feat(apiserver): new 9 Kubernetes ApiServer checks #3288
Conversation
Impressive 👏
Please check my comments; there are some broken links and some parts of the code that can be improved so as not to check everything if something is not set.
"ResourceType": "KubernetesAPIServer",
"Description": "This check verifies that the AlwaysPullImages admission control plugin is enabled in the Kubernetes API server. This plugin ensures that every new pod always pulls the required images, enforcing image access control and preventing the use of possibly outdated or altered images.",
"Risk": "Without AlwaysPullImages, once an image is pulled to a node, any pod can use it without any authorization check, potentially leading to security risks.",
"RelatedUrl": "https://kubernetes.io/docs/admin/admission-controllers/#alwayspullimages",
Check link.
},
"Recommendation": {
"Text": "Configure the API server to use the AlwaysPullImages admission control plugin to ensure image security and integrity.",
"Url": "https://kubernetes.io/docs/admin/kube-apiserver/"
f"AlwaysPullImages admission control plugin is set in pod {pod.name}."
)
plugin_set = False
for container in pod.containers.values():
Maybe we need to check if all the containers in the pod have the flag enabled.
},
"Recommendation": {
"Text": "Configure the API server audit log retention period to retain logs for at least 30 days or as per your organization's requirements.",
"Url": "https://kubernetes.io/docs/admin/kube-apiserver/"
Please check this link.
audit_log_maxage_set = False
for container in pod.containers.values():
    # Check if "--audit-log-maxage" is set to 30 or as appropriate
    for command in container.command:
Maybe we need to check if all the containers in the pod have the flag enabled.
},
"Recommendation": {
"Text": "Enable audit logging in the API server by specifying a valid path for --audit-log-path to ensure comprehensive activity logging within the cluster.",
"Url": "https://kubernetes.io/docs/admin/kube-apiserver/"
Check link.
# Check if "--audit-log-maxsize" is set to 100 MB or as appropriate
for command in container.command:
    if command.startswith("--audit-log-maxsize"):
        if int(command.split("=")[1]) >= 100:
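Review bot: the `int(command.split("=")[1])` on the last line only works for the `--audit-log-maxsize=<n>` form; when kube-apiserver is started with the flag and value as separate arguments (`--audit-log-maxsize`, `100`), `startswith` still matches but `split("=")[1]` raises IndexError, and a non-integer value raises ValueError, so a single oddly configured pod aborts the whole check instead of producing a FAIL finding. Suggest reading the value with a helper that handles both argument forms and treats an unparsable value as a failed check.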
Check if value is more or less than that.
},
"Recommendation": {
"Text": "Configure the API server audit log file size limit to 100 MB or as per your organization's requirements.",
"Url": "https://kubernetes.io/docs/admin/kube-apiserver/"
Check this link please.
# Check if "--audit-log-maxbackup" is set to 10 or as appropriate
for command in container.command:
    if command.startswith("--audit-log-maxbackup"):
        if int(command.split("=")[1]) >= 10:
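Review bot: same parsing fragility as the maxsize loop: `int(command.split("=")[1])` on the last line raises IndexError for the space-separated `--audit-log-maxbackup 10` form and ValueError for a non-integer value, and the literal `10` is hard to adjust per organization even though the Recommendation text says "or as per your organization's requirements". Suggest a shared value-extraction helper and a named threshold constant instead of the inline literal.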
Here we should check if the value is different. What if we create config variables for all the checks here, so they will be customizable?
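As an added example (not Prowler's code and not part of this PR) of the two review points raised above, requiring the plugin in every container of the pod and taking the audit-log thresholds from configuration rather than inline literals; the pod and container objects are SimpleNamespace stand-ins, `AUDIT_LOG_MINIMUMS` is a hypothetical name, and the sample pod is constructed.

```python
from types import SimpleNamespace  # stand-in for Prowler's pod/container objects (assumed)
# Thresholds as configuration with "at least" semantics; name hypothetical, values from the PR snippets.
AUDIT_LOG_MINIMUMS = {"--audit-log-maxage": 30, "--audit-log-maxsize": 100, "--audit-log-maxbackup": 10}

def parse_flags(command):
    """Map both '--flag=value' and '--flag value' arguments to {flag: value}."""
    flags, i = {}, 0
    while i < len(command):
        arg = command[i]
        if arg.startswith("--"):
            if "=" in arg:
                key, value = arg.split("=", 1)
            elif i + 1 < len(command) and not command[i + 1].startswith("--"):
                key, value, i = arg, command[i + 1], i + 1
            else:
                key, value = arg, ""
            flags[key] = value
        i += 1
    return flags

def plugin_enabled_in_all_containers(pod, plugin="AlwaysPullImages"):
    """True only when every container's --enable-admission-plugins lists the plugin."""
    if not pod.containers:
        return False
    for c in pod.containers.values():
        enabled = parse_flags(c.command).get("--enable-admission-plugins", "")
        if plugin not in [p.strip() for p in enabled.split(",")]:
            return False
    return True

def audit_log_status(pod, minimums=AUDIT_LOG_MINIMUMS):
    """Per flag: FAIL if any container is below the minimum or non-integer, else MISSING if any lacks it, else PASS."""
    status = {}
    for flag, minimum in minimums.items():
        verdicts = {"MISSING"} if not pod.containers else set()
        for c in pod.containers.values():
            raw = parse_flags(c.command).get(flag)
            if raw is None:
                verdicts.add("MISSING")
            elif not raw.lstrip("-").isdigit() or int(raw) < minimum:
                verdicts.add("FAIL")  # unparsable values never reach int() as an exception
            else:
                verdicts.add("PASS")
        status[flag] = "FAIL" if "FAIL" in verdicts else "MISSING" if "MISSING" in verdicts else "PASS"
    return status

SAMPLE_POD = SimpleNamespace(name="kube-apiserver-cp", containers={  # constructed sample pod
    "kube-apiserver": SimpleNamespace(command=["kube-apiserver", "--enable-admission-plugins=NodeRestriction,AlwaysPullImages",
        "--audit-log-maxage", "30", "--audit-log-maxsize=50", "--audit-log-maxbackup=ten"]),
    "sidecar": SimpleNamespace(command=["kube-apiserver", "--enable-admission-plugins=NodeRestriction"])})
```

Running `plugin_enabled_in_all_containers(SAMPLE_POD)` returns False because the sidecar lacks the plugin, and `audit_log_status(SAMPLE_POD)` reports maxage as MISSING (unset in the sidecar), maxsize as FAIL (50 below 100) and maxbackup as FAIL (non-integer) without raising.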
},
"Recommendation": {
"Text": "Configure the API server audit log backup retention to 10 or as per your organization's requirements.",
"Url": "https://kubernetes.io/docs/admin/kube-apiserver/"
Check link.
Description
Add 9 new Kubernetes ApiServer checks:
License
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.