Have Zarf be able to validate Kubernetes STIGs

[RothAndrew]

I'm currently looking at STIGs like this one but the way to check that it describes only works if you used kubeadm, and we use all kinds of different k8s distros. Better to check from inside the cluster?

Using instructions HERE and HERE you could test this manually using curl.

It would be super awesome if I could just run something like zarf compliance verify or something and have it spit out the results of a bunch of checks against these STIGS.

[andrewg-xyz]

What would be the reason for integrating compliance checks with ZARF? Maybe consider instead, integrating with big bang itself or equivalent tools that could exist in a cluster.

[RothAndrew]

Good questions!

integrating with big bang itself

Can you expand? What might that look like? I'm not married to anything in particular right now, just spitballing how we might handle checking for compliance of these stigs automatically.

or equivalent tools that could exist in a cluster.

Can you expand? What tools are you thinking about? It would need to be something very small, since some of the use cases that we are after are very resource constrained.

[jeff-mccoy]

So my thought wasn't on "validating stigs" per-se in Zarf, but rather add a pluggable system where you could run some tests/validation checks of your own against packages to be included as part of the package creation process and included/signed within the package. We could expose some basic interface that lets ppl describe bash scripts or similar that zarf runs prior to packaging and include their outputs (probably would need well-defined outputs) into the package creation phase.

I don't think this should be a full replacement for say a CI/CD system at all, but more about getting the assurance data into the package and signing, then letting the package deploy phase determine if it want's to accept that risk. Thinking out loud, the output could look something like:

type ZarfAssetValidation struct {
	Name        string
	Description string
	Value       interface{}
	Signature   string
}

[jeff-mccoy]

The reason this fits in zarf vs a runtime component like Big Bang would be to prevent even attempting to deploy something lacking basic static validation. But of course runtime defense is equally and separately important as pre-apply static checks.

[RothAndrew]

Interesting: https://medium.com/@LachlanEvenson/kubernetes-hardening-using-kubescape-ab7f9df341cc