cloud/kubernetes/deployments/k8s-root-container-admission.yaml index 6dedcd1369..dd59064962 100644 --- a/cloud/kubernetes/deployments/k8s-root-container-admission.yaml +++ b/cloud/kubernetes/deployments/k8s-root-container-admission.yaml @@ -11,7 +11,7 @@ info: Configure security contexts for all pods to run containers with a non-root user. Use Pod Security Policies or OPA/Gatekeeper to enforce these configurations. reference: - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups - tags: cloud,devops,kubernetes,devsecops,deployments,k8s + tags: cloud,devops,kubernetes,devsecops,deployments,k8s,k8s-cluster-security flow: | code(1); diff --git a/cloud/kubernetes/deployments/k8s-seccomp-profile-set.yaml b/cloud/kubernetes/deployments/k8s-seccomp-profile-set.yaml index b59ecb43f6..1a331a788a 100644 --- a/cloud/kubernetes/deployments/k8s-seccomp-profile-set.yaml +++ b/cloud/kubernetes/deployments/k8s-seccomp-profile-set.yaml @@ -11,7 +11,7 @@ info: Ensure that all containers in Kubernetes Deployments have a seccomp profile of docker/default or runtime/default set in their security contexts. reference: - https://kubernetes.io/docs/tutorials/clusters/seccomp/ - tags: cloud,devops,kubernetes,security,devsecops,containers + tags: cloud,devops,kubernetes,devsecops,containers,k8s,k8s-cluster-security flow: | code(1); 
diff --git a/cloud/kubernetes/kubernetes-code-env.yaml b/cloud/kubernetes/kubernetes-code-env.yaml index ffcff48ad9..8c5a34b874 100644 --- a/cloud/kubernetes/kubernetes-code-env.yaml +++ b/cloud/kubernetes/kubernetes-code-env.yaml @@ -7,7 +7,7 @@ info: Checks if kubernetes CLI is set up and all necessary tools are installed on the environment. reference: - https://kubernetes.io/ - tags: cloud,devops,kubernetes,k8s,kubernetes-cloud-config + tags: cloud,devops,kubernetes,k8s,k8s-cluster-security self-contained: true code: diff --git a/cloud/kubernetes/network-policies/k8s-netpol-egress-rules.yaml b/cloud/kubernetes/network-policies/k8s-netpol-egress-rules.yaml index f08f42535b..c053894af2 100644 --- a/cloud/kubernetes/network-policies/k8s-netpol-egress-rules.yaml +++ b/cloud/kubernetes/network-policies/k8s-netpol-egress-rules.yaml @@ -10,7 +10,7 @@ info: remediation: Define egress rules in all network policies to control outbound traffic from your Kubernetes pods, thereby reducing security risks. reference: - https://kubernetes.io/docs/concepts/services-networking/network-policies/ - tags: cloud,devops,kubernetes,security,devsecops,network + tags: cloud,devops,kubernetes,devsecops,k8s,k8s-cluster-security flow: | code(1); diff --git a/cloud/kubernetes/network-policies/k8s-netpol-namespace.yaml b/cloud/kubernetes/network-policies/k8s-netpol-namespace.yaml index 2051aae380..349b01076e 100644 --- a/cloud/kubernetes/network-policies/k8s-netpol-namespace.yaml +++ b/cloud/kubernetes/network-policies/k8s-netpol-namespace.yaml @@ -11,7 +11,7 @@ info: Ensure that all Network Policies explicitly define a namespace to maintain proper network isolation and security boundaries. reference: - https://kubernetes.io/docs/concepts/services-networking/network-policies/ - tags: cloud,devops,kubernetes,security,devsecops,networking + tags: cloud,devops,kubernetes,devsecops,k8s,k8s-cluster-security flow: | code(1); 
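Review bot: In kubernetes-code-env.yaml the `kubernetes-cloud-config` tag is replaced by `k8s-cluster-security` rather than added next to it, so any existing profile or `-tags kubernetes-cloud-config` run that relied on it will silently stop selecting this environment check; whether such a profile exists is not visible in the diff. Because this template is `self-contained: true` and only verifies that the Kubernetes CLI and tools are present, it presumably needs to stay reachable from every Kubernetes profile, so keep both tags: `tags: cloud,devops,kubernetes,k8s,kubernetes-cloud-config,k8s-cluster-security`.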
diff --git a/cloud/kubernetes/network-policies/k8s-network-ingress-rules.yaml b/cloud/kubernetes/network-policies/k8s-network-ingress-rules.yaml index f0d245847d..954d2348ae 100644 --- a/cloud/kubernetes/network-policies/k8s-network-ingress-rules.yaml +++ b/cloud/kubernetes/network-policies/k8s-network-ingress-rules.yaml @@ -11,7 +11,7 @@ info: Define specific ingress rules in all network policies to control the flow of inbound traffic to pods, ensuring only authorized traffic can access cluster resources. reference: - https://kubernetes.io/docs/concepts/services-networking/network-policies/ - tags: cloud,devops,kubernetes,security,networking + tags: cloud,devops,kubernetes,security,k8s,k8s-cluster-security flow: | code(1); diff --git a/cloud/kubernetes/pods/k8s-allow-privilege-escalation-set.yaml b/cloud/kubernetes/pods/k8s-allow-privilege-escalation-set.yaml index aaef1e10e3..b9e717d392 100644 --- a/cloud/kubernetes/pods/k8s-allow-privilege-escalation-set.yaml +++ b/cloud/kubernetes/pods/k8s-allow-privilege-escalation-set.yaml @@ -10,7 +10,7 @@ info: remediation: Ensure that the allowPrivilegeEscalation flag is set to false in all container configurations to minimize security risks reference: - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - tags: cloud,devops,kubernetes,security,devsecops,containers + tags: cloud,devops,kubernetes,security,devsecops,containers,k8s,k8s-cluster-security flow: | code(1); diff --git a/cloud/kubernetes/pods/k8s-containers-share-host-ipc.yaml b/cloud/kubernetes/pods/k8s-containers-share-host-ipc.yaml index ead59c806a..b449495d9f 100644 --- a/cloud/kubernetes/pods/k8s-containers-share-host-ipc.yaml +++ b/cloud/kubernetes/pods/k8s-containers-share-host-ipc.yaml 
@@ -10,7 +10,7 @@ info: remediation: Ensure that no container in Kubernetes Pods is set to share the host IPC namespace. Configure 'spec.hostIPC' to 'false' for all pods to isolate IPC namespaces. reference: - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - tags: cloud,devops,kubernetes,k8s,devsecops,pods + tags: cloud,devops,kubernetes,k8s,devsecops,pods,k8s-cluster-security flow: | code(1); diff --git a/cloud/kubernetes/pods/k8s-host-network-namespace-shared.yaml b/cloud/kubernetes/pods/k8s-host-network-namespace-shared.yaml index a98680cc00..2bc9bd222d 100644 --- a/cloud/kubernetes/pods/k8s-host-network-namespace-shared.yaml +++ b/cloud/kubernetes/pods/k8s-host-network-namespace-shared.yaml @@ -11,7 +11,7 @@ info: Ensure that the 'hostNetwork' field is set to false in all Kubernetes Pods to prevent containers from sharing the host's network namespace. reference: - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces - tags: cloud,devops,kubernetes,k8s,devsecops,namespace + tags: cloud,devops,kubernetes,k8s,devsecops,namespace,k8s-cluster-security flow: | code(1); diff --git a/cloud/kubernetes/pods/k8s-host-pid-namespace-sharing.yaml b/cloud/kubernetes/pods/k8s-host-pid-namespace-sharing.yaml index e9386f6075..55296d3fc8 100644 --- a/cloud/kubernetes/pods/k8s-host-pid-namespace-sharing.yaml +++ b/cloud/kubernetes/pods/k8s-host-pid-namespace-sharing.yaml @@ -11,7 +11,7 @@ info: Ensure that the 'hostPID' field is set to 'false' in Kubernetes Pod specifications to prevent containers from sharing the host's PID namespace. reference: - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces - tags: cloud,devops,kubernetes,k8s,devsecops,pods + tags: cloud,devops,kubernetes,k8s,devsecops,pods,k8s-cluster-security flow: | code(1); diff --git a/cloud/kubernetes/pods/k8s-readonly-fs.yaml b/cloud/kubernetes/pods/k8s-readonly-fs.yaml index 520aeb5a84..24312b1075 100644 
--- a/cloud/kubernetes/pods/k8s-readonly-fs.yaml +++ b/cloud/kubernetes/pods/k8s-readonly-fs.yaml @@ -10,7 +10,7 @@ info: remediation: Configure containers to use read-only filesystems where possible to enhance security and minimize risk of unauthorized data modification reference: - https://kubernetes.io/docs/concepts/storage/volumes/#mount-propagation - tags: cloud,devops,kubernetes,k8s,devsecops,pods + tags: cloud,devops,kubernetes,k8s,devsecops,pods,k8s-cluster-security flow: | code(1); diff --git a/cloud/kubernetes/pods/k8s-readonly-rootfs.yaml b/cloud/kubernetes/pods/k8s-readonly-rootfs.yaml index 8f59478b73..3bbef35dbe 100644 --- a/cloud/kubernetes/pods/k8s-readonly-rootfs.yaml +++ b/cloud/kubernetes/pods/k8s-readonly-rootfs.yaml @@ -11,7 +11,7 @@ info: Configure all pods and containers to have their root filesystem set to read-only mode. This can be achieved by setting the securityContext.readOnlyRootFilesystem parameter to true in the pod or container configuration. reference: - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems - tags: cloud,devops,kubernetes,security,devsecops,pods,k8s + tags: cloud,devops,kubernetes,devsecops,pods,k8s,k8s-cluster-security flow: | code(1); diff --git a/cloud/kubernetes/pods/k8s-root-user-id.yaml b/cloud/kubernetes/pods/k8s-root-user-id.yaml index e2cd9a2db3..666e61a880 100644 --- a/cloud/kubernetes/pods/k8s-root-user-id.yaml +++ b/cloud/kubernetes/pods/k8s-root-user-id.yaml @@ -10,7 +10,7 @@ info: remediation: Configure pods to run with a non-root user ID by setting the 'securityContext' for each container and the pod itself. reference: - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - tags: cloud,devops,kubernetes,security,devsecops,pods + tags: cloud,devops,kubernetes,devsecops,pods,k8s,k8s-cluster-security flow: | code(1); 
diff --git a/cloud/kubernetes/security-compliance/k8s-audit-log-path-set.yaml b/cloud/kubernetes/security-compliance/k8s-audit-log-path-set.yaml index d705b4bd37..9b0af09a50 100644 --- a/cloud/kubernetes/security-compliance/k8s-audit-log-path-set.yaml +++ b/cloud/kubernetes/security-compliance/k8s-audit-log-path-set.yaml @@ -11,7 +11,7 @@ info: Configure the Kubernetes API server to include the audit-log-path argument pointing to a secure, writeable directory where audit logs will be stored. Ensure that this directory is properly secured and regularly monitored. reference: - https://kubernetes.io/docs/tasks/debug-application-cluster/audit/ - tags: cloud,devops,kubernetes,security,devsecops,api-server + tags: cloud,devops,kubernetes,devsecops,api-server,k8s,k8s-cluster-security variables: argument: "audit-log-path" diff --git a/cloud/kubernetes/security-compliance/k8s-enc-prov-conf.yaml b/cloud/kubernetes/security-compliance/k8s-enc-prov-conf.yaml index b755b9ff12..ac271d1834 100644 --- a/cloud/kubernetes/security-compliance/k8s-enc-prov-conf.yaml +++ b/cloud/kubernetes/security-compliance/k8s-enc-prov-conf.yaml @@ -11,7 +11,7 @@ info: Ensure that the encryption provider configuration file is set up correctly and referenced properly in the API server configuration. Encryption should be enabled and configured according to the security best practices. reference: - https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/ - tags: cloud,devops,kubernetes,security,devsecops,encryption + tags: cloud,devops,kubernetes,devsecops,encryption,k8s,k8s-cluster-security variables: argument: "encryption-provider-config" diff --git a/cloud/kubernetes/security-compliance/k8s-etcd-cafile-set.yaml b/cloud/kubernetes/security-compliance/k8s-etcd-cafile-set.yaml index 6607c49e47..1c8a9f4cd5 100644 --- a/cloud/kubernetes/security-compliance/k8s-etcd-cafile-set.yaml +++ b/cloud/kubernetes/security-compliance/k8s-etcd-cafile-set.yaml 
@@ -11,7 +11,7 @@ info: Configure etcd to use an etcd-cafile argument that points to a valid CA certificate bundle. This setting should be part of the etcd startup arguments or in its configuration file. reference: - https://etcd.io/docs/v3.5/op-guide/security/ - tags: cloud,devops,kubernetes,security,devsecops,etcd + tags: cloud,devops,kubernetes,devsecops,etcd,k8s,k8s-cluster-security variables: argument: "etcd-cafile" diff --git a/cloud/kubernetes/security-compliance/k8s-etcd-files-set.yaml b/cloud/kubernetes/security-compliance/k8s-etcd-files-set.yaml index 7a6160556f..fa66bcccb1 100644 --- a/cloud/kubernetes/security-compliance/k8s-etcd-files-set.yaml +++ b/cloud/kubernetes/security-compliance/k8s-etcd-files-set.yaml @@ -11,7 +11,7 @@ info: Configure the etcd server to use etcd-certfile and etcd-keyfile arguments that point to valid certificate and key files respectively. This ensures that communications to and from the etcd server are properly encrypted. reference: - https://etcd.io/docs/v3.4.0/op-guide/security/ - tags: cloud,devops,kubernetes,security,devsecops,etcd + tags: cloud,devops,kubernetes,devsecops,etcd,k8s,k8s-cluster-security variables: argument: "etcd-certfile or etcd-keyfile" diff --git a/cloud/kubernetes/security-compliance/k8s-ns-usage-check.yaml b/cloud/kubernetes/security-compliance/k8s-ns-usage-check.yaml index a16b69c46b..8a8e1b3ccd 100644 --- a/cloud/kubernetes/security-compliance/k8s-ns-usage-check.yaml +++ b/cloud/kubernetes/security-compliance/k8s-ns-usage-check.yaml @@ -11,7 +11,7 @@ info: Implement and use namespaces to organize resources within the Kubernetes cluster effectively. Define access controls and resource quotas on a per-namespace basis. reference: - https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - tags: cloud,devops,kubernetes,security,devsecops,namespaces + tags: cloud,devops,kubernetes,devsecops,namespaces,k8s,k8s-cluster-security variables: argument: "namespaces" 
diff --git a/cloud/kubernetes/security-compliance/k8s-svc-acct-issuer-set.yaml b/cloud/kubernetes/security-compliance/k8s-svc-acct-issuer-set.yaml index ac65cadc8e..9086abfb7c 100644 --- a/cloud/kubernetes/security-compliance/k8s-svc-acct-issuer-set.yaml +++ b/cloud/kubernetes/security-compliance/k8s-svc-acct-issuer-set.yaml @@ -11,7 +11,7 @@ info: Set the service-account-issuer argument to a valid issuer URL in the API server's startup arguments or configuration file. This ensures the tokens issued are trusted across services. reference: - https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ - tags: cloud,devops,kubernetes,security,devsecops,api-server + tags: cloud,devops,kubernetes,devsecops,api-server,k8s,k8s-cluster-security variables: argument: "service-account-issuer" diff --git a/cloud/kubernetes/security-compliance/k8s-svc-acct-key.yaml b/cloud/kubernetes/security-compliance/k8s-svc-acct-key.yaml index 297ea44109..25e93ee840 100644 --- a/cloud/kubernetes/security-compliance/k8s-svc-acct-key.yaml +++ b/cloud/kubernetes/security-compliance/k8s-svc-acct-key.yaml @@ -11,7 +11,7 @@ info: Configure the API server to use a service-account-key-file that points to a valid private key used to sign service account tokens. This setting should be part of the API server startup arguments or in its configuration file. reference: - https://kubernetes.io/docs/admin/kube-apiserver/ - tags: cloud,devops,kubernetes,security,devsecops,api-server + tags: cloud,devops,kubernetes,security,devsecops,api-server,k8s,k8s-cluster-security variables: argument: "service-account-key-file" diff --git a/cloud/kubernetes/security-compliance/k8s-svc-acct-lookup-set.yaml b/cloud/kubernetes/security-compliance/k8s-svc-acct-lookup-set.yaml index 5168e9aaf8..e628964fbf 100644 --- a/cloud/kubernetes/security-compliance/k8s-svc-acct-lookup-set.yaml +++ b/cloud/kubernetes/security-compliance/k8s-svc-acct-lookup-set.yaml 
@@ -11,7 +11,7 @@ info: Set the service-account-lookup argument to true in the API server's startup arguments or configuration file to ensure proper verification of service accounts. reference: - https://kubernetes.io/docs/admin/kube-apiserver/ - tags: cloud,devops,kubernetes,security,devsecops,api-server + tags: cloud,devops,kubernetes,security,devsecops,api-server,k8s,k8s-cluster-security variables: argument: "service-account-lookup=true" diff --git a/cloud/kubernetes/security-compliance/k8s-tls-config-set.yaml b/cloud/kubernetes/security-compliance/k8s-tls-config-set.yaml index 30b5c65b75..b55ff705c9 100644 --- a/cloud/kubernetes/security-compliance/k8s-tls-config-set.yaml +++ b/cloud/kubernetes/security-compliance/k8s-tls-config-set.yaml @@ -11,7 +11,7 @@ info: Configure the API server to use tls-cert-file and tls-private-key-file that point to a valid certificate and key file respectively. This setting should be part of the API server startup arguments or in its configuration file. reference: - https://kubernetes.io/docs/admin/kube-apiserver/ - tags: cloud,devops,kubernetes,security,devsecops,api-server + tags: cloud,devops,kubernetes,security,devsecops,api-server,k8s,k8s-cluster-security variables: argument: "tls-cert-file or tls-private-key-file" diff --git a/profiles/k8s-cluster-security.yml b/profiles/k8s-cluster-security.yml new file mode 100644 index 0000000000..bca020c786 --- /dev/null +++ b/profiles/k8s-cluster-security.yml @@ -0,0 +1,6 @@ +# Nuclei scan profile for scanning aws ACLs + +code: true # enable code templates + +tags: + - k8s-cluster-security # filter templates with "k8s-cluster-security" tags \ No newline at end of file
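Review bot: The header comment of the new profiles/k8s-cluster-security.yml, `# Nuclei scan profile for scanning aws ACLs`, is copied from another profile and names the wrong target; the file selects Kubernetes templates, so it should read `# Nuclei scan profile for Kubernetes cluster security checks`. The file also ends without a trailing newline (`\ No newline at end of file`), which yamllint and most editors flag, so add one. It would help readers to extend the inline comment on `code: true` to say why it is needed, e.g. `code: true # the k8s-cluster-security templates are code templates, which Nuclei skips unless code templates are enabled`.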