feat(kubernetes): add etcd, controllermanager and rbac services #3261
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jfagoagas
added
prowler-4.0
provider/kubernetes
jfagoagas
requested changes
Feb 16, 2024
...ager/controllermanager_garbage_collection/controllermanager_garbage_collection.metadata.json
Outdated
Show resolved
Hide resolved
| from prowler.providers.common.common import global_provider | ||
| from prowler.providers.kubernetes.services.rbac.rbac_service import Rbac | ||
|
|
||
| rbac_client = Rbac(global_provider) |
There was a problem hiding this comment.
Suggested change
| rbac_client = Rbac(global_provider) | |
| rbac_client = RBAC(global_provider) |
There was a problem hiding this comment.
The Kubernetes client calls it Rbac https://github.com/kubernetes-client/python/blob/master/kubernetes/docs/RbacAuthorizationV1Api.md
| from prowler.providers.common.common import global_provider | ||
| from prowler.providers.kubernetes.services.etcd.etcd_service import Etcd | ||
|
|
||
| etcd_client = Etcd(global_provider) |
There was a problem hiding this comment.
Suggested change
| etcd_client = Etcd(global_provider) | |
| etcd_client = ETCD(global_provider) |
| "ResourceType": "ClusterRoleBinding", | ||
| "Description": "This check ensures that the 'cluster-admin' role, which provides wide-ranging powers, is used only where necessary. The 'cluster-admin' role grants super-user access to perform any action on any resource, including all namespaces. It should be applied cautiously to avoid excessive privileges.", | ||
| "Risk": "Inappropriate use of the 'cluster-admin' role can lead to excessive privileges, increasing the risk of malicious actions and potentially impacting the cluster's security posture.", | ||
| "RelatedUrl": "https://kubernetes.io/docs/admin/authorization/rbac/#user-facing-roles", |
| }, | ||
| "Recommendation": { | ||
| "Text": "Audit and assess the use of 'cluster-admin' role in all ClusterRoleBindings. Ensure it is assigned only to subjects that require such extensive privileges. Consider using more restrictive roles wherever possible.", | ||
| "Url": "https://kubernetes.io/docs/admin/authorization/rbac/#clusterrolebinding-example" |
Co-authored-by: Pepe Fagoaga <pepe@prowler.com>
jfagoagas
requested changes
Feb 16, 2024
| }, | ||
| "Recommendation": { | ||
| "Text": "Review and adjust the --terminated-pod-gc-threshold argument in the kube-controller-manager to ensure efficient garbage collection and optimal resource utilization.", | ||
| "Url": "https://kubernetes.io/docs/admin/kube-controller-manager/" |
| "ResourceType": "Etcd", | ||
| "Description": "This check verifies that the etcd service in a Kubernetes cluster is configured with appropriate TLS encryption settings. etcd, being a key value store for all Kubernetes REST API objects, should have its communication encrypted to protect these sensitive objects in transit.", | ||
| "Risk": "Without proper TLS configuration, data stored in etcd can be susceptible to interception and unauthorized access, posing a significant security risk to the entire Kubernetes cluster.", | ||
| "RelatedUrl": "https://coreos.com/etcd/docs/latest/op-guide/security.html", |
There was a problem hiding this comment.
Include a specific link instead of a generic one about etcd security.
| }, | ||
| "Recommendation": { | ||
| "Text": "Ensure that the etcd service is configured with TLS encryption for secure communication. The --cert-file and --key-file arguments should point to a valid TLS certificate and key.", | ||
| "Url": "https://kubernetes.io/docs/admin/etcd/" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Add etcd, ControllerManager and RBAC services for Kubernetes.
License
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.