feat(apiserver): new 9 Kubernetes ApiServer checks #3288
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sergargar
added
prowler-4.0
provider/kubernetes
jfagoagas
requested changes
Feb 19, 2024
| "ResourceType": "KubernetesAPIServer", | ||
| "Description": "This check verifies that the AlwaysPullImages admission control plugin is enabled in the Kubernetes API server. This plugin ensures that every new pod always pulls the required images, enforcing image access control and preventing the use of possibly outdated or altered images.", | ||
| "Risk": "Without AlwaysPullImages, once an image is pulled to a node, any pod can use it without any authorization check, potentially leading to security risks.", | ||
| "RelatedUrl": "https://kubernetes.io/docs/admin/admission-controllers/#alwayspullimages", |
| }, | ||
| "Recommendation": { | ||
| "Text": "Configure the API server to use the AlwaysPullImages admission control plugin to ensure image security and integrity.", | ||
| "Url": "https://kubernetes.io/docs/admin/kube-apiserver/" |
There was a problem hiding this comment.
| f"AlwaysPullImages admission control plugin is set in pod {pod.name}." | ||
| ) | ||
| plugin_set = False | ||
| for container in pod.containers.values(): |
There was a problem hiding this comment.
Maybe we need to check if all the containers in the pod has the flag enabled.
| }, | ||
| "Recommendation": { | ||
| "Text": "Configure the API server audit log retention period to retain logs for at least 30 days or as per your organization's requirements.", | ||
| "Url": "https://kubernetes.io/docs/admin/kube-apiserver/" |
| audit_log_maxage_set = False | ||
| for container in pod.containers.values(): | ||
| # Check if "--audit-log-maxage" is set to 30 or as appropriate | ||
| for command in container.command: |
There was a problem hiding this comment.
Maybe we need to check if all the containers in the pod has the flag enabled.
| }, | ||
| "Recommendation": { | ||
| "Text": "Enable audit logging in the API server by specifying a valid path for --audit-log-path to ensure comprehensive activity logging within the cluster.", | ||
| "Url": "https://kubernetes.io/docs/admin/kube-apiserver/" |
| # Check if "--audit-log-maxsize" is set to 100 MB or as appropriate | ||
| for command in container.command: | ||
| if command.startswith("--audit-log-maxsize"): | ||
| if int(command.split("=")[1]) >= 100: |
There was a problem hiding this comment.
Check if value is more or less than that.
| }, | ||
| "Recommendation": { | ||
| "Text": "Configure the API server audit log file size limit to 100 MB or as per your organization's requirements.", | ||
| "Url": "https://kubernetes.io/docs/admin/kube-apiserver/" |
| # Check if "--audit-log-maxbackup" is set to 10 or as appropriate | ||
| for command in container.command: | ||
| if command.startswith("--audit-log-maxbackup"): | ||
| if int(command.split("=")[1]) >= 10: |
There was a problem hiding this comment.
Here we should check if the value is different. What if we create a config variables for all the checks here, thus it will be customizable.
| }, | ||
| "Recommendation": { | ||
| "Text": "Configure the API server audit log backup retention to 10 or as per your organization's requirements.", | ||
| "Url": "https://kubernetes.io/docs/admin/kube-apiserver/" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Add new 9 Kubernetes ApiServer checks:
License
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.